Index: /selinux/Makefile
===================================================================
--- /selinux/Makefile	(revision 28)
+++ /selinux/Makefile	(revision 28)
@@ -0,0 +1,3 @@
+include /usr/share/selinux/devel/include/Makefile
+
+build/%.fc: %.fc
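Review bot: The pattern rule `build/%.fc: %.fc` on the last line has no recipe, and the hunk ends there (three lines in total). In GNU make a pattern rule without a recipe builds nothing; it only cancels a matching implicit rule. If the intent was to copy or generate the top-level `.fc` files into `build/`, a recipe line is missing. If cancellation is the intent, a one-line comment above the rule saying so would keep the next maintainer from "fixing" it.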
Index: /selinux/build/afsd.fc
===================================================================
--- /selinux/build/afsd.fc	(revision 28)
+++ /selinux/build/afsd.fc	(revision 28)
@@ -0,0 +1,9 @@
+# afs executable will have:
+# label: system_u:object_r:afsd_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/vice/etc/afsd	--	gen_context(system_u:object_r:afsd_exec_t,s0)
+/usr/vice/etc(/.*)?		gen_context(system_u:object_r:afsd_etc_t,s0)
+/usr/vice/cache(/.*)?		gen_context(system_u:object_r:afsd_cache_t,s0)
+/afs			-d	gen_context(system_u:object_r:default_t,s0)
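Review bot: The last entry labels the `/afs` mount point `default_t`, a generic type shared with unrelated files, so the mount permission has to be granted against `default_t` as a whole; afsd.te in this same commit does that with `files_mounton_default(afsd_t)`. A dedicated type would confine the permission to this one directory, e.g. `/afs -d gen_context(system_u:object_r:afsd_mnt_t,s0)` plus a matching `type` declaration and a `mounton` rule on that type (the type name is constructed here). The header comment also describes only the `afsd_exec_t` label; the etc, cache and mount-point entries deserve a line each.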
Index: /selinux/build/afsd.if
===================================================================
--- /selinux/build/afsd.if	(revision 28)
+++ /selinux/build/afsd.if	(revision 28)
@@ -0,0 +1,38 @@
+## <summary>policy for afs</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run afs.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`afsd_domtrans',`
+	gen_require(`
+		type afsd_t, afsd_exec_t;
+	')
+
+	domain_auto_trans($1,afsd_exec_t,afsd_t)
+
+	allow $1 afsd_t:fd use;
+	allow afsd_t $1:fd use;
+	allow afsd_t $1:fifo_file rw_file_perms;
+	allow afsd_t $1:process sigchld;
+')
+
+interface(`afs_access',`
+	gen_require(`
+		type afsd_t, afsd_etc_t;
+		type autofs_t, nfs_t;
+	')
+	allow $1 afsd_t:udp_socket all_udp_socket_perms;
+	allow $1 afsd_etc_t:dir r_dir_perms;
+	allow $1 afsd_etc_t:file r_file_perms;
+	allow $1 autofs_t:dir r_dir_perms;
+	allow $1 autofs_t:lnk_file r_file_perms;
+	allow $1 nfs_t:dir manage_dir_perms;
+	allow $1 nfs_t:file_class_set manage_file_perms;
+')
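Review bot: `afs_access` has no `## <summary>` / `## <param name="domain">` header, unlike `afsd_domtrans` above it, and its grants are wide. Every caller receives `all_udp_socket_perms` on `afsd_t` sockets, plus `manage_dir_perms` and `manage_file_perms` on everything labeled `nfs_t`, rather than read access only. afsd.te in this commit applies it to `crond_t`, `kernel_t`, `sshd_t` and `user_t`, so consider splitting it into a read-only interface and a manage interface so each domain gets only what it needs. The name also departs from the `afsd_` prefix used by the module's other interface.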
Index: /selinux/build/afsd.te
===================================================================
--- /selinux/build/afsd.te	(revision 28)
+++ /selinux/build/afsd.te	(revision 28)
@@ -0,0 +1,79 @@
+policy_module(afsd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type afsd_t;
+type afsd_exec_t;
+domain_type(afsd_t)
+init_daemon_domain(afsd_t, afsd_exec_t)
+
+# var/lib files
+type afsd_etc_t;
+type afsd_cache_t;
+files_type(afsd_etc_t)
+files_type(afsd_cache_t)
+
+allow afsd_t { afsd_etc_t afsd_cache_t }:dir manage_dir_perms;
+allow afsd_t { afsd_etc_t afsd_cache_t }:file_class_set manage_file_perms;
+#files_var_lib_filetrans(afsd_t,afsd_cache_t, { file dir sock_file })
+
+########################################
+#
+# AFS local policy
+
+files_read_etc_files(afsd_t)
+files_rw_etc_runtime_files(afsd_t)
+libs_use_ld_so(afsd_t)
+libs_use_shared_libs(afsd_t)
+miscfiles_read_localization(afsd_t)
+
+# Init script handling
+init_use_fds(afsd_t)
+init_use_script_ptys(afsd_t)
+domain_use_interactive_fds(afsd_t)
+
+files_mounton_default(afsd_t)
+kernel_read_system_state(afsd_t)
+kernel_write_proc_files(afsd_t)
+fs_mount_nfs(afsd_t)
+fs_remount_nfs(afsd_t)
+fs_unmount_nfs(afsd_t)
+fs_manage_nfs_files(afsd_t)
+fs_manage_nfs_symlinks(afsd_t)
+fs_manage_nfs_named_pipes(afsd_t)
+fs_manage_nfs_named_sockets(afsd_t)
+
+fs_getattr_xattr_fs(afsd_t);
+
+allow afsd_t self:dir mounton;
+allow afsd_t self:process setsched;
+allow afsd_t self:capability { sys_admin sys_nice sys_tty_config};
+
+require {
+	type afs_bos_port_t,afs_fs_port_t,afs_fs_port_t,afs_ka_port_t,afs_pt_port_t,afs_vl_port_t;
+	type netif_t, node_t;
+}
+allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:tcp_socket all_tcp_socket_perms;
+allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:udp_socket all_udp_socket_perms;
+allow afsd_t netif_t:netif { udp_recv udp_send };
+allow afsd_t node_t:node { udp_recv udp_send };
+
+require {
+	type crond_t, kernel_t, sshd_t, user_t;
+}
+afs_access(afsd_t);
+afs_access(crond_t);
+afs_access(kernel_t);
+afs_access(sshd_t);
+afs_access(user_t);
+
+require {
+	type initrc_t;
+}
+# init.d script sets up cell files:
+allow initrc_t afsd_etc_t:file { setattr write };
+# permit aklog:
+allow user_t proc_t:file write;
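Review bot: The final rule, `allow user_t proc_t:file write;`, references `proc_t`, but none of the `require` blocks in this file lists that type, so the module may be rejected when it is compiled as a loadable module; `require { type proc_t; }` is needed if the rule stays. The rule also gives the general user domain write access to every file carrying the generic /proc label just so that aklog works. If the AFS entry under /proc can be given its own type, grant write on that type instead, and extend the `# permit aklog:` comment to say which file aklog writes. Separately, `afs_fs_port_t` is listed twice in the port `require` line and in both socket rules; check whether another port type was meant, otherwise drop the duplicate.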
Index: /selinux/build/misc.fc
===================================================================
--- /selinux/build/misc.fc	(revision 28)
+++ /selinux/build/misc.fc	(revision 28)
@@ -0,0 +1,2 @@
+/var/empty/sshd(.*)				gen_context(system_u:object_r:sshd_t,s0)
+/var/empty/sshd/etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
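Review bot: The first entry assigns `sshd_t` to files under `/var/empty/sshd`, but `sshd_t` is normally the process domain of the SSH daemon, not a file type. Labeling files with a domain type mixes subject and object labels, and every rule written against `sshd_t` as a target then also covers those files. A file type should be used instead; which one fits depends on the base policy, which this page does not show. The pattern `/var/empty/sshd(.*)` also lacks the slash, so it matches sibling names such as `/var/empty/sshd-old` (constructed example); the form used in afsd.fc, `/var/empty/sshd(/.*)?`, limits it to the directory and its contents.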
Index: /selinux/build/misc.te
===================================================================
--- /selinux/build/misc.te	(revision 28)
+++ /selinux/build/misc.te	(revision 28)
@@ -0,0 +1,2 @@
+policy_module(misc,1.0.0)
+
Index: /selinux/selinux.conf
===================================================================
--- /selinux/selinux.conf	(revision 28)
+++ /selinux/selinux.conf	(revision 28)
@@ -0,0 +1,15 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#	enforcing - SELinux security policy is enforced.
+#	permissive - SELinux prints warnings instead of enforcing.
+#	disabled - SELinux is fully disabled.
+SELINUX=enforcing
+# SELINUXTYPE= type of policy in use. Possible values are:
+#	targeted - Only targeted network daemons are protected.
+#	strict - Full SELinux protection.
+SELINUXTYPE=strict
+
+# SETLOCALDEFS= Check local definition changes
+SETLOCALDEFS=0 
+
+CRONTYPE=relabel
Index: /selinux/set_booleans.sh
===================================================================
--- /selinux/set_booleans.sh	(revision 28)
+++ /selinux/set_booleans.sh	(revision 28)
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+setsebool -P allow_kerberos=1 \
+	allow_httpd_anon_write=1 \
+	allow_httpd_staff_script_anon_write=1 \
+	allow_httpd_sys_script_anon_write=1 \
+	allow_httpd_sysadm_script_anon_write=1 \
+	allow_httpd_user_script_anon_write=1 \
+	allow_java_execstack=1 \
+	allow_user_mysql_connect=1 \
+	cron_can_relabel=1 \
+	httpd_builtin_scripting=1 \
+	httpd_can_network_connect=1 \
+	httpd_can_network_connect_db=1 \
+	httpd_can_network_relay=1 \
+	httpd_enable_cgi=1 \
+	httpd_enable_homedirs=1 \
+	httpd_ssi_exec=1 \
+	httpd_tty_comm=1 \
+	nfs_export_all_ro=1 \
+	nfs_export_all_rw=1 \
+	ssh_sysadm_login=1 \
+	staff_read_sysadm_file=1 \
+	use_nfs_home_dirs=1 \
+	use_samba_home_dirs=1 \
+	user_ping=1 \
+	user_rw_noexattrfile=1
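Review bot: All 25 booleans are switched on persistently (`-P`) in a single command with no comment saying why each one is needed. Several of them relax the policy considerably, for example `allow_httpd_anon_write`, `allow_java_execstack`, `nfs_export_all_rw` and `ssh_sysadm_login`. Group them by the service that depends on them, give each group a one-line rationale comment, and leave out any that this deployment does not rely on. The backslash continuations leave no room for comments between arguments, so this means either one `setsebool -P` call per group or a bash array with a comment per element passed to a single call.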
Index: /server/common/patches/openafs-scripts.patch
===================================================================
--- /server/common/patches/openafs-scripts.patch	(revision 27)
+++ /server/common/patches/openafs-scripts.patch	(revision 28)
@@ -18,4 +18,16 @@
 # See /COPYRIGHT in this repository for more information.
 #
+diff -ur openafs-1.4.1-rc10/src/config/param.amd64_linux26.h openafs-1.4.1-rc10-scripts/src/config/param.amd64_linux26.h
+--- openafs-1.4.1-rc10/src/config/param.amd64_linux26.h	2003-08-27 17:43:16.000000000 -0400
++++ openafs-1.4.1-rc10-scripts/src/config/param.amd64_linux26.h	2006-04-18 16:38:55.000000000 -0400
+@@ -33,7 +33,7 @@
+ #if defined(__KERNEL__) && !defined(KDUMP_KERNEL)
+ #include <linux/threads.h>
+ 
+-#include <linux/config.h>
++#include <linux/autoconf.h>
+ #ifdef CONFIG_SMP
+ #ifndef AFS_SMP
+ #define AFS_SMP 1
 diff -ur openafs-1.4.1-rc10/src/afs/afs_analyze.c openafs-1.4.1-rc10-scripts/src/afs/afs_analyze.c
 --- openafs-1.4.1-rc10/src/afs/afs_analyze.c	2003-08-27 17:43:16.000000000 -0400
