[selinux-policy: 861/3172] pile o fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:19:31 UTC 2010
commit 33acca55ce3c5d6ab22cd0865df9b9a4daf8dd10
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Oct 26 16:00:13 2005 +0000
pile o fixes
refpolicy/policy/modules/admin/consoletype.te | 5 +++++
refpolicy/policy/modules/admin/dmidecode.te | 5 +++++
refpolicy/policy/modules/admin/firstboot.te | 2 +-
refpolicy/policy/modules/kernel/devices.if | 2 +-
refpolicy/policy/modules/kernel/terminal.te | 2 ++
refpolicy/policy/modules/services/bluetooth.te | 2 +-
refpolicy/policy/modules/services/comsat.te | 2 ++
refpolicy/policy/modules/services/cups.te | 8 +++++++-
refpolicy/policy/modules/services/cvs.te | 1 +
refpolicy/policy/modules/services/cyrus.te | 2 ++
refpolicy/policy/modules/services/dbskk.te | 1 +
refpolicy/policy/modules/services/dbus.te | 4 ++++
refpolicy/policy/modules/services/dhcp.te | 5 +++++
refpolicy/policy/modules/services/dictd.te | 10 +++++++++-
refpolicy/policy/modules/services/kerberos.te | 6 ++++--
refpolicy/policy/modules/services/lpd.te | 6 ++++++
refpolicy/policy/modules/system/getty.te | 17 +++++++++++++++++
refpolicy/policy/modules/system/logging.if | 21 +++++++++++++++++++++
refpolicy/policy/modules/system/logging.te | 11 +++++++++++
refpolicy/policy/modules/system/miscfiles.if | 1 +
refpolicy/policy/modules/system/pcmcia.te | 2 ++
refpolicy/policy/modules/system/selinuxutil.te | 5 +++++
refpolicy/policy/modules/system/sysnetwork.te | 11 ++++++++++-
refpolicy/policy/modules/system/unconfined.if | 16 ++++++++++++++++
refpolicy/policy/modules/system/unconfined.te | 8 ++++++++
25 files changed, 147 insertions(+), 8 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index c53035a..19295dd 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -26,6 +26,7 @@ allow consoletype_t self:capability sys_admin;
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow consoletype_t self:fd use;
allow consoletype_t self:fifo_file rw_file_perms;
+allow consoletype_t self:sock_file r_file_perms;
allow consoletype_t self:unix_dgram_socket create_socket_perms;
allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
allow consoletype_t self:unix_dgram_socket sendto;
@@ -88,6 +89,10 @@ optional_policy(`logrotate.te',`
logrotate_dontaudit_use_fd(consoletype_t)
')
+optional_policy(`lpd.te',`
+ lpd_read_config(consoletype_t)
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(consoletype_t)
')
diff --git a/refpolicy/policy/modules/admin/dmidecode.te b/refpolicy/policy/modules/admin/dmidecode.te
index 5f28f71..d0e23d2 100644
--- a/refpolicy/policy/modules/admin/dmidecode.te
+++ b/refpolicy/policy/modules/admin/dmidecode.te
@@ -29,3 +29,8 @@ files_list_usr(dmidecode_t)
libs_use_ld_so(dmidecode_t)
libs_use_shared_libs(dmidecode_t)
+
+ifdef(`targeted_policy',`
+ term_use_generic_pty(dmidecode_t)
+ term_use_unallocated_tty(dmidecode_t)
+')
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 7534083..f0f5807 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -79,7 +79,7 @@ files_manage_var_dirs(firstboot_t)
files_manage_var_files(firstboot_t)
files_manage_var_symlinks(firstboot_t)
-init_read_script(firstboot_t)
+init_domtrans_script(firstboot_t)
init_rw_script_pid(firstboot_t)
libs_use_ld_so(firstboot_t)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index c6f5225..aa11b47 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2170,7 +2170,7 @@ interface(`dev_unconfined',`
')
allow $1 device_node:devfile_class_set *;
- allow $1 mtrr_device_t:file *;
+ allow $1 mtrr_device_t:{ dir file } *;
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write, memory_raw_read;
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index 05c7d8d..699028d 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -27,6 +27,8 @@ dev_node(console_device_t)
#
type devpts_t;
files_mountpoint(devpts_t)
+fs_associate_tmpfs(devpts_t)
+files_associate_tmp(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 7601de6..af421ec 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -60,7 +60,7 @@ allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
