[selinux-policy: 1014/3172] many loadable module build fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:32:37 UTC 2010
commit 6f81e1d3805c5fe00a196314677ec87c99d6aa1c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Dec 2 22:06:05 2005 +0000
many loadable module build fixes
refpolicy/policy/modules/admin/dmesg.if | 4 +
refpolicy/policy/modules/admin/dmesg.te | 16 ++--
refpolicy/policy/modules/admin/updfstab.if | 19 -----
refpolicy/policy/modules/admin/updfstab.te | 4 +-
refpolicy/policy/modules/kernel/files.if | 17 ++++
refpolicy/policy/modules/kernel/filesystem.if | 18 ++++-
refpolicy/policy/modules/kernel/mls.te | 3 +-
refpolicy/policy/modules/services/bind.if | 37 +++++++++
refpolicy/policy/modules/services/bind.te | 84 +++++++-------------
refpolicy/policy/modules/services/bluetooth.if | 19 +++++
refpolicy/policy/modules/services/bluetooth.te | 15 +---
refpolicy/policy/modules/services/cups.if | 19 +++++
refpolicy/policy/modules/services/cups.te | 24 ++++--
.../policy/modules/services/networkmanager.if | 52 ++++++++++++
.../policy/modules/services/networkmanager.te | 6 ++
refpolicy/policy/modules/services/rpc.if | 17 ++++
refpolicy/policy/modules/services/snmp.te | 42 +++++-----
refpolicy/policy/modules/system/authlogin.if | 2 +-
refpolicy/policy/modules/system/init.if | 20 +++++-
refpolicy/policy/modules/system/init.te | 12 ++--
refpolicy/policy/modules/system/sysnetwork.if | 19 +++++
refpolicy/policy/modules/system/sysnetwork.te | 13 +---
refpolicy/policy/modules/system/unconfined.if | 33 ++++++++
refpolicy/policy/modules/system/unconfined.te | 8 ++
refpolicy/policy/modules/system/userdomain.if | 8 ++
refpolicy/policy/modules/system/userdomain.te | 6 +-
26 files changed, 374 insertions(+), 143 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 4471ed6..3eba936 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -10,6 +10,10 @@
#
interface(`dmesg_domtrans',`
ifdef(`targeted_policy',`
+ gen_require(`
+ type dmesg_exec_t;
+ ')
+
# $0(): disabled in targeted policy as there
# is no dmesg domain.
',`
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index a46294b..fa1861e 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -6,24 +6,26 @@ policy_module(dmesg, 1.0)
# Declarations
#
-ifdef(`targeted_policy',`
- # for compatibility with strict:
- corecmd_bin_alias(dmesg_exec_t)
-',`
+ifdef(`strict_policy',`
type dmesg_t;
type dmesg_exec_t;
init_system_domain(dmesg_t,dmesg_exec_t)
role system_r types dmesg_t;
')
+ifdef(`targeted_policy',`
+ # dmesg domain is disabled in the
+ # targeted policy. for compatibility
+ # with strict:
+ corecmd_bin_alias(dmesg_exec_t)
+')
+
########################################
#
# Local policy
#
-ifdef(`targeted_policy',`
- # dmesg domain disabled in targeted policy
-',`
+ifdef(`strict_policy',`
allow dmesg_t self:capability sys_admin;
dontaudit dmesg_t self:capability sys_tty_config;
diff --git a/refpolicy/policy/modules/admin/updfstab.if b/refpolicy/policy/modules/admin/updfstab.if
index 5474833..753454f 100644
--- a/refpolicy/policy/modules/admin/updfstab.if
+++ b/refpolicy/policy/modules/admin/updfstab.if
@@ -22,22 +22,3 @@ interface(`updfstab_domtrans',`
allow updfstab_t $1:fifo_file rw_file_perms;
allow updfstab_t $1:process sigchld;
')
-
-########################################
-## <summary>
-## Send and receive messages from
-## updfstab over dbus.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`updfstab_dbus_chat',`
- gen_require(`
- type updfstab_t;
- class dbus send_msg;
- ')
-
- allow $1 updfstab_t:dbus send_msg;
- allow updfstab_t $1:dbus send_msg;
-')
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 60a1468..7fa74b4 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -1,5 +1,5 @@
-policy_module(updfstab,1.0.2)
+policy_module(updfstab,1.0.3)
########################################
#
@@ -94,6 +94,8 @@ optional_policy(`authlogin',`
')
optional_policy(`dbus',`
+ init_dbus_chat_script(updfstab_t)
+
dbus_system_bus_client_template(updfstab,updfstab_t)
dbus_send_system_bus_msg(updfstab_t)
')
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index c43fa98..b78d961 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -2130,6 +2130,23 @@ interface(`files_read_generic_tmp_symlinks',`
########################################
## <summary>
+## Read and write generic named sockets in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_rw_generic_tmp_sockets',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir search_dir_perms;
+ allow $1 tmp_t:sock_file { read write };
+')
+
+########################################
+## <summary>
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index c067a6e..f089669 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1229,10 +1229,26 @@ interface(`fs_read_nfs_symlinks',`
