[selinux-policy: 864/3172] more fixing

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:19:46 UTC 2010


commit 4614e83fbb848ef2d4daebc77281d506b3d61a45
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Oct 26 21:03:19 2005 +0000

    more fixing

 refpolicy/policy/global_tunables              |    4 ++
 refpolicy/policy/modules/admin/amanda.te      |    2 +-
 refpolicy/policy/modules/admin/usermanage.te  |    3 +
 refpolicy/policy/modules/kernel/kernel.te     |    1 +
 refpolicy/policy/modules/services/apache.if   |    7 +++
 refpolicy/policy/modules/services/apache.te   |   54 +++++++++++++++++--------
 refpolicy/policy/modules/services/cups.te     |    8 +++-
 refpolicy/policy/modules/services/hal.if      |   21 ++++++++++
 refpolicy/policy/modules/services/hal.te      |    1 +
 refpolicy/policy/modules/services/inetd.if    |   13 +++++-
 refpolicy/policy/modules/services/postfix.te  |    5 ++-
 refpolicy/policy/modules/services/ppp.te      |    8 +++-
 refpolicy/policy/modules/services/privoxy.te  |    1 +
 refpolicy/policy/modules/services/stunnel.te  |   12 +++++
 refpolicy/policy/modules/system/logging.te    |    5 ++-
 refpolicy/policy/modules/system/modutils.te   |    4 ++
 refpolicy/policy/modules/system/sysnetwork.te |    2 +
 refpolicy/policy/modules/system/userdomain.if |   16 +++++++
 18 files changed, 140 insertions(+), 27 deletions(-)
---
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 199d41a..f2ad128 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -135,6 +135,10 @@ gen_tunable(ssh_sysadm_login,false)
 ## dir and read files (such as ~/.bashrc)
 gen_tunable(staff_read_sysadm_file,false)
 
+## Configure stunnel to be a standalone daemon or
+## inetd service.
+gen_tunable(stunnel_is_daemon,false)
+
 ## Support NFS home directories
 gen_tunable(use_nfs_home_dirs,false)
 
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 6f801ac..6779f20 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -45,7 +45,7 @@ type amanda_script_exec_t;
 files_type(amanda_script_exec_t)
 
 # temp:
-typeattribute amanda_user_exec_t entry_type;
+typeattribute amanda_script_exec_t entry_type;
 
 # type for the shell configuration files 
 type amanda_shellconfig_t;
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 46edd9c..6b226d2 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -304,6 +304,9 @@ selinux_compute_create_context(passwd_t)
 selinux_compute_relabel_context(passwd_t)
 selinux_compute_user_contexts(passwd_t)
 
+term_use_all_user_ttys(passwd_t)
+term_use_all_user_ptys(passwd_t)
+
 auth_manage_shadow(passwd_t)
 
 # /usr/bin/passwd asks for w access to utmp, but it will operate
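Review bot: The two added calls, `term_use_all_user_ttys(passwd_t)` and `term_use_all_user_ptys(passwd_t)`, give passwd_t access to every user tty and pty with no comment saying why the grant is that wide. passwd_t is also the domain that manages shadow (the `auth_manage_shadow` line right below), so the reason deserves a line. The grant is presumably there so passwd can prompt on the invoking user's terminal, in which case a comment such as `# passwd prompts on the caller's terminal; narrow to the calling role's tty/pty if an interface for that exists` would record it.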
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index b444765..5fa2c8e 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -166,6 +166,7 @@ allow kernel_t self:unix_stream_socket create_stream_socket_perms;
 allow kernel_t self:unix_dgram_socket sendto;
 allow kernel_t self:unix_stream_socket connectto;
 allow kernel_t self:fifo_file rw_file_perms;
+allow kernel_t self:sock_file r_file_perms;
 allow kernel_t self:fd use;
 
 # old general_proc_read_access():
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index b66ba87..c66ebbb 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -178,6 +178,13 @@ template(`apache_content_template',`
 		libs_read_lib(httpd_$1_script_t)
 
 		miscfiles_read_localization(httpd_$1_script_t)
+
+		# added back to make sediff nicer
+		dev_rw_null_dev(httpd_$1_script_t)
+		term_use_controlling_term(httpd_$1_script_t)
+		allow httpd_$1_script_t self:dir r_dir_perms;
+		allow httpd_$1_script_t self:file r_file_perms;
+		allow httpd_$1_script_t self:lnk_file read;
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
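Review bot: The comment `# added back to make sediff nicer` does not say whether script domains need these five rules or whether they exist only to match the older policy. Because they sit in the template, every generated httpd_$1_script_t gets them, including `term_use_controlling_term`. I would replace the comment with something like `# kept for parity with the previous policy (sediff); re-check whether CGI scripts need terminal and /dev/null access`. The same "make sediff ..." wording is used for the entrypoint rules added in apache.te and for the modutils.te rules in this commit, and they would benefit from the same treatment. The template body starts before this hunk and continues after it.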
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 0bd436d..ba0b385 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -289,6 +289,10 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(httpd_t)
 	term_dontaudit_use_generic_pty(httpd_t)
 	files_dontaudit_read_root_file(httpd_t)
+
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_generic_user_home_dir(httpd_t)
+	')
 ')
 
 tunable_policy(`allow_httpd_anon_write',`
@@ -335,6 +339,9 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	allow httpd_t httpdcontent:dir create_dir_perms;
 	allow httpd_t httpdcontent:file create_file_perms;
 	allow httpd_t httpdcontent:lnk_file create_lnk_perms;
+
+	# make sediff easier
+	allow httpd_sys_script_t httpdcontent:file { rx_file_perms entrypoint };
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
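Review bot: Granting `entrypoint` on every `httpdcontent` file here means that anything httpd_t can create under that attribute (the three `create_*_perms` rules just above) can also serve as an entry point into httpd_sys_script_t. That may be exactly what the httpd_unified combination is meant to permit, but `# make sediff easier` hides the consequence from whoever toggles the booleans. A comment such as `# httpd_unified: content writable by httpd_t is also executable as httpd_sys_script_t` would make the trade-off visible. The tunable_policy block opens before the hunk.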
@@ -407,17 +414,6 @@ optional_policy(`rhgb.te',`
 
 can_tcp_connect(web_client_domain, httpd_t)
 
-ifdef(`targeted_policy',`
-	if (httpd_enable_homedirs) {
-		allow httpd_t user_home_dir_t:dir { getattr search };
-	}
-	if (httpd_enable_homedirs) {
-		allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
-	}
-	if (httpd_enable_homedirs) {
-		allow httpd_suexec_t user_home_dir_t:dir { getattr search };
-	}
-')
 ') dnl end TODO
 
 ########################################
@@ -495,12 +491,17 @@ allow httpd_suexec_t self:capability { setuid setgid };
 allow httpd_suexec_t self:process signal_perms;
 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
 
-# cjp: need transitionbool
-domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-allow httpd_t httpd_suexec_t:fd use;
-allow httpd_suexec_t httpd_t:fd use;
-allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
-allow httpd_suexec_t httpd_t:process sigchld;
+ifdef(`targeted_policy',`
+	gen_tunable(httpd_suexec_disable_trans,false)
+
+	tunable_policy(`httpd_suexec_disable_trans',`',`
+		domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+		allow httpd_t httpd_suexec_t:fd use;
+		allow httpd_suexec_t httpd_t:fd use;
+		allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
+		allow httpd_suexec_t httpd_t:process sigchld;
+	')
+')
 
 allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
 allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
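Review bot: Outside targeted_policy the httpd_t to httpd_suexec_t transition is no longer emitted, because the new ifdef on `targeted_policy` has no else branch. The five rules that were unconditional before this commit now exist only inside it. Unless the non-targeted build gets them from rules not shown here, executing suexec would either be denied or stay in httpd_t, losing the separation the httpd_suexec_t domain provides. Adding the original rules as the ifdef's else branch keeps the non-targeted behaviour unchanged.

```selinux
ifdef(`targeted_policy',`
	# ... unchanged: gen_tunable and the tunable_policy block ...
',`
	domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
	allow httpd_t httpd_suexec_t:fd use;
	allow httpd_suexec_t httpd_t:fd use;
	allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
	allow httpd_suexec_t httpd_t:process sigchld;
')
```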
@@ -534,6 +535,12 @@ logging_send_syslog_msg(httpd_suexec_t)
 
 miscfiles_read_localization(httpd_suexec_t)
 
+ifdef(`targeted_policy',`
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_generic_user_home_dir(httpd_suexec_t)
+	')
+')
+
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
 	allow httpd_suexec_t self:udp_socket create_socket_perms;
@@ -555,6 +562,13 @@ tunable_policy(`httpd_can_network_connect',`
 
 tunable_policy(`httpd_enable_cgi',`
 	domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+	allow httpd_suexec_t httpd_unconfined_script_t:fd use;
+	allow httpd_unconfined_script_t httpd_suexec_t:fd use;
+	allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
+	allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
+
+	# make sediff happy
+	allow httpd_unconfined_script_t httpd_unconfined_script_exec_t:file { ioctl read getattr lock execute entrypoint };
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -619,6 +633,12 @@ ifdef(`distro_redhat',`
 	allow httpd_sys_script_t httpd_log_t:file { getattr append };
 ')
 
+ifdef(`targeted_policy',`
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_generic_user_home_dir(httpd_sys_script_t)
+	')
+')
+
 optional_policy(`mysql.te',`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_socket(httpd_sys_script_t)
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 9baa6dd..d8fc342 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -598,8 +598,8 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(cupsd_config_t)
 ')
 
-optional_policy(`nis.te',`
-	nis_use_ypbind(cupsd_config_t)
+optional_policy(`hal.te',`
+	hal_domtrans(cupsd_config_t)
 ')
 
 optional_policy(`hostname.te',`
@@ -610,6 +610,10 @@ optional_policy(`logrotate.te',`
 	logrotate_use_fd(cupsd_config_t)
 ')
 
+optional_policy(`nis.te',`
+	nis_use_ypbind(cupsd_config_t)
+')
+
 optional_policy(`nscd.te',`
 	nscd_use_socket(cupsd_config_t)
 ')
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
index f363b35..68f262d 100644
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@@ -1 +1,22 @@
 ## <summary>Hardware abstraction layer</summary>
+
+########################################
+## <summary>
+##	Execute hal in the hal domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`hal_domtrans',`
+	gen_require(`
+		type hald_t, hald_exec_t;
+	')
+
+	domain_auto_trans($1,hald_exec_t,hald_t)
+
+	allow $1 hald_t:fd use;
+	allow hald_t $1:fd use;
+	allow hald_t $1:fifo_file rw_file_perms;
+	allow hald_t $1:process sigchld;
+')
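Review bot: The parameter description `Domain allowed access.` undersells what `hal_domtrans` grants. The caller gets an automatic transition into hald_t when it runs hald_exec_t, and hald_t gets use of the caller's file descriptors and fifo. I would change the param text to `Domain allowed to transition.` and extend the summary to say the caller's fds and pipes become usable by hald_t. That lets a reviewer of a call site such as the new `hal_domtrans(cupsd_config_t)` in cups.te see the privilege relationship without opening the interface.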
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 1478299..6a94b41 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -39,6 +39,7 @@ allow hald_t hald_tmp_t:file create_file_perms;
 files_create_tmp_files(hald_t, hald_tmp_t, { file dir })
 
 allow hald_t hald_var_run_t:file create_file_perms;
+allow hald_t hald_var_run_t:dir rw_dir_perms;
 files_create_pid(hald_t,hald_var_run_t)
 
 kernel_read_system_state(hald_t)
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 3d97f1c..b144729 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -32,15 +32,18 @@ interface(`inetd_core_service_domain',`
 
 	role system_r types $1;
 
-	allow inetd_t $1:process sigkill;
-
 	ifdef(`targeted_policy',`
 		# this regex is a hack, since it assumes there is a
 		# _t at the end of the domain type.  If there is no _t
 		# at the end of the type, it returns empty!
 		bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
 		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
-			can_exec(inetd_t,$2)
+#			can_exec(inetd_t,$2)
+			# cjp: this must be wrong
+			gen_require(`
+				type initrc_t, unconfined_t;
+			')
+			can_exec({ unconfined_t initrc_t },$2)
 		} else {
 			domain_auto_trans(inetd_t,$2,$1)
 			allow inetd_t $1:fd use;
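Review bot: In the disable_trans branch the interface now grants execute on `$2` to `unconfined_t` and `initrc_t`, which are not parameters of `inetd_core_service_domain`, while the rule for inetd_t itself is left commented out. As far as this hunk shows, inetd_t then has no execute permission on the service binary when the boolean is set. The note `# cjp: this must be wrong` does not say which part is in doubt. I would delete the dead `# can_exec(inetd_t,$2)` line and replace the note with something specific, e.g. `# XXX: with disable_trans set, inetd_t gets no execute on $2 here; confirm which domain is meant to launch the service`. The `gen_require` also sits inside the conditional rather than at the top of the interface. The interface body starts before this hunk and continues in the next two.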
@@ -49,6 +52,8 @@ interface(`inetd_core_service_domain',`
 			allow $1 inetd_t:process sigchld;
 			dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
 
+			allow inetd_t $1:process sigkill;
+
 			# make sediff happy
 			allow $1 $2:file { rx_file_perms entrypoint };
 		}
@@ -60,6 +65,8 @@ interface(`inetd_core_service_domain',`
 		allow $1 inetd_t:process sigchld;
 		dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
 
+		allow inetd_t $1:process sigkill;
+
 		# make sediff happy
 		allow $1 $2:file { rx_file_perms entrypoint };
 	')
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 0888803..969692f 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -38,7 +38,10 @@ type postfix_map_tmp_t;
 files_tmp_file(postfix_map_tmp_t)
 
 postfix_domain_template(master)
-mta_mailserver(postfix_master_t,postfix_master_exec_t)
+typealias postfix_master_t alias postfix_t;
+# alias is a hack to make the disable trans bool
+# generation macro work
+mta_mailserver(postfix_t,postfix_master_exec_t)
 
 postfix_public_domain_template(pickup)
 
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 5ba2635..3bafb9d 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -70,6 +70,10 @@ allow pppd_t self:udp_socket { connect connected_socket_perms };
 allow pppd_t self:packet_socket create_socket_perms;
 
 domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
+allow pppd_t pptp_t:fd use;
+allow pptp_t pppd_t:fd use;
+allow pptp_t pppd_t:fifo_file rw_file_perms;
+allow pptp_t pppd_t:process sigchld;
 
 allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
 
@@ -179,10 +183,10 @@ ifdef(`targeted_policy', `
 
 	optional_policy(`postfix.te',`
 		gen_require(`
-			bool postfix_master_disable_transgre;
+			bool postfix_disable_trans;
 		')
 
-		if(!postfix_master_disable_trans) {
+		if(!postfix_disable_trans) {
 			postfix_domtrans_master(pppd_t)
 		}
 	')
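Review bot: The required boolean `postfix_disable_trans` exists only because postfix.te in this commit aliases postfix_master_t to postfix_t so that the generated name changes. Nothing at this site says so. If the alias is later dropped, this `gen_require` will stop resolving and postfix support in pppd will break or be skipped. A short comment above the `gen_require`, such as `# bool name is generated from the postfix_t alias in postfix.te`, would keep the two files tied together for the next editor.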
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index a39737c..d095dfc 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -30,6 +30,7 @@ allow privoxy_t privoxy_log_t:dir rw_dir_perms;
 logging_create_log(privoxy_t,privoxy_log_t)
 
 allow privoxy_t privoxy_var_run_t:file create_file_perms;
+allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
 files_create_pid(privoxy_t,privoxy_var_run_t)
 
 kernel_read_kernel_sysctl(privoxy_t)
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index 26c99c1..6f18b9a 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -37,6 +37,7 @@ allow stunnel_t self:capability { setgid setuid sys_chroot };
 allow stunnel_t self:process signal_perms;
 allow stunnel_t self:fifo_file rw_file_perms;
 allow stunnel_t self:tcp_socket create_stream_socket_perms;
+allow stunnel_t self:udp_socket create_socket_perms;
 
 allow stunnel_t stunnel_etc_t:dir { getattr read search };
 allow stunnel_t stunnel_etc_t:file { read getattr };
@@ -138,3 +139,14 @@ ifdef(`distro_gentoo', `
         	nscd_use_socket(stunnel_t)
 	')
 ')
+
+tunable_policy(`stunnel_is_daemon',`
+	allow stunnel_t self:tcp_socket create_stream_socket_perms;
+
+	# hack since this port has no interfaces since it doesnt
+	# have net_contexts
+	gen_require(`
+		type stunnel_port_t;
+	')
+	allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+')
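Review bot: The first rule in the new tunable block, `allow stunnel_t self:tcp_socket create_stream_socket_perms;`, repeats the unconditional rule already present near the top of the file (visible as context in the previous hunk). The only thing `stunnel_is_daemon` actually adds is therefore the `name_bind` on stunnel_port_t. I would drop the duplicate so the conditional shows exactly what the boolean unlocks. The tunable's description in global_tunables also does not say which value selects daemon mode. Something like `## Allow stunnel to run as a standalone daemon (false: started from inetd).` would remove the ambiguity.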
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index a9516ea..01d4a96 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -187,7 +187,8 @@ rhgb_domain(auditd_t)
 #
 
 allow klogd_t klogd_tmp_t:file create_file_perms;
-files_create_tmp_files(klogd_t,klogd_tmp_t)
+allow klogd_t klogd_tmp_t:dir create_dir_perms;
+files_create_tmp_files(klogd_t,klogd_tmp_t,{ file dir })
 
 allow klogd_t klogd_var_run_t:file create_file_perms;
 
@@ -209,6 +210,8 @@ dev_read_sysfs(klogd_t)
 fs_getattr_all_fs(klogd_t)
 fs_search_auto_mountpoints(klogd_t)
 
+term_dontaudit_use_console(klogd_t)
+
 domain_use_wide_inherit_fd(klogd_t)
 
 files_create_pid(klogd_t,klogd_var_run_t)
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 146d356..dc40fc9 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -50,6 +50,10 @@ allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms;
 
 can_exec(insmod_t, insmod_exec_t)
 
+# make sediff happy (no effect)
+dontaudit insmod_t self:process { noatsecure rlimitinh siginh };
+type_transition insmod_t insmod_exec_t:process insmod_t;
+
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
 kernel_mount_debugfs(insmod_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index bce2061..6705b1c 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -273,6 +273,8 @@ dontaudit ifconfig_t self:capability sys_module;
 
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_file_perms;
+allow ifconfig_t self:sock_file r_file_perms;
+allow ifconfig_t self:socket create_socket_perms;
 allow ifconfig_t self:unix_dgram_socket create_socket_perms;
 allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
 allow ifconfig_t self:unix_dgram_socket sendto;
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 398c129..953d2cf 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2128,6 +2128,22 @@ interface(`userdom_create_generic_user_home_dir',`
 
 ########################################
 ## <summary>
+##	Search generic user home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_search_generic_user_home_dir',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	allow $1 user_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	generic user home directories.
 ## </summary>