-type_transition bluetooth_t bluetooth_conf_t:{ file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
+type_transition bluetooth_t bluetooth_conf_t:{ dir file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
allow bluetooth_t bluetooth_helper_t:fd use;
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index 58e53b8..57eb700 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -29,12 +29,14 @@ allow comsat_t self:fifo_file rw_file_perms;
allow comsat_t self:{ lnk_file file } { getattr read };
allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow comsat_t self:tcp_socket connected_stream_socket_perms;
+allow comsat_t self:udp_socket connected_socket_perms;
allow comsat_t comsat_tmp_t:dir create_dir_perms;
allow comsat_t comsat_tmp_t:file create_file_perms;
files_create_tmp_files(comsat_t, comsat_tmp_t, { file dir })
allow comsat_t comsat_var_run_t:file create_file_perms;
+allow comsat_t comsat_var_run_t:dir rw_dir_perms;
files_create_pid(comsat_t,comsat_var_run_t)
kernel_read_kernel_sysctl(comsat_t)
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 4513ef3..9baa6dd 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -105,7 +105,8 @@ logging_create_log(cupsd_t,cupsd_log_t,{ file dir })
allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
allow cupsd_t cupsd_tmp_t:file create_file_perms;
-files_create_tmp_files(cupsd_t, cupsd_tmp_t, { file dir })
+allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
+files_create_tmp_files(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
allow cupsd_t cupsd_var_run_t:file create_file_perms;
allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
@@ -504,10 +505,12 @@ allow hplip_t devpts_t:chr_file { getattr ioctl };
#
allow cupsd_config_t self:capability { chown sys_tty_config };
+dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+allow cupsd_config_t self:tcp_socket create_socket_perms;
allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
@@ -569,6 +572,8 @@ corecmd_exec_shell(cupsd_config_t)
domain_use_wide_inherit_fd(cupsd_config_t)
files_read_usr_files(cupsd_config_t)
+files_read_etc_files(cupsd_config_t)
+files_read_etc_runtime_files(cupsd_config_t)
init_use_fd(cupsd_config_t)
init_use_script_pty(cupsd_config_t)
@@ -687,6 +692,7 @@ ifdef(`targeted_policy', `
allow cupsd_lpd_t self:process signal_perms;
allow cupsd_lpd_t self:fifo_file rw_file_perms;
allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
+allow cupsd_lpd_t self:udp_socket create_socket_perms;
# for identd
# cjp: this should probably only be inetd_child rules?
diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te
index 3143e28..d2338c1 100644
--- a/refpolicy/policy/modules/services/cvs.te
+++ b/refpolicy/policy/modules/services/cvs.te
@@ -41,6 +41,7 @@ allow cvs_t cvs_tmp_t:file create_file_perms;
files_create_tmp_files(cvs_t, cvs_tmp_t, { file dir })
allow cvs_t cvs_var_run_t:file create_file_perms;
+allow cvs_t cvs_var_run_t:dir rw_dir_perms;
files_create_pid(cvs_t,cvs_var_run_t)
kernel_read_kernel_sysctl(cvs_t)
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index 38aead8..14c0787 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -30,6 +30,7 @@ allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit ex
allow cyrus_t self:process setrlimit;
allow cyrus_t self:fd use;
allow cyrus_t self:fifo_file rw_file_perms;
+allow cyrus_t self:sock_file r_file_perms;
allow cyrus_t self:shm create_shm_perms;
allow cyrus_t self:sem create_sem_perms;
allow cyrus_t self:msgq create_msgq_perms;
@@ -90,6 +91,7 @@ files_read_etc_files(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
init_use_fd(cyrus_t)
+init_use_script_pty(cyrus_t)
libs_use_ld_so(cyrus_t)
libs_use_shared_libs(cyrus_t)
diff --git a/refpolicy/policy/modules/services/dbskk.te b/refpolicy/policy/modules/services/dbskk.te
index 5c5403e..96c3388 100644
--- a/refpolicy/policy/modules/services/dbskk.te
+++ b/refpolicy/policy/modules/services/dbskk.te
@@ -25,6 +25,7 @@ files_pid_file(dbskkd_var_run_t)
allow dbskkd_t self:process signal_perms;
allow dbskkd_t self:fifo_file rw_file_perms;
allow dbskkd_t self:tcp_socket connected_stream_socket_perms;
+allow dbskkd_t self:udp_socket create_socket_perms;
