[selinux-policy: 617/3172] fix bugs uncovered from sediff
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:57:59 UTC 2010
commit 9d3bdc25af6aa6d22c9bf5bdba0e235f93ba7078
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Sep 1 20:13:42 2005 +0000
fix bugs uncovered from sediff
refpolicy/policy/modules/admin/acct.te | 2 +-
refpolicy/policy/modules/admin/consoletype.te | 3 +--
refpolicy/policy/modules/admin/logrotate.te | 2 +-
refpolicy/policy/modules/admin/rpm.te | 6 +++---
refpolicy/policy/modules/admin/sudo.if | 2 +-
refpolicy/policy/modules/admin/usermanage.te | 11 ++++++-----
refpolicy/policy/modules/kernel/bootloader.te | 2 +-
refpolicy/policy/modules/services/cron.te | 2 +-
refpolicy/policy/modules/services/remotelogin.te | 2 +-
refpolicy/policy/modules/services/ssh.if | 2 +-
refpolicy/policy/modules/system/authlogin.te | 2 +-
refpolicy/policy/modules/system/domain.if | 2 +-
refpolicy/policy/modules/system/fstools.te | 2 +-
refpolicy/policy/modules/system/init.te | 1 +
refpolicy/policy/modules/system/locallogin.te | 6 +++---
refpolicy/policy/modules/system/logging.te | 2 +-
refpolicy/policy/modules/system/selinuxutil.te | 2 +-
refpolicy/policy/modules/system/sysnetwork.te | 2 +-
refpolicy/policy/modules/system/udev.te | 2 +-
refpolicy/policy/modules/system/userdomain.if | 2 +-
20 files changed, 29 insertions(+), 28 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index 88b7c59..5696994 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -53,7 +53,7 @@ domain_use_wide_inherit_fd(acct_t)
files_read_etc_files(acct_t)
files_read_etc_runtime_files(acct_t)
# for nscd
-files_dontaudit_getattr_pid_dir(acct_t)
+files_dontaudit_search_pids(acct_t)
init_use_fd(acct_t)
init_use_script_pty(acct_t)
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 1c751aa..eefeb83 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -18,8 +18,7 @@ role system_r types consoletype_t;
#
allow consoletype_t self:capability sys_admin;
-
-allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow consoletype_t self:fd use;
allow consoletype_t self:fifo_file rw_file_perms;
allow consoletype_t self:unix_dgram_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index c11e1a4..911bca8 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -30,7 +30,7 @@ allow logrotate_t self:capability { chown dac_override dac_read_search kill fset
# for mailx
dontaudit logrotate_t self:capability { setuid setgid };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
# Set a context other than the default one for newly created files.
allow logrotate_t self:process setfscreate;
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index eef0d05..a8864e3 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -55,8 +55,8 @@ domain_entry_file(rpmbuild_t,rpmbuild_exec_t)
# rpm Local policy
#
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod };
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
+allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_file_perms;
@@ -204,7 +204,7 @@ allow rpm_t sysadm_gph_t:fd use;
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index 17fd5f2..5a83ccd 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -51,7 +51,7 @@ template(`sudo_per_userdomain_template',`
