[selinux-policy: 1512/3172] patch from dan Mon, 12 Jun 2006 15:32:00 -0400
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:15:59 UTC 2010
commit 2dbd3824250efdb9725ee6a824ecdd7a7ca16761
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Jun 12 21:36:38 2006 +0000
patch from dan Mon, 12 Jun 2006 15:32:00 -0400
refpolicy/config/appconfig-strict-mls/default_type | 1 +
refpolicy/policy/modules/admin/prelink.fc | 2 +-
refpolicy/policy/modules/admin/prelink.te | 2 +-
refpolicy/policy/modules/admin/rpm.te | 10 +++-
refpolicy/policy/modules/apps/webalizer.te | 3 +-
refpolicy/policy/modules/kernel/filesystem.te | 5 +-
refpolicy/policy/modules/kernel/kernel.te | 3 +-
refpolicy/policy/modules/services/automount.te | 10 ++++-
refpolicy/policy/modules/services/cron.te | 3 +-
refpolicy/policy/modules/services/cups.te | 6 ++-
refpolicy/policy/modules/services/ftp.te | 5 +-
refpolicy/policy/modules/services/hal.te | 4 +-
refpolicy/policy/modules/services/kerberos.te | 3 +-
refpolicy/policy/modules/services/mysql.te | 6 +-
.../policy/modules/services/networkmanager.te | 6 ++-
refpolicy/policy/modules/services/ntp.te | 4 +-
refpolicy/policy/modules/services/procmail.te | 6 ++-
refpolicy/policy/modules/services/pyzor.te | 6 ++-
refpolicy/policy/modules/services/xfs.te | 4 +-
refpolicy/policy/modules/system/authlogin.if | 2 +
refpolicy/policy/modules/system/authlogin.te | 2 +-
refpolicy/policy/modules/system/logging.fc | 7 +--
refpolicy/policy/modules/system/logging.te | 4 +-
refpolicy/policy/modules/system/selinuxutil.te | 10 ++++-
refpolicy/policy/modules/system/userdomain.if | 29 -------------
refpolicy/policy/modules/system/userdomain.te | 43 +++++++++++++++++---
refpolicy/policy/rolemap | 1 +
refpolicy/policy/users | 6 +-
28 files changed, 123 insertions(+), 70 deletions(-)
---
diff --git a/refpolicy/config/appconfig-strict-mls/default_type b/refpolicy/config/appconfig-strict-mls/default_type
index 09ff05b..c3315fe 100644
--- a/refpolicy/config/appconfig-strict-mls/default_type
+++ b/refpolicy/config/appconfig-strict-mls/default_type
@@ -2,3 +2,4 @@ sysadm_r:sysadm_t
secadm_r:secadm_t
staff_r:staff_t
user_r:user_t
+auditadm_r:auditadm_t
diff --git a/refpolicy/policy/modules/admin/prelink.fc b/refpolicy/policy/modules/admin/prelink.fc
index b94700c..729f75a 100644
--- a/refpolicy/policy/modules/admin/prelink.fc
+++ b/refpolicy/policy/modules/admin/prelink.fc
@@ -3,6 +3,6 @@
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
-/var/lib/misc/prelink\.* -- gen_context(system_u:object_r:prelink_cache_t,s0)
+/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_cache_t,s0)
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index f8bc84d..3f18fca 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
-policy_module(prelink,1.1.2)
+policy_module(prelink,1.1.3)
########################################
#
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 3d17e7e..b7d32b6 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
-policy_module(rpm,1.3.7)
+policy_module(rpm,1.3.8)
########################################
#
@@ -341,9 +341,9 @@ ifdef(`targeted_policy',`
optional_policy(`
mono_domtrans(rpm_script_t)
')
-',`
+
optional_policy(`
- bootloader_domtrans(rpm_script_t)
+ unconfined_domtrans(rpm_script_t)
')
')
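Review bot: `unconfined_domtrans(rpm_script_t)` lets any scriptlet that executes an unconfined_exec_t binary leave rpm_script_t for unconfined_t, so in targeted policy package scriptlets can step out of their domain entirely, and the hunk adds this with no comment saying why. If rpm_script_t is not already treated as an unconfined domain in targeted policy, this is the broadest grant in the commit and should carry a rationale such as `# scriptlets exec unconfined helpers (e.g. ldconfig); transition rather than dontaudit -- confirm which helper` (wording to be checked against the actual denial). Note that the else-branch marker is dropped here, so both optional_policy blocks now sit inside the targeted_policy branch and the closing `')` at the end of this hunk appears to close that ifdef, with bootloader_domtrans moving to the unconditional section in the next hunk.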
@@ -358,6 +358,10 @@ tunable_policy(`allow_execmem',`
')
optional_policy(`
+ bootloader_domtrans(rpm_script_t)
+')
+
+optional_policy(`
nis_use_ypbind(rpm_script_t)
')
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index 50a988f..4b309ea 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -1,5 +1,5 @@
-policy_module(webalizer,1.2.1)
+policy_module(webalizer,1.2.2)
########################################
#
@@ -44,6 +44,7 @@ allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
allow webalizer_t self:unix_dgram_socket sendto;
allow webalizer_t self:unix_stream_socket connectto;
allow webalizer_t self:tcp_socket connected_stream_socket_perms;
+allow webalizer_t self:udp_socket { connect connected_socket_perms };
allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
allow webalizer_t webalizer_etc_t:file { getattr read };
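Review bot: The new `allow webalizer_t self:udp_socket { connect connected_socket_perms };` gives webalizer a UDP socket, but no corenet rule in this hunk says which ports it may send to or receive from, so either the socket is unusable or the port rules live outside the visible change. If the purpose is reverse DNS lookups for logged hosts, which the adjacent tcp_socket and netlink_route_socket rules suggest, the conventional interface is `sysnet_dns_name_resolve(webalizer_t)`, which bundles the socket and DNS port permissions, rather than a raw self:udp_socket rule. Either way a one-line comment naming the consumer (`# udp: resolver lookups`) would help the next reader.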
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 17d90fa..aeeccb6 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.8)
+policy_module(filesystem,1.3.9)
########################################
#
@@ -23,7 +23,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
# Requires that a security xattr handler exist for the filesystem.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
-fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
@@ -174,6 +174,7 @@ genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
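Review bot: `genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)` together with the earlier hunk's switch of `fs_use_xattr` from gfs to gfs2 changes the labeling model for gfs(1): every file on a gfs mount now carries the single label nfs_t instead of a per-file xattr label, so any domain allowed nfs_t gets uniform access to all gfs content and file-level separation on those mounts is lost. That is presumably because gfs(1) lacks a security xattr handler while gfs2 provides one, but nothing in the hunk says so; a comment such as `# gfs (v1) has no security xattr handler; gfs2 is labeled via fs_use_xattr above` would record it. Reusing nfs_t rather than a dedicated type also makes gfs content indistinguishable from NFS mounts to every rule that mentions nfs_t, which may or may not be intended.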
########################################
#
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 3e9fc74..b58eb79 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.3.10)
+policy_module(kernel,1.3.11)
########################################
#
@@ -28,6 +28,7 @@ role user_r;
ifdef(`enable_mls',`
role secadm_r;
+ role auditadm_r;
')
#
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index adc123f..9d364af 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount,1.2.5)
+policy_module(automount,1.2.6)
########################################
#
@@ -30,7 +30,7 @@ files_mountpoint(automount_tmp_t)
allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
dontaudit automount_t self:capability sys_tty_config;
-allow automount_t self:process { signal_perms getpgid setpgid setsched };
+allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_file_perms;
allow automount_t self:unix_stream_socket create_socket_perms;
allow automount_t self:unix_dgram_socket create_socket_perms;
@@ -58,9 +58,11 @@ allow automount_t automount_var_run_t:dir rw_dir_perms;
files_pid_filetrans(automount_t,automount_var_run_t,file)
kernel_read_kernel_sysctls(automount_t)
+kernel_read_irq_sysctls(automount_t)
kernel_read_fs_sysctls(automount_t)
kernel_read_proc_symlinks(automount_t)
kernel_read_system_state(automount_t)
+kernel_read_network_state(automount_t)
kernel_list_proc(automount_t)
files_search_boot(automount_t)
@@ -92,6 +94,7 @@ dev_read_sysfs(automount_t)
dev_read_urand(automount_t)
domain_use_interactive_fds(automount_t)
+domain_dontaudit_read_all_domains_state(automount_t)
files_dontaudit_write_var_dirs(automount_t)
files_getattr_all_dirs(automount_t)
@@ -104,11 +107,14 @@ files_getattr_isid_type_dirs(automount_t)
files_getattr_default_dirs(automount_t)
# because config files can be shell scripts
files_exec_etc_files(automount_t)
+files_mounton_mnt(automount_t)
fs_getattr_all_fs(automount_t)
fs_getattr_all_dirs(automount_t)
fs_search_auto_mountpoints(automount_t)
fs_manage_auto_mountpoints(automount_t)
+fs_unmount_autofs(automount_t)
+fs_mount_autofs(automount_t)
term_dontaudit_use_console(automount_t)
term_dontaudit_getattr_pty_dirs(automount_t)
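Review bot: `fs_mount_autofs(automount_t)` and `fs_unmount_autofs(automount_t)` will still be denied unless automount_t holds CAP_SYS_ADMIN, which mount(2) and umount(2) require; the capability rule in the first hunk of this file grants only `{ net_bind_service sys_nice sys_resource dac_override }` and none of the shown hunks adds sys_admin. If it is not granted elsewhere in the file, the capability line should become `allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };`. `files_mounton_mnt(automount_t)` likewise only has an effect once a mount can actually succeed.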
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 9984e94..3b48afb 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.3.8)
+policy_module(cron,1.3.9)
gen_require(`
class passwd rootok;
@@ -353,6 +353,7 @@ ifdef(`targeted_policy',`
tunable_policy(`cron_can_relabel',`
seutil_domtrans_setfiles(system_crond_t)
+ seutil_domtrans_restorecon(system_crond_t)
',`
selinux_get_fs_mount(system_crond_t)
selinux_validate_context(system_crond_t)
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 924ce5d..0918d8a 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups,1.3.7)
+policy_module(cups,1.3.8)
########################################
#
@@ -630,6 +630,10 @@ ifdef(`targeted_policy', `
')
optional_policy(`
+ mount_send_nfs_client_request(hplip_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
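Review bot: `mount_send_nfs_client_request(hplip_t)` gives a printer daemon the right to send on mount_t's sockets, which has no obvious functional justification and reads like an allow written straight from an AVC denial caused by a socket inherited from mount_t or an init script. If that is the origin, closing the descriptor leak or using a dontaudit is the better fix rather than a permanent allow; if a real need exists it should be stated in a comment, e.g. `# hplip inherits the mount udp socket when started from <where> -- confirm`. I cannot see the interface body here, so the exact permissions granted are inferred from its name.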
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index a36c4dd..7ef0911 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
-policy_module(ftp,1.2.5)
+policy_module(ftp,1.2.6)
########################################
#
@@ -57,8 +57,9 @@ allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-allow ftpd_t ftpd_var_run_t:file create_file_perms;
+allow ftpd_t ftpd_var_run_t:file manage_file_perms;
allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
+allow ftpd_t ftpd_var_run_t:sock_file manage_file_perms;
files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
# Create and modify /var/log/xferlog.
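Review bot: The new `allow ftpd_t ftpd_var_run_t:sock_file manage_file_perms;` only applies to sockets that already carry ftpd_var_run_t, but `files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)` on the following line transitions regular files only, so a socket ftpd creates directly under /var/run would get the generic pid label and the new rule would never match. Unless the socket is created inside an ftpd_var_run_t subdirectory, the transition should be widened to `files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file sock_file })`. The change from create_file_perms to manage_file_perms on the file class also adds unlink and rename, which is reasonable for a pid file but worth a short `# pid file and control socket` comment.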
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index b882b91..74c9809 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.3.8)
+policy_module(hal,1.3.9)
########################################
#
@@ -114,6 +114,8 @@ term_dontaudit_use_console(hald_t)
term_dontaudit_use_generic_ptys(hald_t)
term_use_unallocated_ttys(hald_t)
+auth_use_nsswitch(hald_t)
+
init_use_fds(hald_t)
init_use_script_ptys(hald_t)
init_domtrans_script(hald_t)
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index 627681c..2a9c1dd 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
-policy_module(kerberos,1.1.2)
+policy_module(kerberos,1.1.3)
########################################
#
@@ -188,6 +188,7 @@ kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctls(krb5kdc_t)
kernel_list_proc(krb5kdc_t)
kernel_read_proc_symlinks(krb5kdc_t)
+kernel_read_network_state(krb5kdc_t)
corenet_non_ipsec_sendrecv(krb5kdc_t)
corenet_tcp_sendrecv_all_if(krb5kdc_t)
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index d0e51f3..09f43fa 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
-policy_module(mysql,1.2.3)
+policy_module(mysql,1.2.4)
########################################
#
@@ -34,7 +34,6 @@ allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bin
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file { read write };
-allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:udp_socket create_socket_perms;
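Review bot: Dropping `allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;` is only safe because this same commit adds that rule inside `auth_use_nsswitch` in authlogin.if; if the authlogin module is rebuilt separately or pinned at the old version, mysqld loses its route-socket access and name resolution breaks. The removal should either stay until the authlogin dependency is guaranteed, or be tied to it in a comment next to the auth_use_nsswitch call added later in this file, e.g. `# netlink_route_socket perms come from auth_use_nsswitch (authlogin >= 1.3.5)`.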
@@ -91,6 +90,8 @@ files_read_etc_files(mysqld_t)
files_read_usr_files(mysqld_t)
files_search_var_lib(mysqld_t)
+auth_use_nsswitch(mysqld_t)
+
init_use_fds(mysqld_t)
init_use_script_ptys(mysqld_t)
@@ -101,7 +102,6 @@ logging_send_syslog_msg(mysqld_t)
miscfiles_read_localization(mysqld_t)
-sysnet_use_ldap(mysqld_t)
sysnet_read_config(mysqld_t)
userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
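Review bot: Replacing `sysnet_use_ldap(mysqld_t)` with `auth_use_nsswitch(mysqld_t)` (added in the preceding hunk) is a widening: per the authlogin.if hunk the interface grants var_auth_t dir read and file create access plus the netlink route socket, which a database daemon that only needs LDAP-backed NSS lookups may not require. If the goal is just that mysqld resolves users and hosts through nsswitch, say so, e.g. `# nss/ldap lookups for grant tables; replaces sysnet_use_ldap`, so a later reviewer can tell the extra var_auth_t access is accepted rather than accidental.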
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index 64d10e5..c5228b6 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.3.3)
+policy_module(networkmanager,1.3.4)
########################################
#
@@ -161,6 +161,10 @@ optional_policy(`
')
optional_policy(`
+ ppp_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(NetworkManager_t)
')
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 8f8ab87..af22a7e 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp,1.1.1)
+policy_module(ntp,1.1.2)
########################################
#
@@ -86,6 +86,8 @@ fs_search_auto_mountpoints(ntpd_t)
term_dontaudit_use_console(ntpd_t)
+auth_use_nsswitch(ntpd_t)
+
corecmd_exec_bin(ntpd_t)
corecmd_exec_sbin(ntpd_t)
corecmd_exec_ls(ntpd_t)
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index a4460d6..15f8dea 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail,1.2.2)
+policy_module(procmail,1.2.3)
########################################
#
@@ -77,6 +77,10 @@ ifdef(`targeted_policy', `
')
optional_policy(`
+ clamav_domtrans_clamscan(procmail_t)
+')
+
+optional_policy(`
logging_send_syslog_msg(procmail_t)
')
diff --git a/refpolicy/policy/modules/services/pyzor.te b/refpolicy/policy/modules/services/pyzor.te
index 928ad8e..547a1c7 100644
--- a/refpolicy/policy/modules/services/pyzor.te
+++ b/refpolicy/policy/modules/services/pyzor.te
@@ -1,5 +1,5 @@
-policy_module(pyzor,1.0.3)
+policy_module(pyzor,1.0.4)
########################################
#
@@ -119,6 +119,10 @@ userdom_dontaudit_search_staff_home_dirs(pyzord_t)
mta_manage_spool(pyzord_t)
+ifdef(`targeted_policy',`
+ userdom_read_generic_user_home_content_files(pyzord_t)
+')
+
optional_policy(`
logging_send_syslog_msg(pyzord_t)
')
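Review bot: `userdom_read_generic_user_home_content_files(pyzord_t)` lets the pyzor server daemon read every unprivileged user's home directory content in targeted policy, a broad disclosure grant for a network-facing service, and the hunk gives no reason for it. If the daemon only needs its own data under a user's home (a ~/.pyzor style location, to be confirmed), a dedicated file type with a filetrans, or a tunable so administrators opt in, would bound the exposure; at minimum the block should carry a comment such as `# reads ~/.pyzor config/servers -- confirm path and consider a tunable`.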
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
index b48189d..5752f5d 100644
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@@ -1,5 +1,5 @@
-policy_module(xfs,1.0.2)
+policy_module(xfs,1.0.3)
########################################
#
@@ -58,6 +58,8 @@ files_read_usr_files(xfs_t)
term_dontaudit_use_console(xfs_t)
+auth_use_nsswitch(xfs_t)
+
init_use_fds(xfs_t)
init_use_script_ptys(xfs_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 5c7a18a..baeccb0 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -1284,6 +1284,8 @@ interface(`auth_use_nsswitch',`
type var_auth_t;
')
+ allow $1 self:netlink_route_socket r_netlink_socket_perms;
+
allow $1 var_auth_t:dir r_dir_perms;
allow $1 var_auth_t:file create_file_perms;
files_list_var_lib($1)
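Review bot: Adding `allow $1 self:netlink_route_socket r_netlink_socket_perms;` to `auth_use_nsswitch` grants route-socket access to every domain that calls the interface, not only the ones this commit touches, so the widening is policy-wide and silent. The interface's doc header (above this hunk) should state that callers receive netlink route socket permissions, and callers that previously held the rule themselves (mysqld in this commit) now depend on this module version. If the intent is glibc resolver/NSS behaviour, a short comment `# glibc nss/resolver enumerates interfaces via netlink` above the line would explain why a route socket belongs in an auth interface.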
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 5bcf97f..3cc57bd 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.3.4)
+policy_module(authlogin,1.3.5)
########################################
#
diff --git a/refpolicy/policy/modules/system/logging.fc b/refpolicy/policy/modules/system/logging.fc
index 250db31..cdd15cd 100644
--- a/refpolicy/policy/modules/system/logging.fc
+++ b/refpolicy/policy/modules/system/logging.fc
@@ -1,8 +1,7 @@
-/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
-/etc/auditd.conf -- gen_context(system_u:object_r:auditd_etc_t,s0)
-/etc/audit.rules -- gen_context(system_u:object_r:auditd_etc_t,s0)
+/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
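Review bot: The old `/etc/auditd.conf` and `/etc/audit.rules` entries are removed rather than kept alongside the new `/etc/audit(/.*)?` pattern, so on a system still shipping the config at the old paths those files silently fall back to etc_t, and auditd_t, which the logging.te hunk shows reading auditd_etc_t, may no longer be able to read them. The new pattern also labels the directory and everything under it at `s15:c0.c255` (SystemHigh) where the old entries were s0; that is sensible for audit rules but means auditd_t and auditctl_t must run at, or be allowed to read up to, that level, which is not visible here and should be confirmed. Keeping the two legacy lines with a comment `# legacy locations kept for upgrades` would make the upgrade path safe; the /dev/log change is whitespace only.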
@@ -25,7 +24,7 @@ ifdef(`distro_suse', `
/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
+/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
/var/log/audit.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 0ef5e54..74aee44 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.6)
+policy_module(logging,1.3.7)
########################################
#
@@ -70,6 +70,7 @@ libs_use_shared_libs(auditctl_t)
allow auditctl_t etc_t:file { getattr read };
+allow auditctl_t auditd_etc_t:dir r_dir_perms;
allow auditctl_t auditd_etc_t:file r_file_perms;
# Needed for adding watches
@@ -111,6 +112,7 @@ allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:fifo_file rw_file_perms;
+allow auditd_t auditd_etc_t:dir r_dir_perms;
allow auditd_t auditd_etc_t:file r_file_perms;
allow auditd_t auditd_log_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 63d0d75..05aea9f 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.2.7)
+policy_module(selinuxutil,1.2.8)
gen_require(`
bool secure_mode;
@@ -115,6 +115,9 @@ files_type(semanage_store_t)
type semanage_read_lock_t;
files_type(semanage_read_lock_t)
+type semanage_tmp_t;
+files_tmp_file(semanage_tmp_t)
+
type semanage_trans_lock_t;
files_type(semanage_trans_lock_t)
@@ -531,12 +534,17 @@ ifdef(`targeted_policy',`',`
# semodule local policy
#
+allow semanage_t self:capability dac_override;
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow semanage_t policy_config_t:file { read write };
+allow semanage_t semanage_tmp_t:dir create_dir_perms;
+allow semanage_t semanage_tmp_t:file create_file_perms;
+files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
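Review bot: `allow semanage_t self:capability dac_override;` removes the discretionary backstop for a domain that already has write access to policy_config_t and the policy store, and the hunk does not say which operation needs it. If the trigger is a specific file with the wrong owner or mode (common for scratch files, which the new semanage_tmp_t type now covers), fixing the ownership or relying on semanage_tmp_t is narrower; otherwise record it, e.g. `# dac_override: <path/operation> -- confirm`. The tmp rules themselves look right: `files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })` keeps the scratch files out of generic tmp_t.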
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 985a0ee..25e4ab8 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -473,35 +473,6 @@ template(`base_user_template',`
# gnome-session creates socket under /tmp/.ICE-unix/
xserver_create_xdm_tmp_sockets($1_t)
')
-
- ifdef(`TODO',`
- #
- # Cups daemon running as user tries to write /etc/printcap
- #
- dontaudit $1_t usr_t:file setattr;
-
- # /initrd is left mounted, various programs try to look at it
- dontaudit $1_t ramfs_t:dir getattr;
-
- #
- # Running ifconfig as a user generates the following
- #
- dontaudit $1_t sysctl_net_t:dir search;
-
- r_dir_file($1_t, usercanread)
-
- # old browser_domain():
- dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
- dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
- dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
-
- allow $1_t usbtty_device_t:chr_file read;
-
- ifdef(`xdm.te', `
- allow $1_t xdm_var_lib_t:file r_file_perms;
- ')
- ') dnl endif TODO
-
')
#######################################
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 7aed674..f690a26 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,11 +1,12 @@
-policy_module(userdomain,1.3.27)
+policy_module(userdomain,1.3.28)
gen_require(`
role sysadm_r, staff_r, user_r;
ifdef(`enable_mls',`
role secadm_r;
+ role auditadm_r;
')
')
@@ -67,6 +68,7 @@ ifdef(`targeted_policy',`
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
unconfined_alias_domain(secadm_t)
+ unconfined_alias_domain(auditadm_t)
unconfined_alias_domain(sysadm_t)
# User home directory type.
@@ -82,6 +84,7 @@ ifdef(`targeted_policy',`
# compatibility for switching from strict
# dominance { role secadm_r { role system_r; }}
+# dominance { role auditadm_r { role system_r; }}
# dominance { role sysadm_r { role system_r; }}
# dominance { role user_r { role system_r; }}
# dominance { role staff_r { role system_r; }}
@@ -105,8 +108,10 @@ ifdef(`targeted_policy',`
ifdef(`enable_mls',`
allow secadm_r system_r;
+ allow auditadm_r system_r;
allow secadm_r user_r;
allow staff_r secadm_r;
+ allow staff_r auditadm_r;
')
optional_policy(`
@@ -126,9 +131,19 @@ ifdef(`targeted_policy',`
role_change(staff, sysadm)
ifdef(`enable_mls',`
- admin_user_template(secadm)
+ unpriv_user_template(secadm)
+ unpriv_user_template(auditadm)
+
+ role_change(staff,auditadm)
role_change(staff,secadm)
+
role_change(sysadm,secadm)
+ role_change(sysadm,auditadm)
+
+ role_change(auditadm,secadm)
+ role_change(auditadm,sysadm)
+
+ role_change(secadm,auditadm)
role_change(secadm,sysadm)
')
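Review bot: The role_change matrix added here is fully symmetric among sysadm, secadm and auditadm (`role_change(auditadm,sysadm)`, `role_change(sysadm,auditadm)`, `role_change(secadm,auditadm)`, `role_change(auditadm,secadm)` plus the existing pairs), so the only thing that stops an audit administrator from becoming a security or system administrator is which roles each SELinux user is authorized for in policy/users. That can be a legitimate design, but the three-role MLS split exists for separation of duties and a reader of this file cannot tell whether the mutual transitions are intended; a comment such as `# role changes are symmetric; separation of duties is enforced by per-user role authorization in policy/users` would record it. Note also that `admin_user_template(secadm)` becomes `unpriv_user_template(secadm)` here, with secadm's privileges now assembled explicitly in a later hunk.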
@@ -172,19 +187,33 @@ ifdef(`targeted_policy',`
')
ifdef(`enable_mls',`
+ seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+ domain_kill_all_domains(auditadm_t)
+ seutil_read_bin_policy(auditadm_t)
+ corecmd_exec_shell(auditadm_t)
+ logging_read_generic_logs(auditadm_t)
+ logging_manage_audit_log(auditadm_t)
+ logging_manage_audit_config(auditadm_t)
+ logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
+ logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+
+ allow secadm_t self:capability dac_override;
corecmd_exec_shell(secadm_t)
+ domain_obj_id_change_exemption(secadm_t)
mls_process_read_up(secadm_t)
+ mls_file_read_up(secadm_t)
mls_file_write_down(secadm_t)
mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
+ auth_relabel_all_files_except_shadow(secadm_t)
+ auth_relabel_shadow(secadm_t)
init_exec(secadm_t)
logging_read_audit_log(secadm_t)
- logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+ logging_read_generic_logs(secadm_t)
userdom_dontaudit_append_staff_home_content_files(secadm_t)
- files_relabel_all_files(secadm_t)
- auth_relabel_shadow(secadm_t)
', `
- logging_read_audit_log(sysadm_t)
+ logging_manage_audit_log(sysadm_t)
+ logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
')
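Review bot: `domain_kill_all_domains(auditadm_t)` gives the audit administrator the ability to signal every domain on the system, which is likely far more than audit control needs and lets a compromised auditadm session disrupt secadm or sysadm processes; if the need is only to restart auditd, the `logging_run_auditd` rule added a few lines below already covers the transition and a targeted signal rule on auditd_t would be tighter. In the non-MLS branch, `logging_manage_audit_log(sysadm_t)` and `logging_manage_audit_config(sysadm_t)` now let sysadm_t rewrite or delete the audit trail and rules, which is consistent with sysadm being all-powerful in strict non-MLS policy but deserves a `# non-MLS: sysadm owns the audit trail` comment so the loss of audit integrity is visibly deliberate. The enclosing enable_mls ifdef block continues past the end of this hunk.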
@@ -252,6 +281,7 @@ ifdef(`targeted_policy',`
ifdef(`enable_mls',`
consoletype_exec(secadm_t)
+ consoletype_exec(auditadm_t)
')
')
@@ -270,6 +300,7 @@ ifdef(`targeted_policy',`
ifdef(`enable_mls',`
dmesg_exec(secadm_t)
+ dmesg_exec(auditadm_t)
')
')
diff --git a/refpolicy/policy/rolemap b/refpolicy/policy/rolemap
index 8aed252..3e8d368 100644
--- a/refpolicy/policy/rolemap
+++ b/refpolicy/policy/rolemap
@@ -15,5 +15,6 @@ ifdef(`strict_policy',`
ifdef(`enable_mls',`
secadm_r secadm secadm_t
+ auditadm_r auditadm auditadm_t
')
')
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index 820504f..fecd3c3 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -29,7 +29,7 @@ ifdef(`targeted_policy',`
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
')
@@ -44,8 +44,8 @@ ifdef(`targeted_policy',`
gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
')
')
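Review bot: root is now authorized for sysadm_r, staff_r, secadm_r and auditadm_r in both `gen_user(root, ...)` variants, so combined with the symmetric role_change rules added in userdomain.te a single root login can move through all three administrative roles. That collapses the separation of duties the auditadm role is being introduced to provide; if this is the intended default for a single-administrator install, say so and point sites that want real separation at dedicated users, e.g. `# root holds all admin roles by default; sites needing separation of duties should define distinct secadm/auditadm users`.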