# for identd
# cjp: this should probably only be inetd_child rules?
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 83ec8c5..af8f877 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -132,6 +132,10 @@ optional_policy(`nscd.te',`
nscd_use_socket(system_dbusd_t)
')
+optional_policy(`sysnetwork.te',`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
+')
+
optional_policy(`udev.te', `
udev_read_db(system_dbusd_t)
')
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index d738e10..8fab93b 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -48,6 +48,7 @@ allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
files_create_tmp_files(dhcpd_t, dhcpd_tmp_t, { file dir })
allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
+allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
files_create_pid(dhcpd_t,dhcpd_var_run_t)
kernel_read_system_state(dhcpd_t)
@@ -122,6 +123,10 @@ optional_policy(`mount.te',`
mount_send_nfs_client_request(dhcpd_t)
')
+optional_policy(`netutils.te',`
+ netutils_domtrans(dhcpd_t)
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(dhcpd_t)
')
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
index ba4f132..4cb2e39 100644
--- a/refpolicy/policy/modules/services/dictd.te
+++ b/refpolicy/policy/modules/services/dictd.te
@@ -8,7 +8,7 @@ policy_module(dictd,1.0)
type dictd_t;
type dictd_exec_t;
-init_daemon_domain(dictd_t,dictd_exec_t)
+init_system_domain(dictd_t,dictd_exec_t)
type dictd_etc_t;
files_config_file(dictd_etc_t)
@@ -25,6 +25,8 @@ allow dictd_t self:capability { setuid setgid };
dontaudit dictd_t self:capability sys_tty_config;
allow dictd_t self:process { signal_perms setpgid };
allow dictd_t self:unix_stream_socket create_stream_socket_perms;
+allow dictd_t self:tcp_socket create_stream_socket_perms;
+allow dictd_t self:udp_socket create_socket_perms;
allow dictd_t dictd_etc_t:file r_file_perms;
files_search_etc(dictd_t)
@@ -74,6 +76,8 @@ logging_send_syslog_msg(dictd_t)
miscfiles_read_localization(dictd_t)
+sysnet_read_config(dictd_t)
+
userdom_dontaudit_use_unpriv_user_fd(dictd_t)
ifdef(`targeted_policy',`
@@ -86,6 +90,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(dictd_t)
')
+optional_policy(`nscd.te',`
+ nscd_use_socket(dictd_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(dictd_t)
')
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index 1bc3da6..b8d10eb 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -159,8 +159,9 @@ optional_policy(`rhgb.te',`
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
+allow krb5kdc_t self:udp_socket create_socket_perms;
allow krb5kdc_t krb5_conf_t:file r_file_perms;
dontaudit krb5kdc_t krb5_conf_t:file write;
@@ -181,7 +182,8 @@ allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
files_create_tmp_files(krb5kdc_t, krb5kdc_tmp_t, { file dir })
-allow krb5kdc_t krb5kdc_var_run_t:file { getattr create read write append setattr unlink };
+allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
+allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
files_create_pid(krb5kdc_t,krb5kdc_var_run_t)
kernel_read_system_state(krb5kdc_t)
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index e9dbcb4..d9ff6ed 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -79,6 +79,7 @@ dev_append_printer(checkpc_t)
# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
corecmd_exec_shell(checkpc_t)
corecmd_exec_bin(checkpc_t)
+corecmd_search_sbin(checkpc_t)
domain_use_wide_inherit_fd(checkpc_t)
@@ -94,6 +95,11 @@ libs_use_shared_libs(checkpc_t)
sysnet_read_config(checkpc_t)
+ifdef(`targeted_policy',`
+ term_use_generic_pty(checkpc_t)
+ term_use_unallocated_tty(checkpc_t)
+')
+
optional_policy(`cron.te',`
cron_system_entry(checkpc_t,checkpc_exec_t)
')
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index ee7cda2..7c2b7ea 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -38,10 +38,12 @@ files_pid_file(getty_var_run_t)