# Use capabilities.
allow $1_sudo_t self:capability { setuid setgid dac_override sys_resource };
- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+ allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
allow $1_sudo_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index d2b0a15..72a6365 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -18,6 +18,7 @@ type chfn_exec_t;
domain_entry_file(chfn_t,chfn_exec_t)
type crack_t;
+domain_type(crack_t)
role system_r types crack_t;
type crack_exec_t;
@@ -63,7 +64,7 @@ role system_r types useradd_t;
#
allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use;
allow chfn_t self:fifo_file rw_file_perms;
@@ -195,7 +196,7 @@ dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
allow groupadd_t self:capability { dac_override chown kill setuid sys_resource };
dontaudit groupadd_t self:capability fsetid;
-allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
allow groupadd_t self:fd use;
allow groupadd_t self:fifo_file rw_file_perms;
@@ -279,7 +280,7 @@ dontaudit groupadd_t sysadm_home_dir_t:dir search;
#
allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
allow passwd_t self:fifo_file rw_file_perms;
@@ -368,7 +369,7 @@ dontaudit passwd_t var_run_t:dir search;
#
allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
allow sysadm_passwd_t self:fifo_file rw_file_perms;
@@ -466,7 +467,7 @@ dontaudit sysadm_passwd_t selinux_config_t:dir search;
#
allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
allow useradd_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index be803e6..08aa301 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -99,7 +99,7 @@ storage_raw_read_removable_device(bootloader_t)
storage_raw_write_removable_device(bootloader_t)
dev_getattr_all_chr_files(bootloader_t)
-dev_setattr_all_blk_files(bootloader_t)
+dev_getattr_all_blk_files(bootloader_t)
dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
dev_read_rand(bootloader_t)
dev_read_urand(bootloader_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 1213e09..cba03ea 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -51,7 +51,7 @@ files_tmp_file(system_crond_tmp_t)
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process setexec;
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 27f01c9..8f6084c 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -24,7 +24,7 @@ files_tmp_file(remote_login_tmp_t)
#
allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
allow remote_login_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 9b7ada4..4489fdc 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -49,7 +49,7 @@ template(`ssh_per_userdomain_template',`
# $1_ssh_t local policy
#
allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
- allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+ allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_ssh_t self:fd use;
allow $1_ssh_t self:fifo_file { read getattr lock ioctl write append };
allow $1_ssh_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 0e68a81..f804998 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -70,7 +70,7 @@ logging_log_file(wtmp_t)
# PAM local policy
#
-allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
dontaudit pam_t self:capability sys_tty_config;
allow pam_t self:fd use;
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 3cbb4f4..7aab5d0 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -412,7 +412,7 @@ interface(`domain_dontaudit_getsession_all_domains',`
class process getsession;
')
- allow $1 domain:process getsession;
+ dontaudit $1 domain:process getsession;
')
########################################
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 4331448..f4b0190 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -24,7 +24,7 @@ files_type(swapfile_t)
# ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
-allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_file_perms;
allow fsadm_t self:unix_dgram_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 3fa5e6b..8eba00e 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -258,6 +258,7 @@ domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getsession_all_domains(initrc_t)
domain_use_wide_inherit_fd(initrc_t)
+domain_exec_all_entry_files(initrc_t)
# for lsof which is used by alsa shutdown:
domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 26aa386..447829e 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -33,8 +33,8 @@ role system_r types sulogin_t;
# Local login local policy
#
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow local_login_t self:process { setrlimit setexec };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_file_perms;
@@ -216,7 +216,7 @@ optional_policy(`locallogin.te',`
# Sulogin local policy
#
-allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_file_perms;
allow sulogin_t self:unix_dgram_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index dc5dee0..ee7a5ad 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -51,7 +51,7 @@ files_type(var_log_t)
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
dontaudit auditd_t self:capability sys_tty_config;
-allow auditd_t self:process setsched;
+allow auditd_t self:process { signal_perms setsched };
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow auditd_t var_log_t:dir search;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index c2367e1..5e0db52 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -174,7 +174,7 @@ userdom_use_all_user_fd(load_policy_t)
allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
-allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
allow newrole_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 4086c6a..669ebee 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -217,7 +217,7 @@ dontaudit dhcpc_t domain:dir getattr;
# Ifconfig local policy
#
-allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:capability net_admin;
dontaudit ifconfig_t self:capability sys_module;
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index d4c2038..1277194 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -35,7 +35,7 @@ files_pid_file(udev_var_run_t)
#
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
-allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index bd1a467..3c42fed 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -60,7 +60,7 @@ template(`base_user_template',`
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
- allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:process { ptrace setfscreate };
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_file_perms;
More information about the scm-commits
mailing list