[selinux-policy: 220/3172] fixes from cab

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:23:57 UTC 2010


commit d490eb6b5c2bd7b4dc5436e8e72be2d76f0d7812
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu May 26 20:38:45 2005 +0000

    fixes from cab

 refpolicy/policy/modules/admin/dmesg.te       |    4 +-
 refpolicy/policy/modules/kernel/bootloader.if |   29 ++++++++++--
 refpolicy/policy/modules/kernel/devices.if    |   34 +++++++++++++++
 refpolicy/policy/modules/kernel/kernel.te     |    1 +
 refpolicy/policy/modules/kernel/terminal.if   |   10 ++--
 refpolicy/policy/modules/system/authlogin.if  |    4 +-
 refpolicy/policy/modules/system/authlogin.te  |    5 +--
 refpolicy/policy/modules/system/clock.te      |    2 +
 refpolicy/policy/modules/system/domain.if     |   57 +++++++++++++++++++++++--
 refpolicy/policy/modules/system/files.if      |   36 +++++++++++-----
 refpolicy/policy/modules/system/hotplug.te    |    2 +-
 refpolicy/policy/modules/system/init.if       |   24 +++++++++-
 refpolicy/policy/modules/system/init.te       |   48 ++++++++++++++-------
 refpolicy/policy/modules/system/iptables.if   |    2 +-
 refpolicy/policy/modules/system/logging.if    |   17 +++++++
 refpolicy/policy/modules/system/lvm.te        |    4 +-
 refpolicy/policy/modules/system/modutils.te   |    8 ++--
 refpolicy/policy/modules/system/mount.te      |    2 +-
 refpolicy/policy/modules/system/udev.te       |    3 +-
 refpolicy/policy/modules/system/userdomain.if |   24 +++++++++-
 20 files changed, 252 insertions(+), 64 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 4aa192c..4878a04 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -9,7 +9,7 @@ policy_module(dmesg, 1.0)
 
 type dmesg_t;
 type dmesg_exec_t;
-init_make_daemon_domain(dmesg_t,dmesg_exec_t)
+init_make_system_domain(dmesg_t,dmesg_exec_t)
 role system_r types dmesg_t;
 
 ########################################
@@ -32,6 +32,8 @@ terminal_ignore_use_console(dmesg_t)
 
 domain_use_widely_inheritable_file_descriptors(dmesg_t)
 
+files_read_general_system_config_directory(dmesg_t)
+
 init_use_file_descriptors(dmesg_t)
 init_script_use_pseudoterminal(dmesg_t)
 
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 742e7a5..8681739 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -282,28 +282,47 @@ class dir { getattr search read };
 define(`bootloader_read_kernel_modules',`
 requires_block_template(`$0'_depend)
 allow $1 modules_object_t:dir { getattr search read };
-allow $1 modules_object_t:{ lnk_file file } { getattr read };
+allow $1 modules_object_t:lnk_file { getattr read };
+allow $1 modules_object_t:file { getattr read lock };
 ')
 
 define(`bootloader_read_kernel_modules_depend',`
 type modules_object_t;
 class dir { getattr search read };
 class lnk_file { getattr read };
-class file { getattr read };
+class file { getattr read lock };
+')
+
+########################################
+#
+# bootloader_write_kernel_modules(domain)
+#
+define(`bootloader_write_kernel_modules',`
+requires_block_template(`$0'_depend)
+allow $1 modules_object_t:dir { getattr search read };
+allow $1 modules_object_t:file write;
+typeattribute $1 can_modify_kernel_modules;
+')
+
+define(`bootloader_write_kernel_modules_depend',`
+attribute can_modify_kernel_modules;
+type modules_object_t;
+class dir { getattr search read };
+class file write;
 ')
 
 ########################################
 #
-# bootloader_modify_kernel_modules(domain)
+# bootloader_manage_kernel_modules(domain)
 #
-define(`bootloader_modify_kernel_modules',`
+define(`bootloader_manage_kernel_modules',`
 requires_block_template(`$0'_depend)
 allow $1 modules_object_t:file { getattr create read write setattr unlink };
 allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
 typeattribute $1 can_modify_kernel_modules;
 ')
 
-define(`bootloader_modify_kernel_modules_depend',`
+define(`bootloader_manage_kernel_modules_depend',`
 attribute can_modify_kernel_modules;
 type modules_object_t;
 class file { getattr create read write setattr unlink };
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index d64ae40..afe9f5f 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -689,20 +689,54 @@ class chr_file { getattr write ioctl };
 
 ########################################
 #
+# devices_read_lvm_control_channel(domain)
+#
+define(`devices_read_lvm_control_channel',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr read search };
+allow $1 lvm_control_t:chr_file { getattr read };
+')
+
+define(`devices_read_lvm_control_channel_depend',`
+type lvm_control_t;
+class dir { getattr read search };
+class chr_file { ioctl read getattr lock write append };
+')
+
+########################################
+#
 # devices_use_lvm_control_channel(domain)
 #
 define(`devices_use_lvm_control_channel',`
 requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr search read };
 allow $1 lvm_control_t:chr_file { ioctl read getattr lock write append };
 ')
 
 define(`devices_use_lvm_control_channel_depend',`
 type lvm_control_t;
+class dir { getattr read search };
 class chr_file { ioctl read getattr lock write append };
 ')
 
 ########################################
 #
+# devices_remove_lvm_control_channel(domain)
+#
+define(`devices_remove_lvm_control_channel',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr search read write remove_name };
+allow $1 lvm_control_t:chr_file unlink;
+')
+
+define(`devices_remove_lvm_control_channel_depend',`
+type lvm_control_t;
+class dir { getattr search read write remove_name };
+class chr_file unlink;
+')
+
+########################################
+#
 # devices_read_misc(domain)
 #
 define(`devices_read_misc',`
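Review bot: The three `_depend` blocks in this hunk (L130-134, L146-150, L162-166) declare `type lvm_control_t;` but not `device_t`, even though each interface now has an `allow $1 device_t:dir ...` rule (L126, L142, L158), so the generated requires block would be missing the type; each should read `type device_t, lvm_control_t;`. The read interface's depend also declares `class chr_file { ioctl read getattr lock write append };` while the rule at L127 grants only `{ getattr read }` — a copy of the use interface's line; `class chr_file { getattr read };` keeps the declared requirement equal to what is granted.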
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 4e108d2..dec1ddd 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -95,6 +95,7 @@ genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0)
 
 # /proc/sys directory, base directory of sysctls
 type sysctl_t;
+files_make_mountpoint(sysctl_t)
 genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
 
 # /proc/sys/fs directory and files
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index ea24f98..4033f2f 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -93,14 +93,14 @@ define(`terminal_use_all_terminals',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
 allow $1 devpts_t:dir { getattr search read };
-allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { read write };
+allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { getattr read write ioctl };
 ')
 
 define(`terminal_use_all_terminals_depend',`
 attribute ttynode, ptynode;
 type console_device_t, devtty_t, devpts_t;
 class dir { getattr search read };
-class chr_file { read write };
+class chr_file { getattr read write };
 ')
 
 ########################################
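Review bot: The depend block at L202 declares `class chr_file { getattr read write };` but the rule at L194 now also grants `ioctl`, so the requirement no longer matches the grant; the third hunk of this file gets it right (L226) and this one should read `class chr_file { getattr read write ioctl };`. The same check applies to `terminal_use_console` (L211 adds ioctl), whose `_depend` body lies outside the next hunk and cannot be confirmed from here.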
@@ -117,7 +117,7 @@ class chr_file { read write };
 define(`terminal_use_console',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
-allow $1 console_device_t:chr_file { read write };
+allow $1 console_device_t:chr_file { getattr read write ioctl };
 ')
 
 define(`terminal_use_console_depend',`
@@ -228,12 +228,12 @@ class chr_file { read write };
 define(`terminal_use_controlling_terminal',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
-allow $1 devtty_t:chr_file { read write };
+allow $1 devtty_t:chr_file { getattr read write ioctl };
 ')
 
 define(`terminal_use_controlling_terminal_depend',`
 type devtty_t;
-class chr_file { read write };
+class chr_file { getattr read write ioctl };
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index de01298..b90c7d9 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -582,12 +582,12 @@ class file write;
 define(`authlogin_modify_login_records',`
 requires_block_template(`$0'_depend)
 logging_search_system_log_directory($1)
-allow $1 wtmp_t:file { getattr read write setattr };
+allow $1 wtmp_t:file { getattr read write append setattr lock };
 ')
 
 define(`authlogin_modify_login_records_depend',`
 type wtmp_t;
-class file { getattr read write setattr };
+class file { getattr read write append setattr lock };
 ')
 
 ## </module>
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 32c4fc8..b7b6f8a 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -160,6 +160,7 @@ domain_use_widely_inheritable_file_descriptors(pam_console_t)
 
 files_read_general_system_config(pam_console_t)
 files_search_runtime_data_directory(pam_console_t)
+files_read_mnt_dir(pam_console_t)
 
 libraries_use_dynamic_loader(pam_console_t)
 libraries_use_shared_libraries(pam_console_t)
@@ -214,8 +215,6 @@ removable_device_t
 scsi_generic_device_t
 }:chr_file { getattr setattr };
 
-allow pam_console_t mnt_t:dir r_dir_perms;
-
 ifdef(`gpm.te', `
 allow pam_console_t gpmctl_t:sock_file { getattr setattr };
 ')
@@ -223,8 +222,6 @@ allow pam_console_t gpmctl_t:sock_file { getattr setattr };
 ifdef(`xdm.te', `
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
-
-allow initrc_t pam_var_console_t:dir r_dir_perms;
 ') dnl endif TODO
 
 ########################################
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index dc47297..e8badbe 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -47,6 +47,8 @@ init_script_use_pseudoterminal(hwclock_t)
 
 domain_use_widely_inheritable_file_descriptors(hwclock_t)
 
+files_read_general_system_config_directory(hwclock_t)
+
 libraries_use_dynamic_loader(hwclock_t)
 libraries_use_shared_libraries(hwclock_t)
 
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 42de0c9..63c73d7 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -14,7 +14,7 @@ typeattribute $1 domain;
 
 # allow the domain to read its /proc/pid entries
 allow $1 self:dir { getattr search read };
-allow $1 self:{ file lnk_file } { getattr read };
+allow $1 self:{ file lnk_file } { getattr read write };
 
 # allow $1 to create child processes in this domain
 allow $1 self:process { fork sigchld };
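Review bot: L301 grants `write` on `self:{ file lnk_file }` to every base domain, but the comment at L298 still says the rules only allow reading `/proc/pid` entries, and the depend block in the next hunk (L311) leaves `lnk_file` at `{ getattr read }` so the `lnk_file write` grant is undeclared. Since this is inherited by every domain in the policy, the justification belongs in the comment; I would split the rule into `allow $1 self:file { getattr read write };` and `allow $1 self:lnk_file { getattr read };` and change the comment to `# allow the domain to read its /proc/pid entries and write the ones it owns`.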
@@ -23,7 +23,7 @@ allow $1 self:process { fork sigchld };
 define(`domain_make_base_domain_depend',`
 attribute domain;
 class dir { getattr search read };
-class file { getattr read };
+class file { getattr read write };
 class lnk_file { getattr read };
 ')
 
@@ -192,7 +192,12 @@ requires_block_template(`$0'_depend)
 allow $1 domain:dir { getattr search read };
 allow $1 domain:lnk_file { getattr read };
 allow $1 domain:file { getattr read };
-allow $1 domain:process { getattr getsession };
+allow $1 domain:process getattr;
+# We need to suppress this denial because procps tries to access
+# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+# running in a privileged domain.
+dontaudit $1 domain:process ptrace;
 ')
 
 define(`domain_read_all_domains_process_state_depend',`
@@ -200,7 +205,51 @@ attribute domain;
 class dir { getattr search read };
 class lnk_file { getattr read };
 class file { getattr read };
-class process { getattr getsession };
+class process { getattr ptrace };
+')
+
+########################################
+## <interface name="domain_ignore_read_all_domains_process_dirs">
+##	<description>
+##		Do not audit attempts to read the process state
+##		directories of all domains.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="none"/>
+## </interface>
+#
+define(`domain_ignore_read_all_domains_process_dirs',`
+requires_block_template(`$0'_depend)
+dontaudit $1 domain:dir { getattr search read };
+')
+
+define(`domain_ignore_read_all_domains_process_dirs_depend',`
+attribute domain;
+class dir { getattr search read };
+')
+
+
+########################################
+## <interface name="domain_get_all_domains_session_id">
+##	<description>
+##		Get the session ID of all domains.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="1"/>
+## </interface>
+#
+define(`domain_get_all_domains_session_id',`
+requires_block_template(`$0'_depend)
+allow $1 domain:process getsession;
+')
+
+define(`domain_get_all_domains_session_id_depend',`
+attribute domain;
+class process getsession;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 6735cf0..6d7c4a5 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -183,7 +183,7 @@ allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setat
 allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
 # satisfy the assertions:
 selinux_write_binary_policy($1)
-bootloader_modify_kernel_modules($1)
+bootloader_manage_kernel_modules($1)
 ')
 
 define(`files_manage_all_files_depend',`
@@ -476,7 +476,7 @@ class dir { getattr search read };
 define(`files_read_general_system_config',`
 requires_block_template(`$0'_depend)
 allow $1 etc_t:dir { getattr search read };
-allow $1 etc_t:file { getattr read };
+allow $1 etc_t:file { getattr read ioctl };
 allow $1 etc_t:lnk_file { getattr read };
 ')
 
@@ -494,14 +494,14 @@ class lnk_file { getattr read };
 define(`files_modify_general_system_config',`
 requires_block_template(`$0'_depend)
 allow $1 etc_t:dir { getattr search read };
-allow $1 etc_t:file { getattr read write };
+allow $1 etc_t:file { getattr read write ioctl };
 allow $1 etc_t:lnk_file { getattr read };
 ')
 
 define(`files_modify_general_system_config_depend',`
 type etc_t;
 class dir { getattr search read };
-class file { getattr read write };
+class file { getattr read write ioctl };
 class lnk_file { getattr read };
 ')
 
@@ -558,7 +558,7 @@ allow $1 etc_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`files_execute_system_config_script_depend',`
-type etc_t, etc_runtime_t;
+type etc_t;
 class dir { getattr search read };
 class lnk_file { getattr read };
 class file { getattr read execute execute_no_trans };
@@ -585,19 +585,19 @@ class file { create read write setattr };
 
 ########################################
 #
-# files_create_runtime_system_config(type)
+# files_manage_runtime_system_config(type)
 #
-define(`files_create_runtime_system_config',`
+define(`files_manage_runtime_system_config',`
 requires_block_template(`$0'_depend)
 allow $1 etc_t:dir { getattr search read write add_name remove_name };
-allow $1 etc_runtime_t:file { create read write setattr unlink };
+allow $1 etc_runtime_t:file { getattr create read write append setattr rename link unlink lock };
 type_transition $1 etc_t:file etc_runtime_t;
 ')
 
-define(`files_create_runtime_system_config_depend',`
+define(`files_manage_runtime_system_config_depend',`
 type etc_t, etc_runtime_t;
 class dir { getattr search read write add_name };
-class file { create read write setattr };
+class file { getattr create read write append setattr rename unlink unlink lock };
 ')
 
 ########################################
@@ -610,7 +610,7 @@ allow $1 etc_t:dir { getattr search read };
 allow $1 etc_runtime_t:file { getattr read };
 ')
 
-define(`files_create_runtime_system_config_depend',`
+define(`files_read_runtime_system_config_depend',`
 type etc_t, etc_runtime_t;
 class dir { getattr search read };
 class file { getattr read };
@@ -658,6 +658,20 @@ class dir { getattr search read };
 
 ########################################
 #
+# files_read_mnt_dir(domain)
+#
+define(`files_read_mnt_dir',`
+requires_block_template(`$0'_depend)
+allow $1 mnt_t:dir { getattr search read };
+')
+
+define(`files_read_runtime_system_config_depend',`
+type mnt_t;
+class dir { getattr search read };
+')
+
+########################################
+#
 # files_create_private_tmp_data(domain,private_type,[object class(es)])
 #
 define(`files_create_private_tmp_data',`
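Review bot: The depend block for the new `files_read_mnt_dir` interface is named `files_read_runtime_system_config_depend` (L474) instead of `files_read_mnt_dir_depend`, so `requires_block_template(`$0'_depend)` at L470 refers to an undefined macro. Worse, this second definition replaces the real `files_read_runtime_system_config_depend` from the earlier hunk (L459), so that interface's requires block would declare `mnt_t` instead of `etc_t`/`etc_runtime_t`. The fix is the one line `define(`files_read_mnt_dir_depend',`.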
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index bc63bb8..547fa29 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -75,7 +75,7 @@ corecommands_execute_system_programs(hotplug_t)
 domain_use_widely_inheritable_file_descriptors(hotplug_t)
 
 files_read_general_system_config(hotplug_t)
-files_create_runtime_system_config(hotplug_t)
+files_manage_runtime_system_config(hotplug_t)
 files_execute_system_config_script(hotplug_t)
 
 init_use_file_descriptors(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index efbf5e5..fca0f60 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -35,8 +35,8 @@ role system_r types $1;
 allow initrc_t $1:process transition;
 allow initrc_t $2:file { getattr read execute };
 dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-allow $1 initrc_t:fd use;
 type_transition initrc_t $2:process $1;
+allow $1 initrc_t:fd use;
 ')
 
 define(`init_make_daemon_domain_depend',`
@@ -59,15 +59,19 @@ role system_r types $1;
 allow initrc_t $1:process transition;
 allow initrc_t $2:file { getattr read execute };
 dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-allow $1 initrc_t:fd use;
 type_transition initrc_t $2:process $1;
+allow $1 initrc_t:fd use;
+allow $1 initrc_t:process sigchld;
+# cjp: probably for logging
+allow $1 initrc_t:fifo_file write;
 ')
 
 define(`init_make_system_domain_depend',`
 type initrc_t;
 class file { getattr read execute };
 class fd use;
-class process { transition noatsecure siginh rlimitinh };
+class fifo_file write;
+class process { transition noatsecure siginh rlimitinh sigchld };
 role system_r;
 ')
 
@@ -119,6 +123,20 @@ class fifo_file getattr;
 
 ########################################
 #
+# init_ignore_get_control_channel_attributes(domain)
+#
+define(`init_ignore_get_control_channel_attributes',`
+requires_block_template(`$0'_depend)
+dontaudit $1 initctl_t:fifo_file getattr;
+')
+
+define(`init_get_control_channel_attributes_depend',`
+type initctl_t;
+class fifo_file getattr;
+')
+
+########################################
+#
 # init_use_control_channel(domain)
 #
 define(`init_use_control_channel',`
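Review bot: The depend block at L544 is named `init_get_control_channel_attributes_depend`, but the interface at L539 expands `$0'_depend` to `init_ignore_get_control_channel_attributes_depend`, which is never defined; lvm.te now calls this interface (L761), so the mismatch will surface there. The line should read `define(`init_ignore_get_control_channel_attributes_depend',`.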
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 937b98c..f9c1fba 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -61,6 +61,8 @@ files_make_temporary_file(initrc_tmp_t)
 # Init local policy
 #
 
+allow init_t self:fifo_file { read write ioctl };
+
 # Re-exec itself
 allow init_t init_exec_t:file { getattr read execute execute_no_trans };
 
@@ -79,8 +81,6 @@ allow init_t initrc_exec_t:file { getattr read execute };
 type_transition init_t initrc_exec_t:process initrc_t;
 dontaudit init_t initrc_t:process { noatsecure siginh rlimitinh };
 
-allow init_t self:fifo_file { read write ioctl };
-
 kernel_sigchld_from(init_t)
 
 # If you load a new policy that removes active domains, processes can
@@ -121,13 +121,18 @@ tunable_policy(`distro_redhat',`
 filesystem_use_tmpfs_character_devices(init_t)
 ')
 
+# Run the shell in the sysadm_t domain for single-user mode.
+optional_policy(`userdomain.te',`
+userdomain_sysadm_shell_transition(init_t)
+')
+
 ########################################
 #
 # the following seem questionable
 #
 
 libraries_modify_dynamic_loader_cache(init_t)
-files_create_runtime_system_config(init_t)
+files_manage_runtime_system_config(init_t)
 authlogin_modify_login_records(init_t)
 logging_modify_system_logs(init_t)
 
@@ -141,7 +146,7 @@ allow init_t self:capability ~sys_module;
 # sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
 
 # Modify utmp.
-allow init_t initrc_var_run_t:file { getattr read write setattr };
+allow init_t initrc_var_run_t:file { getattr read write setattr lock };
 
 ifdef(`TODO',`
 
@@ -161,10 +166,12 @@ allow initrc_t self:passwd rootok;
 # Allow IPC with self
 allow initrc_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
-allow initrc_t self:fifo_file { read write ioctl };
+allow initrc_t self:fifo_file { getattr read write ioctl };
 
 allow initrc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
 
+allow initrc_t init_t:fd use;
+
 allow initrc_t initrc_state_t:dir { create read getattr lock setattr ioctl unlink rename search add_name remove_name reparent write rmdir };
 allow initrc_t initrc_state_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
@@ -172,6 +179,7 @@ allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rena
 allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown };
 allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
 
+allow initrc_t initrc_var_run_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 files_create_daemon_runtime_data(initrc_t,initrc_var_run_t)
 
 allow initrc_t initrc_tmp_t : file { create ioctl read getattr lock write setattr append link unlink rename };
@@ -216,6 +224,8 @@ devices_read_realtime_clock(initrc_t)
 devices_read_sound_mixer_levels(initrc_t)
 devices_write_sound_mixer_levels(initrc_t)
 devices_set_all_character_device_attributes(initrc_t)
+devices_read_lvm_control_channel(initrc_t)
+devices_remove_lvm_control_channel(initrc_t)
 # Wants to remove udev.tbl:
 devices_remove_dev_symbolic_links(initrc_t)
 
@@ -233,12 +243,16 @@ storage_set_removable_device_attributes(initrc_t)
 terminal_use_all_terminals(initrc_t)
 terminal_reset_physical_terminal_labels(initrc_t)
 
+authlogin_modify_login_records(initrc_t)
+authlogin_modify_last_login_log(initrc_t)
+
 corecommands_execute_general_programs(initrc_t)
 corecommands_execute_system_programs(initrc_t)
 corecommands_execute_shell(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_read_all_domains_process_state(initrc_t)
+domain_get_all_domains_session_id(initrc_t)
 domain_use_widely_inheritable_file_descriptors(initrc_t)
 
 files_get_all_file_attributes(initrc_t)
@@ -246,7 +260,7 @@ files_remove_all_tmp_data(initrc_t)
 files_remove_all_lock_files(initrc_t)
 files_remove_all_daemon_runtime_data(initrc_t)
 files_read_general_system_config(initrc_t)
-files_create_runtime_system_config(initrc_t)
+files_manage_runtime_system_config(initrc_t)
 files_manage_system_lock_files(initrc_t)
 files_execute_system_config_script(initrc_t)
 files_read_general_application_resources(initrc_t)
@@ -258,21 +272,17 @@ libraries_use_shared_libraries(initrc_t)
 libraries_execute_library_scripts(initrc_t)
 
 logging_send_system_log_message(initrc_t)
+logging_modify_system_logs(initrc_t)
+logging_read_all_logs(initrc_t)
+logging_append_all_logs(initrc_t)
 
-selinux_read_config(initrc_t)
-
-sysnetwork_read_network_config(initrc_t)
+miscfiles_read_localization(initrc_t)
 
 modutils_read_kernel_module_loading_config(initrc_t)
 
-authlogin_modify_login_records(initrc_t)
-authlogin_modify_last_login_log(initrc_t)
-
-miscfiles_read_localization(initrc_t)
+selinux_read_config(initrc_t)
 
-logging_modify_system_logs(initrc_t)
-logging_read_all_logs(initrc_t)
-logging_append_all_logs(initrc_t)
+sysnetwork_read_network_config(initrc_t)
 
 udev_modify_database(initrc_t)
 
@@ -314,6 +324,10 @@ hotplug_read_config(initrc_t)
 modutils_read_kernel_module_dependencies(initrc_t)
 ')
 
+optional_policy(`rhgb.te',`
+corecommands_make_shell_entrypoint(initrc_t)
+')
+
 optional_policy(`rpm.te',`
 # why is this needed:
 rpm_manage_package_database(initrc_t)
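Review bot: The new `corecommands_make_shell_entrypoint(initrc_t)` block (L694-696) carries no explanation, unlike the rpm block directly below it which at least flags `# why is this needed:`. Making the shell an entrypoint of `initrc_t` affects which executables can land a process in that domain, so the reason rhgb needs it should be recorded inline, e.g. `# rhgb: <reason, to be confirmed> requires entering initrc_t via the shell`, so the grant can be re-evaluated later rather than carried forward by inertia.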
@@ -327,6 +341,8 @@ kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
 
 ifdef(`TODO',`
 
+allow initrc_t pam_var_console_t:dir r_dir_perms;
+
 # Mount and unmount file systems.
 allow initrc_t { file_t default_t }:dir { read search getattr mounton };
 
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index 7ba45fe..b8e9aa0 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@@ -63,7 +63,7 @@ class chr_file { getattr read write ioctl };
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
 ##	</parameter>
-##	<infoflow type="read" weight="10"/>
+##	<infoflow type="none"/>
 ## </interface>
 #
 define(`iptables_execute',`
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index 80f0987..0b4c0a5 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -150,6 +150,23 @@ class file { getattr read };
 
 #######################################
 #
+# logging_write_system_logs(domain)
+#
+define(`logging_write_system_logs',`
+requires_block_template(`$0'_depend)
+files_search_system_state_data_directory($1)
+allow $1 var_log_t:dir { getattr search read };
+allow $1 var_log_t:file { getattr write };
+')
+
+define(`logging_write_system_logs_depend',`
+type var_log_t;
+class dir { getattr search read };
+class file { getattr write };
+')
+
+#######################################
+#
 # logging_modify_system_logs(domain)
 #
 define(`logging_modify_system_logs',`
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index af279df..bc1746a 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -107,8 +107,9 @@ files_search_system_state_data_directory(lvm_t)
 files_read_general_system_config(lvm_t)
 files_read_runtime_system_config(lvm_t)
 
-init_script_use_pseudoterminal(lvm_t)
 init_use_file_descriptors(lvm_t)
+init_ignore_get_control_channel_attributes(lvm_t)
+init_script_use_pseudoterminal(lvm_t)
 
 libraries_use_dynamic_loader(lvm_t)
 libraries_use_shared_libraries(lvm_t)
@@ -156,7 +157,6 @@ allow lvm_t device_t:lnk_file { relabelfrom relabelto };
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
 dontaudit lvm_t device_t:fifo_file getattr;
 
-dontaudit lvm_t initctl_t:fifo_file getattr;
 dontaudit lvm_t sbin_t:file getattr;
 dontaudit lvm_t var_run_t:dir getattr;
 
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 7080d0b..d5e20d1 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -51,13 +51,15 @@ allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
 allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
 
 kernel_load_module(insmod_t)
-
+kernel_read_system_state(insmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctl(insmod_t)
 kernel_modify_kernel_sysctl(insmod_t)
 kernel_read_hotplug_sysctl(insmod_t)
 
 bootloader_read_kernel_modules(insmod_t)
+# for locking: (cjp: ????)
+bootloader_write_kernel_modules(insmod_t)
 
 devices_write_mtrr(insmod_t)
 devices_get_pseudorandom_data(insmod_t)
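Review bot: The comment `# for locking: (cjp: ????)` at L790 does not match what `bootloader_write_kernel_modules` grants: that interface gives `modules_object_t:file write` and attaches the `can_modify_kernel_modules` attribute (L85-86), while `lock` on module files is already provided by `bootloader_read_kernel_modules` after this commit (L67). If the observed denial was really a lock, the write grant for `insmod_t` is broader than needed and should be dropped; if it was a write, the comment should say which file insmod writes. Either way the `????` should be resolved rather than committed.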
@@ -72,6 +74,7 @@ files_execute_system_config_script(insmod_t)
 # for nscd
 files_ignore_search_runtime_data_directory(insmod_t)
 
+init_use_control_channel(insmod_t)
 init_use_file_descriptors(insmod_t)
 init_script_use_file_descriptors(insmod_t)
 init_script_use_pseudoterminal(insmod_t)
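Review bot: `init_use_control_channel(insmod_t)` at L799 is added without a comment, and its body is not in the diff; if it grants write access to the init control fifo (`initctl_t`), it lets the module loader send commands to init, which is a notable capability for that domain. The rule removed from the TODO block in the next hunk (L807) was for `initrc_t:fifo_file`, not `initctl_t`, and that case now appears to be covered by the `fifo_file write` added to `init_make_system_domain` (L520), so please confirm the control-channel grant is answering a real denial and note it inline.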
@@ -96,8 +99,6 @@ mount_transition(insmod_t)
 
 ifdef(`TODO',`
 
-allow insmod_t initrc_t:fifo_file { getattr read write };
-
 allow insmod_t { var_t var_log_t }:dir search;
 
 allow insmod_t apm_bios_t:chr_file { read write };
@@ -115,7 +116,6 @@ allow insmod_t usbfs_t:filesystem mount;
 # for when /var is not mounted early in the boot
 dontaudit insmod_t file_t:dir search;
 
-
 ') dnl if TODO
 
 ########################################
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 42c28cd..0d1c6a2 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -49,7 +49,7 @@ domain_use_widely_inheritable_file_descriptors(mount_t)
 files_search_all_directories(mount_t)
 files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
 files_read_general_system_config(mount_t)
-files_create_runtime_system_config(mount_t)
+files_manage_runtime_system_config(mount_t)
 files_mount_on_all_mountpoints(mount_t)
 files_unmount_root_filesystem(mount_t)
 # These rules need to be generalized.  Only admin, initrc should have it:
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 9b0d8f1..b26e85f 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -89,7 +89,9 @@ files_read_general_system_config(udev_t)
 corecommands_execute_general_programs(udev_t)
 corecommands_execute_system_programs(udev_t)
 corecommands_execute_shell(udev_t)
+
 domain_execute_all_entrypoint_programs(udev_t)
+domain_ignore_read_all_domains_process_dirs(udev_t)
 
 # Security
 selinux_read_config(udev_t)
@@ -145,7 +147,6 @@ allow udev_t sysadm_tty_device_t:chr_file { read write };
 # Dontaudits
 dontaudit udev_t staff_home_dir_t:dir search;
 dontaudit udev_t file_t:dir search;
-dontaudit udev_t domain:dir r_dir_perms;
 dontaudit udev_t ttyfile:chr_file unlink;
 
 allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 55d3e48..7763d49 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -688,6 +688,7 @@ authlogin_manage_all_files_except_shadow($1_t)
 authlogin_relabel_all_files_except_shadow($1_t)
 
 domain_set_all_domains_priorities($1_t)
+domain_read_all_domains_process_state($1_t)
 
 files_execute_system_source_code_scripts($1_t)
 
@@ -718,9 +719,6 @@ allow $1_t shadow_t:file getattr;
 # for lsof
 allow $1_t mtrr_device_t:file getattr;
 
-# Examine all processes.
-can_ps($1_t, domain)
-
 # Send signals to all processes.
 allow $1_t { domain unlabeled_t }:process signal_perms;
 
@@ -790,6 +788,26 @@ allow $1_t eventpollfs_t:file getattr;
 ')
 
 ########################################
+## <interface name="userdomain_sysadm_shell_transition">
+##	<description>
+##		Execute a shell in the sysadm domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`userdomain_sysadm_shell_transition',`
+requires_block_template(`$0'_depend)
+corecommands_shell_transition($1,sysadm_t)
+')
+
+define(`userdomain_sysadm_shell_transition_depend',`
+type sysadm_t;
+')
+
+########################################
 ## <interface name="userdomain_use_admin_terminals">
 ##	<description>
 ##		Read and write administrative users

