[selinux-policy: 1132/3172] patch from Dan, sent Thu, 19 Jan 2006 14:16:26 -0500
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:42:53 UTC 2010
commit a225f9832d7dcc4fcf516891509659dd7789e879
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Jan 19 23:00:23 2006 +0000
patch from Dan, sent Thu, 19 Jan 2006 14:16:26 -0500
refpolicy/Changelog | 2 ++
refpolicy/policy/global_tunables | 3 +++
refpolicy/policy/modules/admin/logwatch.te | 9 ++++++++-
refpolicy/policy/modules/apps/mono.fc | 1 +
refpolicy/policy/modules/apps/mono.if | 23 +++++++++++++++++++++++
refpolicy/policy/modules/apps/mono.te | 25 +++++++++++++++++++++++++
refpolicy/policy/modules/apps/wine.fc | 1 +
refpolicy/policy/modules/apps/wine.if | 23 +++++++++++++++++++++++
refpolicy/policy/modules/apps/wine.te | 25 +++++++++++++++++++++++++
refpolicy/policy/modules/kernel/filesystem.if | 16 ++++++++++++++++
refpolicy/policy/modules/services/bind.if | 3 ++-
refpolicy/policy/modules/services/xdm.te | 2 +-
refpolicy/policy/modules/system/libraries.fc | 2 +-
refpolicy/policy/modules/system/unconfined.if | 6 ++++++
refpolicy/policy/modules/system/unconfined.te | 14 +++++++-------
15 files changed, 144 insertions(+), 11 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 8eb8a53..f2811d3 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -6,9 +6,11 @@
for greater clarity.
- Added modules:
certwatch
+ mono (Dan Walsh)
portage
userhelper
usernetctl
+ wine (Dan Walsh)
xserver
* Tue Jan 17 2006 Chris PeBenito <selinux at tresys.com> - 20060117
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 287f9ea..76b7bb3 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -12,6 +12,9 @@
## Allow cvs daemon to read shadow
gen_tunable(allow_cvs_read_shadow,false)
+## Allow making the heap executable.
+gen_tunable(allow_execheap,false)
+
## Allow making anonymous memory executable, e.g.
## for runtime-code generation or executable stack.
gen_tunable(allow_execmem,false)
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
index c03ddbd..6a39b5c 100644
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ b/refpolicy/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
-policy_module(logwatch,1.0.0)
+policy_module(logwatch,1.0.1)
#################################
#
@@ -38,6 +38,7 @@ kernel_read_fs_sysctl(logwatch_t)
kernel_read_kernel_sysctl(logwatch_t)
kernel_read_system_state(logwatch_t)
+corecmd_read_sbin_symlink(logwatch_t)
corecmd_read_sbin_file(logwatch_t)
corecmd_exec_bin(logwatch_t)
corecmd_exec_shell(logwatch_t)
@@ -68,6 +69,8 @@ logging_read_all_logs(logwatch_t)
miscfiles_read_localization(logwatch_t)
+selinux_dontaudit_getattr_dir(logwatch_t)
+
userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
@@ -94,6 +97,10 @@ optional_policy(`nscd',`
nscd_use_socket(logwatch_t)
')
+optional_policy(`ntp',`
+ ntp_domtrans(logwatch_t)
+')
+
optional_policy(`rpc',`
rpc_search_nfs_state_data(logwatch_t)
')
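Review bot: The new `ntp_domtrans(logwatch_t)` is the only rule in these logwatch hunks that grants a domain transition rather than read or dontaudit access, and the hunk gives no hint why a log-reporting tool needs to start a process in the ntp domain. A one-line why-comment above the optional_policy block would help the next reader, e.g. `# logwatch's ntp report runs the ntp client tools in the ntp domain — confirm`. The same applies less strongly to `corecmd_read_sbin_symlink(logwatch_t)` in the earlier hunk, which is self-explanatory next to `corecmd_read_sbin_file`.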
diff --git a/refpolicy/policy/modules/apps/mono.fc b/refpolicy/policy/modules/apps/mono.fc
new file mode 100644
index 0000000..bc1c679
--- /dev/null
+++ b/refpolicy/policy/modules/apps/mono.fc
@@ -0,0 +1 @@
+/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/mono.if b/refpolicy/policy/modules/apps/mono.if
new file mode 100644
index 0000000..ea2e1f7
--- /dev/null
+++ b/refpolicy/policy/modules/apps/mono.if
@@ -0,0 +1,23 @@
+## <summary>Run .NET server and client applications on Linux.</summary>
+
+########################################
+## <summary>
+## Execute the mono program in the mono domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`mono_domtrans',`
+ gen_require(`
+ type mono_t, mono_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1, mono_exec_t, mono_t)
+
+ allow $1 mono_t:fd use;
+ allow mono_t $1:fd use;
+ allow mono_t $1:fifo_file rw_file_perms;
+ allow mono_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te
new file mode 100644
index 0000000..6ca236f
--- /dev/null
+++ b/refpolicy/policy/modules/apps/mono.te
@@ -0,0 +1,25 @@
+
+policy_module(mono,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mono_t;
+domain_type(mono_t)
+
+type mono_exec_t;
+domain_entry_file(mono_t,mono_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+ allow mono_t self:process execheap;
+ unconfined_domain_template(mono_t)
+ role system_r types mono_t;
+')
+
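Review bot: The unconditional `allow mono_t self:process execheap;` on the first line of the targeted_policy block makes the `allow_execheap` tunable this same commit introduces (global_tunables, applied inside unconfined_domain_template in unconfined.if) ineffective for mono_t: the template already grants execheap when the tunable is on, and the explicit rule grants it even when the tunable is off, without the accompanying auditallow. xdm.te has the same pattern with `{ execheap execmem }`, and wine.te with `{ execstack execmem }` against the existing allow_execmem tunable. If these domains are meant to have the permission regardless of the tunables, say so in a comment so nobody later "fixes" it, e.g. `# mono needs an executable heap regardless of allow_execheap; the tunable does not apply here`. The leading blank line before `policy_module(mono,1.0.0)` (also in wine.te) differs from logwatch.te and unconfined.te on this page, which start with policy_module on line 1.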
diff --git a/refpolicy/policy/modules/apps/wine.fc b/refpolicy/policy/modules/apps/wine.fc
new file mode 100644
index 0000000..e9898da
--- /dev/null
+++ b/refpolicy/policy/modules/apps/wine.fc
@@ -0,0 +1 @@
+/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/wine.if b/refpolicy/policy/modules/apps/wine.if
new file mode 100644
index 0000000..829367c
--- /dev/null
+++ b/refpolicy/policy/modules/apps/wine.if
@@ -0,0 +1,23 @@
+## <summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary>
+
+########################################
+## <summary>
+## Execute the wine program in the wine domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`wine_domtrans',`
+ gen_require(`
+ type wine_t, wine_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1, wine_exec_t, wine_t)
+
+ allow $1 wine_t:fd use;
+ allow wine_t $1:fd use;
+ allow wine_t $1:fifo_file rw_file_perms;
+ allow wine_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/apps/wine.te b/refpolicy/policy/modules/apps/wine.te
new file mode 100644
index 0000000..c400c8d
--- /dev/null
+++ b/refpolicy/policy/modules/apps/wine.te
@@ -0,0 +1,25 @@
+
+policy_module(wine,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wine_t;
+domain_type(wine_t)
+
+type wine_exec_t;
+domain_entry_file(wine_t,wine_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+ allow wine_t self:process { execstack execmem };
+ unconfined_domain_template(wine_t)
+ role system_r types wine_t;
+ allow wine_t file_type:file execmod;
+')
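Review bot: `allow wine_t file_type:file execmod;` on the last line of the targeted_policy block grants text-relocation execution on every file type in the system, which sidesteps the textrel_shlib_t labeling the rest of the policy uses to scope execmod (the libraries.fc hunk in this same commit labels individual libraries with textrel_shlib_t for exactly that purpose). If wine genuinely has to load unlabeled executables from arbitrary locations, the rule deserves a comment stating that and a narrower type where one can be found; as written, any file a wine process can read is an execmod target. Note also that wine_t has no module-local rules outside the targeted block, so a caller of wine_domtrans in a non-targeted build would transition into a domain carrying only whatever domain_type provides — confirm that is intended.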
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index a161fb0..3a51441 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1826,6 +1826,22 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
+## Dontaudit Search directories on a ramfs
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`fs_dontaudit_search_ramfs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ dontaudit $1 ramfs_t:dir search;
+')
+
+########################################
+## <summary>
## Write to named pipe on a ramfs filesystem.
## </summary>
## <param name="domain">
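Review bot: The new interface's documentation does not match what it does: the summary `## Dontaudit Search directories on a ramfs` should read `## Do not audit attempts to search directories on a ramfs filesystem.` to line up with the neighboring `## Write to named pipe on a ramfs filesystem.`, and the parameter description `## Domain allowed access.` is misleading for a dontaudit interface, where nothing is allowed; `## Domain to not audit.` states the actual contract. The rule itself, `dontaudit $1 ramfs_t:dir search;`, is fine.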
diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
index 6ad3bd6..2a9ddaa 100644
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@@ -161,10 +161,11 @@ interface(`bind_manage_config_dir',`
#
interface(`bind_search_cache',`
gen_require(`
- type named_cache_t, named_zone_t;
+ type named_conf_t, named_cache_t, named_zone_t;
')
files_search_var($1)
+ allow $1 named_conf_t:dir search_dir_perms;
allow $1 named_zone_t:dir search_dir_perms;
allow $1 named_cache_t:dir search_dir_perms;
')
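Review bot: `bind_search_cache` now also grants `named_conf_t:dir search_dir_perms`, but nothing tells a caller that an interface named for the cache directory reaches into the configuration directory as well. The interface's summary block sits just above this hunk, outside it, and should mention the config directory, or the new rule belongs in a separate interface so callers that only need the cache do not pick it up.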
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index 387464d..2f33fa7 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -68,7 +68,7 @@ selinux_compute_user_contexts(xdm_t)
files_read_etc_runtime_files(xdm_t)
ifdef(`targeted_policy',`
- allow xdm_t self:process execmem;
+ allow xdm_t self:process { execheap execmem };
unconfined_domain_template(xdm_t)
unconfined_domtrans(xdm_t)
',`
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 28c4f03..b563a0d 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -166,7 +166,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
/usr/lib(64)?/libdivxencore.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/.*/jre.*/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
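Review bot: The rewritten pattern `/usr/.*/jre.*/lib/i386/libdeploy.so` keeps the unescaped `.` before `so`, while the surrounding entries escape it (`libflashplayer\.so.*`, `AcroForm\.api`); since the line is being touched anyway, `/usr/.*/jre.*/lib/i386/libdeploy\.so` would stop the dot matching an arbitrary character. `jre.*` also matches any component beginning with "jre" and everything after it, presumably to cover versioned jre directories — worth confirming that is the intended scope.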
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 59fe009..3a10295 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -38,6 +38,12 @@ template(`unconfined_domain_template',`
fs_unconfined($1)
selinux_unconfined($1)
+ tunable_policy(`allow_execheap',`
+ # Allow making the stack executable via mprotect.
+ allow $1 self:process execheap;
+ auditallow $1 self:process execheap;
+ ')
+
tunable_policy(`allow_execmem',`
# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
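Review bot: The comment on the new tunable block, `# Allow making the stack executable via mprotect.`, describes the wrong permission: the two rules beneath it grant and audit `execheap`, and the tunable's own description added to global_tunables in this commit says "Allow making the heap executable." The comment should read `# Allow making the heap executable via mprotect.` The enclosing `unconfined_domain_template` begins before and ends after this hunk.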
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 87f7af6..d5d0110 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.2.0)
+policy_module(unconfined,1.2.1)
########################################
#
@@ -97,6 +97,10 @@ ifdef(`targeted_policy',`
modutils_domtrans_update_mods(unconfined_t)
')
+ optional_policy(`mono',`
+ mono_domtrans(unconfined_t)
+ ')
+
optional_policy(`netutils',`
netutils_domtrans_ping(unconfined_t)
')
@@ -141,11 +145,7 @@ ifdef(`targeted_policy',`
webalizer_domtrans(unconfined_t)
')
- ifdef(`TODO',`
- ifdef(`use_mcs',`
- rw_dir_create_file(sysadm_su_t, home_dir_type)
+ optional_policy(`wine',`
+ wine_domtrans(unconfined_t)
')
- allow unconfined_t initrc_t : dbus { send_msg acquire_svc };
- allow initrc_t unconfined_t : dbus { send_msg acquire_svc };
- ') dnl end TODO
')