## The type of the domain reading the symbolic links.
## </param>
#
+interface(`fs_getattr_rpc_dirs',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:dir getattr;
+
+')
+
+########################################
+## <summary>
+## Read directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## The type of the domain reading the symbolic links.
+## </param>
+#
interface(`fs_read_rpc_dirs',`
gen_require(`
type rpc_pipefs_t;
- class dir { getattr read search };
')
allow $1 rpc_pipefs_t:dir { getattr read search };
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
index da7bb73..1a040dd 100644
--- a/refpolicy/policy/modules/kernel/mls.te
+++ b/refpolicy/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls,1.0)
+policy_module(mls,1.0.1)
########################################
#
@@ -58,6 +58,7 @@ type login_exec_t;
type init_t;
type init_exec_t;
type initrc_t;
+type initrc_exec_t;
type sshd_exec_t;
type su_exec_t;
type udev_exec_t;
diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
index e0f730b..c84daf6 100644
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@@ -23,6 +23,22 @@ interface(`bind_domtrans_ndc',`
########################################
## <summary>
+## Send generic signals to BIND.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`bind_signal',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signal;
+')
+
+########################################
+## <summary>
## Execute ndc in the ndc domain, and
## allow the specified role the ndc domain.
## </summary>
@@ -137,6 +153,27 @@ interface(`bind_manage_config_dir',`
########################################
## <summary>
+## Create, read, write, and delete
+## BIND cache files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`bind_manage_cache',`
+ gen_require(`
+ type named_cache_t, named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ allow $1 named_cache_t:dir rw_dir_perms;
+ allow $1 named_cache_t:file create_file_perms;
+ allow $1 named_cache_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to set the attributes
## of the BIND pid directory.
## </summary>
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index a5869ea..9ecba81 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind,0.9)
+policy_module(bind,1.0.0)
########################################
#
@@ -150,15 +150,37 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_file(named_t)
')
+tunable_policy(`named_write_master_zones',`
+ allow named_t named_zone_t:dir create_dir_perms;
+ allow named_t named_zone_t:file create_file_perms;
+ allow named_t named_zone_t:lnk_file create_lnk_perms;
+')
+
optional_policy(`dbus',`
- gen_require(`
- class dbus send_msg;
- ')
+ init_dbus_chat_script(named_t)
+
+ sysnet_dbus_chat_dhcpc(named_t)
- allow named_t self:dbus send_msg;
dbus_system_bus_client_template(named,named_t)
dbus_connect_system_bus(named_t)
dbus_send_system_bus_msg(named_t)
+
+ optional_policy(`networkmanager',`
+ networkmanager_dbus_chat(named_t)
+ ')
+')
+
+optional_policy(`mount',`
+ mount_send_nfs_client_request(named_t)
+')
+
+optional_policy(`networkmanager',`
+ # this seems like fds that arent being
+ # closed. these should probably be
+ # dontaudits instead.
