[selinux-policy: 1579/3172] more testing fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:21:41 UTC 2010


commit ce6bf7cc233822df5dff9f22f0cd23aa5a2da707
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Aug 28 02:46:20 2006 +0000

    more testing fixes

 policy/modules/kernel/terminal.if  |   39 ++++++++++++++++++++++++++++++++
 policy/modules/kernel/terminal.te  |    2 +-
 policy/modules/system/authlogin.te |    1 +
 policy/modules/system/clock.if     |   43 +++++++++++++++++++++++++-----------
 policy/modules/system/clock.te     |    2 +-
 policy/modules/system/init.te      |    3 ++
 policy/modules/system/logging.te   |    9 ++++++-
 7 files changed, 83 insertions(+), 16 deletions(-)
---
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 44faeed..774450e 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -90,6 +90,7 @@ interface(`term_tty',`
 	typeattribute $2 ttynode, serial_device;
 	type_change $1 tty_device_t:chr_file $2;
 
+	fs_associate($1)
 	files_associate_tmp($1)
 
 	# Debian login is from shadow utils and does not allow resetting the perms.
@@ -715,6 +716,25 @@ interface(`term_setattr_unallocated_ttys',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to set the attributes
+##	of unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_setattr_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dontaudit $1 tty_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to ioctl
 ##	unallocated tty device nodes.
 ## </summary>
@@ -776,6 +796,25 @@ interface(`term_reset_tty_labels',`
 
 ########################################
 ## <summary>
+##	Append to unallocated ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_append_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tty_device_t:chr_file { getattr append };
+')
+
+########################################
+## <summary>
 ##	Write to unallocated ttys.
 ## </summary>
 ## <param name="domain">
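Review bot: The summary of term_append_unallocated_ttys understates what the interface grants: the allow rule covers `getattr` as well as `append` on tty_device_t, and the interface also calls dev_list_all_dev_nodes($1), neither of which the summary mentions. Since tty_device_t is the label of every unallocated tty node, a caller receives append on all of them rather than on one terminal. Suggest `##	Append to unallocated ttys (getattr and append on tty_device_t); also allows listing device nodes.` so callers can judge the scope before using it.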
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 497652a..c2f3639 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.1.4)
+policy_module(terminal,1.1.5)
 
 ########################################
 #
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 1006dc4..1b0376d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -265,6 +265,7 @@ term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
 term_dontaudit_use_generic_ptys(system_chkpwd_t)
 
 userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
+userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
 
 ########################################
 #
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index d5c66e3..542db15 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -55,14 +55,14 @@ interface(`clock_run',`
 ')
 
 ########################################
-##     <summary>
-##             Execute hwclock in the caller domain.
-##     </summary>
-##     <param name="domain">
+## <summary>
+## 	Execute hwclock in the caller domain.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##             The type of the process performing this action.
+## 	The type of the process performing this action.
 ##	</summary>
-##     </param>
+## </param>
 #
 interface(`clock_exec',`
 	gen_require(`
@@ -73,14 +73,32 @@ interface(`clock_exec',`
 ')
 
 ########################################
-##     <summary>
-##             Allow executing domain to modify clock drift
-##     </summary>
-##     <param name="domain">
+## <summary>
+##	Do not audit attempts to write clock drift adjustments.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##             The type of the process performing this action.
+##	Domain to not audit.
 ##	</summary>
-##     </param>
+## </param>
+#
+interface(`clock_dontaudit_write_adjtime',`
+	gen_require(`
+		type adjtime_t;
+	')
+
+	dontaudit $1 adjtime_t:file write;
+')
+
+########################################
+## <summary>
+##	Read and write clock drift adjustments.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`clock_rw_adjtime',`
 	gen_require(`
@@ -90,4 +108,3 @@ interface(`clock_rw_adjtime',`
 	allow $1 adjtime_t:file rw_file_perms;
 	files_list_etc($1)
 ')
-
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 03d9885..8b7cef3 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -1,5 +1,5 @@
 
-policy_module(clock,1.0.1)
+policy_module(clock,1.0.2)
 
 ########################################
 #
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ab9d4b3..2cb9b8c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -416,6 +416,9 @@ ifdef(`distro_gentoo',`
 	# mounting tmpfs on /dev
 	fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
 
+	# init scripts touch this
+	clock_dontaudit_write_adjtime(initrc_t)
+
 	optional_policy(`
 		arpwatch_manage_data_files(initrc_t)
 	')
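Review bot: The comment `# init scripts touch this` on the new clock_dontaudit_write_adjtime(initrc_t) call does not say what is being silenced or why it is not granted, which matters because a dontaudit removes the denial from the audit log. Suggest `# gentoo init scripts attempt to write adjtime_t; silence the denial rather than grant it` so a later auditor knows the write was deliberately left unallowed. The enclosing ifdef(`distro_gentoo' block starts and ends outside the hunk.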
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0c1b3ed..195a1a1 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.3.9)
+policy_module(logging,1.3.10)
 
 ########################################
 #
@@ -349,6 +349,13 @@ miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
 
+ifdef(`distro_gentoo',`
+	# default gentoo syslog-ng config appends kernel
+	# and high priority messages to /dev/tty12
+	term_append_unallocated_ttys(syslogd_t)
+	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
+')
+
 ifdef(`distro_suse',`
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 	files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
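Review bot: The comment at the top of the new distro_gentoo block names only /dev/tty12, but term_append_unallocated_ttys grants syslogd_t append (and getattr) on tty_device_t, which labels every unallocated tty node, so the access is broader than the comment implies. The accompanying term_dontaudit_setattr_unallocated_ttys likewise hides setattr denials on all unallocated ttys, not just tty12. The comment should state that scope, e.g. `# this grants append on all unallocated ttys (tty_device_t), not only tty12`, so the breadth is visible to whoever reviews syslogd_t's tty access later.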

