[selinux-policy: 1582/3172] patch from dan Thu, 31 Aug 2006 15:16:30 -0400

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:21:57 UTC 2010


commit eac818f040ae43f429e9ac5a7974766b5db67417
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Sep 1 15:52:05 2006 +0000

    patch from dan Thu, 31 Aug 2006 15:16:30 -0400

 Changelog                                 |    1 +
 policy/modules/admin/anaconda.te          |    4 +
 policy/modules/apps/mono.te               |    3 +
 policy/modules/kernel/corecommands.fc     |    2 +
 policy/modules/kernel/corenetwork.te.in   |    1 +
 policy/modules/kernel/devices.fc          |    2 +-
 policy/modules/kernel/files.fc            |    1 +
 policy/modules/kernel/kernel.if           |   36 +++++++++
 policy/modules/kernel/terminal.fc         |    4 +-
 policy/modules/services/dovecot.te        |    1 +
 policy/modules/services/hal.te            |    7 +--
 policy/modules/services/pyzor.te          |    9 ++-
 policy/modules/services/rhgb.te           |    1 +
 policy/modules/services/setroubleshoot.fc |    7 ++
 policy/modules/services/setroubleshoot.if |    1 +
 policy/modules/services/setroubleshoot.te |  111 +++++++++++++++++++++++++++++
 policy/modules/services/spamassassin.te   |    3 +
 policy/modules/services/ssh.if            |   21 ++++++
 policy/modules/services/xserver.if        |   32 ++++++++-
 policy/modules/services/xserver.te        |   18 ++++-
 policy/modules/system/hotplug.te          |    2 +-
 policy/modules/system/logging.fc          |    1 +
 policy/modules/system/mount.te            |    5 ++
 policy/modules/system/selinuxutil.te      |    4 +
 policy/modules/system/setrans.te          |    3 +
 policy/modules/system/udev.te             |   36 +++++-----
 policy/modules/system/unconfined.fc       |    7 +-
 27 files changed, 288 insertions(+), 35 deletions(-)
---
diff --git a/Changelog b/Changelog
index 1d8999f..812cdec 100644
--- a/Changelog
+++ b/Changelog
@@ -64,6 +64,7 @@
 	Tue, 20 Jun 2006
 	Wed, 26 Jul 2006
 	Wed, 23 Aug 2006
+	Thu, 31 Aug 2006
 - Added modules:
 	afs
 	amavis (Erich Schubert)
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index 69a3c68..888eca3 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
@@ -54,6 +54,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ssh_domtrans_keygen(anaconda_t)
+')
+
+optional_policy(`
 	udev_domtrans(anaconda_t)
 ')
 
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index 5769ceb..0505302 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -19,9 +19,12 @@ domain_entry_file(mono_t,mono_exec_t)
 
 ifdef(`targeted_policy',`
 	allow mono_t self:process { execheap execmem };
+
 	unconfined_domain_noaudit(mono_t)
 	unconfined_dbus_chat(mono_t)
 
+	userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+
 	init_dbus_chat_script(mono_t)
 
 	optional_policy(`
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index e5101fd..9a162b0 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -54,7 +54,9 @@ ifdef(`distro_redhat',`
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/ifup-.*	-l gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/ifdown-.* -l gen_context(system_u:object_r:bin_t,s0)
 
 /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 6d978b2..526a375 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -126,6 +126,7 @@ network_port(rndc, tcp,953,s0)
 network_port(router, udp,520,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
+network_port(setroubleshoot, tcp,3267,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index c2737f8..9a25b78 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -3,7 +3,7 @@
 /dev/.*				gen_context(system_u:object_r:device_t,s0)
 
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/adsp		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/adsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/(misc/)?agpgart	-c	gen_context(system_u:object_r:agp_device_t,s0)
 /dev/aload.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/amidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index e2c8421..e80a186 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -57,6 +57,7 @@ ifdef(`distro_suse',`
 /etc/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/reader.conf	-- 	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/smartd\.conf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 
 /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
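Review bot: The new `/etc/reader.conf` entry leaves the dot unescaped, unlike the neighbouring `/etc/smartd\.conf`, so the regex also matches names such as `/etc/readerXconf`; write it as `/etc/reader\.conf	--	gen_context(system_u:object_r:etc_runtime_t,s0)`. The separator after `--` is a space followed by a tab where the surrounding lines use tabs only.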
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 6f7d442..e5f3a6d 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -1050,6 +1050,24 @@ interface(`kernel_write_xen_state',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to list all proc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_all_proc',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	dontaudit $1 proc_type:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts by caller to search
 ##	the base directory of sysctls.
 ## </summary>
@@ -1606,6 +1624,24 @@ interface(`kernel_rw_rpc_sysctls',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to list all sysctl directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_all_sysctls',`
+	gen_require(`
+		attribute sysctl_type;
+	')
+
+	dontaudit $1 sysctl_type:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Allow caller to read all sysctls.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 22ef391..a39e999 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -22,11 +22,13 @@
 
 /dev/tts/[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
+/dev/usb/tty.*		-c	gen_context(system_u:object_r:usbtty_device_t,s0)
+
 /dev/vcc?/.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
 /dev/vcs[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
-/dev/usb/tty.*		-c	gen_context(system_u:object_r:usbtty_device_t,s0)
+/dev/xvc[0-9]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
 ifdef(`distro_gentoo',`
 /dev/tts/[0-9]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 6b914fb..14dc4bd 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -185,6 +185,7 @@ files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
 files_read_usr_symlinks(dovecot_auth_t)
 files_search_tmp(dovecot_auth_t)
+files_read_var_lib_files(dovecot_t)
 
 libs_use_ld_so(dovecot_auth_t)
 libs_use_shared_libs(dovecot_auth_t)
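Review bot: `files_read_var_lib_files(dovecot_t)` is inserted into a run of dovecot_auth_t rules (every line from files_search_pids through libs_use_shared_libs takes dovecot_auth_t), so either the domain or the placement looks wrong. If dovecot_auth_t is the domain that actually needs /var/lib, change it to `files_read_var_lib_files(dovecot_auth_t)`; otherwise move the line into the dovecot_t section, which lies outside this hunk.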
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 9bccaa9..71b1ab9 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -110,10 +110,6 @@ storage_raw_write_removable_device(hald_t)
 storage_raw_read_fixed_disk(hald_t)
 storage_raw_write_fixed_disk(hald_t)
 
-term_dontaudit_use_console(hald_t)
-term_dontaudit_use_generic_ptys(hald_t)
-term_use_unallocated_ttys(hald_t)
-
 auth_use_nsswitch(hald_t)
 
 init_use_fds(hald_t)
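Review bot: Removing `term_dontaudit_use_console(hald_t)` and `term_dontaudit_use_generic_ptys(hald_t)` here and re-adding them only inside `ifdef(`targeted_policy'` in the next hunk means that under strict policy these denials are now audited, and `term_use_unallocated_ttys(hald_t)` is dropped with no replacement in either branch. If hald_t no longer needs unallocated ttys that is fine, but the dontaudit rules cost nothing in strict and avoid log noise, so consider keeping `term_dontaudit_use_console(hald_t)` unconditional. pyzor.te in this commit moves `term_dontaudit_use_generic_ptys(pyzord_t)` into the targeted block the same way.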
@@ -145,7 +141,8 @@ sysnet_read_config(hald_t)
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_sysadm_home_dirs(hald_t)
 
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
+	term_dontaudit_use_console(hald_t)
 	term_setattr_unallocated_ttys(hald_t)
 	term_dontaudit_use_unallocated_ttys(hald_t)
 	term_dontaudit_use_generic_ptys(hald_t)
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index f433f2c..8ead65c 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -58,6 +58,8 @@ libs_use_shared_libs(pyzor_t)
 
 miscfiles_read_localization(pyzor_t)
 
+userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
+
 optional_policy(`
 	amavis_manage_lib_files(pyzor_t)
 	amavis_manage_spool_files(pyzor_t)
@@ -104,13 +106,13 @@ corenet_sendrecv_pyzor_server_packets(pyzord_t)
 
 files_read_etc_files(pyzord_t)
 
-term_dontaudit_use_generic_ptys(pyzord_t)
-
 auth_use_nsswitch(pyzord_t)
 
 libs_use_ld_so(pyzord_t)
 libs_use_shared_libs(pyzord_t)
 
+locallogin_dontaudit_use_fds(pyzord_t)
+
 miscfiles_read_localization(pyzord_t)
 
 # Do not audit attempts to access /root.
@@ -120,6 +122,9 @@ userdom_dontaudit_search_staff_home_dirs(pyzord_t)
 mta_manage_spool(pyzord_t)
 
 ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(pyzord_t)
+	term_dontaudit_use_unallocated_ttys(pyzord_t)
+
 	userdom_read_generic_user_home_content_files(pyzord_t)
 ')
 
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index c12d219..7170171 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -105,6 +105,7 @@ xserver_kill_xdm_xserver(rhgb_t)
 xserver_read_xkb_libs(rhgb_t)
 
 ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(rhgb_t)
 	term_dontaudit_use_generic_ptys(rhgb_t)
 	files_dontaudit_read_root_files(rhgb_t)
 ')
diff --git a/policy/modules/services/setroubleshoot.fc b/policy/modules/services/setroubleshoot.fc
new file mode 100644
index 0000000..2dca066
--- /dev/null
+++ b/policy/modules/services/setroubleshoot.fc
@@ -0,0 +1,7 @@
+/usr/sbin/setroubleshootd	--	gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
+/var/run/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+
+/var/log/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
+
+/var/lib/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
new file mode 100644
index 0000000..1627cae
--- /dev/null
+++ b/policy/modules/services/setroubleshoot.if
@@ -0,0 +1 @@
+## <summary>SELinux troubleshooting service</summary>
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
new file mode 100644
index 0000000..5286e4f
--- /dev/null
+++ b/policy/modules/services/setroubleshoot.te
@@ -0,0 +1,111 @@
+
+policy_module(setroubleshoot,1.0.0)
+
+########################################
+#
+# Declarations 
+#
+
+type setroubleshootd_t alias setroubleshoot_t;
+type setroubleshootd_exec_t;
+domain_type(setroubleshootd_t)
+init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+
+type setroubleshoot_var_lib_t;
+files_type(setroubleshoot_var_lib_t)
+
+# log files
+type setroubleshoot_var_log_t;
+logging_log_file(setroubleshoot_var_log_t)
+
+# pid files
+type setroubleshoot_var_run_t;
+files_pid_file(setroubleshoot_var_run_t)
+
+########################################
+#
+# setroubleshootd local policy
+#
+
+allow setroubleshootd_t self:capability { dac_override sys_tty_config };
+allow setroubleshootd_t self:process { signal getattr };
+allow setroubleshootd_t self:fifo_file rw_file_perms;
+allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
+allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
+
+# database files
+allow setroubleshootd_t setroubleshoot_var_lib_t:file create_file_perms;
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir { rw_dir_perms setattr };
+files_var_lib_filetrans(setroubleshootd_t,setroubleshoot_var_lib_t,{ file dir })
+
+# log files
+allow setroubleshootd_t setroubleshoot_var_log_t:file manage_file_perms;
+allow setroubleshootd_t setroubleshoot_var_log_t:sock_file manage_file_perms;
+allow setroubleshootd_t setroubleshoot_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(setroubleshootd_t,setroubleshoot_var_log_t,{ file dir })
+
+# pid file
+allow setroubleshootd_t setroubleshoot_var_run_t:file manage_file_perms;
+allow setroubleshootd_t setroubleshoot_var_run_t:sock_file manage_file_perms;
+allow setroubleshootd_t setroubleshoot_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(setroubleshootd_t)
+kernel_read_system_state(setroubleshootd_t)
+
+corecmd_exec_sbin(setroubleshootd_t)
+corecmd_exec_bin(setroubleshootd_t)
+corecmd_exec_shell(setroubleshootd_t)
+
+corenet_non_ipsec_sendrecv(setroubleshootd_t)
+corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
+corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
+corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
+corenet_tcp_bind_all_nodes(setroubleshootd_t)
+corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t)
+corenet_tcp_connect_smtp_port(setroubleshootd_t)
+corenet_sendrecv_setroubleshoot_server_packets(setroubleshootd_t)
+corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
+
+dev_read_urand(setroubleshootd_t)
+
+files_read_usr_files(setroubleshootd_t)
+files_read_etc_files(setroubleshootd_t)
+files_getattr_all_dirs(setroubleshootd_t)
+
+selinux_get_enforce_mode(setroubleshootd_t)
+
+term_dontaudit_use_console(setroubleshootd_t)
+term_dontaudit_use_all_user_ptys(setroubleshootd_t)
+term_dontaudit_use_all_user_ttys(setroubleshootd_t)
+
+init_read_utmp(setroubleshootd_t)
+init_dontaudit_write_utmp(setroubleshootd_t)
+init_use_fds(setroubleshootd_t)
+
+libs_use_ld_so(setroubleshootd_t)
+libs_use_shared_libs(setroubleshootd_t)
+
+miscfiles_read_localization(setroubleshootd_t)
+
+locallogin_dontaudit_use_fds(setroubleshootd_t)
+
+logging_send_syslog_msg(setroubleshootd_t)
+logging_stream_connect_auditd(setroubleshootd_t)
+
+seutil_read_config(setroubleshootd_t)
+
+sysnet_read_config(setroubleshootd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(setroubleshootd_t)
+	term_dontaudit_use_unallocated_ttys(setroubleshootd_t)
+')
+
+optional_policy(`
+	rpm_read_db(setroubleshootd_t)
+	rpm_dontaudit_manage_db(setroubleshootd_t)
+        rpm_use_script_fds(setroubleshootd_t)
+')
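Review bot: The `files_var_lib_filetrans` and `logging_log_filetrans` calls list `dir` as a class to transition, but the matching dir rules on setroubleshoot_var_lib_t and setroubleshoot_var_log_t only grant `{ rw_dir_perms setattr }`, and rw_dir_perms does not include `create`, so the daemon cannot actually create those directories; either grant `create_dir_perms` as mount.te does for mount_tmp_t, or drop `dir` from the filetrans class lists. `dac_override` in the self:capability rule bypasses all DAC file checks and deserves a why-comment like hotplug.te's, naming the file access it is needed for. The `rpm_use_script_fds` line is indented with spaces where the rest of the file uses tabs.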
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 5367cd3..fedeae5 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -132,8 +132,11 @@ userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(spamd_t)
 	term_dontaudit_use_generic_ptys(spamd_t)
+
 	files_dontaudit_read_root_files(spamd_t)
+
 	tunable_policy(`spamd_enable_home_dirs',`
+		userdom_home_filetrans_generic_user_home_dir(spamd_t)
 		userdom_manage_generic_user_home_content_dirs(spamd_t)
 		userdom_manage_generic_user_home_content_files(spamd_t)
 		userdom_manage_generic_user_home_content_symlinks(spamd_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 9309129..e31296f 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -696,6 +696,27 @@ interface(`ssh_exec',`
 
 ########################################
 ## <summary>
+##	Execute the ssh key generator in the ssh keygen domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_domtrans_keygen',`
+	gen_require(`
+		type ssh_keygen_t, ssh_keygen_exec_t;
+	')
+
+	domain_auto_trans($1,ssh_keygen_exec_t,ssh_keygen_t)
+	allow ssh_keygen_t $1:fd use;
+	allow ssh_keygen_t $1:fifo_file rw_file_perms;
+	allow ssh_keygen_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Read ssh server keys
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index aefc9e2..7e33cf8 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -45,7 +45,6 @@ template(`xserver_common_domain_template',`
 	allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 	dontaudit $1_xserver_t self:capability chown;
 	allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_xserver_t self:process { execmem execheap execstack setsched };
 	allow $1_xserver_t self:fd use;
 	allow $1_xserver_t self:fifo_file rw_file_perms;
 	allow $1_xserver_t self:sock_file r_file_perms;
@@ -159,6 +158,14 @@ template(`xserver_common_domain_template',`
 
 	sysnet_read_config($1_xserver_t)
 
+	ifndef(`distro_redhat',`
+		allow $1_xserver_t self:process { execmem execheap execstack };
+	')
+
+	ifdef(`distro_rhel4',`
+		allow $1_xserver_t self:process { execmem execheap execstack };
+	')
+
 	optional_policy(`
 		apm_stream_connect($1_xserver_t)
 	')
@@ -770,9 +777,12 @@ interface(`xserver_rw_xdm_pipes',`
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
-		type xdm_t;
+		type xdm_t, xdm_tmp_t;
 	')
 
+	files_search_tmp($1)
+	allow $1 xdm_tmp_t:dir search_dir_perms;
+	allow $1 xdm_tmp_t:sock_file write;
 	allow $1 xdm_t:unix_stream_socket connectto;
 ')
 
@@ -1049,6 +1059,24 @@ interface(`xserver_read_xdm_xserver_tmp_files',`
 
 ########################################
 ## <summary>
+##	Read xdm temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_read_xdm_tmp_files',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	allow $1 xdm_tmp_t:file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Kill XDM X servers
 ## </summary>
 ## <param name="domain">
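Review bot: The parameter summary of `xserver_read_xdm_tmp_files` says `Domain to not audit`, but the interface grants access, so it should read `Domain allowed access.` as in `ssh_domtrans_keygen`. The interface also grants only file `{ getattr read }` with no search on the xdm_tmp_t directory or /tmp, so callers probably need `files_search_tmp($1)` and `allow $1 xdm_tmp_t:dir search_dir_perms;` as `xserver_stream_connect_xdm` now does, unless every caller already has them.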
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 5121a2b..6099a00 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -292,11 +292,17 @@ ifdef(`strict_policy',`
 ')
 
 ifdef(`targeted_policy',`
-	allow xdm_t self:process { execheap execmem };
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
 	userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
 
+	ifndef(`distro_redhat',`
+		allow xdm_t self:process { execheap execmem };
+	')
+
+	ifdef(`distro_rhel4',`
+		allow xdm_t self:process { execheap execmem };
+	')
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
@@ -420,10 +426,16 @@ ifdef(`strict_policy',`
 ')
 
 ifdef(`targeted_policy',`
-	allow xdm_xserver_t self:process { execheap execmem };
-
 	unconfined_domain_noaudit(xdm_xserver_t)
 	unconfined_domtrans(xdm_xserver_t)
+
+	ifndef(`distro_redhat',`
+		allow xdm_xserver_t self:process { execheap execmem };
+	')
+
+	ifdef(`distro_rhel4',`
+		allow xdm_xserver_t self:process { execheap execmem };
+	')
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index cddc6c9..84205ea 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -27,7 +27,7 @@ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
 dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit hotplug_t self:capability { dac_override dac_read_search };
-allow hotplug_t self:process { getsession getattr signal_perms };
+allow hotplug_t self:process { setpgid getsession getattr signal_perms };
 allow hotplug_t self:fifo_file rw_file_perms;
 allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
 allow hotplug_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index b9d91bf..6730fd2 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -30,6 +30,7 @@ ifdef(`distro_suse', `
 
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
 
+/var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 03a2156..3920f15 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -11,6 +11,9 @@ type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
 role system_r types mount_t;
 
+type mount_loopback_t; # customizable
+files_type(mount_loopback_t)
+
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
 
@@ -28,6 +31,8 @@ ifdef(`targeted_policy',`
 # setuid/setgid needed to mount cifs 
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 
+allow mount_t mount_loopback_t:file r_file_perms;
+
 allow mount_t mount_tmp_t:file create_file_perms;
 allow mount_t mount_tmp_t:dir create_dir_perms;
 files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
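Review bot: `allow mount_t mount_loopback_t:file r_file_perms;` grants read only, so if mount opens a loopback image read-write before attaching the loop device, a `-o loop` mount without `ro` would be denied write on the image. If read-write loopback images are intended, widen this to `rw_file_perms`; if the type is meant for read-only images only, a comment next to the `# customizable` marker saying so would prevent the next reader from widening it.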
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 295ab39..6808918 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -355,6 +355,8 @@ kernel_relabelfrom_unlabeled_files(restorecon_t)
 kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
 kernel_relabelfrom_unlabeled_pipes(restorecon_t)
 kernel_relabelfrom_unlabeled_sockets(restorecon_t)
+kernel_dontaudit_list_all_proc(restorecon_t)
+kernel_dontaudit_list_all_sysctls(restorecon_t)
 
 dev_relabel_all_dev_nodes(restorecon_t)
 # cjp: why is this needed?
@@ -458,6 +460,8 @@ init_dontaudit_use_script_ptys(restorecond_t)
 libs_use_ld_so(restorecond_t)
 libs_use_shared_libs(restorecond_t)
 
+locallogin_dontaudit_use_fds(restorecond_t)
+
 logging_send_syslog_msg(restorecond_t)
 
 miscfiles_read_localization(restorecond_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 41ae3d8..4ab9df0 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -56,6 +56,7 @@ mls_rangetrans_target(setrans_t)
 selinux_compute_access_vector(setrans_t)
 
 term_dontaudit_use_generic_ptys(setrans_t)
+term_dontaudit_use_unallocated_ttys(setrans_t)
 
 init_use_fds(setrans_t)
 init_dontaudit_use_script_ptys(setrans_t)
@@ -63,6 +64,8 @@ init_dontaudit_use_script_ptys(setrans_t)
 libs_use_ld_so(setrans_t)
 libs_use_shared_libs(setrans_t)
 
+locallogin_dontaudit_use_fds(setrans_t)
+
 logging_send_syslog_msg(setrans_t)
 
 miscfiles_read_localization(setrans_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 7fadd24..20b7356 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -84,14 +84,33 @@ kernel_rw_unix_dgram_sockets(udev_t)
 kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
 
+corecmd_exec_all_executables(udev_t)
+
 dev_rw_sysfs(udev_t)
 dev_manage_all_dev_nodes(udev_t)
 dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
 
+domain_read_all_domains_state(udev_t)
+
+files_read_etc_runtime_files(udev_t)
+files_read_etc_files(udev_t)
+files_exec_etc_files(udev_t)
+files_dontaudit_search_isid_type_dirs(udev_t)
+files_getattr_generic_locks(udev_t)
+files_search_mnt(udev_t)
+
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
 
+mcs_ptrace_all(udev_t)
+
+mls_file_read_up(udev_t)
+mls_file_write_down(udev_t)
+mls_file_upgrade(udev_t)
+mls_file_downgrade(udev_t)
+mls_process_write_down(udev_t)
+
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)
 selinux_compute_access_vector(udev_t)
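Review bot: Most of this hunk and the two that follow only reorder existing udev_t rules, but `mcs_ptrace_all(udev_t)` at the top of the mls block is a new grant that is easy to miss among the moved lines; it exempts udev_t from the MCS ptrace constraint for all categories. A why-comment such as `# mcs_ptrace_all: needed for <TODO: which udev helper>` or a separate commit would make the new privilege reviewable on its own.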
@@ -103,17 +122,6 @@ auth_read_pam_console_data(udev_t)
 auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
 
-corecmd_exec_all_executables(udev_t)
-
-domain_read_all_domains_state(udev_t)
-
-files_read_etc_runtime_files(udev_t)
-files_read_etc_files(udev_t)
-files_exec_etc_files(udev_t)
-files_dontaudit_search_isid_type_dirs(udev_t)
-files_getattr_generic_locks(udev_t)
-files_search_mnt(udev_t)
-
 init_use_fds(udev_t)
 init_read_utmp(udev_t)
 init_dontaudit_write_utmp(udev_t)
@@ -126,12 +134,6 @@ logging_send_syslog_msg(udev_t)
 
 miscfiles_read_localization(udev_t)
 
-mls_file_read_up(udev_t)
-mls_file_write_down(udev_t)
-mls_file_upgrade(udev_t)
-mls_file_downgrade(udev_t)
-mls_process_write_down(udev_t)
-
 modutils_domtrans_insmod(udev_t)
 
 seutil_read_config(udev_t)
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index 37d3619..cf3fa5a 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -1,13 +1,14 @@
 # Add programs here which should not be confined by SELinux
 # e.g.:
-# /usr/local/bin/appsrv	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+# /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/vncserver	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 
 ifdef(`targeted_policy',`
 /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/valgrind 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind 		--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/local/RealPlay/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/mplayer	 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/xine		 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 ')