+ networkmanager_rw_udp_socket(named_t)
+ networkmanager_rw_packet_socket(named_t)
+ networkmanager_rw_routing_socket(named_t)
')
optional_policy(`nis',`
@@ -250,16 +272,6 @@ ifdef(`targeted_policy',`
term_use_generic_pty(ndc_t)
')
-tunable_policy(`named_write_master_zones',`
- allow named_t named_zone_t:dir create_dir_perms;
- allow named_t named_zone_t:file create_file_perms;
- allow named_t named_zone_t:lnk_file create_lnk_perms;
-')
-
-optional_policy(`mount',`
- mount_send_nfs_client_request(named_t)
-')
-
optional_policy(`nis',`
nis_use_ypbind(ndc_t)
')
@@ -268,46 +280,6 @@ optional_policy(`nscd',`
nscd_use_socket(ndc_t)
')
-optional_policy(`bind',`
+optional_policy(`ppp',`
ppp_dontaudit_use_fd(ndc_t)
')
-
-###########################################################
-#
-# Partially converted rules. THESE ARE ONLY TEMPORARY
-#
-
-allow named_t initrc_t:dbus send_msg;
-allow initrc_t named_t:dbus send_msg;
-allow named_t dhcpc_t:dbus send_msg;
-allow dhcpc_t named_t:dbus send_msg;
-
-# cjp: this whole block was originally in networkmanager
-optional_policy(`networkmanager',`
- gen_require(`
- type NetworkManager_t;
- ')
-
-# optional_policy(`dbus',`
- gen_require(`
- class dbus send_msg;
- ')
-
- allow NetworkManager_t named_t:dbus send_msg;
- allow named_t NetworkManager_t:dbus send_msg;
-# ')
-
- bind_domtrans(NetworkManager_t)
-
- allow NetworkManager_t named_zone_t:dir search;
-
- allow NetworkManager_t named_cache_t:dir rw_dir_perms;
- allow NetworkManager_t named_cache_t:file create_file_perms;
- allow NetworkManager_t named_cache_t:lnk_file create_lnk_perms;
-
- allow named_t NetworkManager_t:udp_socket { read write };
- allow named_t NetworkManager_t:netlink_route_socket { read write };
-
- allow NetworkManager_t named_t:process signal;
- allow named_t NetworkManager_t:packet_socket { read write };
-')
diff --git a/refpolicy/policy/modules/services/bluetooth.if b/refpolicy/policy/modules/services/bluetooth.if
index a0b1bc1..e2db8fe 100644
--- a/refpolicy/policy/modules/services/bluetooth.if
+++ b/refpolicy/policy/modules/services/bluetooth.if
@@ -23,6 +23,25 @@ interface(`bluetooth_domtrans_helper',`
########################################
## <summary>
+## Send and receive messages from
+## bluetooth over dbus.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`bluetooth_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 bluetooth_t:dbus send_msg;
+ allow bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Execute bluetooth_helper in the bluetooth_helper domain, and
## allow the specified role the bluetooth_helper domain.
## </summary>
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index b17758d..8b35c1d 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth,1.0)
+policy_module(bluetooth,1.0.1)
########################################
#
@@ -214,22 +214,15 @@ ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
-ifdef(`targeted_policy', `', `
- ifdef(`xdm.te', `
+ifdef(`strict_policy',`
+ ifdef(`xdm.te',`
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
')
-
- allow bluetooth_t unpriv_userdomain:dbus send_msg;
- allow unpriv_userdomain bluetooth_t:dbus send_msg;
')
') dnl end TODO
ifdef(`targeted_policy',`
- allow bluetooth_helper_t tmp_t:sock_file { read write };
+ files_rw_generic_tmp_sockets(bluetooth_helper_t)
allow bluetooth_helper_t tmpfs_t:file { read write };
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
- allow bluetooth_t unconfined_t:dbus send_msg;
- allow unconfined_t bluetooth_t:dbus send_msg;
- allow bluetooth_t unconfined_t:dbus send_msg;
- allow unconfined_t bluetooth_t:dbus send_msg;
')
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
index d918292..c1d77ab 100644
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@@ -23,6 +23,25 @@ interface(`cups_domtrans',`
########################################
## <summary>
+## Send and receive messages from
+## cups over dbus.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`cups_dbus_chat',`
+ gen_require(`
+ type cupsd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cupsd_t:dbus send_msg;
+ allow cupsd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Execute cups_config in the cups_config domain.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 62862a3..34be188 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups,1.0.1)
+policy_module(cups,1.0.2)
########################################
#
@@ -627,13 +627,23 @@ allow cupsd_config_t printconf_t:file { getattr read };
allow cupsd_config_t initrc_exec_t:file getattr;
ifdef(`targeted_policy', `
- allow cupsd_t initrc_t:unix_stream_socket connectto;
- allow cupsd_t initrc_t:dbus send_msg;
- allow initrc_t cupsd_t:dbus send_msg;
- allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
- allow unconfined_t cupsd_config_t:dbus send_msg;
- allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file r_file_perms;
+ init_unix_connect_script(cupsd_t)
+
+ unconfined_read_pipe(cupsd_t)
+
+ optional_policy(`dbus',`
+ init_dbus_chat_script(cupsd_t)
+
+ unconfined_dbus_send(cupsd_t)
+
+ dbus_stub(cupsd_t)
+ ')
+')
+
+ifdef(`targeted_policy',`
term_use_generic_pty(cupsd_config_t)
+
+ unconfined_read_pipe(cupsd_config_t)
')
########################################
diff --git a/refpolicy/policy/modules/services/networkmanager.if b/refpolicy/policy/modules/services/networkmanager.if
index e07d97d..200795e 100644
--- a/refpolicy/policy/modules/services/networkmanager.if
+++ b/refpolicy/policy/modules/services/networkmanager.if
@@ -2,6 +2,58 @@
########################################
## <summary>
+## Read and write NetworkManager UDP sockets.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_udp_socket',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write NetworkManager packet sockets.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_packet_socket',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write NetworkManager netlink
+## routing sockets.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_routing_socket',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:netlink_route_socket { read write };
+')
