debian/0000775000000000000000000000000011743657403007202 5ustar debian/source/0000775000000000000000000000000011364162400010465 5ustar debian/source/format0000664000000000000000000000001411364162400011673 0ustar 3.0 (quilt) debian/selinux-policy-ubuntu-doc.install0000664000000000000000000000002111345550112015615 0ustar /usr/share/doc/* debian/selinux-policy-ubuntu.postinst0000664000000000000000000000631111364162476015314 0ustar #!/bin/sh # postinst script for refpolicy # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-remove' # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in configure) test -d /etc/selinux.d/ubuntu | /bin/mkdir -p /etc/selinux.d/ubuntu modules=" \ /usr/share/selinux/ubuntu/alsa.pp \ /usr/share/selinux/ubuntu/apm.pp \ /usr/share/selinux/ubuntu/application.pp \ /usr/share/selinux/ubuntu/apt.pp \ /usr/share/selinux/ubuntu/authlogin.pp \ /usr/share/selinux/ubuntu/avahi.pp \ /usr/share/selinux/ubuntu/base.pp \ /usr/share/selinux/ubuntu/bluetooth.pp \ /usr/share/selinux/ubuntu/clock.pp \ /usr/share/selinux/ubuntu/consolekit.pp \ /usr/share/selinux/ubuntu/consoletype.pp \ /usr/share/selinux/ubuntu/cron.pp \ /usr/share/selinux/ubuntu/cups.pp \ /usr/share/selinux/ubuntu/devicekit.pp \ /usr/share/selinux/ubuntu/dbus.pp \ /usr/share/selinux/ubuntu/dpkg.pp \ /usr/share/selinux/ubuntu/fstools.pp \ /usr/share/selinux/ubuntu/getty.pp \ /usr/share/selinux/ubuntu/gnomeclock.pp \ /usr/share/selinux/ubuntu/hal.pp \ /usr/share/selinux/ubuntu/hostname.pp \ /usr/share/selinux/ubuntu/inetd.pp \ /usr/share/selinux/ubuntu/init.pp \ /usr/share/selinux/ubuntu/iptables.pp \ /usr/share/selinux/ubuntu/libraries.pp \ /usr/share/selinux/ubuntu/locallogin.pp \ /usr/share/selinux/ubuntu/logging.pp \ /usr/share/selinux/ubuntu/lpd.pp \ /usr/share/selinux/ubuntu/miscfiles.pp \ 
/usr/share/selinux/ubuntu/modemmanager.pp \ /usr/share/selinux/ubuntu/modutils.pp \ /usr/share/selinux/ubuntu/mount.pp \ /usr/share/selinux/ubuntu/mta.pp \ /usr/share/selinux/ubuntu/netutils.pp \ /usr/share/selinux/ubuntu/networkmanager.pp \ /usr/share/selinux/ubuntu/ntp.pp \ /usr/share/selinux/ubuntu/policykit.pp \ /usr/share/selinux/ubuntu/raid.pp \ /usr/share/selinux/ubuntu/rtkit.pp \ /usr/share/selinux/ubuntu/selinuxutil.pp \ /usr/share/selinux/ubuntu/ssh.pp \ /usr/share/selinux/ubuntu/storage.pp \ /usr/share/selinux/ubuntu/stunnel.pp \ /usr/share/selinux/ubuntu/sudo.pp \ /usr/share/selinux/ubuntu/sysadm.pp \ /usr/share/selinux/ubuntu/sysnetwork.pp \ /usr/share/selinux/ubuntu/udev.pp \ /usr/share/selinux/ubuntu/unconfined.pp \ /usr/share/selinux/ubuntu/userdomain.pp \ /usr/share/selinux/ubuntu/usermanage.pp \ /usr/share/selinux/ubuntu/xserver.pp \ " for i in $modules do /bin/ln -f -s $i /etc/selinux.d/ubuntu done if [ -x /usr/sbin/update-selinux-config ]; then /usr/sbin/update-selinux-config ubuntu fi /usr/bin/dpkg-trigger semodule ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/patches/0000775000000000000000000000000011743657403010631 5ustar debian/patches/udev.patch0000664000000000000000000000232011364166704012610 0ustar --- policy/modules/system/udev.te | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/udev.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/udev.te 2010-04-22 17:31:46.800570026 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/udev.te 2010-04-22 17:45:08.460466602 -0700 
@@ -158,6 +158,7 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) +sysnet_manage_network_state(udev_t) userdom_dontaudit_search_user_home_content(udev_t) @@ -187,6 +188,26 @@ ') ') +ifdef(`distro_ubuntu',` + fs_manage_tmpfs_dirs(udev_t) + fs_manage_tmpfs_files(udev_t) + fs_manage_tmpfs_symlinks(udev_t) + fs_manage_tmpfs_sockets(udev_t) + fs_manage_tmpfs_blk_files(udev_t) + fs_manage_tmpfs_chr_files(udev_t) + fs_relabel_tmpfs_blk_file(udev_t) + fs_relabel_tmpfs_chr_file(udev_t) + + term_search_ptys(udev_t) + + # for arping used for static IP addresses on PCMCIA ethernet + netutils_domtrans(udev_t) + + optional_policy(` + unconfined_domain(udev_t) + ') +') + optional_policy(` alsa_domtrans(udev_t) alsa_read_lib(udev_t) debian/patches/corecommands.patch0000664000000000000000000000475211364166723014333 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/kernel/corecommands.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/kernel/corecommands.fc 2010-04-22 17:31:47.370913064 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/kernel/corecommands.fc 2010-04-22 17:45:08.270611606 -0700 @@ -65,6 +65,11 @@ /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/network/if-up\.d/.* -- gen_context(system_u:object_r:bin_t,s0) +/etc/network/if-down\.d/.* -- gen_context(system_u:object_r:bin_t,s0) +/etc/network/if-pre-up\.d/.* -- gen_context(system_u:object_r:bin_t,s0) +/etc/network/if-port-down\.d/.* -- gen_context(system_u:object_r:bin_t,s0) + /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) 
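Review bot: The optional block at the end of the new distro_ubuntu section in udev.te calls `unconfined_domain(udev_t)`, which removes the confinement that the rest of the module expresses and makes the eight `fs_manage_tmpfs_*` / `fs_relabel_tmpfs_*` grants just above it redundant. The postinst in this package links `unconfined.pp`, so the optional block will be active on an installed system rather than dormant. udev runs as root and reacts to device events, so it is a domain where the enumerated rules are worth keeping enforceable. I would drop the `unconfined_domain(udev_t)` block, or, if it is a stop-gap, mark it with a comment such as `# TEMPORARY: remove once remaining udev_t denials on Ubuntu are enumerated`.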
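Review bot: The fourth added file-context line in corecommands.fc names `/etc/network/if-port-down\.d/.*`, but the ifupdown hook directories are if-pre-up.d, if-up.d, if-down.d and if-post-down.d, so this looks like a typo for "post". As written, scripts under if-post-down.d would not match and would keep the generic /etc label instead of `bin_t`. That would likely show up as execute denials only when an interface is taken down. The line should read `/etc/network/if-post-down\.d/.* -- gen_context(system_u:object_r:bin_t,s0)`.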
@@ -87,6 +92,8 @@ /etc/sysconfig/network-scripts/net.* gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/network-scripts/init.* gen_context(system_u:object_r:bin_t,s0) +/etc/wpa_supplicant/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) + /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) 
@@ -156,13 +163,16 @@ /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/pm-utils/module.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/pm-utils/power.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/pm-utils/sleep.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/ConsoleKit(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) debian/patches/fix-ftbfs.patch0000664000000000000000000000447211743657403013551 0ustar Description: Fix errors preventing policy build checkpolicy version 2.1.0 changed the way the role-type rule works. It can no longer be used to declare a role. It can only be used to associate a role with types, so an explicit role declaration is now needed. See: http://marc.info/?l=selinux&m=131250727712140&w=3 usermanage.te failed to build because an SELinux user was incorrectly being passed to cron_role() when a role was expected. I suspect that the changes to checkpolicy now catch this error whereas they did not before. 
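Review bot: The three new pm-utils specifications leave the dot unescaped (`module.d`, `power.d`, `sleep.d`), so it matches any character, whereas the entries added earlier in this same patch write `if-up\.d`; they should be `/usr/lib(64)?/pm-utils/module\.d(/.*)?` and likewise for the other two. In the same hunk the two ConsoleKit entries for `scripts` and `run-session.d` are replaced by `/usr/lib(64)?/ConsoleKit(/.*)?`, which labels everything under that directory `bin_t`, executable or not. If only additional helper binaries needed the label, a narrower pattern, or a comment naming the files that required the widening, would keep the context file auditable.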
Author: Tyler Hicks Bug-Ubuntu: https://launchpad.net/bugs/935407 Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/nx.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/nx.te 2012-04-18 13:57:32.000000000 -0500 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/nx.te 2012-04-18 14:02:32.269909501 -0500 @@ -13,6 +13,7 @@ domain_user_exemption_target(nx_server_t) # we need an extra role because nxserver is called from sshd # cjp: do we really need this? +role nx_server_r; role nx_server_r types nx_server_t; allow system_r nx_server_r; Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/unconfined.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/unconfined.te 2012-04-18 13:57:32.629902376 -0500 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/unconfined.te 2012-04-18 14:02:32.269909501 -0500 @@ -22,6 +22,7 @@ type unconfined_execmem_t; type unconfined_execmem_exec_t; init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) +role unconfined_r; role unconfined_r types unconfined_execmem_t; ######################################## Index: refpolicy-ubuntu-0.2.20091117/policy/modules/admin/usermanage.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/admin/usermanage.te 2012-04-18 13:57:32.557902374 -0500 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/admin/usermanage.te 2012-04-18 14:02:32.269909501 -0500 
@@ -525,7 +525,7 @@ optional_policy(` # wants to run crontab when deleting a user - cron_role(system_u, useradd_t) + cron_role(system_r, useradd_t) ') optional_policy(` debian/patches/networkmanager.patch0000664000000000000000000001452111364166732014700 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/networkmanager.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/networkmanager.fc 2010-04-22 17:31:47.829418864 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/networkmanager.fc 2010-04-22 17:45:08.160586026 -0700 @@ -2,8 +2,15 @@ /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/lib/NetworkManager/nm-[^/]*\.action -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/etc/NetworkManager/dispatcher\.d/.* gen_context(system_u:object_r:NetworkManager_exec_t,s0) + /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) + /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/networkmanager.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/networkmanager.te 2010-04-22 17:31:47.819309692 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/networkmanager.te 2010-04-22 17:45:08.160586026 -0700 
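Review bot: In the networkmanager.fc hunk, the added `/etc/NetworkManager/dispatcher\.d/.*` entry has no file-type specifier, unlike the three lines added above it, so directories and symlinks under dispatcher.d would also be labelled `NetworkManager_exec_t`. Adding `--` restricts it to regular files: `/etc/NetworkManager/dispatcher\.d/.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)`. Separately, labelling dispatcher scripts with the daemon's own entrypoint type presumably means they run with all of NetworkManager_t's permissions. A short comment recording that this is intended would help, since the directory holds administrator-supplied scripts.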
@@ -22,9 +22,13 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) +type NetworkManager_var_lib_t; +files_type(NetworkManager_var_lib_t) + type wpa_cli_t; type wpa_cli_exec_t; init_system_domain(wpa_cli_t, wpa_cli_exec_t) +domtrans_pattern(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t) ######################################## # @@ -39,6 +43,7 @@ allow NetworkManager_t self:fifo_file rw_fifo_file_perms; allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; +allow NetworkManager_t self:netlink_kobject_uevent_socket { bind create setopt getattr }; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_t self:tcp_socket create_stream_socket_perms; allow NetworkManager_t self:udp_socket create_socket_perms; @@ -52,13 +57,18 @@ logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_search_tmp(NetworkManager_t) +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, file) manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) +manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) 
@@ -88,6 +98,7 @@ fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) +fs_list_inotifyfs(NetworkManager_t) mls_file_read_all_levels(NetworkManager_t) @@ -100,13 +111,22 @@ domain_read_confined_domains_state(NetworkManager_t) domain_dontaudit_read_all_domains_state(NetworkManager_t) +# mountnfs is doing this +files_manage_generic_locks(NetworkManager_t) +# nm-system-settings does this when changing network settings +files_delete_etc_files(NetworkManager_t) files_read_etc_files(NetworkManager_t) files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) init_read_utmp(NetworkManager_t) +init_write_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) +# ifup has something to do with this +# creating and removing /lib/init/rw/var.run +libs_manage_lib_dirs(NetworkManager_t) + logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) 
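Review bot: In the networkmanager.te hunk at -100,13, `libs_manage_lib_dirs(NetworkManager_t)` and `files_delete_etc_files(NetworkManager_t)` give a network-facing daemon the ability to create and remove library directories and delete generic /etc files. The comment for the first, "ifup has something to do with this", shows the cause was not pinned down. The stated target is `/lib/init/rw/var.run`, so a dedicated file context for `/lib/init/rw` with a type NetworkManager_t can manage would cover the observed access without opening all of lib_t. At minimum the comments should record the exact denial (path, class and permission) that each rule answers, so that it can be narrowed later. These rules also appear to sit outside any distro conditional, though the surrounding file is not visible in the hunk.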
@@ -114,24 +134,37 @@ modutils_domtrans_insmod(NetworkManager_t) +# ifup/ifdown mounts/unmounts nfs +mount_domtrans(NetworkManager_t) + seutil_read_config(NetworkManager_t) sysnet_domtrans_ifconfig(NetworkManager_t) sysnet_domtrans_dhcpc(NetworkManager_t) sysnet_signal_dhcpc(NetworkManager_t) +sysnet_read_dhcp_config(NetworkManager_t) sysnet_read_dhcpc_pid(NetworkManager_t) sysnet_delete_dhcpc_pid(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) +# this happens when bringing an interface up or down +sysnet_delete_dhcpc_state(NetworkManager_t) # in /etc created by NetworkManager will be labelled net_conf_t. sysnet_manage_config(NetworkManager_t) +sysnet_manage_network_state(NetworkManager_t) sysnet_etc_filetrans_config(NetworkManager_t) +# wants to get the state of the app that is changing network settings +userdom_read_all_users_state(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_user_ttys(NetworkManager_t) # Read gnome-keyring userdom_read_user_home_content_files(NetworkManager_t) optional_policy(` + avahi_domtrans(NetworkManager_t) +') + +optional_policy(` bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_signal(NetworkManager_t) @@ -142,6 +175,10 @@ ') optional_policy(` + consolekit_dbus_chat(NetworkManager_t) +') + +optional_policy(` consoletype_exec(NetworkManager_t) ') 
@@ -164,11 +201,21 @@ ') optional_policy(` + ntp_domtrans_ntpdate(NetworkManager_t) +') + +optional_policy(` openvpn_domtrans(NetworkManager_t) openvpn_signal(NetworkManager_t) ') optional_policy(` + policykit_domtrans_resolve(NetworkManager_t) + policykit_domtrans_auth(NetworkManager_t) + policykit_read_lib(NetworkManager_t) +') + +optional_policy(` ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) debian/patches/apt.patch0000664000000000000000000000205511364166676012446 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/admin/apt.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/admin/apt.fc 2010-04-22 17:31:46.440394377 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/admin/apt.fc 2010-04-22 17:45:08.620471950 -0700 @@ -1,4 +1,5 @@ /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) +/usr/sbin/aptd -- gen_context(system_u:object_r:apt_exec_t,s0) # apt-shell is redhat specific /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) # other package managers Index: refpolicy-ubuntu-0.2.20091117/policy/modules/admin/apt.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/admin/apt.te 2010-04-22 17:31:46.430394226 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/admin/apt.te 2010-04-22 17:45:08.620471950 -0700 
@@ -161,3 +161,7 @@ optional_policy(` unconfined_domain(apt_t) ') + +optional_policy(` + unconfined_dbus_chat(apt_t) +') debian/patches/users.patch0000664000000000000000000000135711364166753013023 0ustar --- policy/users | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: refpolicy-ubuntu-0.2.20091117/policy/users =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/users 2010-04-22 17:31:48.449144421 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/users 2010-04-22 17:45:07.930404529 -0700 @@ -29,7 +29,7 @@ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # Until order dependence is fixed for users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) # # The following users correspond to Unix identities. debian/patches/xserver.patch0000664000000000000000000000757211364166751013363 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/xserver.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/xserver.fc 2010-04-22 17:31:48.389268554 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/xserver.fc 2010-04-22 17:45:07.940487085 -0700 
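Review bot: The policy/users hunk adds `system_r` to the roles of `unconfined_u` without any comment or patch description saying why the role is needed. Taken with the seusers change in conf.patch on this page, which maps both `root` and `__default__` to `unconfined_u`, every login session would be authorised for `system_r`, the role normally reserved for system daemons. If this was required for a specific transition (for example starting services from an unconfined shell), that should be stated next to the line, for example `# Ubuntu: unconfined_u needs system_r for <reason>`. Reviewers can then check whether a narrower role transition would do.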
@@ -9,6 +9,14 @@ HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.fonts\.conf -- gen_context(unconfined_u:object_r:user_fonts_config_t,s0) +/root/\.fonts(/.*)? gen_context(unconfined_u:object_r:user_fonts_t,s0) +/root/\.fonts/auto(/.*)? gen_context(unconfined_u:object_r:user_fonts_cache_t,s0) +/root/\.fonts\.cache-.* -- gen_context(unconfined_u:object_r:user_fonts_cache_t,s0) +/root/\.ICEauthority.* -- gen_context(unconfined_u:object_r:iceauth_home_t,s0) +/root/\.xauth.* -- gen_context(unconfined_u:object_r:xauth_home_t,s0) +/root/\.Xauthority.* -- gen_context(unconfined_u:object_r:xauth_home_t,s0) + # # /dev # @@ -20,10 +28,10 @@ /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) -/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) +/etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) 
@@ -32,10 +40,9 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) -ifdef(`distro_redhat',` /etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -') +/etc/gdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) # # /opt Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/xserver.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/xserver.te 2010-04-22 17:31:48.409268514 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/xserver.te 2010-04-22 17:45:07.940487085 -0700 @@ -467,6 +467,7 @@ userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) +userdom_dbus_chat_all_users(xdm_t) # for .dmrc userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. @@ -515,6 +516,10 @@ ') optional_policy(` + devicekit_dbus_chat_power(xdm_t) +') + +optional_policy(` # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) @@ -542,6 +547,10 @@ ') optional_policy(` + rtkit_daemon_dbus_chat(xdm_t) +') + +optional_policy(` seutil_sigchld_newrole(xdm_t) ') @@ -552,6 +561,7 @@ optional_policy(` unconfined_domain(xdm_t) unconfined_domtrans(xdm_t) + unconfined_dbus_connect(xdm_t) ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; @@ -727,6 +737,7 @@ # read x_contexts seutil_read_default_contexts(xserver_t) +userdom_dbus_chat_all_users(xserver_t) userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) userdom_setattr_user_ttys(xserver_t) 
@@ -846,6 +857,7 @@ optional_policy(` dbus_system_bus_client(xserver_t) hal_dbus_chat(xserver_t) + hal_dbus_chat(xdm_t) ') optional_policy(` debian/patches/fstools.patch0000664000000000000000000000127611364166716013352 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/fstools.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/fstools.te 2010-04-22 17:31:47.230414885 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/fstools.te 2010-04-22 17:45:08.300482379 -0700 @@ -135,6 +135,10 @@ term_use_console(fsadm_t) +# checkfs.sh mktemps a file for fsck to use as progress output +init_rw_script_tmp_files(fsadm_t) +# checkroot.sh mktemps a file under /var/run for fsck to use as progress output +init_write_utmp(fsadm_t) init_use_fds(fsadm_t) init_use_script_ptys(fsadm_t) init_dontaudit_getattr_initctl(fsadm_t) debian/patches/consolekit.patch0000664000000000000000000000575611364166731014037 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/consolekit.if =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/consolekit.if 2010-04-22 17:31:47.769267981 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/consolekit.if 2010-04-22 17:45:08.190470731 -0700 
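Review bot: In the fstools.te hunk, `init_write_utmp(fsadm_t)` is justified by "checkroot.sh mktemps a file under /var/run", which suggests the fsck progress file merely inherits the same type as utmp rather than fsadm_t needing to touch login records. Granting write access to that type also lets the filesystem tools domain modify utmp itself, which is a login-accounting integrity concern. A narrower fix would be to have the init script's temporary file created with its own type (for instance via a filetrans to the script tmp type already covered by `init_rw_script_tmp_files(fsadm_t)`). If that is not feasible, extend the comment to say explicitly that utmp write is a side effect, not a requirement.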
@@ -57,3 +57,23 @@ read_files_pattern($1, consolekit_log_t, consolekit_log_t) files_search_pids($1) ') + +######################################## +## +## Read Consolekit PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`consolekit_read_pid_files',` + gen_require(` + type consolekit_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/consolekit.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/consolekit.te 2010-04-22 17:31:47.749226541 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/consolekit.te 2010-04-22 17:45:08.190470731 -0700 @@ -22,13 +22,14 @@ # allow consolekit_t self:capability { setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; -allow consolekit_t self:process { getsched signal }; +allow consolekit_t self:process { getsched signal setfscreate }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket create_stream_socket_perms; allow consolekit_t self:unix_dgram_socket create_socket_perms; +manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -logging_log_filetrans(consolekit_t, consolekit_log_t, file) +logging_log_filetrans(consolekit_t, consolekit_log_t, { file dir }) manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) 
@@ -50,7 +51,8 @@ files_read_usr_files(consolekit_t) # needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) -files_search_all_mountpoints(consolekit_t) +# reads /usr/share/PolicyKit/policy/org.freedesktop.policykit.policy +files_read_usr_files(consolekit_t) fs_list_inotifyfs(consolekit_t) @@ -73,6 +75,14 @@ hal_ptrace(consolekit_t) +dev_setattr_all_blk_files(consolekit_t) +dev_getattr_all_blk_files(consolekit_t) + +dev_setattr_all_chr_files(consolekit_t) +dev_getattr_all_chr_files(consolekit_t) + +udev_read_db(consolekit_t) + tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_list_nfs(consolekit_t) fs_dontaudit_rw_nfs_files(consolekit_t) @@ -97,6 +107,10 @@ optional_policy(` unconfined_dbus_chat(consolekit_t) ') + + optional_policy(` + init_dbus_chat_script(consolekit_t) + ') ') optional_policy(` debian/patches/devtmpfs.patch0000664000000000000000000000145111364166703013500 0ustar Description: allow devtmpfs on /dev. Origin: https://launchpad.net/bugs/556823 Bug-Ubuntu: https://launchpad.net/bugs/556823 Index: refpolicy-ubuntu-0.2.20091117/policy/modules/kernel/filesystem.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/kernel/filesystem.te 2010-04-22 17:31:46.750496634 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/kernel/filesystem.te 2010-04-22 17:45:08.470518146 -0700 
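Review bot: The line added in the consolekit.te hunk at -50,7, `files_read_usr_files(consolekit_t)`, duplicates the first context line of the same hunk, so it adds no new permission. The effective change is only the removal of `files_search_all_mountpoints(consolekit_t)`. I would drop the duplicate call and move the new comment about `/usr/share/PolicyKit/policy/org.freedesktop.policykit.policy` up to the existing `files_read_usr_files(consolekit_t)` line. If the removal of the mountpoint search is intentional, a word in the patch header would help, since nothing in the hunk explains it.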
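Review bot: The consolekit.te hunk at -73,6 adds `dev_setattr_all_blk_files(consolekit_t)` and `dev_setattr_all_chr_files(consolekit_t)` with no comment, giving ConsoleKit the right to change attributes on every block and character device node, not just the seat devices it hands to the active session. Presumably this is for adjusting device ownership or ACLs on session switch. If so, state that in a comment and consider limiting the rules to the device types actually involved (sound, video, removable storage) where interfaces for them exist. A proposed comment: `# ConsoleKit adjusts ownership/ACLs on seat devices at session switch; all_* used until the device list is enumerated`.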
@@ -171,6 +171,7 @@ fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); +fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0); allow tmpfs_t noxattrfs:filesystem associate; debian/patches/gnome.patch0000664000000000000000000000221711364166677012770 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/gnomeclock.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/gnomeclock.fc 2010-04-22 17:31:46.490396641 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/gnomeclock.fc 2010-04-22 17:45:08.600498154 -0700 @@ -1,2 +1,3 @@ /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/lib/gnome-panel/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/gnomeclock.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/gnomeclock.te 2010-04-22 17:31:46.500394576 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/gnomeclock.te 2010-04-22 17:45:08.600498154 -0700 @@ -40,6 +40,10 @@ ') optional_policy(` + unconfined_dbus_chat(gnomeclock_t) +') + +optional_policy(` policykit_dbus_chat(gnomeclock_t) policykit_domtrans_auth(gnomeclock_t) policykit_read_lib(gnomeclock_t) debian/patches/devkit.patch0000664000000000000000000001232411364166700013134 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/devicekit.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/devicekit.fc 2010-04-22 17:31:46.580663748 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/devicekit.fc 2010-04-22 17:45:08.590648152 -0700 
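Review bot: The added `fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);` gives a devtmpfs-backed /dev the generic `tmpfs_t` filesystem label rather than a device-specific one. Any domain allowed to manage tmpfs_t objects is then working on the /dev tree; the udev patch on this page grants exactly that with its `fs_manage_tmpfs_*` rules. That makes it harder to separate ordinary tmpfs users from domains that may create device nodes. A label in the device type family for devtmpfs would preserve that distinction, though whether the rest of this policy version has the supporting rules is not visible from the hunk. If tmpfs_t is kept as a compatibility measure, note it in the patch Description alongside the Launchpad reference.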
@@ -6,3 +6,8 @@ /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) + +/usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) + +/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/devicekit.if =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/devicekit.if 2010-04-22 17:31:46.570632991 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/devicekit.if 2010-04-22 17:45:08.590648152 -0700 @@ -20,6 +20,43 @@ ######################################## ## +## Execute a domain transition to run devicekit power. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`devicekit_domtrans_power',` + gen_require(` + type devicekit_power_t, devicekit_power_exec_t; + ') + + domtrans_pattern($1, devicekit_power_exec_t, devicekit_power_t) +') + +######################################## +## +## Execute a domain transition to run devicekit disk. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`devicekit_domtrans_disk',` + gen_require(` + type devicekit_disk_t, devicekit_disk_exec_t; + ') + + domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t) +') + + +######################################## +## ## Send to devicekit over a unix domain ## datagram socket. ## Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/devicekit.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/devicekit.te 2010-04-22 17:31:46.590466460 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/devicekit.te 2010-04-22 17:45:08.590648152 -0700 
@@ -60,8 +60,11 @@ # DeviceKit disk local policy # +allow devicekit_disk_t self:process getsched; allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; +allow devicekit_disk_t self:unix_stream_socket create_socket_perms; +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) @@ -71,6 +74,10 @@ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) +manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) +manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) +files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) + kernel_read_software_raid_state(devicekit_disk_t) kernel_setsched(devicekit_disk_t) @@ -127,6 +134,10 @@ optional_policy(` consolekit_dbus_chat(devicekit_disk_t) ') + + optional_policy(` + unconfined_dbus_chat(devicekit_disk_t) + ') ') optional_policy(` 
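Review bot: The new `allow devicekit_disk_t self:unix_stream_socket create_socket_perms;` uses the generic socket permission set, whereas the NetworkManager and ConsoleKit policies on this page use `create_stream_socket_perms` for their own unix_stream_socket rules. The same choice is repeated for `devicekit_power_t` in the -139,14 hunk. If the daemons only connect out and never listen or accept, the narrower set is the right choice and deserves a short comment such as `# client-side only: no listen/accept needed`; otherwise it will surface as denials and should be `create_stream_socket_perms`. The `netlink_kobject_uevent_socket create_socket_perms` rules in both hunks are also broader than the explicit `{ bind create setopt getattr }` set that networkmanager.patch uses for the same socket class, so aligning them would be consistent with least privilege.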
@@ -139,14 +150,21 @@ # DeviceKit-Power local policy # +allow devicekit_power_t self:process getsched; allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; +allow devicekit_power_t self:unix_stream_socket create_socket_perms; +allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) +manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) +manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) +files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { file dir }) + kernel_read_network_state(devicekit_power_t) kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) @@ -189,12 +207,20 @@ ') optional_policy(` + policykit_dbus_chat(devicekit_power_t) + ') + + optional_policy(` networkmanager_dbus_chat(devicekit_power_t) ') optional_policy(` rpm_dbus_chat(devicekit_power_t) ') + + optional_policy(` + unconfined_dbus_chat(devicekit_power_t) + ') ') optional_policy(` 
@@ -215,5 +241,9 @@ ') optional_policy(` + udev_read_db(devicekit_power_t) +') + +optional_policy(` vbetool_domtrans(devicekit_power_t) ') debian/patches/conf.patch0000664000000000000000000000736311364166754012613 0ustar --- build.conf | 12 ++++++------ config/appconfig-mcs/seusers | 4 ++-- policy/booleans.conf | 12 ++++++------ 3 files changed, 14 insertions(+), 14 deletions(-) Index: refpolicy-ubuntu-0.2.20091117/build.conf =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/build.conf 2010-04-22 17:31:48.559319279 -0700 +++ refpolicy-ubuntu-0.2.20091117/build.conf 2010-04-22 17:45:07.910544848 -0700 @@ -12,13 +12,13 @@ # Policy Type # standard, mls, mcs -TYPE = standard +TYPE = mcs # Policy Name # If set, this will be used as the policy # name. Otherwise the policy type will be # used for the name. -NAME = refpolicy +NAME = ubuntu # Distribution # Some distributions have portions of policy @@ -27,7 +27,7 @@ # for the distribution. # redhat, gentoo, debian, suse, and rhel4 are current options. # Fedora users should enable redhat. -#DISTRO = redhat +DISTRO = ubuntu # Unknown Permissions Handling # The behavior for handling permissions defined in the 
@@ -35,18 +35,18 @@ # can either be allowed, denied, or the policy loading # can be rejected. # allow, deny, and reject are current options. -#UNK_PERMS = deny +UNK_PERMS = allow # Direct admin init # Setting this will allow sysadm to directly # run init scripts, instead of requring run_init. # This is a build option, as role transitions do # not work in conditional policy. -DIRECT_INITRC = n +DIRECT_INITRC = y # Build monolithic policy. Putting n here # will build a loadable module policy. -MONOLITHIC = y +MONOLITHIC = n # User-based access control (UBAC) # Enable UBAC for role separations. Index: refpolicy-ubuntu-0.2.20091117/config/appconfig-mcs/seusers =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/config/appconfig-mcs/seusers 2010-04-22 17:31:48.569269127 -0700 +++ refpolicy-ubuntu-0.2.20091117/config/appconfig-mcs/seusers 2010-04-22 17:45:07.910544848 -0700 @@ -1,3 +1,3 @@ system_u:system_u:s0-mcs_systemhigh -root:root:s0-mcs_systemhigh -__default__:user_u:s0 +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0-mcs_systemhigh Index: refpolicy-ubuntu-0.2.20091117/policy/booleans.conf =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/booleans.conf 2010-04-22 17:31:48.559319279 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/booleans.conf 2010-04-22 17:45:07.920512962 -0700 @@ -405,12 +405,12 @@ # # Enable support for upstart as the init program. # -init_upstart = false +init_upstart = true # # Allow the mount command to mount any directory or file. # -allow_mount_anyfile = false +allow_mount_anyfile = true # # Allow users to connect to mysql 
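Review bot: `UNK_PERMS = allow` in the build.conf hunk means any permission the kernel defines but this policy does not is granted rather than denied, so checks introduced by a newer kernel are silently bypassed. Keep `UNK_PERMS = deny` unless there is a specific compatibility reason, and if there is one, record it in a comment above the setting. The same hunk sets `DIRECT_INITRC = y`, which per the file's own comment lets sysadm run init scripts without run_init. The patch header is only a diffstat and explains neither choice.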
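Review bot: `__default__:unconfined_u:s0-mcs_systemhigh` in the seusers hunk maps every login without an explicit entry to the unconfined user with the full category range, so neither type enforcement nor MCS categories constrain interactive sessions. The previous default, `__default__:user_u:s0`, is replaced without any explanation in the patch header. If a targeted-style default is intended, state that in the header. If category separation between users is still wanted, keep the default range at `s0`, for example `__default__:unconfined_u:s0`.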
@@ -446,22 +446,22 @@ # # Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla # -allow_execheap = false +allow_execheap = true # # Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") # -allow_execmem = false +allow_execmem = true # # Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") # -allow_execmod = false +allow_execmod = true # # Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") # -allow_execstack = false +allow_execstack = true # # Enable polyinstantiated directory support. debian/patches/sysnetwork.patch0000664000000000000000000000576511364166747014124 0ustar --- policy/modules/system/sysnetwork.fc | 1 policy/modules/system/sysnetwork.if | 37 ++++++++++++++++++++++++++++++++++++ policy/modules/system/sysnetwork.te | 3 ++ 3 files changed, 41 insertions(+) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/sysnetwork.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/sysnetwork.fc 2010-04-22 17:31:48.319216243 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/sysnetwork.fc 2010-04-22 17:45:07.980508427 -0700 
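Review bot: This booleans.conf hunk sets `allow_execheap`, `allow_execmem`, `allow_execmod` and `allow_execstack` to `true`, which switches off every executable-memory check for unconfined domains, although the comments directly above each setting call this dangerous. With the default login mapping changed to unconfined_u elsewhere in this patch, that covers ordinary user sessions. Keep at least `allow_execheap = false` and `allow_execstack = false`, which the file's own comments say should never be needed. If particular programs need `execmem` or `execmod`, name them in the patch header so the exception can be narrowed later.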
@@ -53,6 +53,7 @@ /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) /var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) +/var/run/network(/.*)? gen_context(system_u:object_r:network_var_run_t,s0) ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/sysnetwork.if =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/sysnetwork.if 2010-04-22 17:31:48.309247287 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/sysnetwork.if 2010-04-22 17:45:07.980508427 -0700 @@ -310,6 +310,25 @@ ####################################### ## +## Create, read, write, and delete network state files. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`sysnet_manage_network_state',` + gen_require(` + type network_var_run_t; + ') + + manage_files_pattern($1, network_var_run_t, network_var_run_t) + manage_dirs_pattern($1, network_var_run_t, network_var_run_t) +') + +####################################### +## ## Create, read, write, and delete network config files. ## ## 
@@ -365,6 +384,24 @@ ####################################### ## +## Delete the dhcp client state file. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`sysnet_delete_dhcpc_state',` + gen_require(` + type dhcp_state_t, dhcpc_state_t; + ') + + delete_files_pattern($1, dhcp_state_t, dhcpc_state_t) +') + +####################################### +## ## Execute ifconfig in the ifconfig domain. ## ## Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/sysnetwork.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/sysnetwork.te 2010-04-22 17:31:48.309247287 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/sysnetwork.te 2010-04-22 17:45:07.990477181 -0700 @@ -37,6 +37,9 @@ type net_conf_t alias resolv_conf_t; files_type(net_conf_t) +type network_var_run_t; +files_pid_file(network_var_run_t) + ######################################## # # DHCP client local policy debian/patches/capabilities.patch0000664000000000000000000000061411345550112014267 0ustar Index: refpolicy-stable/policy/policy_capabilities =================================================================== --- refpolicy-stable.orig/policy/policy_capabilities 2009-03-06 15:06:14.000000000 -0500 +++ refpolicy-stable/policy/policy_capabilities 2009-03-06 15:07:45.000000000 -0500 @@ -29,4 +29,4 @@ # chr_file: open # blk_file: open # -policycap open_perms; +#policycap open_perms; debian/patches/init.patch0000664000000000000000000000452711364166707012626 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/init.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/init.fc 2010-04-22 17:31:46.990652591 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/init.fc 2010-04-22 17:45:08.380705030 -0700 
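Review bot: capabilities.patch comments out `policycap open_perms;` without a description, so a reader cannot tell whether this is a kernel-compatibility workaround or a deliberate relaxation. As far as I can tell, disabling this capability stops the kernel from checking the `open` permission listed in the comment block above it (`chr_file: open`, `blk_file: open`). That makes every `open` rule in the policy inert. Please add a patch header naming the kernel or toolchain version that requires this, and a comment on the line such as `# disabled: <reason>; re-enable when <condition>`.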
@@ -42,6 +42,8 @@ /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/lib/system-service/system-service-d -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/init.if =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/init.if 2010-04-22 17:31:46.970725122 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/init.if 2010-04-22 17:45:08.380705030 -0700 @@ -205,6 +205,10 @@ optional_policy(` nscd_socket_use($1) ') + + ifdef(`distro_ubuntu',` + init_domain($1,$2) + ') ') ######################################## @@ -280,6 +284,10 @@ kernel_dontaudit_use_fds($1) ') ') + + ifdef(`distro_ubuntu',` + init_domain($1,$2) + ') ') ######################################## Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/init.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/init.te 2010-04-22 17:31:46.970725122 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/init.te 2010-04-22 17:45:08.420434305 -0700 @@ -196,6 +196,10 @@ unconfined_domain(init_t) ') +optional_policy(` + unconfined_dbus_chat(init_t) +') + ######################################## # # Init script local policy @@ -283,6 +287,9 @@ # Wants to remove udev.tbl: dev_delete_generic_symlinks(initrc_t) +# usplash needs this +domain_mmap_low(initrc_t) + domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) domain_signull_all_domains(initrc_t) 
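Review bot: `domain_mmap_low(initrc_t)` in the init.te hunk at -283 lets every init script map low memory, not just usplash, and the only justification is the comment `# usplash needs this`. Low-address mapping is the permission that keeps a kernel NULL-pointer dereference from being turned into code execution, so granting it to a domain as broad as initrc_t removes that mitigation for all boot-time scripts. Prefer labelling the usplash binary with its own executable type and granting the permission only to that domain. If that is not feasible for this release, put the rule behind a tunable that defaults to off and expand the comment to say which binary triggers the denial.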
@@ -679,6 +686,10 @@ ') optional_policy(` + policykit_dbus_chat(initrc_t) +') + +optional_policy(` postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') debian/patches/avahi.patch0000664000000000000000000000424311364166734012746 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/avahi.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/avahi.fc 2010-04-22 17:31:47.919267963 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/avahi.fc 2010-04-22 17:45:08.120632611 -0700 @@ -6,4 +6,5 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) +/usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:avahi_exec_t,s0) /usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/avahi.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/avahi.te 2010-04-22 17:31:47.909226609 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/avahi.te 2010-04-22 17:45:08.120632611 -0700 
@@ -37,15 +37,18 @@ manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) +manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) allow avahi_t avahi_var_run_t:dir setattr; -files_pid_filetrans(avahi_t, avahi_var_run_t, file) +files_pid_filetrans(avahi_t, avahi_var_run_t, { file dir }) +filetrans_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t, { file socket }) kernel_read_kernel_sysctls(avahi_t) kernel_list_proc(avahi_t) kernel_read_proc_symlinks(avahi_t) kernel_read_network_state(avahi_t) +kernel_read_system_state(avahi_t) corenet_all_recvfrom_unlabeled(avahi_t) corenet_all_recvfrom_netlabel(avahi_t) @@ -77,6 +80,9 @@ auth_use_nsswitch(avahi_t) +corecmd_exec_bin(avahi_t) +corecmd_exec_shell(avahi_t) + init_signal_script(avahi_t) init_signull_script(avahi_t) @@ -85,6 +91,8 @@ miscfiles_read_localization(avahi_t) miscfiles_read_certs(avahi_t) +sysnet_domtrans_ifconfig(avahi_t) + userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) debian/patches/bluetooth.patch0000664000000000000000000000175311364166736013670 0ustar on ubuntu hardy there are binaries under /usr/lib/bluetooth/ that start bluetooth services. these files do not appear to be present on jaunty. --- policy/modules/services/bluetooth.te | 1 + 1 file changed, 1 insertion(+) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/bluetooth.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/bluetooth.te 2010-04-22 17:31:47.969325609 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/bluetooth.te 2010-04-22 17:45:08.110419451 -0700 
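Review bot: The added `filetrans_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t, { file socket })` names the class `socket`, which is a network socket class rather than a filesystem object, so the transition probably does not cover the UNIX socket file it appears to be meant for. The matching rule in dbus.patch uses `sock_file`, and the context line just above already uses `manage_sock_files_pattern`. The line should read `filetrans_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t, { file sock_file })`.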
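Review bot: `corecmd_exec_bin(avahi_t)` and `corecmd_exec_shell(avahi_t)` in the -77 hunk let the network-facing avahi daemon run a shell and any generic binary inside its own domain. The likely reason is that avahi.fc now labels `avahi-daemon-check-dns.sh` as `avahi_exec_t`, so the script runs as avahi_t and needs a shell, though the patch does not say so. Giving the helper script its own executable type and a small domain with a transition from its caller would keep shell access out of the daemon's domain. At minimum, add a comment such as `# avahi-daemon-check-dns.sh is a shell script run in avahi_t` above the two lines.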
@@ -58,6 +58,7 @@ dontaudit bluetooth_t self:capability sys_tty_config; allow bluetooth_t self:process { getsched signal_perms }; allow bluetooth_t self:fifo_file rw_fifo_file_perms; +allow bluetooth_t self:netlink_socket create_socket_perms; allow bluetooth_t self:shm create_shm_perms; allow bluetooth_t self:socket create_stream_socket_perms; allow bluetooth_t self:unix_dgram_socket create_socket_perms; debian/patches/policykit.patch0000664000000000000000000000762511364166674013677 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/policykit.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/policykit.fc 2010-04-22 17:31:46.360393273 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/policykit.fc 2010-04-22 17:45:08.640564552 -0700 
@@ -8,8 +8,12 @@ /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) /usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) +/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) + /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) +/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/policykit.if =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/policykit.if 2010-04-22 17:31:46.380394360 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/policykit.if 2010-04-22 17:45:08.640564552 -0700 @@ -23,6 +23,24 @@ ######################################## ## +## Execute a domain transition to run polkit +## +## +## +## Domain allowed to transition. +## +## +# +interface(`policykit_domtrans',` + gen_require(` + type policykit_t, policykit_exec_t; + ') + + domtrans_pattern($1, policykit_exec_t, policykit_t) +') + +######################################## +## ## Execute a domain transition to run polkit_auth. ## ## 
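Review bot: The new policykit.fc entry labels `/usr/lib/policykit-1/polkit-agent-helper-1` as `policykit_resolve_exec_t`, the type used two lines above for `polkit-resolve-exe-helper`. Judging by its name, the agent helper is the authentication helper rather than the exe-resolver, so it probably belongs in the polkit_auth domain that this module already defines (see the "polkit_auth local policy" section and `policykit_domtrans_auth`). Please confirm which domain the helper is expected to run in. If it is the auth domain, label it with that domain's executable type, or else add a comment explaining why the resolve domain is correct.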
@@ -172,6 +190,24 @@ ######################################## ## +## Read polkit pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`policykit_read_pid_files',` + gen_require(` + type policykit_var_run_t; + ') + + read_files_pattern($1, policykit_var_run_t, policykit_var_run_t) +') + +######################################## +## ## Search policykit lib directories. ## ## Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/policykit.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/policykit.te 2010-04-22 17:31:46.360393273 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/policykit.te 2010-04-22 17:45:08.680423838 -0700 @@ -36,8 +36,8 @@ # policykit local policy # -allow policykit_t self:capability { setgid setuid }; -allow policykit_t self:process getattr; +allow policykit_t self:capability { setgid setuid sys_ptrace }; +allow policykit_t self:process { getattr getsched }; allow policykit_t self:fifo_file rw_file_perms; allow policykit_t self:unix_dgram_socket create_socket_perms; allow policykit_t self:unix_stream_socket create_stream_socket_perms; 
@@ -70,6 +70,30 @@ userdom_read_all_users_state(policykit_t) +fs_list_inotifyfs(policykit_t) + +optional_policy(` + dbus_system_bus_client(policykit_t) + dbus_session_bus_client(policykit_t) + dbus_connect_system_bus(policykit_t) + + optional_policy(` + consolekit_dbus_chat(policykit_t) + ') + + optional_policy(` + networkmanager_dbus_chat(policykit_t) + ') + + optional_policy(` + consolekit_dbus_chat(policykit_t) + ') + + optional_policy(` + unconfined_dbus_chat(policykit_t) + ') +') + ######################################## # # polkit_auth local policy debian/patches/cron.patch0000664000000000000000000000135311364166725012616 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/cron.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/cron.te 2010-04-22 17:31:47.420788120 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/cron.te 2010-04-22 17:45:08.260627484 -0700 @@ -217,6 +217,7 @@ miscfiles_read_localization(crond_t) +userdom_dbus_chat_all_users(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) @@ -259,6 +260,14 @@ ') optional_policy(` + consolekit_dbus_chat(crond_t) +') + +optional_policy(` + dbus_system_bus_client(crond_t) +') + +optional_policy(` hal_dbus_chat(crond_t) ') debian/patches/ssh.patch0000664000000000000000000000304711364166744012455 0ustar --- policy/modules/services/ssh.fc | 2 ++ policy/modules/services/ssh.te | 6 ++++++ 2 files changed, 8 insertions(+) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/ssh.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/ssh.fc 2010-04-22 17:31:48.189299232 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/ssh.fc 2010-04-22 17:45:08.020684764 -0700 
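Review bot: The policykit.te hunk at -70 adds `optional_policy(` consolekit_dbus_chat(policykit_t) ')` twice inside the same outer block, once before and once after the networkmanager block. The second copy is redundant and looks like a paste error, possibly standing in for a different `*_dbus_chat` call. Remove the duplicate, or replace it with the interface that was intended.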
@@ -1,4 +1,6 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) +/root/\.ssh(/.*)? gen_context(unconfined_u:object_r:home_ssh_t,s0) + /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/ssh.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/ssh.te 2010-04-22 17:31:48.199258886 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/ssh.te 2010-04-22 17:45:08.020684764 -0700 @@ -310,6 +310,8 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) +userdom_dbus_chat_all_users(sshd_t) + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to @@ -323,6 +325,10 @@ ') optional_policy(` + consolekit_dbus_chat(sshd_t) +') + +optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') debian/patches/hal.patch0000664000000000000000000000314711364166742012423 0ustar fstools should be in an optional hal wants to setattr sound_device_t and removable_device_t so, in anticipation of it trying to setattr more devices, i allowed it to setattr all character and block devices the var_lib and var_run access is happening as a result of PolicyKit --- policy/modules/services/hal.te | 11 +++++++++++ 1 file changed, 11 insertions(+) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/hal.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/hal.te 2010-04-22 17:31:48.109142744 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/hal.te 2010-04-22 17:45:08.050699470 -0700 
@@ -122,6 +122,8 @@ dev_rw_printer(hald_t) dev_read_lvm_control(hald_t) dev_getattr_all_chr_files(hald_t) +dev_setattr_all_chr_files(hald_t) +dev_setattr_all_blk_files(hald_t) dev_manage_generic_chr_files(hald_t) dev_rw_generic_usb_dev(hald_t) dev_setattr_generic_usb_dev(hald_t) @@ -143,7 +145,11 @@ files_manage_mnt_files(hald_t) files_manage_mnt_symlinks(hald_t) files_search_var_lib(hald_t) +# reading /var/lib/misc/PolicyKit.reload and /var/lib/misc/usb.ids +files_read_var_lib_files(hald_t) files_read_usr_files(hald_t) +# /usr/lib/polkit-read-auth is doing this for /var/run/PolicyKit/user-USERNAME.auths +files_read_generic_pids(hald_t) # hal is now execing pm-suspend files_create_boot_flag(hald_t) files_getattr_all_dirs(hald_t) @@ -297,6 +303,11 @@ ') optional_policy(` + policykit_read_lib(hald_t) + policykit_read_pid_files(hald_t) +') + +optional_policy(` rpc_search_nfs_state_data(hald_t) ') debian/patches/modemmanager.patch0000664000000000000000000000123711364166663014313 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/modemmanager.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/modemmanager.te 2010-04-22 17:31:46.270392772 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/modemmanager.te 2010-04-22 17:45:08.690565542 -0700 
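Review bot: `dev_setattr_all_chr_files(hald_t)` and `dev_setattr_all_blk_files(hald_t)` in the -122 hunk let hald change attributes on every character and block device node. The patch description says the observed need was only `sound_device_t` and `removable_device_t`, and that the rest was granted "in anticipation". Setattr on all device nodes includes disks and memory devices, so a compromised hald could loosen their permissions. Grant only what was seen in the denials, for example `dev_setattr_sound_dev(hald_t)` and `storage_setattr_removable_dev(hald_t)`, and add further device classes as real denials appear.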
@@ -17,6 +17,7 @@ # ModemManager local policy # +allow modemmanager_t self:process getsched; allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; debian/patches/dbus.patch0000664000000000000000000001610111364166740012604 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/dbus.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/dbus.fc 2010-04-22 17:31:48.049196792 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/dbus.fc 2010-04-22 17:45:08.060496902 -0700 @@ -15,3 +15,10 @@ ifdef(`distro_redhat',` /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) ') + +/usr/bin/system-tools-backends -- gen_context(system_u:object_r:stb_exec_t,s0) +/usr/share/system-tools-backends-2\.0/scripts/SystemToolsBackends\.pl -- gen_context(system_u:object_r:stb_exec_t,s0) + +/var/cache/system-tools-backends(/.*)? gen_context(system_u:object_r:stb_var_cache_t,s0) + +/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/dbus.if =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/dbus.if 2010-04-22 17:31:48.069143854 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/dbus.if 2010-04-22 17:45:08.060496902 -0700 @@ -182,6 +182,7 @@ # SE-DBus specific permissions allow $1 { system_dbusd_t self }:dbus send_msg; + allow system_dbusd_t $1:dbus send_msg; read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) 
@@ -405,3 +406,22 @@ typeattribute $1 dbusd_unconfined; ') + +######################################## +## +## Do not audit attempts to inherit file +## descriptors from system dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`dbus_dontaudit_use_fds',` + gen_require(` + type system_dbusd_t; + ') + + dontaudit $1 system_dbusd_t:fd use; +') Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/dbus.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/dbus.te 2010-04-22 17:31:48.059143334 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/dbus.te 2010-04-22 17:45:08.070440321 -0700 @@ -46,6 +46,18 @@ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) ') +type stb_exec_t; +corecmd_executable_file(stb_exec_t) + +type stb_t; +init_daemon_domain(stb_t, stb_exec_t) + +type stb_var_run_t; +files_pid_file(stb_var_run_t) + +type stb_var_cache_t; +files_type(stb_var_cache_t) + ############################## # # System bus local policy @@ -65,6 +77,9 @@ can_exec(system_dbusd_t, dbusd_exec_t) +can_exec(system_dbusd_t, dbusd_exec_t) +domtrans_pattern(system_dbusd_t, stb_exec_t, stb_t) + allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) 
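Review bot: The dbus.te hunk at -65 adds `can_exec(system_dbusd_t, dbusd_exec_t)` immediately after an identical context line, so the added line has no effect. Drop the duplicate and keep only the new `domtrans_pattern(system_dbusd_t, stb_exec_t, stb_t)`. A one-line comment above that rule, such as `# system-tools-backends is started by bus activation`, would also explain why the bus daemon needs the transition.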
@@ -75,9 +90,11 @@ read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file) +files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir sock_file }) +filetrans_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t, { file sock_file }) kernel_read_system_state(system_dbusd_t) kernel_read_kernel_sysctls(system_dbusd_t) @@ -86,6 +103,7 @@ dev_read_sysfs(system_dbusd_t) fs_getattr_all_fs(system_dbusd_t) +fs_list_inotifyfs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) fs_dontaudit_list_nfs(system_dbusd_t) @@ -108,6 +126,7 @@ auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) +corecmd_exec_bin(system_dbusd_t) corecmd_list_bin(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t) @@ -119,6 +138,7 @@ files_list_home(system_dbusd_t) files_read_usr_files(system_dbusd_t) +init_domtrans_script(system_dbusd_t) init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) 
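Review bot: `corecmd_exec_bin(system_dbusd_t)` in the -108 hunk lets the system bus daemon execute any generically labelled binary without a domain transition, so an activated service that lacks its own executable type runs with the bus daemon's permissions. `init_domtrans_script(system_dbusd_t)` in the -119 hunk additionally lets it enter the init script domain. The -145 hunk already adds explicit `*_domtrans` calls for the known activated services, and that is the tighter pattern. Unless a specific helper needs it, drop `corecmd_exec_bin`, or at least comment both lines with the binary that triggered them.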
@@ -145,6 +165,48 @@ ') optional_policy(` + consolekit_domtrans(system_dbusd_t) + consolekit_read_pid_files(system_dbusd_t) +') + +optional_policy(` + apt_domtrans(system_dbusd_t) +') + +optional_policy(` + devicekit_domtrans_disk(system_dbusd_t) + devicekit_domtrans_power(system_dbusd_t) +') + +optional_policy(` + gnomeclock_domtrans(system_dbusd_t) +') + +optional_policy(` + hal_domtrans(system_dbusd_t) +') + +optional_policy(` + mount_domtrans(system_dbusd_t) +') + +optional_policy(` + networkmanager_domtrans(system_dbusd_t) +') + +optional_policy(` + ntp_domtrans(system_dbusd_t) +') + +optional_policy(` + policykit_domtrans(system_dbusd_t) +') + +optional_policy(` + rtkit_daemon_domtrans(system_dbusd_t) +') + +optional_policy(` sysnet_domtrans_dhcpc(system_dbusd_t) ') 
@@ -158,3 +220,89 @@ # allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; + +############################## +# +# system-tools-backends local policy + +# dac_override needed to move dirs in /var/cache/system-tools-backends/backup/ +# setuid needed to run pppd +allow stb_t self:capability { dac_override fsetid sys_ptrace }; +allow stb_t self:process signal; +allow stb_t self:fifo_file rw_fifo_file_perms; +allow stb_t self:unix_stream_socket { connectto create_stream_socket_perms }; + +manage_files_pattern(stb_t, stb_var_run_t, stb_var_run_t) +files_pid_filetrans(stb_t, stb_var_run_t, file) + +manage_dirs_pattern(stb_t, stb_var_cache_t, stb_var_cache_t) +manage_files_pattern(stb_t, stb_var_cache_t, stb_var_cache_t) +manage_lnk_files_pattern(stb_t, stb_var_cache_t, stb_var_cache_t) +files_var_filetrans(stb_t, stb_var_cache_t, { file dir }) + +corecmd_exec_bin(stb_t) +corecmd_exec_shell(stb_t) + +dev_read_urand(stb_t) + +domain_read_all_domains_state(stb_t) + +# manages init script symlinks +files_manage_etc_symlinks(stb_t) +# modifies /etc/network/interfaces +files_rw_etc_files(stb_t) +files_read_usr_files(stb_t) +files_read_usr_symlinks(stb_t) +files_read_var_lib_files(stb_t) + +fs_list_inotifyfs(stb_t) + +# reads /proc/meminfo +kernel_read_system_state(stb_t) + +init_domtrans_script(stb_t) +init_rw_utmp(stb_t) + +logging_send_syslog_msg(stb_t) + +miscfiles_read_localization(stb_t) + +sysnet_domtrans_dhcpc(stb_t) +sysnet_domtrans_ifconfig(stb_t) +sysnet_read_config(stb_t) + +optional_policy(` + avahi_domtrans(stb_t) +') + +optional_policy(` + consolekit_dbus_chat(stb_t) +') + +optional_policy(` + dbus_connect_system_bus(stb_t) + dbus_system_bus_client(stb_t) +') + +optional_policy(` + networkmanager_domtrans(stb_t) +') + +optional_policy(` + ntp_domtrans_ntpdate(stb_t) +') + +optional_policy(` + policykit_domtrans_auth(stb_t) + policykit_read_lib(stb_t) +') + +optional_policy(` + unconfined_dbus_chat(stb_t) +') + +optional_policy(` + 
usermanage_domtrans_useradd(stb_t) + usermanage_domtrans_chfn(stb_t) + usermanage_domtrans_groupadd(stb_t) +') debian/patches/dhcp.patch0000664000000000000000000000100711364162476012566 0ustar diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te index a4d3f40..0a7e402 100644 --- a/policy/modules/services/dhcp.te +++ b/policy/modules/services/dhcp.te @@ -111,9 +111,16 @@ optional_policy(` bind_read_dnssec_keys(dhcpd_t) ') +gen_require(` + class dbus all_dbus_perms; +') + optional_policy(` dbus_system_bus_client(dhcpd_t) dbus_connect_system_bus(dhcpd_t) +',` + allow dhcpd_t domain:dbus all_dbus_perms; + allow domain dhcpd_t:dbus all_dbus_perms; ') optional_policy(` debian/patches/rtkit.patch0000664000000000000000000000200111364166702012774 0ustar Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/rtkit.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/rtkit.fc 2010-04-22 17:31:46.700621632 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/rtkit.fc 2010-04-22 17:45:08.480476504 -0700 @@ -1 +1,2 @@ /usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) +/usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/rtkit.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/rtkit.te 2010-04-22 17:31:46.680881369 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/rtkit.te 2010-04-22 17:45:08.480476504 -0700 
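Review bot: The comment above `allow stb_t self:capability { dac_override fsetid sys_ptrace };` in the system-tools-backends section says `setuid needed to run pppd`, but the rule grants no `setuid`, and `fsetid` and `sys_ptrace` are not explained. This hunk begins on the previous physical line. Make the comment match the rule, for example `# dac_override: move dirs in /var/cache/system-tools-backends/backup/` followed by a line justifying `fsetid` and `sys_ptrace`, or drop any capability that was not seen in a denial. `sys_ptrace` particularly needs a reason, because `domain_read_all_domains_state(stb_t)` is granted further down.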
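Review bot: The else branch added to `optional_policy` in dhcp.te, `allow dhcpd_t domain:dbus all_dbus_perms;` and `allow domain dhcpd_t:dbus all_dbus_perms;`, grants every D-Bus permission between dhcpd and every domain. That is far broader than the two client interfaces in the first branch. It also applies only when the dbus module is unavailable, which is the case where no D-Bus access should be needed. The top-level `gen_require` for `class dbus` makes the module depend on the class regardless, and `domain` does not appear in any require in this hunk. Remove the else branch and the `gen_require` block, leaving `dbus_system_bus_client(dhcpd_t)` and `dbus_connect_system_bus(dhcpd_t)` in the optional block as before.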
@@ -33,3 +33,7 @@ optional_policy(` policykit_dbus_chat(rtkit_daemon_t) ') + +optional_policy(` + unconfined_dbus_chat(rtkit_daemon_t) +') debian/patches/usermanage.patch0000664000000000000000000000662511364166727014015 0ustar useradd must be able to create user home directories ubuntu has a symlink: /etc/skel/Examples -> /usr/share/example-content --- policy/modules/admin/usermanage.fc | 2 ++ policy/modules/admin/usermanage.te | 27 +++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/admin/usermanage.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/admin/usermanage.fc 2010-04-22 17:31:47.669341112 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/admin/usermanage.fc 2010-04-22 17:45:08.220657750 -0700 @@ -23,7 +23,9 @@ /usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) +/usr/sbin/adduser -- gen_context(system_u:object_r:useradd_exec_t,s0) /usr/sbin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0) +/usr/sbin/deluser -- gen_context(system_u:object_r:useradd_exec_t,s0) /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/admin/usermanage.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/admin/usermanage.te 2010-04-22 17:31:47.659299252 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/admin/usermanage.te 2010-04-22 17:45:08.220657750 -0700 
@@ -204,6 +204,8 @@ init_read_utmp(groupadd_t) init_dontaudit_write_utmp(groupadd_t) +dev_read_urand(groupadd_t) + domain_use_interactive_fds(groupadd_t) files_manage_etc_files(groupadd_t) @@ -234,6 +236,10 @@ userdom_dontaudit_search_user_home_dirs(groupadd_t) optional_policy(` + dbus_dontaudit_use_fds(groupadd_t) +') + +optional_policy(` dpkg_use_fds(groupadd_t) dpkg_rw_pipes(groupadd_t) ') @@ -449,12 +455,17 @@ # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) +dev_read_urand(useradd_t) + domain_use_interactive_fds(useradd_t) files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) files_relabel_etc_files(useradd_t) files_read_etc_runtime_files(useradd_t) +# adduser script is written in perl, so needs to read pms +files_read_usr_symlinks(useradd_t) +files_read_usr_files(useradd_t) fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) 
@@ -498,13 +509,29 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories +userdom_manage_user_home_dirs(useradd_t) userdom_manage_user_home_content_dirs(useradd_t) userdom_manage_user_home_content_files(useradd_t) +userdom_manage_user_home_content_symlinks(useradd_t) userdom_home_filetrans_user_home_dir(useradd_t) userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) mta_manage_spool(useradd_t) +# adduser script runs other utilities +can_exec(useradd_t, useradd_exec_t) +usermanage_domtrans_chfn(useradd_t) +usermanage_domtrans_groupadd(useradd_t) + +optional_policy(` + # wants to run crontab when deleting a user + cron_role(system_u, useradd_t) +') + +optional_policy(` + dbus_dontaudit_use_fds(useradd_t) +') + ifdef(`distro_redhat',` optional_policy(` unconfined_domain(useradd_t) debian/patches/cups.patch0000664000000000000000000000277011364166745012635 0ustar most of this is carryover from previous policy for ubuntu. not sure if or how much of this stuff is needed. --- policy/modules/services/cups.te | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/services/cups.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/services/cups.te 2010-04-22 17:31:48.249236822 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/services/cups.te 2010-04-22 17:45:08.010418968 -0700 
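Review bot: In the usermanage.te hunk at `@@ -498,13 +509,29 @@`, `cron_role(system_u, useradd_t)` passes an SELinux user where, as far as I recall the refpolicy interface, `cron_role` expects a role as its first argument. `system_u` looks like a typo for `system_r`, so the line should read `cron_role(system_r, useradd_t)`. The comment says the only need is to run crontab when deleting a user, while `cron_role` is a whole-role interface and probably grants more than that; a narrower crontab transition interface would fit the stated purpose better if the cron module offers one. The useradd_t section continues outside the hunk.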
@@ -139,10 +139,11 @@ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) allow cupsd_t cupsd_var_run_t:dir setattr; +manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file }) +files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file dir }) allow cupsd_t hplip_t:process { signal sigkill }; @@ -653,10 +654,10 @@ miscfiles_read_localization(hplip_t) sysnet_read_config(hplip_t) +sysnet_read_dhcpc_pid(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(hplip_t) -userdom_dontaudit_search_user_home_dirs(hplip_t) -userdom_dontaudit_search_user_home_content(hplip_t) +userdom_search_user_home_content(cupsd_t) lpd_read_config(hplip_t) lpd_manage_spool(hplip_t) debian/patches/bashisms.patch0000664000000000000000000000132511364166757013472 0ustar Index: refpolicy-ubuntu-0.2.20091117/Makefile =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/Makefile 2010-04-22 17:31:48.619236802 -0700 +++ refpolicy-ubuntu-0.2.20091117/Makefile 2010-04-22 17:45:07.900445245 -0700 
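Review bot: In the second cups.te hunk (`@@ -653,10 +654,10 @@`), the two added rules name `cupsd_t` but sit in the middle of the `hplip_t` local policy, where they replace two `hplip_t` dontaudit rules. `userdom_search_user_home_content(cupsd_t)` gives the print daemon search access into user home content, and the patch description itself says it is unclear how much of this is needed. I would move both `cupsd_t` lines to the cupsd_t section with a comment naming the denial they fix, e.g. `# Ubuntu: <reason placeholder>`. I would also keep `userdom_dontaudit_search_user_home_dirs(hplip_t)` and `userdom_dontaudit_search_user_home_content(hplip_t)` unless their removal is intended.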
@@ -598,7 +598,7 @@ --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \ --regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \ --regex-te='/^[ \t]*template\(`(\w+)/\1/i,template/' \ - --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt + --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' `find . -name '*.te' -o -name '*.if'` policy/support/*.spt ######################################## # debian/patches/libraries.patch0000664000000000000000000000243611364166710013626 0ustar --- policy/modules/system/libraries.fc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/libraries.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/libraries.fc 2010-04-22 17:31:47.040705167 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/libraries.fc 2010-04-22 17:45:08.370491929 -0700 @@ -160,6 +160,8 @@ /usr/lib -l gen_context(system_u:object_r:lib_t,s0) ') +/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ifdef(`distro_redhat',` /usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:lib_t,s0) 
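Review bot: In the Makefile hunk, `find . -name '*.te' -o -name '*.if'` searches the whole source tree, whereas the glob it replaces only covered `policy/modules/*/`. In a quilt-managed tree that can also pick up backup copies and anything under debian/. Rooting the search at the policy directory keeps the old scope: `find policy/modules -name '*.te' -o -name '*.if'`. The recipe this line belongs to starts above the hunk.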
@@ -172,7 +174,6 @@ HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) debian/patches/series0000664000000000000000000000072111743657403012046 0ustar bashisms.patch conf.patch users.patch xserver.patch sysnetwork.patch cups.patch ssh.patch hal.patch dbus.patch bluetooth.patch avahi.patch networkmanager.patch consolekit.patch usermanage.patch cron.patch corecommands.patch userdomain.patch fstools.patch kernel.patch locallogin.patch unconfined.patch libraries.patch init.patch mount.patch udev.patch devtmpfs.patch rtkit.patch devkit.patch gnome.patch apt.patch policykit.patch modemmanager.patch fix-ftbfs.patch debian/patches/mount.patch0000664000000000000000000000245511364166706013022 0ustar --- policy/modules/system/mount.fc | 1 + policy/modules/system/mount.te | 7 +++++++ 2 files changed, 8 insertions(+) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/mount.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/mount.fc 2010-04-22 17:31:46.900600664 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/mount.fc 2010-04-22 17:45:08.440470988 -0700 
@@ -2,3 +2,4 @@ /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/mountall -- gen_context(system_u:object_r:mount_exec_t,s0) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/mount.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/mount.te 2010-04-22 17:31:46.890466350 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/mount.te 2010-04-22 17:45:08.440470988 -0700 @@ -193,7 +193,13 @@ # Unconfined mount local policy # +unconfined_dbus_chat(unconfined_mount_t) + optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) unconfined_domain(unconfined_mount_t) ') + +optional_policy(` + hal_dbus_chat(unconfined_mount_t) +') debian/patches/unconfined.patch0000664000000000000000000000154311364166712014002 0ustar --- policy/modules/system/unconfined.te | 6 ++++++ 1 file changed, 6 insertions(+) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/unconfined.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/unconfined.te 2010-04-22 17:31:47.090517163 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/unconfined.te 2010-04-22 17:45:08.360434231 -0700 @@ -14,6 +14,8 @@ userdom_manage_tmp_role(unconfined_r, unconfined_t) userdom_manage_tmpfs_role(unconfined_r, unconfined_t) +allow unconfined_r system_r; + type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) 
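Review bot: In the mount.te hunk (`@@ -193,7 +193,13 @@`), `unconfined_dbus_chat(unconfined_mount_t)` is added at top level, while the neighbouring `unconfined_domain(unconfined_mount_t)` and the new `hal_dbus_chat` call are both wrapped in `optional_policy`. A top-level call makes the mount module depend on the unconfined module being present; rtkit.patch wraps the same interface in `optional_policy`. Moving the line into the existing optional block next to `unconfined_domain(unconfined_mount_t)` keeps the module loadable without it.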
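Review bot: In the first unconfined.te hunk (`@@ -14,6 +14,8 @@`), `allow unconfined_r system_r;` is added with no comment, and the patch carries no description. The rule permits a role change from `unconfined_r` to `system_r`, which is a policy-wide decision a maintainer will want explained. I would add a comment above it such as `# Ubuntu: unconfined_r may change role to system_r (needed for <reason placeholder>)`.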
@@ -81,6 +83,10 @@ dbus_stub(unconfined_t) + ifdef(`distro_ubuntu',` + dbus_system_bus_client(unconfined_t) + ') + optional_policy(` avahi_dbus_chat(unconfined_t) ') debian/patches/userdomain.patch0000664000000000000000000000467111364166720014024 0ustar added an interface to allow a domain to send and recv dbus messages from all userdomains --- policy/modules/system/userdomain.fc | 7 ++++++ policy/modules/system/userdomain.if | 40 ++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/userdomain.fc =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/userdomain.fc 2010-04-22 17:31:47.320507269 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/userdomain.fc 2010-04-22 17:45:08.280529004 -0700 @@ -2,3 +2,9 @@ HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) + +/root/.* unconfined_u:object_r:user_home_t:s0 +/root -d unconfined_u:object_r:user_home_dir_t:s0 +/root/lost\+found/.* <> +/root/\.journal <> +/root/lost\+found -d system_u:object_r:lost_found_t:s0 Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/userdomain.if =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/userdomain.if 2010-04-22 17:31:47.310476190 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/userdomain.if 2010-04-22 17:45:08.280529004 -0700 @@ -2920,6 +2920,24 @@ ######################################## ## +## Ptrace all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_ptrace_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process ptrace; +') + +######################################## +## ## Read the process state of all user domains. ## ## 
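Review bot: In the userdomain.fc hunk (`@@ -2,3 +2,9 @@`), the new `/root` entries spell contexts out literally with a hard-coded `:s0`, while the existing lines in the same file use `gen_context(...)`. Literal contexts skip the macro that adds or drops the MLS/MCS field according to the build type, so these entries are only valid for one configuration. Writing them like their neighbours, e.g. `/root -d gen_context(unconfined_u:object_r:user_home_dir_t,s0)`, keeps them consistent.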
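Review bot: The first userdomain.if hunk (`@@ -2920,6 +2920,24 @@`) adds `userdom_ptrace_all_users`, which the patch description does not mention; it only describes the dbus chat interface. `allow $1 userdomain:process ptrace;` lets the caller trace every process in any user domain, so the interface summary should say that it is a high-privilege grant and name its intended caller. On this page the only caller is `polkit_resolve_t` in old/polkit.patch, which is not listed in the series file. If nothing in the applied patches uses it, leaving the interface out is the simpler choice.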
@@ -2934,6 +2952,7 @@ ') read_files_pattern($1, userdomain, userdomain) + read_lnk_files_pattern($1, userdomain, userdomain) kernel_search_proc($1) ') @@ -3064,3 +3083,23 @@ allow $1 userdomain:dbus send_msg; ') + +######################################## +## +## Send and receive messages from all user domains over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dbus_chat_all_users',` + gen_require(` + attribute userdomain; + class dbus send_msg; + ') + + allow $1 userdomain:dbus send_msg; + allow userdomain $1:dbus send_msg; +') debian/patches/locallogin.patch0000664000000000000000000000126311364166713013775 0ustar --- policy/modules/system/locallogin.te | 1 + 1 file changed, 1 insertion(+) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/system/locallogin.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/system/locallogin.te 2010-04-22 17:31:47.140393678 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/system/locallogin.te 2010-04-22 17:45:08.320622451 -0700 @@ -129,6 +129,7 @@ miscfiles_read_localization(local_login_t) +userdom_dbus_chat_all_users(local_login_t) userdom_spec_domtrans_all_users(local_login_t) userdom_signal_all_users(local_login_t) userdom_search_user_home_content(local_login_t) debian/patches/kernel.patch0000664000000000000000000000133511364166715013134 0ustar --- policy/modules/kernel/kernel.te | 1 + 1 file changed, 1 insertion(+) Index: refpolicy-ubuntu-0.2.20091117/policy/modules/kernel/kernel.te =================================================================== --- refpolicy-ubuntu-0.2.20091117.orig/policy/modules/kernel/kernel.te 2010-04-22 17:31:47.180559722 -0700 +++ refpolicy-ubuntu-0.2.20091117/policy/modules/kernel/kernel.te 2010-04-22 17:45:08.310583688 -0700 
@@ -386,4 +386,5 @@ allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; +allow kern_unconfined unlabeled_t:peer *; allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; debian/patches/old/0000775000000000000000000000000011364162476011407 5ustar debian/patches/old/polkit.patch0000664000000000000000000003355311364162476013743 0ustar --- policy/modules/services/polkit.fc | 16 ++ policy/modules/services/polkit.if | 267 ++++++++++++++++++++++++++++++++++++++ policy/modules/services/polkit.te | 238 +++++++++++++++++++++++++++++++++ 3 files changed, 521 insertions(+) Index: b/policy/modules/services/polkit.fc =================================================================== --- /dev/null +++ b/policy/modules/services/polkit.fc 
@@ -0,0 +1,17 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) +/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) +/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0) +/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) + +/usr/lib/policykit-1/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) +/usr/lib/policykit-1/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) +/usr/lib/policykit-1/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0) +/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0) +/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) + +/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) +/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) +/var/lib/misc/PolicyKit.reload -- gen_context(system_u:object_r:polkit_var_lib_t,s0) + Index: b/policy/modules/services/polkit.if =================================================================== --- /dev/null +++ b/policy/modules/services/polkit.if 
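Review bot: In the new polkit.fc, `/usr/lib/policykit-1/polkit-agent-helper-1` is labelled `polkit_resolve_exec_t`, the same type as the resolve-exe helper on the line above, which looks like a copy-paste. polkit.te in this patch gives `polkit_resolve_t` the `sys_ptrace` capability and `userdom_ptrace_all_users`, so the agent helper would start in the most privileged polkit domain. It should get the type whose domain matches what it does, presumably one of the auth or grant types, to be confirmed. Separately, the dot in `/var/lib/misc/PolicyKit.reload` is unescaped and matches any character; `PolicyKit\.reload` is the exact form.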
@@ -0,0 +1,267 @@ + +## policy for polkit_auth + +######################################## +## +## Execute a domain transition to run polkitd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`polkit_domtrans',` + gen_require(` + type polkit_t; + type polkit_exec_t; + ') + + domtrans_pattern($1, polkit_exec_t, polkit_t) +') + +######################################## +## +## Execute a domain transition to run polkit_auth. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`polkit_domtrans_auth',` + gen_require(` + type polkit_auth_t; + type polkit_auth_exec_t; + ') + + domtrans_pattern($1, polkit_auth_exec_t, polkit_auth_t) +') + +######################################## +## +## Read polkit pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_read_pid_files',` + gen_require(` + type polkit_var_run_t; + ') + + read_files_pattern($1, polkit_var_run_t, polkit_var_run_t) +') + +######################################## +## +## Search polkit lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_search_lib',` + gen_require(` + type polkit_var_lib_t; + ') + + allow $1 polkit_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## read polkit lib files +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_read_lib',` + gen_require(` + type polkit_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) +') + +######################################## +## +## Execute a domain transition to run polkit_grant. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`polkit_domtrans_grant',` + gen_require(` + type polkit_grant_t; + type polkit_grant_exec_t; + ') + + domtrans_pattern($1, polkit_grant_exec_t, polkit_grant_t) +') + +######################################## +## +## Execute a domain transition to run polkit_resolve. 
+## +## +## +## Domain allowed to transition. +## +## +# +interface(`polkit_domtrans_resolve',` + gen_require(` + type polkit_resolve_t; + type polkit_resolve_exec_t; + ') + + domtrans_pattern($1, polkit_resolve_exec_t, polkit_resolve_t) + + allow polkit_resolve_t $1:dir list_dir_perms; + read_files_pattern(polkit_resolve_t, $1, $1) + read_lnk_files_pattern(polkit_resolve_t, $1, $1) + allow polkit_resolve_t $1:process getattr; +') + +######################################## +## +## Execute a policy_grant in the policy_grant domain, and +## allow the specified role the policy_grant domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the load_policy domain. +## +## +## +## +## The type of the terminal allow the load_policy domain to use. +## +## +## +# +interface(`polkit_run_grant',` + gen_require(` + type polkit_grant_t; + ') + + polkit_domtrans_grant($1) + role $2 types polkit_grant_t; + allow polkit_grant_t $3:chr_file rw_term_perms; + allow $1 polkit_grant_t:process signal; + read_files_pattern(polkit_grant_t, $1, $1) + allow polkit_grant_t $1:process getattr; +') + +######################################## +## +## Execute a policy_auth in the policy_auth domain, and +## allow the specified role the policy_auth domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the load_policy domain. +## +## +## +## +## The type of the terminal allow the load_policy domain to use. +## +## +# +interface(`polkit_run_auth',` + gen_require(` + type polkit_auth_t; + ') + + polkit_domtrans_auth($1) + role $2 types polkit_auth_t; + allow polkit_auth_t $3:chr_file rw_term_perms; +') + +####################################### +## +## The per role template for the nsplugin module. +## +## +##

+## This template creates a derived domains which are used +## for nsplugin web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +## +# +template(`polkit_per_role_template',` + polkit_run_auth($2, $3, { $1_devpts_t $1_tty_device_t }) + polkit_run_grant($2, $3, { $1_devpts_t $1_tty_device_t }) + polkit_read_lib($2) +') + +######################################## +## +## Send and receive messages from +## polkit over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_dbus_chat',` + gen_require(` + type polkit_t; + class dbus send_msg; + ') + + allow $1 polkit_t:dbus send_msg; + allow polkit_t $1:dbus send_msg; +') Index: b/policy/modules/services/polkit.te =================================================================== --- /dev/null +++ b/policy/modules/services/polkit.te 
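Review bot: Several interface summaries in the new polkit.if were copied from other modules and no longer describe the code. `polkit_run_grant` and `polkit_run_auth` speak of `policy_grant`/`policy_auth` and of "the load_policy domain", and `polkit_per_role_template` is described as the per role template for the nsplugin module. Since these comments feed the generated interface documentation, I would correct them, e.g. `## The role to be allowed the polkit_grant domain.` and `## The per role template for the polkit module.`. `polkit_domtrans_resolve` and `polkit_run_grant` also grant the polkit domain read access to the caller's process state, which the summaries should mention.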
@@ -0,0 +1,238 @@ +policy_module(polkit_auth, 1.0.0) + +######################################## +# +# Declarations +# + +type polkit_t; +type polkit_exec_t; +init_daemon_domain(polkit_t, polkit_exec_t) + +type polkit_grant_t; +type polkit_grant_exec_t; +init_system_domain(polkit_grant_t, polkit_grant_exec_t) + +type polkit_resolve_t; +type polkit_resolve_exec_t; +init_system_domain(polkit_resolve_t, polkit_resolve_exec_t) + +type polkit_auth_t; +type polkit_auth_exec_t; +init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) + +type polkit_var_lib_t; +files_type(polkit_var_lib_t) + +type polkit_var_run_t; +files_pid_file(polkit_var_run_t) + +######################################## +# +# polkit local policy +# + +allow polkit_t self:capability { setgid setuid }; +allow polkit_t self:process getattr; + +allow polkit_t self:unix_dgram_socket create_socket_perms; +allow polkit_t self:fifo_file rw_file_perms; +allow polkit_t self:unix_stream_socket create_stream_socket_perms; + +polkit_domtrans_auth(polkit_t) +polkit_domtrans_resolve(polkit_t) + +can_exec(polkit_t, polkit_exec_t) +corecmd_exec_bin(polkit_t) + +dev_read_urand(polkit_t) + +domain_use_interactive_fds(polkit_t) + +files_read_etc_files(polkit_t) +files_read_usr_files(polkit_t) + +fs_list_inotifyfs(polkit_t) + +kernel_read_kernel_sysctls(polkit_t) + +auth_use_nsswitch(polkit_t) + +libs_use_ld_so(polkit_t) +libs_use_shared_libs(polkit_t) + +miscfiles_read_localization(polkit_t) + +logging_send_syslog_msg(polkit_t) + +userdom_dbus_chat_all_users(polkit_t) +userdom_read_all_users_state(polkit_t) + +manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) + +# pid file +manage_dirs_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) +manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) +files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir }) + +optional_policy(` + dbus_system_bus_client(polkit_t) + dbus_connect_system_bus(polkit_t) + optional_policy(` + 
consolekit_dbus_chat(polkit_t) + ') +') + +######################################## +# +# polkit_auth local policy +# + +allow polkit_auth_t self:capability setgid; +allow polkit_auth_t self:process { getattr }; + +allow polkit_auth_t self:unix_dgram_socket create_socket_perms; +allow polkit_auth_t self:fifo_file rw_file_perms; +allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; + +can_exec(polkit_auth_t, polkit_auth_exec_t) +corecmd_search_bin(polkit_auth_t) + +dev_read_urand(polkit_auth_t) + +domain_use_interactive_fds(polkit_auth_t) + +files_read_etc_files(polkit_auth_t) +files_read_usr_files(polkit_auth_t) + +auth_use_nsswitch(polkit_auth_t) + +libs_use_ld_so(polkit_auth_t) +libs_use_shared_libs(polkit_auth_t) + +miscfiles_read_localization(polkit_auth_t) + +logging_send_syslog_msg(polkit_auth_t) + +manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) + +# pid file +manage_dirs_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) +manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) +files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir }) + +userdom_read_all_users_state(polkit_t) + +optional_policy(` + dbus_system_bus_client(polkit_auth_t) + consolekit_dbus_chat(polkit_auth_t) +') + +optional_policy(` + hal_getattr(polkit_auth_t) + hal_read_state(polkit_auth_t) +') + +optional_policy(` + unconfined_run_to(polkit_auth_t, polkit_auth_exec_t) +') + +######################################## +# +# polkit_grant local policy +# + +allow polkit_grant_t self:capability setuid; +allow polkit_grant_t self:process getattr; + +allow polkit_grant_t self:unix_dgram_socket create_socket_perms; +allow polkit_grant_t self:fifo_file rw_file_perms; +allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms; + +can_exec(polkit_grant_t, polkit_grant_exec_t) +corecmd_search_bin(polkit_grant_t) + +files_read_etc_files(polkit_grant_t) +files_read_usr_files(polkit_grant_t) + 
+auth_use_nsswitch(polkit_grant_t) +auth_domtrans_chk_passwd(polkit_grant_t) + +libs_use_ld_so(polkit_grant_t) +libs_use_shared_libs(polkit_grant_t) + +miscfiles_read_localization(polkit_grant_t) + +logging_send_syslog_msg(polkit_grant_t) + +polkit_domtrans_auth(polkit_grant_t) +polkit_domtrans_resolve(polkit_grant_t) + +manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t) + +manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) +userdom_read_all_users_state(polkit_grant_t) + +optional_policy(` + #dbus_system_bus_client_template(polkit_grant, polkit_grant_t) + dbus_system_bus_client(polkit_grant_t) + consolekit_dbus_chat(polkit_grant_t) +') + +#gen_require(` +# type system_crond_var_lib_t; +#') +# +#manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t) + +######################################## +# +# polkit_resolve local policy +# + +allow polkit_resolve_t self:capability { setuid sys_nice sys_ptrace }; +allow polkit_resolve_t self:process getattr; + +allow polkit_resolve_t self:unix_dgram_socket create_socket_perms; +allow polkit_resolve_t self:fifo_file rw_file_perms; +allow polkit_resolve_t self:unix_stream_socket create_stream_socket_perms; + +read_files_pattern(polkit_resolve_t, polkit_var_lib_t, polkit_var_lib_t) + +can_exec(polkit_resolve_t, polkit_resolve_exec_t) +corecmd_search_bin(polkit_resolve_t) + +polkit_domtrans_auth(polkit_resolve_t) + +files_read_etc_files(polkit_resolve_t) +files_read_usr_files(polkit_resolve_t) + +auth_use_nsswitch(polkit_resolve_t) + +libs_use_ld_so(polkit_resolve_t) +libs_use_shared_libs(polkit_resolve_t) + +miscfiles_read_localization(polkit_resolve_t) + +logging_send_syslog_msg(polkit_resolve_t) + +userdom_read_all_users_state(polkit_resolve_t) +userdom_ptrace_all_users(polkit_resolve_t) +mcs_ptrace_all(polkit_resolve_t) + +optional_policy(` + #dbus_system_bus_client_template(polkit_resolve, polkit_resolve_t) + dbus_system_bus_client(polkit_resolve_t) + 
optional_policy(` + consolekit_dbus_chat(polkit_resolve_t) + ') +') + +optional_policy(` + hal_getattr(polkit_resolve_t) + hal_read_state(polkit_resolve_t) +') + +#optional_policy(` +# unconfined_ptrace(polkit_resolve_t) +#') debian/patches/old/users.patch0000664000000000000000000000122411345550112013553 0ustar --- policy/users | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: refpolicy/policy/users =================================================================== --- refpolicy.orig/policy/users +++ refpolicy/policy/users @@ -30,7 +30,7 @@ gen_user(staff_u, staff, staff_r sysadm_ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # Until order dependence is fixed for users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) # # The following users correspond to Unix identities. debian/patches/old/xserver.patch0000664000000000000000000000121511345550112014110 0ustar --- policy/modules/services/xserver.te | 10 ++++++++++ 1 file changed, 10 insertions(+) Index: refpolicy/policy/modules/services/xserver.te =================================================================== --- refpolicy.orig/policy/modules/services/xserver.te +++ refpolicy/policy/modules/services/xserver.te 
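Review bot: In the polkit_auth local policy section of the new polkit.te, `userdom_read_all_users_state(polkit_t)` names `polkit_t`, which already received the same interface in its own section. The intended line is most likely `userdom_read_all_users_state(polkit_auth_t)`; as written, `polkit_auth_t` never gets the access and the rule is a duplicate. The file also opens with `policy_module(polkit_auth, 1.0.0)` although it is polkit.te. I would expect the module name to match the file name, i.e. `policy_module(polkit, 1.0.0)`.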
@@ -307,6 +307,16 @@ optional_policy(` consolekit_dbus_chat(xdm_t) ') +gen_require(` + class dbus all_dbus_perms; +') +optional_policy(` + dbus_stub(xdm_t) +',` + allow {xdm_t xdm_xserver_t} domain:dbus all_dbus_perms; + allow domain {xdm_t xdm_xserver_t}:dbus all_dbus_perms; +') + optional_policy(` consoletype_exec(xdm_t) ') debian/patches/old/search_dir_open.patch0000664000000000000000000000152611364162476015560 0ustar a bug in the kernel requires open perm on dir search. should be fixed in 2.6.29 --- policy/support/obj_perm_sets.spt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: b/policy/support/obj_perm_sets.spt =================================================================== --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -181,7 +181,7 @@ define(`create_shm_perms', `{ associate # define(`getattr_dir_perms',`{ getattr }') define(`setattr_dir_perms',`{ setattr }') -define(`search_dir_perms',`{ getattr search }') +define(`search_dir_perms',`{ getattr open search }') define(`list_dir_perms',`{ getattr search open read lock ioctl }') define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }') define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }') debian/patches/old/conf.patch0000664000000000000000000011010611345550112013337 0ustar --- build.conf | 8 config/appconfig-standard/seusers | 4 policy/booleans.conf | 452 +++++++++ policy/modules.conf | 1764 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 2222 insertions(+), 6 deletions(-) Index: refpolicy/build.conf =================================================================== --- refpolicy.orig/build.conf +++ refpolicy/build.conf @@ -27,7 +27,7 @@ NAME = refpolicy # for the distribution. # redhat, gentoo, debian, suse, and rhel4 are current options. # Fedora users should enable redhat. -#DISTRO = redhat +DISTRO = ubuntu # Unknown Permissions Handling # The behavior for handling permissions defined in the 
@@ -35,18 +35,18 @@ NAME = refpolicy # can either be allowed, denied, or the policy loading # can be rejected. # allow, deny, and reject are current options. -#UNK_PERMS = deny +UNK_PERMS = allow # Direct admin init # Setting this will allow sysadm to directly # run init scripts, instead of requring run_init. # This is a build option, as role transitions do # not work in conditional policy. -DIRECT_INITRC = n +DIRECT_INITRC = y # Build monolithic policy. Putting n here # will build a loadable module policy. -MONOLITHIC = y +MONOLITHIC = n # Number of MLS Sensitivities # The sensitivities will be s0 to s(MLS_SENS-1). Index: refpolicy/config/appconfig-standard/seusers =================================================================== --- refpolicy.orig/config/appconfig-standard/seusers +++ refpolicy/config/appconfig-standard/seusers @@ -1,3 +1,3 @@ system_u:system_u -root:root -__default__:user_u +root:unconfined_u +__default__:unconfined_u Index: refpolicy/policy/booleans.conf =================================================================== --- /dev/null +++ refpolicy/policy/booleans.conf 
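Review bot: In the second build.conf hunk (`@@ -35,18 +35,18 @@`), `UNK_PERMS = allow` is set without a comment. With this value, classes and permissions that the kernel defines but the policy does not are allowed rather than denied, so access the policy author never reviewed is granted silently. If the reason is to tolerate kernels newer than the policy, say so next to the setting, e.g. `# Ubuntu: allow unknown permissions so a newer kernel still boots; these permissions are not enforced`.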
@@ -0,0 +1,452 @@
+#
+# Enabling secure mode disallows programs, such as
+# newrole, from transitioning to administrative
+# user domains.
+#
+secure_mode = false
+
+#
+# Disable transitions to insmod.
+#
+secure_mode_insmod = false
+
+#
+# boolean to determine whether the system permits loading policy, setting
+# enforcing mode, and changing boolean values. Set this to true and you
+# have to reboot to set it back
+#
+secure_mode_policyload = false
+
+#
+# Control users use of ping and traceroute
+#
+user_ping = false
+
+#
+# Allow cdrecord to read various content.
+# nfs, samba, removable devices, user temp
+# and untrusted content files
+#
+cdrecord_read_content = false
+
+#
+# Allow java executable stack
+#
+allow_java_execstack = false
+
+#
+# Control mozilla content access
+#
+mozilla_read_content = false
+
+#
+# Allow mplayer executable stack
+#
+allow_mplayer_execstack = false
+
+#
+# Allow Apache to modify public files
+# used for public file transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+#
+allow_httpd_anon_write = false
+
+#
+# Allow Apache to use mod_auth_pam
+#
+allow_httpd_mod_auth_pam = false
+
+#
+# Allow httpd to use built in scripting (usually php)
+#
+httpd_builtin_scripting = false
+
+#
+# Allow HTTPD scripts and modules to connect to the network using TCP.
+#
+httpd_can_network_connect = false
+
+#
+# Allow HTTPD scripts and modules to connect to databases over the network.
+#
+httpd_can_network_connect_db = false
+
+#
+# Allow httpd to act as a relay
+#
+httpd_can_network_relay = false
+
+#
+# Allow httpd cgi support
+#
+httpd_enable_cgi = false
+
+#
+# Allow httpd to act as a FTP server by
+# listening on the ftp port.
+#
+httpd_enable_ftp_server = false
+
+#
+# Allow httpd to read home directories
+#
+httpd_enable_homedirs = false
+
+#
+# Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+#
+httpd_ssi_exec = false
+
+#
+# Unify HTTPD to communicate with the terminal.
+# Needed for entering the passphrase for certificates at
+# the terminal.
+#
+httpd_tty_comm = false
+
+#
+# Unify HTTPD handling of all content files.
+#
+httpd_unified = false
+
+#
+# Allow BIND to write the master zone files.
+# Generally this is used for dynamic DNS or zone transfers.
+#
+named_write_master_zones = false
+
+#
+# Allow system cron jobs to relabel filesystem
+# for restoring file contexts.
+#
+cron_can_relabel = false
+
+#
+# Enable extra rules in the cron domain
+# to support fcron.
+#
+fcron_crond = false
+
+#
+# Allow cvs daemon to read shadow
+#
+allow_cvs_read_shadow = false
+
+#
+# Allow exim to read unprivileged user files.
+#
+exim_read_user_files = false
+
+#
+# Allow exim to create, read, write, and delete
+# unprivileged user files.
+#
+exim_manage_user_files = false
+
+#
+# Allow ftp servers to upload files, used for public file
+# transfer services. Directories must be labeled
+# public_content_rw_t.
+#
+allow_ftpd_anon_write = false
+
+#
+# Allow ftp servers to login to local users and
+# read/write all files on the system, governed by DAC.
+#
+allow_ftpd_full_access = false
+
+#
+# Allow ftp servers to use cifs
+# used for public file transfer services.
+#
+allow_ftpd_use_cifs = false
+
+#
+# Allow ftp servers to use nfs
+# used for public file transfer services.
+#
+allow_ftpd_use_nfs = false
+
+#
+# Allow ftp to read and write files in the user home directories
+#
+ftp_home_dir = false
+
+#
+# Allow confined applications to run with kerberos.
+#
+allow_kerberos = false
+
+#
+# Use lpd server instead of cups
+#
+use_lpd_server = false
+
+#
+# Allow openvpn to read home directories
+#
+openvpn_enable_homedirs = false
+
+#
+# Allow pppd to load kernel modules for certain modems
+#
+pppd_can_insmod = false
+
+#
+# Allow pppd to be run for a regular user
+#
+pppd_for_user = false
+
+#
+# Allow gssd to read temp directory. For access to kerberos tgt.
+#
+allow_gssd_read_tmp = true
+
+#
+# Allow nfs servers to modify public files
+# used for public file transfer services. Files/Directories must be
+# labeled public_content_rw_t.
+#
+allow_nfsd_anon_write = false
+
+#
+# Allow rsync to export any files/directories read only.
+#
+rsync_export_all_ro = false
+
+#
+# Allow rsync to modify public files
+# used for public file transfer services. Files/Directories must be
+# labeled public_content_rw_t.
+#
+allow_rsync_anon_write = false
+
+#
+# Allow samba to modify public files used for public file
+# transfer services. Files/Directories must be labeled
+# public_content_rw_t.
+#
+allow_smbd_anon_write = false
+
+#
+# Allow samba to act as the domain controller, add users,
+# groups and change passwords.
+#
+samba_domain_controller = false
+
+#
+# Allow samba to share users home directories.
+#
+samba_enable_home_dirs = false
+
+#
+# Allow samba to share any file/directory read only.
+#
+samba_export_all_ro = false
+
+#
+# Allow samba to share any file/directory read/write.
+#
+samba_export_all_rw = false
+
+#
+# Allow samba to run unconfined scripts
+#
+samba_run_unconfined = false
+
+#
+# Allow samba to export NFS volumes.
+#
+samba_share_nfs = false
+
+#
+# Allow sasl to read shadow
+#
+allow_saslauthd_read_shadow = false
+
+#
+# Allow user spamassassin clients to use the network.
+#
+spamassassin_can_network = false
+
+#
+# Allow spamd to read/write user home directories.
+#
+spamd_enable_home_dirs = true
+
+#
+# Allow squid to connect to all ports, not just
+# HTTP, FTP, and Gopher ports.
+#
+squid_connect_any = false
+
+#
+# allow host key based authentication
+#
+allow_ssh_keysign = false
+
+#
+# Allow ssh logins as sysadm_r:sysadm_t
+#
+ssh_sysadm_login = false
+
+#
+# Allow tftp to modify public files
+# used for public file transfer services.
+#
+tftp_anon_write = false
+
+#
+# Allows clients to write to the X server shared
+# memory segments.
+#
+allow_write_xshm = false
+
+#
+# Allow xdm logins as sysadm
+#
+xdm_sysadm_login = false
+
+#
+# Allow zebra daemon to write it configuration files
+#
+allow_zebra_write_config = false
+
+#
+# Allow the mount command to mount any directory or file.
+#
+allow_mount_anyfile = true
+
+#
+# Allow sysadm to debug or ptrace all processes.
+#
+allow_ptrace = false
+
+#
+# Allow users to connect to mysql
+#
+allow_user_mysql_connect = false
+
+#
+# Allow users to connect to PostgreSQL
+#
+allow_user_postgresql_connect = false
+
+#
+# Allow regular users direct mouse access
+#
+user_direct_mouse = false
+
+#
+# Allow users to read system messages.
+#
+user_dmesg = false
+
+#
+# Allow user to r/w files on filesystems
+# that do not have extended attributes (FAT, CDROM, FLOPPY)
+#
+user_rw_noexattrfile = false
+
+#
+# Allow w to display everyone
+#
+user_ttyfile_stat = false
+
+#
+# Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+#
+allow_execheap = true
+
+#
+# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+#
+allow_execmem = true
+
+#
+# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+#
+allow_execmod = true
+
+#
+# Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+#
+allow_execstack = true
+
+#
+# Enable polyinstantiated directory support.
+#
+allow_polyinstantiation = false
+
+#
+# Allow system to run with NIS
+#
+allow_ypbind = false
+
+#
+# Enable reading of urandom for all domains.
+#
+#
+#
+#
+# This should be enabled when all programs
+# are compiled with ProPolice/SSP
+# stack smashing protection. All domains will
+# be allowed to read from /dev/urandom.
+#
+global_ssp = false
+
+#
+# Allow email client to various content.
+# nfs, samba, removable devices, user temp
+# and untrusted content files
+#
+mail_read_content = false
+
+#
+# Allow any files/directories to be exported read/write via NFS.
+#
+nfs_export_all_rw = false
+
+#
+# Allow any files/directories to be exported read/only via NFS.
+#
+nfs_export_all_ro = false
+
+#
+# Allow reading of default_t files.
+#
+read_default_t = true
+
+#
+# Allow applications to read untrusted content
+# If this is disallowed, Internet content has
+# to be manually relabeled for read access to be granted
+#
+read_untrusted_content = false
+
+#
+# Support NFS home directories
+#
+use_nfs_home_dirs = false
+
+#
+# Support SAMBA home directories
+#
+use_samba_home_dirs = false
+
+#
+# Allow users to run TCP servers (bind to ports and accept connection from
+# the same domain and outside users) disabling this forces FTP passive mode
+# and may change other protocols.
+#
+user_tcp_server = false
+
+#
+# Allow applications to write untrusted content
+# If this is disallowed, no Internet content
+# will be stored.
+#
+write_untrusted_content = false
+
Index: refpolicy/policy/modules.conf
===================================================================
--- /dev/null
+++ refpolicy/policy/modules.conf
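Review bot: The new policy/booleans.conf sets `allow_execheap`, `allow_execmem`, `allow_execmod` and `allow_execstack` to `true`, although the file's own comments call an executable heap "a really bad idea" and say an executable stack "should never, ever be necessary". With all four on, the policy stops blocking the writable-and-executable memory violations these booleans exist to catch for unconfined executables. `allow_mount_anyfile = true` and `read_default_t = true` are enabled as well, with no stated reason. I would ship the four exec* booleans as `false` and let the packages that need them opt in, or put a one-line `#` justification above each value left at `true`. The comment lines for `allow_execmem`, `allow_execmod` and `allow_execstack` also end in a stray `")`.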
@@ -0,0 +1,1764 @@ +# +# This file contains a listing of available modules. +# To prevent a module from being used in policy +# creation, set the module name to "off". +# +# For monolithic policies, modules set to "base" and "module" +# will be built into the policy. +# +# For modular policies, modules set to "base" will be +# included in the base module. "module" will be compiled +# as individual loadable modules. +# + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: kernel +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Layer: kernel +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: kernel +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: kernel +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Layer: kernel +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem, +# and unlabeled processes and objects. +# +kernel = base + +# Layer: kernel +# Module: mcs +# Required in base +# +# Multicategory security policy +# +mcs = base + +# Layer: kernel +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Layer: kernel +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: kernel +# Module: terminal +# Required in base +# +# Policy for terminals. 
+# +terminal = base + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility +# +amtu = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: admin +# Module: apt +# +# APT advanced package toll. +# +apt = module + +# Layer: admin +# Module: backup +# +# System backup scripts +# +backup = module + +# Layer: admin +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: admin +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. +# +consoletype = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = module + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = module + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: admin +# Module: dpkg +# +# Policy for the Debian package manager. +# +dpkg = module + +# Layer: admin +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. 
+# +firstboot = module + +# Layer: admin +# Module: kudzu +# +# Hardware detection and configuration tools +# +kudzu = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: admin +# Module: logwatch +# +# System log analyzer and reporter +# +logwatch = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: admin +# Module: portage +# +# Portage Package Management System. The primary package management and +# distribution system for Gentoo. +# +portage = module + +# Layer: admin +# Module: prelink +# +# Prelink ELF shared library mappings. +# +prelink = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = module + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer: admin +# Module: sxid +# +# SUID/SGID program monitoring +# +sxid = module + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = module + +# Layer: admin +# Module: tripwire +# +# Tripwire file integrity checker. +# +tripwire = module + +# Layer: admin +# Module: tzdata +# +# Time zone updater +# +tzdata = module + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = module + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. 
+# +usermanage = module + +# Layer: admin +# Module: vbetool +# +# run real-mode video BIOS code to alter hardware state +# +vbetool = module + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: apps +# Module: ada +# +# GNAT Ada95 compiler +# +ada = module + +# Layer: apps +# Module: authbind +# +# Tool for non-root processes to bind to reserved ports +# +authbind = module + +# Layer: apps +# Module: awstats +# +# AWStats is a free powerful and featureful tool that generates advanced +# web, streaming, ftp or mail server statistics, graphically. +# +awstats = module + +# Layer: apps +# Module: calamaris +# +# Squid log analysis +# +calamaris = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: apps +# Module: ethereal +# +# Ethereal packet capture tool. +# +ethereal = module + +# Layer: apps +# Module: evolution +# +# Evolution email client +# +evolution = module + +# Layer: apps +# Module: games +# +# Games +# +games = module + +# Layer: apps +# Module: gift +# +# giFT peer to peer file sharing tool +# +gift = module + +# Layer: apps +# Module: gnome +# +# GNU network object model environment (GNOME) +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: apps +# Module: java +# +# Java virtual machine +# +java = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: apps +# Module: mono +# +# Run .NET server and client applications on Linux. 
+# +mono = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: apps +# Module: mplayer +# +# Mplayer media player and encoder +# +mplayer = module + +# Layer: apps +# Module: rssh +# +# Restricted (scp/sftp) only shell +# +rssh = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: apps +# Module: thunderbird +# +# Thunderbird email client +# +thunderbird = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: apps +# Module: userhelper +# +# SELinux utility to run a shell with a new role +# +userhelper = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: apps +# Module: vmware +# +# VMWare Workstation virtual machines +# +vmware = module + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: apps +# Module: wine +# +# Wine Is Not an Emulator. Run Windows programs in Linux. +# +wine = module + +# Layer: apps +# Module: yam +# +# Yum/Apt Mirroring +# +yam = module + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: services +# Module: aide +# +# Aide filesystem integrity checker +# +aide = module + +# Layer: services +# Module: amavis +# +# Daemon that interfaces mail transfer agents and content +# checkers, such as virus scanners. 
+# +amavis = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# APC UPS monitoring daemon +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: asterisk +# +# Asterisk IP telephony server +# +asterisk = module + +# Layer: services +# Module: audioentropy +# +# Generate entropy from audio input +# +audioentropy = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: services +# Module: bitlbee +# +# Bitlbee service +# +bitlbee = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# Cluster Configuration System +# +ccs = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services +# Module: clamav +# +# ClamAV Virus Scanner +# +clamav = module + +# Layer: services +# Module: clockspeed +# +# Clockspeed simple network time protocol client +# +clockspeed = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: consolekit +# +# Framework for facilitating multiple user sessions on desktops. 
+# +consolekit = module + +# Layer: services +# Module: courier +# +# Courier IMAP and POP3 email servers +# +courier = module + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: services +# Module: dante +# +# Dante msproxy and socks4/5 proxy server +# +dante = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: dcc +# +# Distributed checksum clearinghouse spam filtering +# +dcc = module + +# Layer: services +# Module: ddclient +# +# Update dynamic IP address at DynDNS.org +# +ddclient = module + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = module + +# Layer: services +# Module: djbdns +# +# small and secure DNS daemon +# +djbdns = module + +# Layer: services +# Module: dnsmasq +# +# dnsmasq DNS forwarder and DHCP server +# +dnsmasq = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: exim +# +# Exim mail transfer agent +# +exim = module + +# Layer: services +# Module: fail2ban +# +# Update firewall filtering to ban IP addresses with too many password failures. 
+# +fail2ban = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: services +# Module: gatekeeper +# +# OpenH.323 Voice-Over-IP Gatekeeper +# +gatekeeper = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Layer: services +# Module: hal +# +# Hardware abstraction layer +# +hal = module + +# Layer: services +# Module: howl +# +# Port of Apple Rendezvous multicast DNS +# +howl = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = module + +# Layer: services +# Module: imaze +# +# iMaze game server +# +imaze = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: services +# Module: ircd +# +# IRC server +# +ircd = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: services +# Module: monop +# +# Monopoly daemon +# +monop = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. 
+# +mta = module + +# Layer: services +# Module: munin +# +# Munin network-wide load graphing (formerly LRRD) +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: services +# Module: nagios +# +# Net Saint / NAGIOS - network monitoring server +# +nagios = module + +# Layer: services +# Module: nessus +# +# Nessus network scanning daemon +# +nessus = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: services +# Module: nsd +# +# Authoritative only name server +# +nsd = module + +# Layer: services +# Module: ntop +# +# Network Top +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: nx +# +# NX remote desktop +# +nx = module + +# Layer: services +# Module: oav +# +# Open AntiVirus scannerdaemon and signature update +# +oav = module + +# Layer: services +# Module: oddjob +# +# Oddjob provides a mechanism by which unprivileged applications can +# request that specified privileged operations be performed on their +# behalf. +# +oddjob = module + +# Layer: services +# Module: openca +# +# OpenCA - Open Certificate Authority +# +openca = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = module + +# Layer: services +# Module: openvpn +# +# full-featured SSL VPN solution +# +openvpn = module + +# Layer: services +# Module: pcscd +# +# PCSC smart card service +# +pcscd = module + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. 
+# +pegasus = module + +# Layer: services +# Module: perdition +# +# Perdition POP and IMAP proxy +# +perdition = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: portslave +# +# Portslave terminal server software +# +portslave = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +# Layer: services +# Module: postfixpolicyd +# +# Postfix policy server +# +postfixpolicyd = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: postgrey +# +# Postfix grey-listing server +# +postgrey = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. +# +privoxy = module + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = module + +# Layer: services +# Module: publicfile +# +# publicfile supplies files to the public through HTTP and FTP +# +publicfile = module + +# Layer: services +# Module: pxe +# +# Server for the PXE network boot protocol +# +pxe = module + +# Layer: services +# Module: pyzor +# +# Pyzor is a distributed, collaborative spam detection and filtering network. +# +pyzor = module + +# Layer: services +# Module: qmail +# +# Qmail Mail Server +# +qmail = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: services +# Module: razor +# +# A distributed, collaborative, spam detection and filtering network. 
+# +razor = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: services +# Module: resmgr +# +# Resource management daemon +# +resmgr = module + +# Layer: services +# Module: rhgb +# +# Red Hat Graphical Boot +# +rhgb = module + +# Layer: services +# Module: ricci +# +# Ricci cluster management agent +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = module + +# Layer: services +# Module: rpcbind +# +# Universal Addresses to RPC Program Number Mapper +# +rpcbind = module + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: rwho +# +# Who is logged in on other machines? +# +rwho = module + +# Layer: services +# Module: samba +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = module + +# Layer: services +# Module: setroubleshoot +# +# SELinux troubleshooting service +# +setroubleshoot = module + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. 
+# +slrnpull = module + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: snort +# +# Snort network intrusion detection system +# +snort = module + +# Layer: services +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = module + +# Layer: services +# Module: speedtouch +# +# Alcatel speedtouch USB ADSL modem +# +speedtouch = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = module + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. 
+# +tcpd = module + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = module + +# Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: services +# Module: transproxy +# +# HTTP transperant proxy +# +transproxy = module + +# Layer: services +# Module: ucspitcp +# +# ucspitcp policy +# +ucspitcp = module + +# Layer: services +# Module: uptime +# +# Uptime daemon +# +uptime = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: uwimap +# +# University of Washington IMAP toolkit POP3 and IMAP mail server +# +uwimap = module + +# Layer: services +# Module: watchdog +# +# Software watchdog +# +watchdog = module + +# Layer: services +# Module: xfs +# +# X Windows Font Server +# +xfs = module + +# Layer: services +# Module: xprint +# +# X print server +# +xprint = module + +# Layer: services +# Module: xserver +# +# X Windows Server +# +xserver = module + +# Layer: services +# Module: zabbix +# +# Distributed infrastructure monitoring +# +zabbix = module + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: system +# Module: application +# +# Policy for user executable applications. +# +application = base + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. 
+# +fstools = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: system +# Module: hotplug +# +# Policy for hotplug system, for supporting the +# connection and disconnection of devices at runtime. +# +hotplug = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = module + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: system +# Module: iscsi +# +# Establish connections to iSCSI devices +# +iscsi = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = base + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = module + +# Layer: system +# Module: netlabel +# +# NetLabel/CIPSO labeled networking management +# +netlabel = module + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = module + +# Layer: system +# Module: setrans +# +# SELinux MLS/MCS label translation service. 
+# +setrans = module + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = module + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = module + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = module + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = module + +# Layer: system +# Module: xen +# +# Xen hypervisor +# +xen = module + debian/patches/old/sysnetwork.patch0000664000000000000000000000117611345550112014650 0ustar --- policy/modules/system/sysnetwork.te | 10 ++++++++++ 1 file changed, 10 insertions(+) Index: refpolicy/policy/modules/system/sysnetwork.te =================================================================== --- refpolicy.orig/policy/modules/system/sysnetwork.te +++ refpolicy/policy/modules/system/sysnetwork.te @@ -152,6 +152,16 @@ optional_policy(` consoletype_domtrans(dhcpc_t) ') +gen_require(` + class dbus all_dbus_perms; +') +optional_policy(` + dbus_stub(dhcpc_t) +',` + allow dhcpc_t domain:dbus all_dbus_perms; + allow domain dhcpc_t:dbus all_dbus_perms; +') + optional_policy(` init_dbus_chat_script(dhcpc_t) debian/patches/old/init.patch0000664000000000000000000000066711345550112013367 0ustar --- policy/modules/system/init.te | 1 + 1 file changed, 1 insertion(+) Index: refpolicy/policy/modules/system/init.te =================================================================== --- refpolicy.orig/policy/modules/system/init.te +++ refpolicy/policy/modules/system/init.te 
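Review bot: In sysnetwork.te (the @@ -152 hunk) the else branch of the new optional_policy grants `all_dbus_perms` between dhcpc_t and the `domain` attribute in both directions, so on a system without the dbus module the DHCP client is allowed every D-Bus permission against every domain, and every domain against it. If the fallback only has to let messages through, `allow dhcpc_t domain:dbus send_msg;` together with a comment such as `# fallback when no dbus policy is loaded` would keep it narrower and explain it. The same two-way grant is repeated in dhcp.patch (dhcpd_t), cups.patch (cupsd_t and cupsd_config_t) and unconfined.patch (unconfined_t). The changelog entry for 0.2.20081210 records these else branches being removed once dbus policy was always installed.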
@@ -716,6 +716,7 @@ optional_policy(` optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) + ssh_write_sshd(initrc_t) ') optional_policy(` debian/patches/old/lpd.patch0000664000000000000000000000240711345550112013175 0ustar /var/spool/cups-pdf needs to be labeled print_spool_t to allow cups to print to pdf. --- policy/modules/services/lpd.fc | 1 + policy/modules/services/lpd.if | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) Index: refpolicy/policy/modules/services/lpd.fc =================================================================== --- refpolicy.orig/policy/modules/services/lpd.fc +++ refpolicy/policy/modules/services/lpd.fc @@ -28,5 +28,6 @@ # /var # /var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) +/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) Index: refpolicy/policy/modules/services/lpd.if =================================================================== --- refpolicy.orig/policy/modules/services/lpd.if +++ refpolicy/policy/modules/services/lpd.if @@ -339,7 +339,8 @@ interface(`lpd_manage_spool',` manage_files_pattern($1,print_spool_t,print_spool_t) # cjp: cups wants setattr - allow $1 print_spool_t:dir setattr; + # ccc: cups-pdf wants create + allow $1 print_spool_t:dir {setattr create}; ') ######################################## debian/patches/old/ssh.patch0000664000000000000000000000150511345550112013211 0ustar --- policy/modules/services/ssh.if | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) Index: refpolicy/policy/modules/services/ssh.if =================================================================== --- refpolicy.orig/policy/modules/services/ssh.if +++ refpolicy/policy/modules/services/ssh.if 
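Review bot: In lpd.if (the @@ -339 hunk) `create` is added inside the shared interface lpd_manage_spool, so every domain that calls the interface gains directory creation on print_spool_t, while the new comment attributes the need to cups-pdf only. If cupsd_t is the only consumer, `allow cupsd_t print_spool_t:dir create;` in cups.te keeps the grant local; if it stays here, the interface summary should mention directory creation. The permission set would also read better spaced as `{ setattr create }`, in line with `{ create setattr }` in cups.patch. The interface body starts outside the hunk.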
@@ -535,6 +535,24 @@ template(`ssh_server_template', ` ######################################## ## +## Write to ssh server files (e.g. /proc/pid/oom_adj). +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_write_sshd',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:file write; +') + +######################################## +## ## Send a SIGCHLD signal to the ssh server. ## ## debian/patches/old/dhcp.patch0000664000000000000000000000121111345550112013324 0ustar --- policy/modules/services/dhcp.te | 7 +++++++ 1 file changed, 7 insertions(+) Index: refpolicy/policy/modules/services/dhcp.te =================================================================== --- refpolicy.orig/policy/modules/services/dhcp.te +++ refpolicy/policy/modules/services/dhcp.te @@ -110,9 +110,16 @@ optional_policy(` bind_read_dnssec_keys(dhcpd_t) ') +gen_require(` + class dbus all_dbus_perms; +') + optional_policy(` dbus_system_bus_client_template(dhcpd,dhcpd_t) dbus_connect_system_bus(dhcpd_t) +',` + allow dhcpd_t domain:dbus all_dbus_perms; + allow domain dhcpd_t:dbus all_dbus_perms; ') optional_policy(` debian/patches/old/cups.patch0000664000000000000000000000572111345550112013372 0ustar --- policy/modules/services/cups.te | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) Index: refpolicy/policy/modules/services/cups.te =================================================================== --- refpolicy.orig/policy/modules/services/cups.te +++ refpolicy/policy/modules/services/cups.te @@ -116,7 +116,7 @@ manage_files_pattern(cupsd_t,cupsd_tmp_t manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) -allow cupsd_t cupsd_var_run_t:dir setattr; +allow cupsd_t cupsd_var_run_t:dir { create setattr }; manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) files_pid_filetrans(cupsd_t,cupsd_var_run_t,file) 
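Review bot: In ssh.if (the @@ -535 hunk) `allow $1 sshd_t:file write;` grants write on every file labelled with the sshd_t domain type, which as far as I can tell covers the ssh server's /proc/pid entries as a whole, while the summary names oom_adj only as an example. The summary should state the real scope, for instance `## Write to the ssh server's /proc/pid files (used to set oom_adj).`, so that the callers added in init.patch (initrc_t) and unconfined.patch (unconfined_t) are not read as a narrow grant. An interface name that mentions proc would make the same point at the call sites, though renaming would need the callers updated in the same series.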
@@ -186,7 +186,7 @@ files_read_etc_runtime_files(cupsd_t) # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma -files_search_var_lib(cupsd_t) +files_read_var_lib_files(cupsd_t) files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) @@ -203,6 +203,7 @@ files_dontaudit_getattr_all_tmp_files(cu selinux_compute_access_vector(cupsd_t) init_exec_script_files(cupsd_t) +init_stream_connect_script(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -221,13 +222,17 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) sysnet_read_config(cupsd_t) +sysnet_read_dhcpc_pid(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) -userdom_dontaudit_search_all_users_home_content(cupsd_t) +userdom_search_all_users_home_content(cupsd_t) # Write to /var/spool/cups. lpd_manage_spool(cupsd_t) +# Access to generic pid files. +files_read_generic_pids(cupsd_t) + ifdef(`enable_mls',` lpd_relabel_spool(cupsd_t) ') @@ -240,6 +245,10 @@ optional_policy(` cron_system_entry(cupsd_t, cupsd_exec_t) ') +gen_require(` + class dbus all_dbus_perms; + type var_t, var_run_t; +') optional_policy(` dbus_system_bus_client_template(cupsd,cupsd_t) @@ -248,6 +257,14 @@ optional_policy(` optional_policy(` hal_dbus_chat(cupsd_t) ') +',` + allow {cupsd_t cupsd_config_t} domain:dbus all_dbus_perms; + allow domain {cupsd_t cupsd_config_t}:dbus all_dbus_perms; + + # Allow cupsd_t access to /var/run/dbus/system_bus_socket + list_dirs_pattern(cupsd_t,var_t,var_run_t) + rw_files_pattern(cupsd_t,var_run_t,var_run_t) + rw_sock_files_pattern(cupsd_t,var_run_t,var_run_t) ') optional_policy(` @@ -559,6 +576,7 @@ logging_send_syslog_msg(hplip_t) miscfiles_read_localization(hplip_t) sysnet_read_config(hplip_t) +sysnet_read_dhcpc_pid(hplip_t) userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_sysadm_home_dirs(hplip_t) 
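Review bot: In cups.te (the @@ -221 hunk) `userdom_dontaudit_search_all_users_home_content(cupsd_t)` becomes `userdom_search_all_users_home_content(cupsd_t)`, which turns a silenced denial into a grant on every user's home content for the print daemon, and the hunk gives no reason. The changelog mentions accesses needed for cups-pdf; if that is the consumer, a comment such as `# cups-pdf: search user home content (confirm still required)` should sit above the call, otherwise the dontaudit form should stay. The @@ -186 hunk makes a similar silent widening, replacing `files_search_var_lib(cupsd_t)` with `files_read_var_lib_files(cupsd_t)` under the existing "for /var/lib/defoma" comment.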
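Review bot: The else branch added in the @@ -248 hunk of cups.te gives cupsd_t `rw_files_pattern` and `rw_sock_files_pattern` on var_run_t to reach /var/run/dbus/system_bus_socket, which also opens every generically labelled file and socket under /var/run for read and write. The comment names a single socket, so `rw_files_pattern(cupsd_t,var_run_t,var_run_t)` looks unnecessary and could be dropped, leaving `list_dirs_pattern` and `rw_sock_files_pattern`. The @@ -221 hunk already adds `files_read_generic_pids(cupsd_t)` for the read side. The optional_policy block this branch closes starts in the previous hunk.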
@@ -634,6 +652,7 @@ logging_send_syslog_msg(ptal_t) miscfiles_read_localization(ptal_t) sysnet_read_config(ptal_t) +sysnet_read_dhcpc_pid(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) userdom_dontaudit_search_all_users_home_content(ptal_t) debian/patches/old/files.patch0000664000000000000000000000217711345550112013524 0ustar --- policy/modules/kernel/files.if | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) Index: refpolicy/policy/modules/kernel/files.if =================================================================== --- refpolicy.orig/policy/modules/kernel/files.if +++ refpolicy/policy/modules/kernel/files.if @@ -4410,6 +4410,7 @@ interface(`files_rw_generic_pids',` list_dirs_pattern($1,var_t,var_run_t) rw_files_pattern($1,var_run_t,var_run_t) + rw_sock_files_pattern($1,var_run_t,var_run_t) ') ######################################## @@ -4450,6 +4451,27 @@ interface(`files_dontaudit_ioctl_all_pid ######################################## ## +## Read generic process ID files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_read_generic_pids',` + gen_require(` + type var_t; + type var_run_t; + ') + + list_dirs_pattern($1,var_t,var_run_t) + read_files_pattern($1,var_run_t,var_run_t) +') + +######################################## +## ## Read all process ID files. ## ## debian/patches/old/unconfined.patch0000664000000000000000000000573711345550112014557 0ustar --- policy/modules/system/unconfined.te | 84 +++++++++++++++++++++++------------- 1 file changed, 54 insertions(+), 30 deletions(-) Index: refpolicy/policy/modules/system/unconfined.te =================================================================== --- refpolicy.orig/policy/modules/system/unconfined.te +++ refpolicy/policy/modules/system/unconfined.te 
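Review bot: In files.if (the @@ -4410 hunk) `rw_sock_files_pattern($1,var_run_t,var_run_t)` is added to the existing interface files_rw_generic_pids, so every current caller gains read and write on generic sockets under /var/run without any change in its own policy. The interface header is outside the hunk, so whether its summary still matches cannot be checked here. A separate interface keeps the socket grant opt-in and auditable per caller; the name in the sketch below is only a suggestion.

```selinux
########################################
## <summary>
##	Read and write generic sockets in /var/run.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_rw_generic_pid_sockets',`
	gen_require(`
		type var_t, var_run_t;
	')

	list_dirs_pattern($1,var_t,var_run_t)
	rw_sock_files_pattern($1,var_run_t,var_run_t)
')
```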
@@ -27,6 +27,11 @@ role unconfined_r types unconfined_execm # Local policy # +# allow role transitions +allow unconfined_r system_r; + +files_manage_all_files(unconfined_t) + domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) files_create_boot_flag(unconfined_t) @@ -43,6 +48,8 @@ logging_run_auditctl(unconfined_t, uncon mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +seutil_run_loadpolicy(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -77,36 +84,41 @@ optional_policy(` optional_policy(` init_dbus_chat_script(unconfined_t) +') +optional_policy(` dbus_stub(unconfined_t) +',` + allow unconfined_t domain:dbus all_dbus_perms; + allow domain unconfined_t:dbus all_dbus_perms; +') + +optional_policy(` + avahi_dbus_chat(unconfined_t) +') + +optional_policy(` + bluetooth_dbus_chat(unconfined_t) +') + +optional_policy(` + consolekit_dbus_chat(unconfined_t) +') - optional_policy(` - avahi_dbus_chat(unconfined_t) - ') - - optional_policy(` - bluetooth_dbus_chat(unconfined_t) - ') - - optional_policy(` - consolekit_dbus_chat(unconfined_t) - ') - - optional_policy(` - cups_dbus_chat_config(unconfined_t) - ') - - optional_policy(` - hal_dbus_chat(unconfined_t) - ') - - optional_policy(` - networkmanager_dbus_chat(unconfined_t) - ') - - optional_policy(` - oddjob_dbus_chat(unconfined_t) - ') +optional_policy(` + cups_dbus_chat_config(unconfined_t) +') + +optional_policy(` + hal_dbus_chat(unconfined_t) +') + +optional_policy(` + networkmanager_dbus_chat(unconfined_t) +') + +optional_policy(` + oddjob_dbus_chat(unconfined_t) ') optional_policy(` 
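Review bot: The comment `# allow role transitions` in the @@ -27 hunk of unconfined.te does not say why `allow unconfined_r system_r;` is needed, and `files_manage_all_files(unconfined_t)` has no comment at all. The changelog ties the role allow to unconfined root users starting and stopping services through init scripts, so the comment could read `# unconfined_r -> system_r: lets run_init start services from an unconfined session`. This is worth recording because, together with `seutil_run_runinit` and `seutil_run_loadpolicy` in the @@ -43 hunk, these lines give the unconfined user a path into system_r and to the policy loader.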
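Review bot: The else branch in the @@ -77 hunk of unconfined.te uses `all_dbus_perms` on class dbus, but this patch adds no `class dbus all_dbus_perms;` requirement, unlike sysnetwork.patch, dhcp.patch and cups.patch, which each add a gen_require for it. Unless unconfined.te already requires the class outside these hunks, the fallback may not compile in exactly the case it targets, a build without the dbus module. The @@ -222 hunk for unconfined_execmem_t has the same gap and grants only `allow unconfined_execmem_t domain:dbus all_dbus_perms;` without the reverse rule the other fallbacks carry. A short comment should say whether that one-way grant is intended.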
@@ -212,6 +224,10 @@ optional_policy(` xserver_domtrans_xdm_xserver(unconfined_t) ') +optional_policy(` + ssh_write_sshd(unconfined_t) +') + ######################################## # # Unconfined Execmem Local policy 
@@ -222,11 +238,19 @@ unconfined_domain_noaudit(unconfined_exe optional_policy(` dbus_stub(unconfined_execmem_t) +',` + allow unconfined_execmem_t domain:dbus all_dbus_perms; +') +optional_policy(` init_dbus_chat_script(unconfined_execmem_t) +') + +optional_policy(` unconfined_dbus_chat(unconfined_execmem_t) +') - optional_policy(` - hal_dbus_chat(unconfined_execmem_t) - ') +optional_policy(` + hal_dbus_chat(unconfined_execmem_t) ') + debian/compat0000664000000000000000000000000211345550112010363 0ustar 5 debian/control0000664000000000000000000000552711364162463010612 0ustar Source: refpolicy-ubuntu Section: admin Priority: optional Maintainer: Ubuntu Hardened Developers XSBC-Original-Maintainer: Caleb Case Build-Depends: cdbs, debhelper (>= 7), policycoreutils (>= 2.0.35), checkpolicy (>= 2.0.7), python, m4, bzip2, gawk Standards-Version: 3.8.4 Homepage: http://oss.tresys.com/projects/refpolicy Package: selinux-policy-ubuntu Architecture: all Pre-Depends: selinux, policycoreutils (>= 2.0.35) Depends: python, checkpolicy (>= 2.0.7), gawk, ${misc:Depends} Provides: selinux-policy, selinux-policy-default Conflicts: selinux-policy-default Replaces: selinux-policy-default Description: Security-Enhanced Linux Reference Policy The SELinux Reference Policy project (refpolicy) is a complete SELinux policy that can be used as the system policy for a variety of systems and used as the basis for creating other policies. 
Reference Policy was originally based on the NSA example policy, but aims to accomplish many additional goals: + Strong Modularity + Security Goals + Documentation + Development Tool Support + Forward Looking + Configurability + Flexible Base Policy + Application Policy Variations + Multi-Level Security Package: selinux-policy-ubuntu-dev Architecture: all Depends: python, policycoreutils (>= 2.0.35), checkpolicy (>= 2.0.7), gawk, ${misc:Depends} Suggests: setools Description: Security-Enhanced Linux Reference Policy Development Headers The SELinux Reference Policy project (refpolicy) is a complete SELinux policy that can be used as the system policy for a variety of systems and used as the basis for creating other policies. Reference Policy was originally based on the NSA example policy, but aims to accomplish many additional goals: + Strong Modularity + Security Goals + Documentation + Development Tool Support + Forward Looking + Configurability + Flexible Base Policy + Application Policy Variations + Multi-Level Security . This package provides the header files for building your own SELinux Refpolicy packages. Package: selinux-policy-ubuntu-doc Architecture: all Depends: ${misc:Depends} Section: doc Description: Security-Enhanced Linux Reference Policy Documentation The SELinux Reference Policy project (refpolicy) is a complete SELinux policy that can be used as the system policy for a variety of systems and used as the basis for creating other policies. Reference Policy was originally based on the NSA example policy, but aims to accomplish many additional goals: + Strong Modularity + Security Goals + Documentation + Development Tool Support + Forward Looking + Configurability + Flexible Base Policy + Application Policy Variations + Multi-Level Security . This package contains the documentation for SELinux Reference Policy. 
debian/selinux-policy-ubuntu.install0000664000000000000000000000006511345550112015062 0ustar /etc/selinux/ubuntu/* /usr/share/selinux/ubuntu/*.pp debian/selinux-policy-ubuntu.postrm0000664000000000000000000000552311364162476014761 0ustar #!/bin/sh # postrm script for refpolicy # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in remove|upgrade) modules=" \ /etc/selinux.d/ubuntu/alsa.pp \ /etc/selinux.d/ubuntu/apm.pp \ /etc/selinux.d/ubuntu/apt.pp \ /etc/selinux.d/ubuntu/application.pp \ /etc/selinux.d/ubuntu/authlogin.pp \ /etc/selinux.d/ubuntu/avahi.pp \ /etc/selinux.d/ubuntu/base.pp \ /etc/selinux.d/ubuntu/bluetooth.pp \ /etc/selinux.d/ubuntu/clock.pp \ /etc/selinux.d/ubuntu/consolekit.pp \ /etc/selinux.d/ubuntu/consoletype.pp \ /etc/selinux.d/ubuntu/cron.pp \ /etc/selinux.d/ubuntu/cups.pp \ /etc/selinux.d/ubuntu/devicekit.pp \ /etc/selinux.d/ubuntu/dbus.pp \ /etc/selinux.d/ubuntu/dpkg.pp \ /etc/selinux.d/ubuntu/fstools.pp \ /etc/selinux.d/ubuntu/getty.pp \ /etc/selinux.d/ubuntu/gnomeclock.pp \ /etc/selinux.d/ubuntu/hal.pp \ /etc/selinux.d/ubuntu/hostname.pp \ /etc/selinux.d/ubuntu/inetd.pp \ /etc/selinux.d/ubuntu/init.pp \ /etc/selinux.d/ubuntu/iptables.pp \ /etc/selinux.d/ubuntu/libraries.pp \ /etc/selinux.d/ubuntu/locallogin.pp \ /etc/selinux.d/ubuntu/logging.pp \ /etc/selinux.d/ubuntu/lpd.pp \ /etc/selinux.d/ubuntu/miscfiles.pp \ /etc/selinux.d/ubuntu/modemmanager.pp \ /etc/selinux.d/ubuntu/modutils.pp \ /etc/selinux.d/ubuntu/mount.pp \ /etc/selinux.d/ubuntu/mta.pp \ /etc/selinux.d/ubuntu/netutils.pp \ /etc/selinux.d/ubuntu/networkmanager.pp \ /etc/selinux.d/ubuntu/ntp.pp \ /etc/selinux.d/ubuntu/policykit.pp \ /etc/selinux.d/ubuntu/raid.pp \ /etc/selinux.d/ubuntu/rtkit.pp \ 
/etc/selinux.d/ubuntu/selinuxutil.pp \ /etc/selinux.d/ubuntu/ssh.pp \ /etc/selinux.d/ubuntu/storage.pp \ /etc/selinux.d/ubuntu/stunnel.pp \ /etc/selinux.d/ubuntu/sudo.pp \ /etc/selinux.d/ubuntu/sysadm.pp \ /etc/selinux.d/ubuntu/sysnetwork.pp \ /etc/selinux.d/ubuntu/udev.pp \ /etc/selinux.d/ubuntu/unconfined.pp \ /etc/selinux.d/ubuntu/userdomain.pp \ /etc/selinux.d/ubuntu/usermanage.pp \ /etc/selinux.d/ubuntu/xserver.pp \ " for i in $modules do /bin/rm -f $i done /usr/bin/dpkg-trigger semodule ;; purge|failed-upgrade|abort-install|abort-upgrade|disappear) ;; *) echo "postrm called with unknown argument \`$1'" >&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/changelog0000664000000000000000000007372711743657403011074 0ustar refpolicy-ubuntu (0.2.20091117-0ubuntu2) precise; urgency=low * fix-ftbfs.patch: Fix build failures from new checkpolicy (LP: #935407) -- Tyler Hicks Wed, 18 Apr 2012 01:08:52 -0500 refpolicy-ubuntu (0.2.20091117-0ubuntu1) lucid; urgency=low * New upstream release, converted to source format 3. * Updated Ubuntu-specific patches thanks to Steve Lawrence (LP: #568744). * Extracted Makefile change to debian/patches/bashisms.patch. -- Kees Cook Thu, 22 Apr 2010 17:10:43 -0700 refpolicy-ubuntu (0.2.20090730-0ubuntu3) lucid; urgency=low * devtmpfs.patch: allow /dev to be devtmpfs (LP: #556823). -- Kees Cook Tue, 06 Apr 2010 14:23:17 -0700 refpolicy-ubuntu (0.2.20090730-0ubuntu2) lucid; urgency=low * Fixes minor typo in debian/control (LP: #487779) -- arky Thu, 11 Feb 2010 15:33:55 +0530 refpolicy-ubuntu (0.2.20090730-0ubuntu1) karmic; urgency=low * Updated to upstream release 2.20090730 * Handle Upstart direct execution of daemons. * Pre-depend on selinux to ensure that the trigger is handled (LP: #434084). 
-- Caleb Case Mon, 19 Oct 2009 01:48:39 -0400 refpolicy-ubuntu (0.2.20090324-0ubuntu2) jaunty; urgency=low * debian/control: Conflict, Replace, and Provides: selinux-policy-default (LP: #360727). -- Kees Cook Mon, 13 Apr 2009 14:41:33 -0700 refpolicy-ubuntu (0.2.20090324-0ubuntu1) jaunty; urgency=low * Updated to upstream trunk r2936 * Forced symlink creation in /etc/selinux.d/refpolicy * Enabled alsa module * Enabled fstools module * Package renamed to refpolicy-ubuntu to avoid conflict with debian package (LP: #352801). -- Marshall Miller Tue, 24 Mar 2009 02:17:01 -0400 refpolicy (0.2.20081210-0ubuntu1) jaunty; urgency=low * Updated to upstream release 2.20081210 * Removed the dbus optional elses (dbus policy is always installed now) * Removed the -cups and -unconfined packages as they are not needed to maintain flexibility in which modules are installed. You can still removed them or override via /etc/selinux.d * Changed -dev Recommend: setools to a Suggest -- Caleb Case Fri, 13 Mar 2009 02:48:01 -0400 refpolicy (0.0.20071214-0ubuntu3) hardy; urgency=low * debian/patches/cups.patch * debian/patches/files.patch * debian/patches/lpd.patch - Allow cups to use dhcp. - Allow most accesses necessary for cups-pdf. - Allow cups access to dbus when no dbus policy is loaded. * debian/patches/init.patch * debian/patches/ssh.patch - Allow init to change oom priority of sshd. * debian/patches/unconfined.patch * debian/patches/users.patch - Allowing unconfined_r system_r and access to run_init so that unconfined root user's can start/stop/restart services via init scripts (LP: #202983, #209773, #211305, #216132) -- Caleb Case Tue, 25 Mar 2008 16:42:08 -0400 refpolicy (0.0.20071214-0ubuntu2) hardy; urgency=low * debian/patches/conf.patch - Adding root to config/appconfig-standard/seusers so that its home directory will get labeled correctly. 
-- Caleb Case Fri, 29 Feb 2008 12:31:15 -0500 refpolicy (0.0.20071214-0ubuntu1) hardy; urgency=low [ Caleb Case ] * New upstream SVN HEAD. - Labeled networking peer object class updates. - Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik. - Improve several tunables descriptions from Dan Walsh. - Patch to clean up ns switch usage in the policy from Dan Walsh. - More complete labeled networking infrastructure from KaiGai Kohei. - Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs. - Patch to restructure user role templates to create restricted user roles from Dan Walsh. - Russian man page translations from Andrey Markelov. - Remove unused types from dbus. - Add infrastructure for managing all user web content. - Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros. - Patch to clean up unescaped periods in several file context entries from Jan-Frode Myklebust. - Merge shlib_t into lib_t. - Merge strict and targeted policies. The policy will now behave like the strict policy if the unconfined module is not present. If it is, it will behave like the targeted policy. Added an unconfined role to have a mix of confined and unconfined users. - Added modules: exim (Dan Walsh) postfixpolicyd (Jan-Frode Myklebust) - Add support for setting the unknown permissions handling. - Fix XML building for external reference builds and headers builds. - Patch to add missing requirements in userdomain interfaces from Shintaro Fujiwara. - Add tcpd_wrapped_domain() for services that use tcp wrappers. - Update MLS constraints from LSPP evaluated policy. - Allow initrc_t file descriptors to be inherited regardless of MLS level. Accordingly drop MLS permissions from daemons that inherit from any level. - Files and radvd updates from Stefan Schulze Frielinghaus. 
- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with mls_write_all_levels() and mls_read_all_levels(), for consistency. - Add make kernel and init ranged interfaces pass the range transition MLS constraints. Also remove calls to mls_rangetrans_target() in modules that use the kernel and init interfaces, since its redundant. - Add interfaces for all MLS attributes except X object classes. - Require all sensitivities and categories for MLS and MCS policies, not just the low and high sensitivity and category. - Database userspace object manager classes from KaiGai Kohei. - Add third-party interface for Apache CGI. - Add getserv and shmemserv nscd permissions. - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus. - Added modules: application awstats (Stefan Schulze Frielinghaus) bitlbee (Devin Carraway) brctl (Dan Walsh) - Fix incorrectly named files_lib_filetrans_shared_lib() interface in the libraries module. - Unified labeled networking policy from Paul Moore. - Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. - Xen updates from Dan Walsh. - Filesystem updates from Dan Walsh. - Large samba update from Dan Walsh. - Drop snmpd_etc_t. - Confine sendmail and logrotate on targeted. - Tunable connection to postgresql for users from KaiGai Kohei. - Memprotect support patch from Stephen Smalley. - Add logging_send_audit_msgs() interface and deprecate send_audit_msgs_pattern(). - Openct updates patch from Dan Walsh. - Merge restorecon into setfiles. - Patch to begin separating out hald helper programs from Dan Walsh. - Fixes for squid, dovecot, and snmp from Dan Walsh. - Miscellaneous consolekit fixes from Dan Walsh. - Patch to have avahi use the nsswitch interface rather than individual permissions from Dan Walsh. - Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh. - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes to handle usage from userhelper from Dan Walsh. 
- Patch to allow amavis to read spamassassin libraries from Dan Walsh. - Patch to allow slocate to getattr other filesystems and directories on those filesystems from Dan Walsh. - Fixes for RHEL4 from the CLIP project. - Replace the old lrrd fc entries with munin ones. - Move program admin template usage out of userdom_admin_user_template() to sysadm policy in userdomain.te to fix usage of the template for third parties. - Fix clockspeed_run_cli() declaration, it was incorrectly defined as a template instead of an interface. - Added modules: amtu (Dan Walsh) apcupsd (Dan Walsh) rpcbind (Dan Walsh) rwho (Nalin Dahyabhai) * debian/control * selinux-policy-refpolicy depends on *-cups an *-unconfined policies. * selinux-policy-refpolicy-(cups|unconfined) provide selinux-policy-(cups|unconfined) (potentially allowing a user to install a dummy package to satisfy). * debian/patches/conf.patch * added seusers patch that makes all users unconfined by default. * debian/selinux-policy-refpolicy.* * adding in dbus policy [ Joseph Jackson IV ] * debian/control - Update Debian Maintainer field [ J. Tang ] * debian/postinst - Invoke /usr/sbin/update-selinux-policy to change the policy to refpolicy, if possible. * debian/selinux-policy-refpolicy.*postrrm - Handle purging correctly. -- Caleb Case Fri, 08 Feb 2008 03:22:20 -0500 refpolicy (0.0.20070507-5) unstable; urgency=low * Allow users to read the dpkg database. With this change, every user of the strict policy now has access to dpkg-checkbuildeps, grep-dctrl, etc, which was not the case previously. * Change the example localStrict.te policy file to silently ignore apt searching for something in /var/lib. With this example policy loaded in my strict policy UML virtual machine, I can compile packages in enforcing mode. Based on advice on the mailing list, allow more things to access /selinux * Merge in changes from Russell Coker. These include a better fix for /lib.init/rw. 
-- Manoj Srivastava Fri, 18 May 2007 00:34:07 -0500 refpolicy (0.0.20070507-4) unstable; urgency=low * Allow apt to run update by giving r_netlink_socket_perms to self:netlink_route_socket. * Allow apt/aptitude to update, and install files - Added an interface to apt.if allow silently ignoring processes that attempt to use file descriptors from apt. - Bump the apt policy module version number, since we have added to the interface. - Added some stuff to dpkg.te to allow debconf .config file interactions back to the user - Add an optional dontaudit rule to libraries.te to allow apt-get/aptitude to install packages silently. * Very early in boot, /lib/init/rw is created as a mandatory tmpfs for state information. Label that directory as initrc_tmp_t to allow mount.te to be permitted to mount a tmpfs there. * In init.te, allow /etc/network/if-up.d/mountnfs to create /var/run/network/mountnfs as a poor mans lock. -- Manoj Srivastava Fri, 11 May 2007 00:55:07 -0500 refpolicy (0.0.20070507-3) unstable; urgency=low * Add hostfs as a recognized remote file-system. This should allow a UML virtual machine to function in a fully enforcing mode. -- Manoj Srivastava Wed, 9 May 2007 15:48:26 -0500 refpolicy (0.0.20070507-2) unstable; urgency=medium * Keep track of modules that are really built into the base policy in Debian. We then use this list to remove the modules .pp files from the policy shipped, since they can not be installed along with the base policy anyway. Make sure we don't add such modules hen considering module dependencies either. * Added Module ricci to modules.conf for both strict and targeted. -- Manoj Srivastava Mon, 7 May 2007 09:07:36 -0500 refpolicy (0.0.20070507-1) unstable; urgency=low * New upstream SVN HEAD. - Miscellaneous consolekit fixes from Dan Walsh. - Patch to have avahi use the nsswitch interface rather than individual permissions from Dan Walsh. - Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh. 
- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes to handle usage from userhelper from Dan Walsh. - Patch to allow amavis to read spamassassin libraries from Dan Walsh. - Patch to allow slocate to getattr other filesystems and directories on those filesystems from Dan Walsh. - Fixes for RHEL4 from the CLIP project. - Replace the old lrrd fc entries with munin ones. - Move program admin template usage out of userdom_admin_user_template() to sysadm policy in userdomain.te to fix usage of the template for third parties. - Fix clockspeed_run_cli() declaration, it was incorrectly defined as a template instead of an interface. - Added modules: rwho (Nalin Dahyabhai) * Updated dependencies, since this refpolicy needs newer toolchain, -- Manoj Srivastava Mon, 7 May 2007 01:47:44 -0500 refpolicy (0.0.20070417-1) unstable; urgency=low * New upstream release. * Added XS-VCS-Arch and XS-VCS-Browse to debian/control, and updated build dependencies. * Bug fix: "selinux-policy-refpolicy-targeted: need file_contexts for gcj-dbtool-4.1 and /var/log/account", thanks to Russell Coker (Closes: #416910). -- Manoj Srivastava Thu, 19 Apr 2007 02:28:29 -0500 refpolicy (0.0.20061018-5) unstable; urgency=high * Add policy for log and lock files for aptitude. This is needed for proper function; so one does not need to go into permissive mode to run aptitude. Stolen from Erich. This is a low risk change. * Debian puts grub in /usr/sbin/grub. Reflect that in the initial file context. * Debian creates /dev/xconsole independently of whether or not a xserver has been installed or not. So move the policy related to /dev/sconsole out of the xserver policy, and into places where relevant (init.te, logging.fc), to reflect the status that /dev/console is present anyway. * Add support for /etc/network/run and /dev/shm/network, which seem to be Debian specific as well. * Allow udev to manage configuration files. 
-- Manoj Srivastava Fri, 9 Mar 2007 00:22:19 -0600 refpolicy (0.0.20061018-4) unstable; urgency=low * Bug fix: "selinux-policy-refpolicy-targeted: does not suggest a way to fix the 'maybe failing' attempt in postinst", thanks to Eddy Petrisor. While this does not belong in the postinst, I have addedthis to the README.Debian file. This should be a low risk change. (Closes: #407691). * Bug fix: "Default build.conf doesn't match default strict/targeted policy", thanks to Stefan.The build.conf included in the reference source policy describe to build a policy of the type "strict". The default binary policies coming with Debian are build with the policy type "strict-mcs" or "targeted-mcs". Change the build.conf shipped in source to conform to what we really use. (changes TYPE=strict to TYPE=strict-mcs, very low risk change. (Closes: #411256). * Bug fix: "selinux-policy-refpolicy-targeted: openvpn policy do not allow tcp connection mode", thanks to Rafal Kupka. This bug really should be at least important, and we should fully support a class of security product like OpenVPN on machines which are running SELinux, and this is a very low risk change. (Closes: #409041). * Install header files required for policy building for both strict and targeted policies in a new -dev package, so it becomes really useful to work with the source package. Moved the examples from the -src package to this new -dev package, since the example is only useful in with the headers provided. This is a new package, but it contains only files already in the sources (No upstream changes at all), and is the result of make install-headers. This new package has no rdepends, and should be a very low risk addition to Debian. * This release should be a whole lot better for building local policies, including the policygentool for creating a new policy from scratch, and ability to build local policy modular packages. 
The build.conf files have been cleaned up, and the source policy defaults to targeted policy, which is standard in Debian, as opposed to the strict policy, which has priority optional. -- Manoj Srivastava Mon, 26 Feb 2007 22:37:17 -0600 refpolicy (0.0.20061018-3) unstable; urgency=high * Bug fix: "refpolicy: FTBFS: /bin/sh: debian/stamp/config-strict: No such file or directory", thanks to Lucas Nussbaum. This was fixed by moving all the stamps into ./debian instead. I'll re-visit the ./debian/stamp/ directory in lenny. This is a pretty minor packaging change. (Closes: #405613). * Bug fix: "selinux-policy-refpolicy-targeted: Policy for dcc misses Debian's FHS paths", thanks to Devin Carraway. From the bug report: Many of the files in these packages are overlooked when labelling files, because refpolicy's dcc module stipulates paths not consistent with the Debian FHS layout. The files go unlabelled and dcc-client (at least) stops working. The two major problems are the references to /usr/libexec/dcc (daemons, placed in /usr/sbin by the Debian packages) and to /var/dcc (all sorts of things, placed under /var/lib/dcc). A side effect of the latter is that dccifd_t and probably others need search on var_lib_t, through which it must pass to get to /var/lib/dcc. Fixed the policy; will send upstream. (Closes: #404309). * Bug fix: "selinux-policy-refpolicy-targeted: clamav policy forbids clamd_t search on /var/lib", thanks to Devin Carraway. This is a simple one line change, and obviously an oversight; I think getting clamd to work is fairly important. (Closes: #404895). * Bug fix: "selinux-policy-refpolicy-targeted: Multiple problems with courier policy", thanks to Devin Carraway. There is detailed information of the changes made in the bug report, and in the commit logs. Again, fixing courier daemons seems pretty important; SELinux tends to get used a lot on remote mail servers, and this fixes issues with the policy. (Closes: #405103). 
-- Manoj Srivastava Mon, 15 Jan 2007 13:20:30 -0600 refpolicy (0.0.20061018-2) unstable; urgency=high * This update enables MCS for targeted and strict, uses 1024 categories (as Fedora uses - necessary for compatibility). Please note that enabling MCS categories is required for compatibility with filesystems created on Fedora Core 5 and above, RHEL 5 and above, and CentOS 5 and above. MCS categories is also a feature that we plan for all future releases of SE Linux and does not have a nice upgrade path - releasing etch without MCS will make things painful for SE Linux users on the upgrade to lenny. This feature has been extensively tested by Russell Coker and myself, and does not otherwise impact the install. * Allow semanage to use the initrd file descriptor in targeted policy. * Fix a bug with restorecon. * Bug fix: "refpolicy: qemu should have execmem permissions", thanks to David Härdeman (Closes: #402293). -- Manoj Srivastava Fri, 22 Dec 2006 10:33:22 -0600 refpolicy (0.0.20061018-1) unstable; urgency=low * New upstream release * Updated copyright file with the new location of the sources, and added a watch file. * Bug fix: "selinux-policy-refpolicy-targeted: postinst package list retrieval suggestion", thanks to Alexander Buerger. Thanks to the provided suggestion, the selection of policy modules to install is not only faster, it is actually correct :) (Closes: #388744). * Bug fix: "Makefile for building policy modules?", thanks to Uwe Hermann. Provided an initial version, may have bugs. (Closes: #389116). -- Manoj Srivastava Tue, 24 Oct 2006 14:31:22 -0500 refpolicy (0.0.20060911-2) unstable; urgency=low * Fixed a typo in policy postinst that made all the policies reload at every update. -- Manoj Srivastava Tue, 12 Sep 2006 10:28:11 -0500 refpolicy (0.0.20060911-1) unstable; urgency=low * New upstream SCM HEAD. * Synched with Erich Schubert + Added first draft of python-support. You'll want to relabel these files. 
+ Build python-support and setroubleshoot modules + Removed modules from guessing hintfile that are included in base. * Bug fix: "Defaults should match the strict/targeted policy", thanks to Uwe Hermann. Made them match strict. (Closes: #386931). * Bug fix: "selinux-policy-refpolicy-src: Duplicate entries in policy files", thanks to Simon Richard Grint (Closes: #386909). * Bug fix: "modules.conf vs. modules.conf.dist", thanks to Uwe Hermann (Closes: #386887). * Bug fix: "OUTPUT_POLICY and policy-version comments", thanks to Uwe Hermann (Closes: #386930). * Bug fix: "s/bzip2/gzip/?", thanks to Uwe Hermann (Closes: #386885). * Bug fix: "selinux-refpolicy-src: include modules.conf files of strict and targeted for -src package", thanks to Erich Schubert (Closes: #386573). -- Manoj Srivastava Mon, 11 Sep 2006 17:46:10 -0500 refpolicy (0.0.20060907-3) unstable; urgency=low * Updated a few more policy modules to latest versions for Debian. -- Manoj Srivastava Fri, 8 Sep 2006 12:42:22 -0500 refpolicy (0.0.20060907-2) unstable; urgency=low * Update the module/package mapping. * In the selinux-policy-refpolicy-src package, now ship the modules.conf.strict and the modules.conf.targeted files which are used to build the corresponding policy packages, since the raw modules.conf package has issues on Debian. * With this version, we no longer ship the selinux-policy-refpolicy-src unpacked into /etc with a gazillion conffiles; instead, we now ship a compressed tarball in /usr/src, which the user may unpack where they wish, and install policies as they wish. -- Manoj Srivastava Fri, 8 Sep 2006 10:49:40 -0500 refpolicy (0.0.20060907-1) unstable; urgency=low * New upstream SCM HEAD. * Bug fix: "selinux-policy-refpolicy-src: Compile failure of modular targeted policy", thanks to Simon Richard Grint. Put a wrapper around the offending lines to only take effect when running a strict policy. (Closes: #384502). 
* Bug fix: "make: /usr/sbin/setfiles: Command not found", thanks to Uwe Hermann. Fixed upstream. (Closes: #384850). -- Manoj Srivastava Fri, 8 Sep 2006 00:27:39 -0500 refpolicy (0.0.20060813-2) unstable; urgency=low * Bug fix: "Needs gawk", thanks to Simon Richard Grint (Closes: #382821). * Bug fix: "Move /etc/selinux/refpolicy/src/policy/man/man8/* manpages?", thanks to Uwe Hermann (Closes: #372789). * Fix errors in post installation initial policy creation process in the postinst. * Add directories required during policy build during postinst. This bug prevented any policies being built when the package was initially installed. Also, create an empty file_contexts.local file if it does not already exist. * Make selinux-policy-refpolicy-targeted provide and replace the obsolete package selinux-policy-default; which should in the future be just a virtual package. * Added postrm packages to strict and targeted policy packages, in order to clean out the directories in which files are created during policy build. * Rewrote the postinst in perl to allow us to do module dependency checks, and to map policy modules to debian packages, in order to better detect the modules that would be necessary for the target machine. * Also, compiling with either MCS or MLS produced errors while installing policy, since we lack setrans daemon. So we are now building without them, created an easy to modify option to re-enable it later. * Updated modules.conf to use the latest offerings from Erich. -- Manoj Srivastava Mon, 21 Aug 2006 14:59:52 -0500 refpolicy (0.0.20060813-1) unstable; urgency=low * New upstream SCM HEAD. * Bug fix: "refpolicy: FTBFS: tmp/generated_definitions.conf:597:ERROR 'syntax error' at token '' on line 3416:", thanks to Andreas Jochens (Closes: #379559). * Bug fix: "FTBFS while generating selinux-policy-refpolicy-strict", thanks to Devin Carraway (Closes: #379376). * Python transition (#2): you are building a private python module. (Closes: #380930). 
-- Manoj Srivastava Tue, 15 Aug 2006 09:53:06 -0500 refpolicy (0.0.20060509-2) unstable; urgency=low * Modified some paths to be more in line with upstream standards. -- Manoj Srivastava Fri, 12 May 2006 08:30:08 -0500 refpolicy (0.0.20060509-1) unstable; urgency=low * New upstream release. First packaging for Sid. -- Manoj Srivastava Tue, 9 May 2006 13:56:10 -0500 refpolicy (20060506-1) sesarge; urgency=low * New upstream checkout from CVS. * Even more new modules. -- Erich Schubert Sat, 6 May 2006 21:44:07 +0200 refpolicy (20060418-2) sesarge; urgency=low * New upstream checkout from CVS. -- Erich Schubert Fri, 21 Apr 2006 19:17:05 +0200 refpolicy (20060417-1) sesarge; urgency=low * New upstream checkout from CVS. * Until module linking is fixed, build everything into base. (Sorry, this will result in a much larger policy than necessary. Feel free to use the -src package to build your own!) -- Erich Schubert Mon, 17 Apr 2006 21:04:49 +0200 refpolicy (20060414-1) sesarge; urgency=low * New upstream version with tons of new policy files -- Erich Schubert Mon, 17 Apr 2006 20:48:50 +0200 refpolicy (20060329-2) sesarge; urgency=low * Merge upstream 20060329-2 -- Erich Schubert Mon, 3 Apr 2006 00:44:06 +0200 refpolicy (20060324-2) sesarge; urgency=low * Merge upstream 20060324-4 -- Erich Schubert Sat, 25 Mar 2006 03:34:36 +0100 refpolicy (20060324-1) sesarge; urgency=low * Merge upstream 20060323-2 * Merge changes by Thomas Bleher * Build with checkpolicy 1.30.1 * Sorry, still doesn't work with make > 3.80 -- Erich Schubert Sat, 25 Mar 2006 02:21:00 +0100 refpolicy (20060315-2) sesarge; urgency=low * Make modular policy actually work. Hopefully. (Up to now, optional_policy(`module') in base was not working upstream!) 
* Revamp build process, don't use CDBS anymore since I didn't figure out how to do two clean runs of the same source tree, and there is little benefit here without any autotools or library magic needed -- Erich Schubert Fri, 17 Mar 2006 20:51:55 +0100 refpolicy (20060315-1.1) sesarge; urgency=low * Small tweaks and bugfixes to policy -- Erich Schubert Thu, 16 Mar 2006 23:13:40 +0100 refpolicy (20060315-1) sesarge; urgency=low * Merge with upstream and debian changes as of 20060309, rev 50 * Merge with upstream and debian changes as of 20060315, rev 55 * Added "netuser" role, similar to user_tcp_server boolean, but you can enable it for single users only. -- Erich Schubert Thu, 16 Mar 2006 00:23:54 +0100 refpolicy (20060306-1) sesarge; urgency=low * Merge with upstream and debian policy changes as of 20060306, Rev 31 * Try to auto-build a policy after a fresh install in postinst * Add inetd module to base for now * Increase policycoreutils build-dep to hopefully solve the users_extra issues by using a newer policycoreutils for building... -- Erich Schubert Mon, 6 Mar 2006 17:10:43 +0100 refpolicy (20060227-1) sesarge; urgency=low * Merge with upstream and debian policy changes as of 20060227, Rev 20 -- Erich Schubert Tue, 28 Feb 2006 03:48:48 +0100 refpolicy (20060224-2) sesarge; urgency=low * Update build process to not require a tarball, include previous patches into our "branch" of the reference policy instead. -- Erich Schubert Tue, 28 Feb 2006 03:13:51 +0100 refpolicy (20060224-1) sesarge; urgency=low * New upstream CVS checkout. * Move policy src from /etc to /usr/share/selinux/refpolicy This avoids an apt-get size limitation and follows Fedora. * Ship edited build.conf with policy source. * Use debhelper for installing documentation. * Add dependency for source onto gawk. -- Erich Schubert Sat, 25 Feb 2006 01:01:44 +0100 refpolicy (20060222-1) sesarge; urgency=low * New upstream CVS checkout. 
* Thomas also provided a workaround for the make issues in his version. * Update dpkg/apt policy to interface renamings * Remove dpkg_script_exec_t, as supporting this would require bad hacks to dpkg and/or tar. Use dpkg_var_lib_t instead. -- Erich Schubert Thu, 23 Feb 2006 02:01:35 +0100 refpolicy (20060217-3) sesarge; urgency=low * Create selinux-policy-refpolicy-doc package * DIRECT_INITRC=y -- Thomas Bleher Mon, 20 Feb 2006 23:43:53 +0000 refpolicy (20060217-2) sesarge; urgency=low * Added first drafts of dpkg, apt policy -- Erich Schubert Sat, 18 Feb 2006 03:20:59 +0100 refpolicy (20060217-1) sesarge; urgency=low * New upstream CVS checkout * Document make incompatibility via build-dep * Don't build some redhat specific policy modules, minor tweaks -- Erich Schubert Tue, 14 Feb 2006 02:35:04 +0100 refpolicy (20060213-1) sesarge; urgency=low * New upstream CVS checkout. * Still not really useable -- Erich Schubert Tue, 14 Feb 2006 02:35:04 +0100 refpolicy (20060117-1) sesarge; urgency=low * Experimental release -- Erich Schubert Mon, 13 Feb 2006 22:50:03 +0100 debian/copyright0000664000000000000000000000372411345550112011126 0ustar This is the Debian package for the SELinux Reference policy, and it is built from sources obtained from: http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease This package was originally debianized by Erich Schubert on Mon, 13 Feb 2006 22:50:03 +0100. The package was later maintained by Manoj Srivastava . The package has since changed maintainers for the Ubuntu fork, and the current maintainer is Caleb Case . 
Changes: * added Debian GNU/Linux package maintenance system files * Some Debian specific tweaks and changes to policy also exist * Some Ubuntu specific tweaks and changes to policy also exist The reference policy is Copyright (C) 2002 Michael Droettboom Copyright (C) 2003 - 2006 Tresys Technology, LLC License: This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License. This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this package; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA The debian specific changes are Copyright © 2006 Manoj Srivastava, and distributed under the terms of the GNU General Public License, version 2. On Debian GNU/Linux systems, the complete text of the GNU General Public License can be found in `/usr/share/common-licenses/GPL'. A copy of the GNU General Public License is also available at . You may also obtain it by writing to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA debian/dirs0000664000000000000000000000006511345550112010052 0ustar etc/selinux/ubuntu/modules etc/selinux/ubuntu/policy debian/README.Debian0000664000000000000000000000055011345550112011226 0ustar It would be useful for most users to be familiar with policycoreutils tools in order to manipulate policies installed on the system. Specifically, it is useful to be familiar with: semodule(8) - Manage SELinux policy modules. 
load_policy(8) - load a new policy into the kernel -- Manoj Srivastava , Tue, 9 May 2006 14:07:31 -0500 debian/selinux-policy-ubuntu-dev.install0000664000000000000000000000004411345550112015633 0ustar /usr/share/selinux/ubuntu/include/* debian/rules0000775000000000000000000000064111364162452010255 0ustar #!/usr/bin/make -f include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/class/makefile.mk # Add here any variable or target overrides you need. DEB_DH_INSTALL_ARGS = --sourcedir=debian/tmp DEB_MAKE_CLEAN_TARGET = clean DEB_MAKE_BUILD_TARGET = xml DEB_MAKE_INSTALL_TARGET = DESTDIR=$(CURDIR)/debian/tmp install install-headers install-docs DEB_MAKE_CHECK_TARGET = DEB_COMPRESS_EXCLUDE = .py