[selinux-policy: 1086/3172] add prelink.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:38:43 UTC 2010 

commit 2c243586e54cccc7cfc82e0ccd03a6a60b1c8123
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jan 11 23:20:28 2006 +0000

    add prelink.

 refpolicy/Changelog                             |    3 +-
 refpolicy/policy/modules/admin/amanda.te        |    6 +-
 refpolicy/policy/modules/admin/prelink.fc       |    6 +
 refpolicy/policy/modules/admin/prelink.if       |   92 ++++++++++++++++++
 refpolicy/policy/modules/admin/prelink.te       |   79 ++++++++++++++++
 refpolicy/policy/modules/kernel/corecommands.if |  104 +++++++++++++++++++++
 refpolicy/policy/modules/kernel/corecommands.te |    2 +-
 refpolicy/policy/modules/kernel/domain.if       |   53 +++++++++++
 refpolicy/policy/modules/kernel/domain.te       |    2 +-
 refpolicy/policy/modules/services/apache.te     |    6 +-
 refpolicy/policy/modules/services/cron.te       |    8 ++-
 refpolicy/policy/modules/services/xdm.te        |    4 +
 refpolicy/policy/modules/system/libraries.if    |  113 +++++++++++++++++++++++
 refpolicy/policy/modules/system/libraries.te    |    2 +-
 refpolicy/policy/modules/system/unconfined.te   |    6 +-
 15 files changed, 474 insertions(+), 12 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 0ceec0a..f5cd8e6 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -3,7 +3,7 @@
 - Add apache relay and db connect tunables.
 - Rename texrel_shlib_t to textrel_shlib_t.
 - Add swat to samba module.
-- Miscellaneous fixes from Dan Walsh.
+- Numerous miscellaneous fixes from Dan Walsh.
 - Added modules:
 	automount
 	ddcprobe
@@ -12,6 +12,7 @@
 	lockdev
 	logwatch (Dan Walsh)
 	openct
+	prelink (Dan Walsh)
 	readahead
 	roundup
 	screen
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index ad505e5..b951681 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
 
-policy_module(amanda,1.1.0)
+policy_module(amanda,1.1.1)
 
 #######################################
 #
@@ -77,6 +77,10 @@ role system_r types amanda_recover_t;
 type amanda_recover_dir_t;
 files_type(amanda_recover_dir_t)
 
+optional_policy(`prelink',`
+	prelink_object_file(amanda_usr_lib_t)
+')
+
 ########################################
 #
 # Amanda local policy
diff --git a/refpolicy/policy/modules/admin/prelink.fc b/refpolicy/policy/modules/admin/prelink.fc
new file mode 100644
index 0000000..ee0cf31
--- /dev/null
+++ b/refpolicy/policy/modules/admin/prelink.fc
@@ -0,0 +1,6 @@
+
+/etc/prelink\.cache		--	gen_context(system_u:object_r:prelink_cache_t,s0)
+
+/usr/sbin/prelink(\.bin)?	--	gen_context(system_u:object_r:prelink_exec_t,s0)
+
+/var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
diff --git a/refpolicy/policy/modules/admin/prelink.if b/refpolicy/policy/modules/admin/prelink.if
new file mode 100644
index 0000000..e76434d
--- /dev/null
+++ b/refpolicy/policy/modules/admin/prelink.if
@@ -0,0 +1,92 @@
+## <summary>Prelink ELF shared library mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the prelink program in the prelink domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`prelink_domtrans',`
+	gen_require(`
+		type prelink_t, prelink_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, prelink_exec_t, prelink_t)
+
+	allow $1 prelink_t:fd use;
+	allow prelink_t $1:fd use;
+	allow prelink_t $1:fifo_file rw_file_perms;
+	allow prelink_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Make the specified file type prelinkable.
+## </summary>
+## <param name="file_type">
+##	File type to be prelinked.
+## </param>
+#
+# cjp: added for misc non-entrypoint objects
+interface(`prelink_object_file',`
+	gen_require(`
+		attribute prelink_object;
+	')
+
+	typeattribute $1 prelink_object;
+')
+
+########################################
+## <summary>
+##	Read the prelink cache.
+## </summary>
+## <param name="file_type">
+##	Domain allowed access.
+## </param>
+#
+interface(`prelink_read_cache',`
+	gen_require(`
+		type prelink_cache_t;
+	')
+
+	files_search_etc($1)
+	allow $1 prelink_cache_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Delete the prelink cache.
+## </summary>
+## <param name="file_type">
+##	Domain allowed access.
+## </param>
+#
+interface(`prelink_delete_cache',`
+	gen_require(`
+		type prelink_cache_t;
+	')
+
+	allow $1 prelink_cache_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	prelink log files.
+## </summary>
+## <param name="file_type">
+##	Domain allowed access.
+## </param>
+#
+interface(`prelink_manage_log',`
+	gen_require(`
+		type prelink_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 prelink_log_t:dir rw_dir_perms;
+	allow $1 prelink_log_t:file create_file_perms;
+')
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
new file mode 100644
index 0000000..91c5f86
--- /dev/null
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -0,0 +1,79 @@
+
+policy_module(prelink,1.0.0)
+
+########################################
+#
+# Declarations
+
+attribute prelink_object;
+
+type prelink_t;
+type prelink_exec_t;
+init_system_domain(prelink_t,prelink_exec_t)
+
+type prelink_cache_t;
+files_type(prelink_cache_t)
+
+type prelink_log_t;
+logging_log_file(prelink_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow prelink_t self:capability { chown dac_override fowner fsetid };
+allow prelink_t self:process { execheap execmem execstack };
+allow prelink_t self:fifo_file rw_file_perms;
+
+allow prelink_t prelink_cache_t:file manage_file_perms;
+files_create_etc_config(prelink_t, prelink_cache_t, file)
+
+allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
+allow prelink_t prelink_log_t:file { create ra_file_perms };
+allow prelink_t prelink_log_t:lnk_file read;
+logging_create_log(prelink_t, prelink_log_t)
+
+# prelink misc objects that are not system
+# libraries or entrypoints
+allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };
+
+kernel_read_system_state(prelink_t)
+kernel_dontaudit_search_kernel_sysctl(prelink_t)
+kernel_dontaudit_search_sysctl(prelink_t)
+
+corecmd_manage_bin_files(prelink_t)
+corecmd_relabel_bin_files(prelink_t)
+corecmd_mmap_bin_files(prelink_t)
+corecmd_manage_sbin_files(prelink_t)
+corecmd_relabel_sbin_files(prelink_t)
+corecmd_mmap_sbin_files(prelink_t)
+
+dev_read_urand(prelink_t)
+
+domain_manage_all_entry_files(prelink_t)
+domain_relabel_all_entry_files(prelink_t)
+domain_mmap_all_entry_files(prelink_t)
+
+files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dir(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+
+fs_getattr_xattr_fs(prelink_t)
+
+libs_use_ld_so(prelink_t)
+libs_manage_ld_so(prelink_t)
+libs_relabel_ld_so(prelink_t)
+libs_use_shared_libs(prelink_t)
+libs_manage_shared_libs(prelink_t)
+libs_relabel_shared_libs(prelink_t)
+libs_use_lib(prelink_t)
+libs_manage_lib_files(prelink_t)
+libs_relabel_lib_files(prelink_t)
+
+miscfiles_read_localization(prelink_t)
+
+optional_policy(`cron',`
+	cron_system_entry(prelink_t, prelink_exec_t)
+')
diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if
index 0033679..f6f09fe 100644
--- a/refpolicy/policy/modules/kernel/corecommands.if
+++ b/refpolicy/policy/modules/kernel/corecommands.if
@@ -190,6 +190,57 @@ interface(`corecmd_exec_bin',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete bin files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_manage_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir rw_dir_perms;
+	allow $1 bin_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the bin type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_relabel_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search_dir_perms;
+	allow $1 bin_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Mmap a bin file as executable.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_mmap_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search_dir_perms;
+	allow $1 bin_t:file { getattr read execute };
+')
+
+########################################
+## <summary>
 ##	Execute a file in a bin directory
 ##	in the specified domain.
 ## </summary>
@@ -389,7 +440,60 @@ interface(`corecmd_exec_sbin',`
 	allow $1 sbin_t:dir r_dir_perms;
 	allow $1 sbin_t:lnk_file r_file_perms;
 	can_exec($1,sbin_t)
+')
 
+########################################
+## <summary>
+##	Create, read, write, and delete sbin files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_manage_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir rw_dir_perms;
+	allow $1 sbin_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the sbin type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_relabel_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search_dir_perms;
+	allow $1 sbin_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Mmap a sbin file as executable.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_mmap_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search_dir_perms;
+	allow $1 sbin_t:file { getattr read execute };
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te
index ff88d10..d157fec 100644
--- a/refpolicy/policy/modules/kernel/corecommands.te
+++ b/refpolicy/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.1.0)
+policy_module(corecommands,1.1.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index 58d3c7d..d02815b 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -1021,6 +1021,59 @@ interface(`domain_exec_all_entry_files',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete all
+##	entrypoint files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_manage_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 entry_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from all entry point
+##	file types.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_relabel_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 entry_type:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Mmap all entry point files as executable.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_mmap_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 entry_type:file { getattr read execute };
+')
+
+########################################
+## <summary>
 ##	Unconfined access to domains.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te
index 099269e..6956584 100644
--- a/refpolicy/policy/modules/kernel/domain.te
+++ b/refpolicy/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
 
