[selinux-policy: 231/3172] add some file_t interfaces, and console write

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:24:56 UTC 2010


commit 3b857eae09a81b01575df135d6262c31bd02c234
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue May 31 21:25:45 2005 +0000

    add some file_t interfaces, and console write

 refpolicy/policy/modules/admin/consoletype.te |    3 +-
 refpolicy/policy/modules/admin/dmesg.te       |    5 +-
 refpolicy/policy/modules/kernel/devices.if    |    6 ++
 refpolicy/policy/modules/kernel/kernel.if     |   32 +++++++++-
 refpolicy/policy/modules/kernel/terminal.if   |   35 +++++++++--
 refpolicy/policy/modules/services/cron.if     |   14 ++++
 refpolicy/policy/modules/services/cron.te     |    4 +-
 refpolicy/policy/modules/system/clock.te      |    5 +-
 refpolicy/policy/modules/system/files.if      |   28 +++++++++
 refpolicy/policy/modules/system/hostname.te   |    7 +-
 refpolicy/policy/modules/system/hotplug.te    |    4 +-
 refpolicy/policy/modules/system/init.if       |   82 ++++++++++++++++---------
 refpolicy/policy/modules/system/init.te       |   48 ++++++---------
 refpolicy/policy/modules/system/locallogin.te |    5 +-
 refpolicy/policy/modules/system/logging.te    |   37 ++++++-----
 refpolicy/policy/modules/system/lvm.te        |    5 +-
 refpolicy/policy/modules/system/modutils.te   |    8 +--
 refpolicy/policy/modules/system/sysnetwork.te |   12 ++--
 refpolicy/policy/modules/system/udev.te       |    2 +-
 19 files changed, 227 insertions(+), 115 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 1000a52..97b9552 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -37,7 +37,7 @@ kernel_ignore_read_system_state(consoletype_t)
 
 filesystem_get_all_filesystems_attributes(consoletype_t)
 
-terminal_ignore_use_console(consoletype_t)
+terminal_use_console(consoletype_t)
 terminal_use_general_physical_terminal(consoletype_t)
 
 init_use_file_descriptors(consoletype_t)
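Review bot: Replacing `terminal_ignore_use_console(consoletype_t)` with `terminal_use_console(consoletype_t)` on the new line turns a dontaudit into an allow, and with the same commit's terminal.if change that interface now grants `rw_file_perms` (write and ioctl included) on console_device_t. If consoletype only needs to identify what kind of terminal its inherited descriptors refer to, a getattr/ioctl-only grant would be the least-privilege choice; worth confirming against the denials that motivated the change before handing a query utility write access to the console. A one-line comment on the call stating which operation was denied would make the intent auditable later.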
@@ -69,7 +69,6 @@ allow consoletype_t sysadm_t:fd use;
 allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
 allow consoletype_t sysadm_t:fifo_file rw_file_perms;
 
-allow consoletype_t initrc_t:fifo_file write;
 allow consoletype_t nfs_t:file write;
 
 allow consoletype_t crond_t:fifo_file { read getattr ioctl };
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 4878a04..58cf018 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -33,6 +33,8 @@ terminal_ignore_use_console(dmesg_t)
 domain_use_widely_inheritable_file_descriptors(dmesg_t)
 
 files_read_general_system_config_directory(dmesg_t)
+# for when /usr is not mounted:
+files_ignore_search_isid_type_dir(dmesg_t)
 
 init_use_file_descriptors(dmesg_t)
 init_script_use_pseudoterminal(dmesg_t)
@@ -73,7 +75,4 @@ allow dmesg_t rhgb_t:fifo_file { read write };
 ')
 
 allow dmesg_t autofs_t:dir { search getattr };
-
-# for when /usr is not mounted
-dontaudit dmesg_t file_t:dir search;
 ') dnl endif TODO
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 227e8b2..75f8cd4 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1,4 +1,8 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+## <module name="devices" layer="kernel">
+## <summary>
+##	Policy for all devices except mass storage and terminal devices.
+## </summary>
 
 ########################################
 #
@@ -1015,3 +1019,5 @@ type device_t, power_device_t;
 class dir r_dir_perms;
 class chr_file { getattr read write ioctl };
 ')
+
+## </module>
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 4cbb309..2ce1ec2 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -14,7 +14,7 @@ dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
 allow $1 kernel_t:fd use;
 allow kernel_t $1:fd use;
 allow kernel_t $1:fifo_file rw_file_perms;
-allow kernel_t $1:process sigchld;
+allow $1 kernel_t:process sigchld;
 ')
 
 define(`kernel_make_userland_entrypoint_depend',`
@@ -406,7 +406,7 @@ class system ipc_info;
 define(`kernel_get_selinuxfs_mount_point',`
 requires_block_template(`$0'_depend)
 allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
+allow $1 proc_t:{ file lnk_file } read;
 allow $1 self:dir search;
 allow $1 self:file { getattr read };
 ')
@@ -563,6 +563,20 @@ class file { getattr read };
 
 ########################################
 #
+# kernel_ignore_search_sysctl_dir(domain)
+#
+define(`kernel_ignore_search_sysctl_dir',`
+requires_block_template(`$0'_depend)
+dontaudit $1 sysctl_t:dir search;
+')
+
+define(`kernel_ignore_search_sysctl_dir_depend',`
+type sysctl_t;
+class dir search;
+')
+
+########################################
+#
 # kernel_read_device_sysctl(domain)
 #
 define(`kernel_read_device_sysctl',`
@@ -632,6 +646,20 @@ class file { getattr read write };
 
 ########################################
 #
+# kernel_ignore_search_network_sysctl_dir(domain)
+#
+define(`kernel_ignore_search_network_sysctl_dir',`
+requires_block_template(`$0'_depend)
+dontaudit $1 sysctl_net_t:dir search;
+')
+
+define(`kernel_ignore_search_network_sysctl_dir_depend',`
+type sysctl_net_t;
+class dir search;
+')
+
+########################################
+#
 # kernel_read_network_sysctl(domain)
 #
 define(`kernel_read_network_sysctl',`
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index c5cc8e2..595bede 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -97,15 +97,38 @@ class chr_file { getattr read write };
 define(`terminal_use_all_terminals',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
-allow $1 devpts_t:dir { getattr search read };
-allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file { getattr read write ioctl };
+allow $1 devpts_t:dir r_dir_perms;
+allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
 ')
 
 define(`terminal_use_all_terminals_depend',`
 attribute ttynode, ptynode;
 type console_device_t, devpts_t, tty_device_t;
-class dir { getattr search read };
-class chr_file { getattr read write };
+class dir r_dir_perms;
+class chr_file rw_file_perms;
+')
+
+########################################
+## <interface name="terminal_write_console">
+##	<description>
+##		Write to the console.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`terminal_write_console',`
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 console_device_t:chr_file write;
+')
+
+define(`terminal_use_console_depend',`
+	type console_device_t;
+	class chr_file write;
 ')
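Review bot: The depend block for the new `terminal_write_console` interface is misnamed: line `define(`terminal_use_console_depend',`` should read `define(`terminal_write_console_depend',``, since `requires_block_template(`$0'_depend)` inside `terminal_write_console` expands to `terminal_write_console_depend`, which this hunk never defines. As written, `terminal_use_console_depend` is defined twice (again in the next hunk of this file with `rw_file_perms`), and m4's last definition wins, so the write-only `class chr_file write;` block is dead code while the write interface has no requirements block at all. The XML summary says "Write to the console" but the body also calls `devices_list_device_nodes($1)`; a short comment such as `# directory search on /dev is needed to reach the node` would explain the extra grant.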
 
 ########################################
@@ -122,12 +145,12 @@ class chr_file { getattr read write };
 define(`terminal_use_console',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
-allow $1 console_device_t:chr_file { getattr read write ioctl };
+allow $1 console_device_t:chr_file rw_file_perms;
 ')
 
 define(`terminal_use_console_depend',`
 type console_device_t;
-class chr_file { read write };
+class chr_file rw_file_perms;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 8cf7256..d4d4981 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -234,3 +234,17 @@ kernel_compute_selinux_create_context($1_crontab_t)
 kernel_compute_selinux_relabel_context($1_crontab_t)
 kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
 ')
+
+########################################
+#
+# cron_modify_log(domain)
+#
+define(`cron_modify_log',`
+requires_block_template(`$0'_depend)
+allow $1 crond_log_t:file { getattr read write ioctl lock append };
+')
+
+define(`cron_modify_log_depend',`
+type crond_log_t;
+class file rw_file_perms;
+')
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 8b4c7e2..ede07b3 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,6 +1,6 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
-policy_module(consoletype, 1.0)
+policy_module(cron, 1.0)
 
 ########################################
 #
@@ -67,7 +67,7 @@ allow crond_t self:msg { send receive };
 
 allow crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 
-allow crond_t crond_var_run_t:file { getattr create read write append setattr unlink };
+allow crond_t crond_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(crond_t,crond_var_run_t)
 
 allow crond_t crond_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index e8badbe..5003e5b 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -48,6 +48,8 @@ init_script_use_pseudoterminal(hwclock_t)
 domain_use_widely_inheritable_file_descriptors(hwclock_t)
 
 files_read_general_system_config_directory(hwclock_t)
+# for when /usr is not mounted:
+files_ignore_search_isid_type_dir(hwclock_t)
 
 libraries_use_dynamic_loader(hwclock_t)
 libraries_use_shared_libraries(hwclock_t)
@@ -93,7 +95,4 @@ optional_policy(`apmd.te', `
 domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
 ')
 
-# for when /usr is not mounted
-dontaudit hwclock_t file_t:dir search;
-
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index bdebc30..f584555 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -622,6 +622,34 @@ class dir { getattr search read write add_name remove_name };
 ')
 
 ########################################
+#
+# files_ignore_get_isid_type_dir_attrib(domain)
+#
+define(`files_ignore_get_isid_type_dir_attrib',`
+requires_block_template(`$0'_depend)
+dontaudit $1 file_t:dir search;
+')
+
+define(`files_ignore_get_isid_type_dir_attrib_depend',`
+type file_t;
+class dir search;
+')
+
+########################################
+#
+# files_ignore_search_isid_type_dir(domain)
+#
+define(`files_ignore_search_isid_type_dir',`
+requires_block_template(`$0'_depend)
+dontaudit $1 file_t:dir search;
+')
+
+define(`files_ignore_search_isid_type_dir_depend',`
+type file_t;
+class dir search;
+')
+
+########################################
 ## <interface name="files_list_home_directories">
 ##	<description>
 ##		Get listing home home directories.
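Review bot: `files_ignore_get_isid_type_dir_attrib` has the same body as `files_ignore_search_isid_type_dir` — both emit `dontaudit $1 file_t:dir search;` — so the "get attrib" interface never silences getattr. It should be `dontaudit $1 file_t:dir getattr;` with `class dir getattr;` in its depend block. This matters for the hotplug.te hunk in this commit, which drops `dontaudit hotplug_t file_t:dir { search getattr };` but only calls `files_ignore_search_isid_type_dir(hotplug_t)`, so the getattr half of that dontaudit is lost; hotplug should also call the corrected attrib interface.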
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index e3236d7..588acde 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -43,6 +43,9 @@ init_script_use_pseudoterminal(hostname_t)
 
 domain_use_widely_inheritable_file_descriptors(hostname_t)
 
+# for when /usr is not mounted:
+files_ignore_search_isid_type_dir(hostname_t)
+
 libraries_use_dynamic_loader(hostname_t)
 libraries_use_shared_libraries(hostname_t)
 
@@ -100,8 +103,4 @@ allow hostname_t rhgb_t:fifo_file { read write };
 
 allow hostname_t autofs_t:dir { search getattr };
 ##end daemon_base_domain
-
-# for when /usr is not mounted
-dontaudit hostname_t file_t:dir search;
-
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 06a27f6..b56a667 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -78,6 +78,8 @@ domain_use_widely_inheritable_file_descriptors(hotplug_t)
 files_read_general_system_config(hotplug_t)
 files_manage_runtime_system_config(hotplug_t)
 files_execute_system_config_script(hotplug_t)
+# for when filesystems are not mounted early in the boot:
+files_ignore_search_isid_type_dir(hotplug_t)
 
 init_use_file_descriptors(hotplug_t)
 init_script_use_pseudoterminal(hotplug_t)
@@ -173,8 +175,6 @@ dbusd_client(system, hotplug)
 
 allow hotplug_t kernel_t:process sigchld;
 
-# for when filesystems are not mounted early in the boot
-dontaudit hotplug_t file_t:dir { search getattr };
 
 # for ps
 dontaudit hotplug_t domain:dir { getattr search };
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index db255bb..a0e3d42 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -5,27 +5,38 @@
 # init_make_init_domain(domain,entrypointfile)
 #
 define(`init_make_init_domain',`
-requires_block_template(`$0'_depend)
-domain_make_domain($1)
-domain_make_entrypoint_file($1,$2)
-role system_r types $1;
-allow init_t $1:process transition;
-allow init_t $2:file { getattr read execute };
-dontaudit init_t $1:process { noatsecure siginh rlimitinh };
-type_transition init_t $2:process $1;
-allow $1 init_t:fd use;
-allow init_t $1:fd use;
-allow $1 init_t:fifo_file rw_file_perms;
-allow $1 init_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	domain_make_domain($1)
+	domain_make_entrypoint_file($1,$2)
+
+	role system_r types $1;
+
+	allow init_t $1:process transition;
+	allow init_t $2:file { getattr read execute };
+	dontaudit init_t $1:process { noatsecure siginh rlimitinh };
+	type_transition init_t $2:process $1;
+
+	allow $1 init_t:fd use;
+	allow init_t $1:fd use;
+	allow $1 init_t:fifo_file rw_file_perms;
+	allow $1 init_t:process sigchld;
+
+	# Red Hat systems seem to have a stray
+	# fd open from the initrd
+	optional_policy(`distro_redhat',`
+		kernel_ignore_use_file_descriptors($1)
+		files_ignore_read_rootfs_file($1)
+	')
 ')
 
 define(`init_make_init_domain_depend',`
-type init_t;
-class file { getattr read execute };
-class fd use;
-class fifo_file rw_file_perms;
-class process { transition noatsecure siginh rlimitinh sigchld };
-role system_r;
+	type init_t;
+	class file { getattr read execute };
+	class fd use;
+	class fifo_file rw_file_perms;
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	role system_r;
 ')
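Review bot: The new `optional_policy(`distro_redhat',`…')` block in `init_make_init_domain` (and the identical block in `init_make_daemon_domain` in the next hunk) uses a guard that does not look like an optional module: everywhere else in this commit `optional_policy` takes a module file such as `authlogin.te` or `cron.te`, and `targeted_policy` goes through `tunable_policy`. If `distro_redhat` is a build-time m4 define, as the distro_* names are in refpolicy, the block should be `ifdef(`distro_redhat',`…')`; otherwise it is either silently skipped or keyed on a module that never exists. Either way the comment above it should say which distro define it is keyed on, e.g. `# distro_redhat: initrd leaves a stray fd open; silence the resulting denials`.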
 
 ########################################
@@ -33,18 +44,29 @@ role system_r;
 # init_make_daemon_domain(domain,entrypointfile)
 #
 define(`init_make_daemon_domain',`
-requires_block_template(`$0'_depend)
-domain_make_domain($1)
-domain_make_entrypoint_file($1,$2)
-role system_r types $1;
-allow initrc_t $1:process transition;
-allow initrc_t $2:file { getattr read execute };
-dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-type_transition initrc_t $2:process $1;
-allow initrc_t $1:fd use;
-allow $1 initrc_t:fd use;
-allow $1 initrc_t:fifo_file rw_file_perms;
-allow $1 initrc_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	domain_make_domain($1)
+	domain_make_entrypoint_file($1,$2)
+
+	role system_r types $1;
+
+	allow initrc_t $1:process transition;
+	allow initrc_t $2:file { getattr read execute };
+	dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
+	type_transition initrc_t $2:process $1;
+
+	allow initrc_t $1:fd use;
+	allow $1 initrc_t:fd use;
+	allow $1 initrc_t:fifo_file rw_file_perms;
+	allow $1 initrc_t:process sigchld;
+
+	# Red Hat systems seem to have a stray
+	# fd open from the initrd
+	optional_policy(`distro_redhat',`
+		kernel_ignore_use_file_descriptors($1)
+		files_ignore_read_rootfs_file($1)
+	')
 ')
 
 define(`init_make_daemon_domain_depend',`
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index e382d75..7670b6c 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -61,6 +61,15 @@ files_make_temporary_file(initrc_tmp_t)
 # Init local policy
 #
 
+# Use capabilities. old rule:
+allow init_t self:capability ~sys_module;
+# is ~sys_module really needed? observed: 
+# sys_boot
+# sys_tty_config
+# kill: now provided by domain_kill_all_domains()
+# setuid (from /sbin/shutdown)
+# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
+
 allow init_t self:fifo_file { read write ioctl };
 
 # Re-exec itself
@@ -74,6 +83,9 @@ allow init_t initctl_t:fifo_file { create getattr read append write setattr unli
 filesystem_tmpfs_associate(initctl_t)
 devices_create_dev_entry(init_t,initctl_t,fifo_file)
 
+# Modify utmp.
+allow init_t initrc_var_run_t:file { getattr read write setattr lock };
+
 # Run init scripts.  this is ok since initrc
 # is also in this module
 allow init_t initrc_t:process transition;
@@ -109,6 +121,8 @@ domain_sigchld_all_domains(init_t)
 
 files_read_general_system_config(init_t)
 files_modify_system_runtime_data(init_t)
+files_ignore_search_isid_type_dir(init_t)
+files_manage_runtime_system_config(init_t)
 # Run /etc/X11/prefdm:
 files_execute_system_config_script(init_t)
 # file descriptors inherited from the rootfs:
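Review bot: `files_ignore_search_isid_type_dir(init_t)` is a dontaudit, but the rule it stands in for — the removed `allow init_t file_t:dir search;` under the "for mount points" comment later in this file — was an allow. That old rule sat inside `ifdef(`TODO',…)` so it was not active, but the comment suggests init actually needs to traverse unlabeled mount-point directories; a dontaudit only hides that denial, it does not make the traversal succeed. If init does need it, this should be an allow-style files interface instead; if it does not, a comment such as `# silence traversal of unlabeled mount points during early boot` would record why silencing is sufficient.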
@@ -117,8 +131,10 @@ files_ignore_modify_rootfs_device(init_t)
 
 libraries_use_dynamic_loader(init_t)
 libraries_use_shared_libraries(init_t)
+libraries_modify_dynamic_loader_cache(init_t)
 
 logging_send_system_log_message(init_t)
+logging_modify_system_logs(init_t)
 
 selinux_read_config(init_t)
 
@@ -129,6 +145,10 @@ filesystem_use_tmpfs_character_devices(init_t)
 filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
 ')
 
+optional_policy(`authlogin.te',`
+authlogin_modify_login_records(init_t)
+')
+
 # Run the shell in the sysadm_t domain for single-user mode.
 optional_policy(`userdomain.te',`
 userdomain_sysadm_shell_transition(init_t)
@@ -136,34 +156,6 @@ userdomain_sysadm_shell_transition(init_t)
 
 ########################################
 #
-# the following seem questionable
-#
-
-libraries_modify_dynamic_loader_cache(init_t)
-files_manage_runtime_system_config(init_t)
-authlogin_modify_login_records(init_t)
-logging_modify_system_logs(init_t)
-
-# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
-# is ~sys_module really needed? observed: 
-# sys_boot
-# sys_tty_config
-# kill: now provided by domain_kill_all_domains()
-# setuid (from /sbin/shutdown)
-# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
-
-# Modify utmp.
-allow init_t initrc_var_run_t:file { getattr read write setattr lock };
-
-ifdef(`TODO',`
-
-# for mount points
-allow init_t file_t:dir search;
-') dnl end TODO
-
-########################################
-#
 # Init script local policy
 #
 
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 2426a07..23ddcdc 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -207,6 +207,8 @@ kernel_read_system_state(sulogin_t)
 init_script_get_process_group(sulogin_t)
 
 files_read_general_system_config(sulogin_t)
+# because file systems are not mounted:
+files_ignore_search_isid_type_dir(sulogin_t)
 
 libraries_use_dynamic_loader(sulogin_t)
 libraries_use_shared_libraries(sulogin_t)
@@ -250,7 +252,4 @@ allow sulogin_t autofs_t:dir { search getattr };
 ')
 
 allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-
-# because file systems are not mounted
-dontaudit sulogin_t file_t:dir search;
 ') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index a8335de..22ac4cb 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -35,10 +35,10 @@ files_make_file(var_log_t)
 # klogd local policy
 #
 
-allow klogd_t klogd_tmp_t:file { getattr create read write append setattr unlink };
+allow klogd_t klogd_tmp_t:file create_file_perms;
 files_create_private_tmp_data(klogd_t,klogd_tmp_t)
 
-allow klogd_t klogd_var_run_t:file { getattr create read write append setattr unlink };
+allow klogd_t klogd_var_run_t:file create_file_perms;
 
 allow klogd_t self:capability sys_admin;
 dontaudit klogd_t self:capability sys_resource;
@@ -60,6 +60,8 @@ files_read_runtime_system_config(klogd_t)
 # read /etc/nsswitch.conf
 files_read_general_system_config(klogd_t)
 
+init_use_file_descriptors(klogd_t)
+
 libraries_use_dynamic_loader(klogd_t)
 libraries_use_shared_libraries(klogd_t)
 
@@ -77,12 +79,15 @@ allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys
 dontaudit syslogd_t self:capability sys_tty_config;
 
 # create/append log files.
-allow syslogd_t var_log_t:dir { read getattr search add_name write };
-allow syslogd_t var_log_t:file { create ioctl getattr setattr append link };
+allow syslogd_t var_log_t:dir rw_dir_perms;
+allow syslogd_t var_log_t:file create_file_perms;
 
 # manage temporary files
-allow syslogd_t syslogd_tmp_t:file { getattr create read write append setattr unlink };
-allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
+allow syslogd_t syslogd_tmp_t:file create_file_perms;
+files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
+
+allow syslogd_t syslogd_var_run_t:file create_file_perms;
+files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
 
 # receive messages to be logged
 allow syslogd_t devlog_t:unix_stream_socket name_bind;
@@ -94,6 +99,7 @@ allow syslogd_t self:fifo_file { getattr read write ioctl lock };
 
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
 
 # manage pid file
 allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
@@ -129,9 +135,6 @@ init_script_use_pseudoterminal(syslogd_t)
 domain_use_widely_inheritable_file_descriptors(syslogd_t)
 
 files_read_general_system_config(syslogd_t)
-files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
-files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
-files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
 
 libraries_use_dynamic_loader(syslogd_t)
 libraries_use_shared_libraries(syslogd_t)
@@ -145,7 +148,7 @@ userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t)
 #
 # /initrd is not umounted before minilog starts
 #
-#dontaudit syslogd_t file_t:dir search;
+files_ignore_search_isid_type_dir(syslogd_t)
 #allow syslogd_t tmpfs_t:dir search;
 #dontaudit syslogd_t unlabeled_t:file read;
 #dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
@@ -159,6 +162,12 @@ kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
 ')
 
+tunable_policy(`targeted_policy', `
+terminal_ignore_use_general_physical_terminal(syslogd_t)
+terminal_ignore_use_general_pseudoterminal(syslogd_t)
+files_ignore_read_rootfs_file(syslogd_t)
+')
+
 optional_policy(`selinux.te',`
 selinux_newrole_sigchld(syslogd_t)
 ')
@@ -167,10 +176,8 @@ optional_policy(`udev.te', `
 udev_read_database(syslogd_t)
 ')
 
-tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(syslogd_t)
-terminal_ignore_use_general_pseudoterminal(syslogd_t)
-files_ignore_read_rootfs_file(syslogd_t)
+optional_policy(`cron.te',`
+cron_modify_log(syslogd_t)
 ')
 
 ifdef(`TODO',`
@@ -198,8 +205,6 @@ can_ypbind(syslogd_t)
 allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
 
 ifdef(`crond.te', `
-# Write to the cron log.
-allow syslogd_t crond_log_t:file rw_file_perms;
 # for daemon re-start
 allow system_crond_t syslogd_t:lnk_file read;
 ')
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 6ca7a36..7438aa9 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -117,6 +117,8 @@ domain_use_widely_inheritable_file_descriptors(lvm_t)
 files_search_system_state_data_directory(lvm_t)
 files_read_general_system_config(lvm_t)
 files_read_runtime_system_config(lvm_t)
+# for when /usr is not mounted:
+files_ignore_search_isid_type_dir(lvm_t)
 
 init_use_file_descriptors(lvm_t)
 init_ignore_get_control_channel_attributes(lvm_t)
@@ -159,9 +161,6 @@ allow lvm_t device_t:lnk_file { relabelfrom relabelto };
 
 dontaudit lvm_t var_run_t:dir getattr;
 
-# for when /usr is not mounted
-dontaudit lvm_t file_t:dir search;
-
 optional_policy(`gnome-pty-helper.te', `
 allow lvm_t sysadm_gph_t:fd use;
 ')
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index dab29e7..092c2f7 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -80,8 +80,10 @@ files_read_runtime_system_config(insmod_t)
 files_read_general_system_config(insmod_t)
 files_read_general_application_resources(insmod_t)
 files_execute_system_config_script(insmod_t)
-# for nscd
+# for nscd:
 files_ignore_search_runtime_data_directory(insmod_t)
+# for when /var is not mounted early in the boot:
+files_ignore_search_isid_type_dir(insmod_t)
 
 init_use_control_channel(insmod_t)
 init_use_file_descriptors(insmod_t)
@@ -113,10 +115,6 @@ allow insmod_t xserver_log_t:file getattr;
 # why is this needed?  insmod cannot mounton any dir
 # and it also transitions to mount
 allow insmod_t usbfs_t:filesystem mount;
-
-# for when /var is not mounted early in the boot
-dontaudit insmod_t file_t:dir search;
-
 ') dnl if TODO
 
 ########################################
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index b1db4f2..afd7f46 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -45,7 +45,12 @@ files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
 # transition to ifconfig
 allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
 allow dhcpc_t ifconfig_t:process transition;
+type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
 dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
+allow dhcpc_t ifconfig_t:fd use;
+allow ifconfig_t dhcpc_t:fd use;
+allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
+allow ifconfig_t dhcpc_t:process sigchld;
 
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
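Review bot: The added `type_transition`, fd, fifo_file and sigchld rules hand-write the dhcpc_t → ifconfig_t domain transition that this commit's own `init_make_init_domain` and clock.te's `domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)` express as a single macro call. If `domain_auto_trans` covers the same rule set here, `domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)` would replace the six lines and keep this file consistent with the rest of the policy; if it is deliberately spelled out, a comment saying why would help the next reader.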
@@ -253,6 +258,8 @@ files_read_general_system_config(ifconfig_t);
 kernel_use_file_descriptors(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
+kernel_ignore_search_sysctl_dir(ifconfig_t)
+kernel_ignore_search_network_sysctl_dir(ifconfig_t)
 
 filesystem_get_persistent_filesystem_attributes(ifconfig_t)
 
@@ -290,11 +297,6 @@ ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
 
 allow ifconfig_t tun_tap_device_t:chr_file { read write };
 
-# ifconfig attempts to search some sysctl entries.
-# Do not audit those attempts; comment out these rules if it is desired to
-# see the denials.
-dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
-
 optional_policy(`rhgb.te', `
 allow ifconfig_t rhgb_t:process sigchld;
 allow ifconfig_t rhgb_t:fd use;
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 3e332f1..6be0d62 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -92,6 +92,7 @@ domain_ignore_read_all_domains_process_dirs(udev_t)
 files_read_runtime_system_config(udev_t)
 files_read_general_system_config(udev_t)
 files_execute_system_config_script(udev_t)
+files_ignore_search_isid_type_dir(udev_t)
 
 init_use_file_descriptors(udev_t)
 init_script_read_runtime_data(udev_t)
@@ -150,7 +151,6 @@ allow udev_t sysadm_tty_device_t:chr_file { read write };
 
 # Dontaudits
 dontaudit udev_t staff_home_dir_t:dir search;
-dontaudit udev_t file_t:dir search;
 dontaudit udev_t ttyfile:chr_file unlink;
 
 allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };

