[selinux-policy: 1600/3172] gentoo testing fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:23:28 UTC 2010
commit bf469d766928777faac4fb50be06f53457f7de93
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Sep 19 17:02:29 2006 +0000
gentoo testing fixes
policy/modules/kernel/corenetwork.if.in | 124 +++++++++++++++++++++++++++++++
policy/modules/kernel/corenetwork.if.m4 | 109 +++++++++++++++++++++++++++
policy/modules/kernel/corenetwork.te.in | 2 +-
policy/modules/kernel/devices.if | 18 +++++
policy/modules/kernel/devices.te | 2 +-
policy/modules/kernel/files.if | 47 +++++++++---
policy/modules/kernel/files.te | 2 +-
policy/modules/kernel/kernel.if | 33 ++++++++
policy/modules/kernel/kernel.te | 2 +-
policy/modules/services/ssh.if | 7 +-
policy/modules/services/ssh.te | 2 +-
policy/modules/system/getty.te | 16 ++++-
policy/modules/system/init.te | 8 ++-
policy/modules/system/modutils.te | 3 +-
14 files changed, 351 insertions(+), 24 deletions(-)
---
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 65fbe15..af360bc 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -42,6 +42,25 @@ interface(`corenet_udp_send_generic_if',`
########################################
## <summary>
+## Dontaudit attempts to send UDP network traffic
+## on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_send_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ dontaudit $1 netif_t:netif udp_send;
+')
+
+########################################
+## <summary>
## Receive UDP network traffic on generic interfaces.
## </summary>
## <param name="domain">
@@ -60,6 +79,25 @@ interface(`corenet_udp_receive_generic_if',`
########################################
## <summary>
+## Do not audit attempts to receive UDP network
+## traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_receive_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ dontaudit $1 netif_t:netif udp_recv;
+')
+
+########################################
+## <summary>
## Send and Receive UDP network traffic on generic interfaces.
## </summary>
## <param name="domain">
@@ -75,6 +113,22 @@ interface(`corenet_udp_sendrecv_generic_if',`
########################################
## <summary>
+## Do not audit attempts to send and receive UDP network
+## traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_sendrecv_generic_if',`
+ corenet_dontaudit_udp_send_generic_if($1)
+ corenet_dontaudit_udp_receive_generic_if($1)
+')
+
+########################################
+## <summary>
## Send raw IP packets on generic interfaces.
## </summary>
## <param name="domain">
@@ -438,6 +492,25 @@ interface(`corenet_udp_send_all_nodes',`
########################################
## <summary>
+## Do not audit attempts to send UDP network
+## traffic on any nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_send_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ dontaudit $1 node_type:node udp_send;
+')
+
+########################################
+## <summary>
## Receive UDP network traffic on all nodes.
## </summary>
## <param name="domain">
@@ -456,6 +529,25 @@ interface(`corenet_udp_receive_all_nodes',`
########################################
## <summary>
+## Do not audit attempts to receive UDP
+## network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_receive_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ dontaudit $1 node_type:node udp_recv;
+')
+
+########################################
+## <summary>
## Send and receive UDP network traffic on all nodes.
## </summary>
## <param name="domain">
@@ -471,6 +563,22 @@ interface(`corenet_udp_sendrecv_all_nodes',`
########################################
## <summary>
+## Do not audit attempts to send and receive UDP
+## network traffic on any nodes nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_sendrecv_all_nodes',`
+ corenet_dontaudit_udp_send_all_nodes($1)
+ corenet_dontaudit_udp_receive_all_nodes($1)
+')
+
+########################################
+## <summary>
## Send raw IP packets on all nodes.
## </summary>
## <param name="domain">
@@ -1312,6 +1420,22 @@ interface(`corenet_non_ipsec_sendrecv',`
########################################
## <summary>
+## Do not audit attempts to send and receive
+## messages on a non-encrypted (no IPSEC) network
+## session.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_non_ipsec_sendrecv',`
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
## Send generic client packets.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index 51908e2..c20c7a4 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -360,6 +360,25 @@ interface(`corenet_udp_send_$1_port',`
########################################
## <summary>
+## Do not audit attempts to send UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_$1_port',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ dontaudit dollarsone $1_$2:udp_socket send_msg;
+')
+
+########################################
+## <summary>
## Receive UDP traffic on the $1 port.
## </summary>
## <param name="domain">
@@ -379,6 +398,25 @@ interface(`corenet_udp_receive_$1_port',`
########################################
## <summary>
+## Do not audit attempts to receive UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_$1_port',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ dontaudit dollarsone $1_$2:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
## Send and receive UDP traffic on the $1 port.
## </summary>
## <param name="domain">
@@ -395,6 +433,23 @@ interface(`corenet_udp_sendrecv_$1_port',`
########################################
## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_$1_port',`
+ corenet_dontaudit_udp_send_$1_port(dollarsone)
+ corenet_dontaudit_udp_receive_$1_port(dollarsone)
+')
+
+########################################
+## <summary>
## Bind TCP sockets to the $1 port.
## </summary>
## <param name="domain">
@@ -474,6 +529,25 @@ interface(`corenet_send_$1_packets',`
########################################
## <summary>
+## Do not audit attempts to send $1 packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_$1_packets',`
+ gen_require(`
+ type $1_packet_t;
+ ')
+
+ dontaudit dollarsone $1_packet_t:packet send;
+')
+
+########################################
+## <summary>
## Receive $1 packets.
## </summary>
## <param name="domain">
@@ -493,6 +567,25 @@ interface(`corenet_receive_$1_packets',`
########################################
## <summary>
+## Do not audit attempts to receive $1 packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_$1_packets',`
+ gen_require(`
+ type $1_packet_t;
+ ')
+
+ dontaudit dollarsone $1_packet_t:packet recv;
+')
+
+########################################
+## <summary>
## Send and receive $1 packets.
## </summary>
## <param name="domain">
@@ -509,6 +602,22 @@ interface(`corenet_sendrecv_$1_packets',`
########################################
## <summary>
+## Do not audit attempts to send and receive $1 packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_$1_packets',`
+ corenet_dontaudit_send_$1_packets(dollarsone)
+ corenet_dontaudit_receive_$1_packets(dollarsone)
+')
+
+########################################
+## <summary>
## Relabel packets to $1 the packet type.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 169e582..65dfdd0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.1.15)
+policy_module(corenetwork,1.1.16)
########################################
#
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 8583729..918657b 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -147,6 +147,24 @@ interface(`dev_create_generic_dirs',`
########################################
## <summary>
+## Delete a directory in the device directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to create the directory.
+## </summary>
+## </param>
+#
+interface(`dev_delete_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir { del_entry_dir_perms rmdir };
+')
+
+########################################
+## <summary>
## Allow full relabeling (to and from) of directories in /dev.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 6f30f63..bc5b1c0 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.1.21)
+policy_module(devices,1.1.22)
########################################
#
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index c390959..a9d4601 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3349,41 +3349,41 @@ interface(`files_usr_filetrans',`
########################################
## <summary>
-## Execute programs in /usr/src in the caller domain.
+## Do not audit attempts to search /usr/src.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`files_exec_usr_src_files',`
+interface(`files_dontaudit_search_src',`
gen_require(`
- type usr_t, src_t;
+ type src_t;
')
- allow $1 usr_t:dir search;
- allow $1 src_t:dir r_dir_perms;
- allow $1 src_t:lnk_file r_file_perms;
- can_exec($1,src_t)
+ dontaudit $1 src_t:dir search;
')
########################################
## <summary>
-## Do not audit attempts to search /usr/src.
