[selinux-policy: 1545/3172] fix up audit message perms now that audit_write denials are being audited by the kernel.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:18:46 UTC 2010


commit da9bbc655a1590d27c356d9da9f8589181daab6d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jul 13 17:22:08 2006 +0000

    fix up audit message perms now that audit_write denials are being audited by the kernel.

 policy/modules/admin/usermanage.te   |    6 +++---
 policy/modules/services/dbus.if      |    1 +
 policy/modules/services/dbus.te      |    4 ++--
 policy/modules/services/nscd.te      |    4 ++--
 policy/modules/system/authlogin.if   |    1 +
 policy/modules/system/authlogin.te   |    2 +-
 policy/modules/system/selinuxutil.te |    4 ++--
 7 files changed, 12 insertions(+), 10 deletions(-)
---
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 446197e..5472419 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.3.6)
+policy_module(usermanage,1.3.7)
 
 ########################################
 #
@@ -187,7 +187,7 @@ optional_policy(`
 # Groupadd local policy
 #
 
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource };
+allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
 dontaudit groupadd_t self:capability fsetid;
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
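Review bot: Granting `audit_write` on the capability class is only half of what a domain needs to emit an audit user message; the kernel also checks the domain's `self:netlink_audit_socket` permissions (`create_netlink_socket_perms` plus `nlmsg_relay`), and this hunk does not add that rule for groupadd_t. The same applies to the useradd_t hunk below, to both dbus hunks and to the nscd_t hunk, whereas the authlogin.if hunk does add the socket rule for chkpwd and semanage_t already carries it (visible context in the selinuxutil.te hunk). If these domains already have the socket rule further down their local policy, outside the hunk, this is fine as is; otherwise add `allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` next to the new capability line and do the same in the other affected domains. Keeping the capability and socket rules adjacent, or behind one shared interface in the logging module, makes it harder for the pair to drift apart as happened here. The groupadd local policy block continues outside the hunk.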
@@ -450,7 +450,7 @@ optional_policy(`
 # Useradd local policy
 #
 
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index dd77cfc..f134efa 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -69,6 +69,7 @@ template(`dbus_per_userdomain_template',`
 	# Local policy
 	#
 
+	allow $1_dbusd_t self:capability audit_write;
 	allow $1_dbusd_t self:process { getattr sigkill signal };
 	allow $1_dbusd_t self:file { getattr read write };
 	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
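Review bot: The new `allow $1_dbusd_t self:capability audit_write;` line carries no comment saying why a per-user session bus needs to send audit messages, while the matching system-bus rule in dbus.te at least sits under an explanatory block comment. A session bus run as an unprivileged user presumably does not hold CAP_AUDIT_WRITE at all, so this rule would mainly stop the kernel from logging a denial when the daemon attempts the message; if that is the intent, `dontaudit` would express it more precisely than `allow`. Either way, a one-line comment above the rule such as `# audit_write: session bus sends audit user messages` would record the reason for the next reader. The template body continues outside the hunk.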
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 6fd0076..1be84ef 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
 
-policy_module(dbus,1.2.6)
+policy_module(dbus,1.2.7)
 
 gen_require(`
 	class dbus { send_msg acquire_svc };
@@ -30,7 +30,7 @@ files_pid_file(system_dbusd_var_run_t)
 
 # dac_override: /var/run/dbus is owned by messagebus on Debian
 # cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid audit_write };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr signal_perms setcap };
 allow system_dbusd_t self:fifo_file { read write };
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 1b44ce8..94ab050 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.2.5)
+policy_module(nscd,1.2.6)
 
 gen_require(`
 	class nscd all_nscd_perms;
@@ -28,7 +28,7 @@ logging_log_file(nscd_log_t)
 # Local policy
 #
 
-allow nscd_t self:capability { kill setgid setuid };
+allow nscd_t self:capability { kill setgid setuid audit_write };
 dontaudit nscd_t self:capability sys_tty_config;
 allow nscd_t self:process { getattr setsched signal_perms };
 allow nscd_t self:fifo_file { read write };
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index a6bdb4e..4df9bc8 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -29,6 +29,7 @@ template(`authlogin_common_auth_domain_template',`
 
 	allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
 	allow $1_chkpwd_t self:process getattr;
+	allow $1_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 	files_list_etc($1_chkpwd_t)
 	allow $1_chkpwd_t shadow_t:file { getattr read };
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 209101a..7e6ca34 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.3.7)
+policy_module(authlogin,1.3.8)
 
 ########################################
 #
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 05aea9f..aada013 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.8)
+policy_module(selinuxutil,1.2.9)
 
 gen_require(`
 	bool secure_mode;
@@ -534,7 +534,7 @@ ifdef(`targeted_policy',`',`
 # semodule local policy
 #
 
-allow semanage_t self:capability dac_override;
+allow semanage_t self:capability { dac_override audit_write };
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