# Use capabilities.
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
+dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid getsession signal_perms };
allow getty_t getty_etc_t:dir r_dir_perms;
allow getty_t getty_etc_t:file r_file_perms;
+allow getty_t getty_etc_t:lnk_file { getattr read };
files_create_etc_config(getty_t,getty_etc_t,{ file dir })
allow getty_t getty_lock_t:file create_file_perms;
@@ -58,8 +60,12 @@ allow getty_t getty_var_run_t:file create_file_perms;
allow getty_t getty_var_run_t:dir rw_dir_perms;
files_create_pid(getty_t,getty_var_run_t)
+kernel_list_proc(getty_t)
+kernel_read_proc_symlinks(getty_t)
+
dev_read_sysfs(getty_t)
+fs_search_auto_mountpoints(getty_t)
# for error condition handling
fs_getattr_xattr_fs(getty_t)
@@ -69,6 +75,7 @@ term_use_unallocated_tty(getty_t)
term_setattr_all_user_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
+term_dontaudit_use_console(getty_t)
auth_rw_login_records(getty_t)
@@ -81,6 +88,7 @@ files_read_etc_files(getty_t)
init_rw_script_pid(getty_t)
init_use_script_pty(getty_t)
+init_dontaudit_use_script_pty(getty_t)
libs_use_ld_so(getty_t)
libs_use_shared_libs(getty_t)
@@ -91,6 +99,11 @@ logging_send_syslog_msg(getty_t)
miscfiles_read_localization(getty_t)
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(getty_t)
+ term_dontaudit_use_generic_pty(getty_t)
+')
+
optional_policy(`nscd.te',`
nscd_use_socket(getty_t)
')
@@ -98,3 +111,7 @@ optional_policy(`nscd.te',`
optional_policy(`ppp.te',`
ppp_domtrans(getty_t)
')
+
+optional_policy(`udev.te',`
+ udev_read_db(system_dbusd_t)
+')
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index c57eb21..fa44e26 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -22,6 +22,27 @@ interface(`logging_log_file',`
########################################
## <summary>
+## Execute auditctl in the auditctl domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`logging_domtrans_auditctl',`
+ gen_require(`
+ type auditctl_t, auditctl_exec_t;
+ ')
+
+ domain_auto_trans($1,auditctl_exec_t,auditctl_t)
+
+ allow $1 auditctl_t:fd use;
+ allow auditctl_t $1:fd use;
+ allow auditctl_t $1:fifo_file rw_file_perms;
+ allow auditctl_t $1:process sigchld;
+')
+
+########################################
+## <summary>
## Execute syslogd in the syslog domain.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index f02503e..cfa6a2f 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -80,6 +80,11 @@ locallogin_dontaudit_use_fd(auditctl_t)
logging_send_syslog_msg(auditctl_t)
+ifdef(`targeted_policy',`
+ term_use_generic_pty(auditctl_t)
+ term_use_unallocated_tty(auditctl_t)
+')
+
ifdef(`TODO',`
role secadm_r types auditctl_t;
role sysadm_r types auditctl_t;
@@ -156,6 +161,12 @@ userdom_dontaudit_search_sysadm_home_dir(auditd_t)
# cjp: this is questionable
userdom_use_sysadm_tty(auditd_t)
+ifdef(`targeted_policy',`
+ term_dontaudit_use_generic_pty(auditd_t)
+ term_dontaudit_use_unallocated_tty(auditd_t)
+ unconfined_dontaudit_read_pipe(auditd_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(auditd_t)
')
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index bd6cfae..501189e 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -37,6 +37,7 @@ interface(`miscfiles_read_fonts',`
# cjp: fonts can be in either of the above dirs
allow $1 fonts_t:dir r_dir_perms;
allow $1 fonts_t:file r_file_perms;
+ allow $1 fonts_t:lnk_file { getattr read };
')
########################################