+
+########################################
+## <summary>
## Send and receive messages from
## NetworkManager over dbus.
## </summary>
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index 69472b9..c0a7805 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -117,6 +117,12 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(NetworkManager_t)
')
+optional_policy(`bind',`
+ bind_domtrans(NetworkManager_t)
+ bind_manage_cache(NetworkManager_t)
+ bind_signal(NetworkManager_t)
+')
+
optional_policy(`bluetooth',`
bluetooth_dontaudit_read_helper_files(NetworkManager_t)
')
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index 0e854fc..da50403 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -272,3 +272,20 @@ interface(`rpc_udp_sendto_nfs',`
allow nfsd_t $1:udp_socket sendto;
allow $1 nfsd_t:udp_socket recvfrom;
')
+
+########################################
+## <summary>
+## Search NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`rpc_search_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir search;
+')
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index e8f3794..a7ed81b 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
-policy_module(snmp,1.0.1)
+policy_module(snmp,1.0.2)
########################################
#
@@ -56,6 +56,10 @@ kernel_read_system_state(snmpd_t)
kernel_read_network_state(snmpd_t)
kernel_tcp_recvfrom(snmpd_t)
+corecmd_exec_bin(snmpd_t)
+corecmd_exec_sbin(snmpd_t)
+corecmd_exec_shell(snmpd_t)
+
corenet_tcp_sendrecv_all_if(snmpd_t)
corenet_udp_sendrecv_all_if(snmpd_t)
corenet_raw_sendrecv_all_if(snmpd_t)
@@ -74,18 +78,6 @@ dev_read_sysfs(snmpd_t)
dev_read_urand(snmpd_t)
dev_read_rand(snmpd_t)
-fs_getattr_all_fs(snmpd_t)
-fs_search_auto_mountpoints(snmpd_t)
-
-storage_dontaudit_read_fixed_disk(snmpd_t)
-storage_dontaudit_read_removable_device(snmpd_t)
-
-term_dontaudit_use_console(snmpd_t)
-
-corecmd_exec_bin(snmpd_t)
-corecmd_exec_sbin(snmpd_t)
-corecmd_exec_shell(snmpd_t)
-
domain_use_wide_inherit_fd(snmpd_t)
domain_signull_all_domains(snmpd_t)
domain_read_all_domains_state(snmpd_t)
@@ -95,6 +87,15 @@ files_read_usr_files(snmpd_t)
files_read_etc_runtime_files(snmpd_t)
files_search_home(snmpd_t)
+fs_getattr_all_fs(snmpd_t)
+fs_getattr_rpc_dirs(snmpd_t)
+fs_search_auto_mountpoints(snmpd_t)
+
+storage_dontaudit_read_fixed_disk(snmpd_t)
+storage_dontaudit_read_removable_device(snmpd_t)
+
+term_dontaudit_use_console(snmpd_t)
+
init_read_script_pid(snmpd_t)
init_use_fd(snmpd_t)
init_use_script_pty(snmpd_t)
@@ -131,6 +132,10 @@ optional_policy(`amanda',`
amanda_dontaudit_read_dumpdates(snmpd_t)
')
+optional_policy(`cups',`
+ cups_read_rw_config(snmpd_t)
+')
+
optional_policy(`nis',`
nis_use_ypbind(snmpd_t)
')
@@ -139,6 +144,10 @@ optional_policy(`nscd',`
nscd_use_socket(snmpd_t)
')
+optional_policy(`rpc',`
+ rpc_search_nfs_state_data(snmpd_t)
+')
+
optional_policy(`selinuxutil',`
seutil_sigchld_newrole(snmpd_t)
')
@@ -150,11 +159,4 @@ optional_policy(`udev',`
ifdef(`TODO',`
can_udp_send(sysadm_t, snmpd_t)
can_udp_send(snmpd_t, sysadm_t)
-
-optional_policy(`cupsd',`
- allow snmpd_t cupsd_rw_etc_t:file { getattr read };
-')
') dnl end TODO
-
-allow snmpd_t rpc_pipefs_t:dir getattr;
-allow snmpd_t var_lib_nfs_t:dir search;
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 0afd82a..f6a54b3 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -138,7 +138,7 @@ template(`authlogin_per_userdomain_template',`
template(`auth_domtrans_user_chk_passwd',`
ifdef(`targeted_policy',`
gen_require(`
- type chkpwd_exec_t;
+ type system_chkpwd_t, chkpwd_exec_t;
')
domain_auto_trans($2,chkpwd_exec_t,system_chkpwd_t)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index d12b7f2..73bfa56 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -469,7 +469,6 @@ interface(`init_unix_connect_script',`
interface(`init_dontaudit_unix_connect_script',`
gen_require(`
type initrc_t;
- class unix_stream_socket connectto;
')
dontaudit $1 initrc_t:unix_stream_socket connectto;
@@ -693,6 +692,25 @@ interface(`init_unix_connect_script',`
########################################
## <summary>
+## Send and receive messages from
+## init scripts over dbus.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`init_dbus_chat_script',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 initrc_t:dbus send_msg;
+ allow initrc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Read and write the init script pty.