-policy_module(domain,1.0.0)
+policy_module(domain,1.0.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index f22676a..32b7be4 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.1.1)
+policy_module(apache,1.1.2)
 
 #
 # NOTES: 
@@ -122,6 +122,10 @@ ifdef(`targeted_policy',`
 	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
 ')
 
+optional_policy(`prelink',`
+	prelink_object_file(httpd_modules_t)
+')
+
 ########################################
 #
 # Apache server local policy
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index e89f8c4..90fcf06 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
 
-policy_module(cron,1.1.3)
+policy_module(cron,1.1.4)
 
 gen_require(`
 	class passwd rootok;
@@ -397,6 +397,12 @@ ifdef(`targeted_policy',`
 		nscd_use_socket(system_crond_t)
 	')
 
+	optional_policy(`prelink',`
+		prelink_read_cache(system_crond_t)
+		prelink_manage_log(system_crond_t)
+		prelink_delete_cache(system_crond_t)
+	')
+
 	optional_policy(`samba',`
 		samba_read_config(system_crond_t)
 		samba_read_log(system_crond_t)
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index b71ac92..62086a6 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -319,6 +319,10 @@ allow xdm_xserver_t var_lib_t:dir search;
 allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
 can_exec(xdm_xserver_t, xkb_var_lib_t)
 
+optional_policy(`prelink',`
+	prelink_object_file(xkb_var_lib_t)
+')
+
 # Insert video drivers.  
 allow xdm_xserver_t self:capability mknod;
 allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 05f6904..8863b6a 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -115,6 +115,44 @@ interface(`libs_exec_ld_so',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete the
+##	dynamic link/loader.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_ld_so',`
+	gen_require(`
+		type lib_t, ld_so_t;
+	')
+
+	allow $1 lib_t:dir rw_dir_perms;
+	allow $1 ld_so_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the type used for
+##	the dynamic link/loader.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_ld_so',`
+	gen_require(`
+		type lib_t, ld_so_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 ld_so_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##	Modify the dynamic link/loader's cached listing
 ##	of shared libraries.
 ## </summary>
@@ -214,6 +252,25 @@ interface(`libs_use_lib',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete generic
+##	files in library directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Relabel files to the type used in library directories.
 ## </summary>
 ## <param name="domain">
@@ -226,11 +283,49 @@ interface(`libs_relabelto_lib_files',`
 		class file relabelto;
 	')
 
+	allow $1 lib_t:dir search_dir_perms;
 	allow $1 lib_t:file relabelto;
 ')
 
 ########################################
 ## <summary>
+##	Relabel to and from the type used
+##	for generic lib files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 lib_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete shared libraries.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_shared_libs',`
+	gen_require(`
+		type lib_t, shlib_t, textrel_shlib_t;
+	')
+
+	allow $1 lib_t:dir rw_dir_perms;
+	allow $1 { shlib_t textrel_shlib_t }:file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Load and execute functions from shared libraries.
 ## </summary>
 ## <param name="domain">
@@ -269,3 +364,21 @@ interface(`libs_legacy_use_shared_libs',`
 	allow $1 { shlib_t textrel_shlib_t }:file execmod;
 ')
 
+########################################
+## <summary>
+##	Relabel to and from the type used for
+##	shared libraries.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_shared_libs',`
+	gen_require(`
+		type lib_t, shlib_t, textrel_shlib_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto };
+')
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 86b3c8c..e5b3020 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.1.3)
+policy_module(libraries,1.1.4)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index a2f47d1..81fd9be 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.1.4)
+policy_module(unconfined,1.1.5)
 
 ########################################
 #
@@ -129,10 +129,6 @@ ifdef(`targeted_policy',`
 		sendmail_domtrans(unconfined_t)
 	')
 
-	optional_policy(`su',`
-		su_per_userdomain_template(sysadm,unconfined_t,system_r)
-	')
-
 	optional_policy(`sysnetwork',`
 		sysnet_domtrans_dhcpc(unconfined_t)
 	')

More information about the scm-commits mailing list