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 8951f70..913c88a 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -42,6 +42,7 @@ dev_create_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
# Create stab file
allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
+allow cardmgr_t cardmgr_var_lib_t:dir rw_dir_perms;
files_create_var_lib(cardmgr_t,cardmgr_var_lib_t)
allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
@@ -69,6 +70,7 @@ term_dontaudit_getattr_all_user_ptys(cardmgr_t)
corecmd_exec_bin(cardmgr_t)
corecmd_exec_sbin(cardmgr_t)
+corecmd_exec_ls(cardmgr_t)
domain_use_wide_inherit_fd(cardmgr_t)
domain_exec_all_entry_files(cardmgr_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 33cf4ee..b9e0700 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -141,6 +141,11 @@ libs_use_shared_libs(checkpolicy_t)
userdom_use_all_user_fd(checkpolicy_t)
+ifdef(`targeted_policy',`
+ term_use_generic_pty(checkpolicy_t)
+ term_use_unallocated_tty(checkpolicy_t)
+')
+
########################################
#
# Load_policy local policy
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 631a5fe..bce2061 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -63,6 +63,7 @@ type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
# create pid file
allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
+allow dhcpc_t dhcpc_var_run_t:dir rw_dir_perms;
files_create_pid(dhcpc_t,dhcpc_var_run_t)
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
@@ -196,6 +197,7 @@ optional_policy(`hotplug.te',`
# for the dhcp client to run ping to check IP addresses
optional_policy(`netutils.te',`
netutils_domtrans_ping(dhcpc_t)
+ netutils_domtrans(dhcpc_t)
',`
allow dhcpc_t self:capability setuid;
allow dhcpc_t self:rawip_socket create_socket_perms;
@@ -214,7 +216,7 @@ optional_policy(`nscd.te',`
nscd_read_pid(dhcpc_t)
')
-optional_policy(`ntpd.te',`
+optional_policy(`ntp.te',`
# dhclient sometimes starts ntpd
init_exec_script(dhcpc_t)
ntp_domtrans(dhcpc_t)
@@ -319,6 +321,8 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
+modutils_domtrans_insmod(ifconfig_t)
+
seutil_use_runinit_fd(ifconfig_t)
userdom_use_all_user_fd(ifconfig_t)
@@ -333,6 +337,11 @@ ifdef(`hide_broken_symptoms',`
')
')
+ifdef(`targeted_policy',`
+ term_use_generic_pty(ifconfig_t)
+ term_use_unallocated_tty(ifconfig_t)
+')
+
optional_policy(`ppp.te',`
ppp_use_fd(ifconfig_t)
')
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 82d9f6e..27fafeb 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -187,6 +187,22 @@ interface(`unconfined_sigchld',`
########################################
## <summary>
+## Do not audit attempts to read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`unconfined_dontaudit_read_pipe',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file read;
+')
+
+########################################
+## <summary>
## Read and write unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 667cd59..748bb7a 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -36,6 +36,14 @@ ifdef(`targeted_policy',`
userdom_unconfined(unconfined_t)
userdom_priveleged_home_dir_manager(unconfined_t)
+ optional_policy(`logging.te',`
+ logging_domtrans_auditctl(unconfined_t)
+ ')
+
+ optional_policy(`lpd.te',`
+ lpd_domtrans_checkpc(unconfined_t)
+ ')
+
optional_policy(`modutils.te',`
modutils_domtrans_depmod(unconfined_t)
modutils_domtrans_insmod(unconfined_t)
More information about the scm-commits
mailing list