## </summary>
## <desc>
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 28fda4c..72b8312 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.0.2)
+policy_module(init,1.0.3)
gen_require(`
class passwd rootok;
@@ -61,7 +61,11 @@ gen_require(`
domain_type(initrc_t)
role system_r types initrc_t;
-type initrc_exec_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type initrc_exec_t;
+')
domain_entry_file(initrc_t,initrc_exec_t)
type initrc_devpts_t;
@@ -506,10 +510,6 @@ optional_policy(`dbus',`
optional_policy(`networkmanager',`
networkmanager_dbus_chat(initrc_t)
')
-
- optional_policy(`updfstab',`
- updfstab_dbus_chat(initrc_t)
- ')
')
optional_policy(`ftp',`
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 386661c..6ecf59d 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -129,6 +129,25 @@ interface(`sysnet_signal_dhcpc',`
########################################
## <summary>
+## Send and receive messages from
+## dhcpc over dbus.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`sysnet_dbus_chat_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 dhcpc_t:dbus send_msg;
+ allow dhcpc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Read and write dhcp configuration files.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index c1a479f..a68c3c1 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
-policy_module(sysnetwork,1.0.1)
+policy_module(sysnetwork,1.0.2)
########################################
#
@@ -161,21 +161,12 @@ optional_policy(`consoletype',`
')
optional_policy(`dbus',`
- gen_require(`
- class dbus send_msg;
- ')
-
- allow dhcpc_t self:dbus send_msg;
+ init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client_template(dhcpc,dhcpc_t)
dbus_connect_system_bus(dhcpc_t)
dbus_send_system_bus_msg(dhcpc_t)
- domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
-
- allow initrc_t dhcpc_t:dbus send_msg;
- allow dhcpc_t initrc_t:dbus send_msg;
-
optional_policy(`networkmanager',`
networkmanager_dbus_chat(dhcpc_t)
')
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 39b43b7..b6fe603 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -203,6 +203,22 @@ interface(`unconfined_signal',`
########################################
## <summary>
+## Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`unconfined_read_pipe',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
@@ -264,6 +280,23 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
########################################
## <summary>
+## Send messages to the unconfined domain over dbus.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`unconfined_dbus_send',`
+ gen_require(`
+ type unconfined_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 unconfined_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Add an alias type to the unconfined domain.
## </summary>
## <desc>
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 8160f15..b7d7b6c 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -64,6 +64,14 @@ ifdef(`targeted_policy',`
avahi_dbus_chat(unconfined_t)
')
+ optional_policy(`bluetooth',`
+ bluetooth_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`cups',`
+ cups_dbus_chat_config(unconfined_t)
+ ')
+
optional_policy(`hal',`
hal_dbus_chat(unconfined_t)
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 56a6796..9167d69 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -611,6 +611,14 @@ template(`unpriv_user_template', `
corenet_tcp_bind_generic_port($1_t)
')
+ optional_policy(`dbus',`
+ dbus_stub($1_t)
+
+ optional_policy(`bluetooth',`
+ bluetooth_dbus_chat($1_t)
+ ')
+ ')
+
optional_policy(`kerberos',`
kerberos_use($1_t)
')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 3805172..6c228fa 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,9 @@
-policy_module(userdomain,1.0.5)
+policy_module(userdomain,1.0.6)
+
+gen_require(`
+ role sysadm_r, staff_r, user_r;
+')
########################################
#
More information about the scm-commits
mailing list