+## Get the attributes of files in /usr/src.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`files_dontaudit_search_src',`
+interface(`files_getattr_usr_src_files',`
gen_require(`
- type src_t;
+ type usr_t, src_t;
')
- dontaudit $1 src_t:dir search;
+ allow $1 { usr_t src_t }:dir search_dir_perms;
+
+ allow $1 src_t:lnk_file { getattr read };
+ allow $1 src_t:file getattr;
')
########################################
@@ -3408,6 +3408,27 @@ interface(`files_read_usr_src_files',`
########################################
## <summary>
+## Execute programs in /usr/src in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_usr_src_files',`
+ gen_require(`
+ type usr_t, src_t;
+ ')
+
+ allow $1 usr_t:dir search;
+ allow $1 src_t:dir r_dir_perms;
+ allow $1 src_t:lnk_file r_file_perms;
+ can_exec($1,src_t)
+')
+
+########################################
+## <summary>
## Install a system.map into the /boot directory.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index dea8e5c..81e4660 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.16)
+policy_module(files,1.2.17)
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 2aa08cc..11e0807 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2133,6 +2133,39 @@ interface(`kernel_sendrecv_unlabeled_association',`
########################################
## <summary>
+## Do not audit attempts to send and receive messages
+## from an unlabeled IPSEC association.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to send and receive messages
+## from an unlabeled IPSEC association. Network
+## connections that are not protected
+## by IPSEC have use an unlabeled
+## assocation.
+## </p>
+## <p>
+## The corenetwork interface
+## corenet_dontaudit_non_ipsec_sendrecv() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:association { sendto recvfrom };
+')
+
+########################################
+## <summary>
## Send and receive unlabeled packets.
## </summary>
## <desc>
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 34b4d1b..5fe4843 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.3.15)
+policy_module(kernel,1.3.16)
########################################
#
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index a801eba..0735073 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -470,9 +470,10 @@ template(`ssh_server_template', `
allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:process { signal setsched setrlimit setexec };
-
- allow $1_t self:tcp_socket { listen accept create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
- allow $1_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+ # ssh agent connections:
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 232c005..399e913 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.3.10)
+policy_module(ssh,1.3.11)
########################################
#
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index e6a6745..8900a5b 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -1,5 +1,5 @@
-policy_module(getty,1.1.3)
+policy_module(getty,1.1.4)
########################################
#
@@ -105,6 +105,20 @@ logging_send_syslog_msg(getty_t)
miscfiles_read_localization(getty_t)
+ifdef(`distro_gentoo',`
+ # Gentoo default /etc/issue makes agetty
+ # do a DNS lookup for the hostname
+ dontaudit getty_t self:udp_socket create_socket_perms;
+
+ corenet_dontaudit_non_ipsec_sendrecv(getty_t)
+ corenet_dontaudit_udp_sendrecv_generic_if(getty_t)
+ corenet_dontaudit_udp_sendrecv_all_nodes(getty_t)
+ corenet_dontaudit_udp_sendrecv_dns_port(getty_t)
+ corenet_dontaudit_sendrecv_dns_client_packets(getty_t)
+
+ sysnet_dontaudit_read_config(getty_t)
+')
+
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(getty_t)
term_dontaudit_use_generic_ptys(getty_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 2ee4fe0..d35db82 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.23)
+policy_module(init,1.3.24)
gen_require(`
class passwd rootok;
@@ -411,6 +411,12 @@ ifdef(`distro_gentoo',`
dev_create_generic_dirs(initrc_t)
term_create_console_dev(initrc_t)
+ # unfortunately /sbin/rc does stupid tricks
+ # with /dev/.rcboot to decide if we are in
+ # early init
+ dev_create_generic_dirs(initrc_t)
+ dev_delete_generic_dirs(initrc_t)
+
# needed until baselayout is fixed to have the
# restorecon on /dev to again be immediately after
# mounting tmpfs on /dev
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 5184b74..4e702a8 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils,1.1.5)
+policy_module(modutils,1.1.6)
gen_require(`
bool secure_mode_insmod;
@@ -277,6 +277,7 @@ userdom_dontaudit_search_sysadm_home_dirs(update_modules_t)
ifdef(`distro_gentoo',`
files_search_pids(update_modules_t)
+ files_getattr_usr_src_files(update_modules_t)
optional_policy(`
consoletype_exec(update_modules_t)
More information about the scm-commits
mailing list