[selinux-policy: 1799/3172] trunk: 5 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:40:27 UTC 2010


commit 0a0b8078ca9d3e7f10ad99682f26ea3f56ce2906
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Sep 4 18:57:58 2007 +0000

    trunk: 5 patches from dan.

 policy/modules/admin/readahead.fc         |    5 ++---
 policy/modules/admin/readahead.te         |   17 ++++++++++++++---
 policy/modules/admin/usermanage.if        |    2 +-
 policy/modules/admin/usermanage.te        |   22 ++++++++++++++++------
 policy/modules/apps/loadkeys.te           |    8 ++++++--
 policy/modules/services/setroubleshoot.if |   20 ++++++++++++++++++++
 policy/modules/services/setroubleshoot.te |   12 ++++++------
 policy/modules/system/logging.if          |   19 +++++++++++++++++++
 policy/modules/system/logging.te          |    2 +-
 policy/modules/system/netlabel.te         |    4 +++-
 10 files changed, 88 insertions(+), 23 deletions(-)
---
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
index 26c1128..09cc902 100644
--- a/policy/modules/admin/readahead.fc
+++ b/policy/modules/admin/readahead.fc
@@ -1,4 +1,3 @@
-#
-# /usr
-#
+/etc/readahead.d(/.*)?		gen_context(system_u:object_r:readahead_etc_rw_t,s0)
+
 /usr/sbin/readahead	--	gen_context(system_u:object_r:readahead_exec_t,s0)
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index 849d2d5..4f90974 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
 
-policy_module(readahead,1.3.1)
+policy_module(readahead,1.3.2)
 
 ########################################
 #
@@ -11,6 +11,9 @@ type readahead_exec_t;
 init_daemon_domain(readahead_t,readahead_exec_t)
 application_domain(readahead_t,readahead_exec_t)
 
+type readahead_etc_rw_t;
+files_pid_file(readahead_etc_rw_t)
+
 type readahead_var_run_t;
 files_pid_file(readahead_var_run_t)
 
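Review bot: `readahead_etc_rw_t` is declared with `files_pid_file()` even though the only path this commit labels with it is `/etc/readahead.d(/.*)?`, which is configuration under /etc rather than runtime pid state; that attaches the pid-file attribute to it, so every interface that acts on all pid files will also reach this directory. Use the configuration-file declaration instead, `files_config_file(readahead_etc_rw_t)` if this tree provides it, or plain `files_type(readahead_etc_rw_t)` otherwise. A one-line comment saying what readahead writes there would also help, since the `_rw_` suffix is currently the only hint that this is writable state and not read-only config.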
@@ -19,9 +22,12 @@ files_pid_file(readahead_var_run_t)
 # Local policy
 #
 
-dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
+allow readahead_t self:capability { dac_override dac_read_search };
+dontaudit readahead_t self:capability sys_tty_config;
 allow readahead_t self:process signal_perms;
 
+manage_files_pattern(readahead_t,readahead_etc_rw_t,readahead_etc_rw_t)
+
 manage_files_pattern(readahead_t,readahead_var_run_t,readahead_var_run_t)
 files_pid_filetrans(readahead_t,readahead_var_run_t,file)
 
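Review bot: The new rule `allow readahead_t self:capability { dac_override dac_read_search };` turns what was a dontaudit into a real grant of dac_override, which bypasses every DAC check rather than only read/search. If readahead merely needs to read files it could not otherwise open, `dac_read_search` is the narrower capability; because the kernel tests dac_override before dac_read_search, the usual refpolicy pattern is `allow readahead_t self:capability dac_read_search;` together with `dontaudit readahead_t self:capability { dac_override sys_tty_config };`, which keeps the spurious dac_override check silent without granting it. The same justification question applies to the next hunk, where `storage_raw_read_fixed_disk(readahead_t)` replaces a getattr dontaudit with raw read access to fixed disks; a short why-comment there (presumably the preloader reads blocks directly — confirm) would spare the next reviewer from guessing.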
@@ -37,7 +43,7 @@ dev_getattr_all_blk_files(readahead_t)
 dev_dontaudit_read_all_blk_files(readahead_t)
 dev_dontaudit_getattr_memory_dev(readahead_t)
 dev_dontaudit_getattr_nvram_dev(readahead_t)
-storage_dontaudit_getattr_fixed_disk_dev(readahead_t)
+storage_raw_read_fixed_disk(readahead_t)
 
 domain_use_interactive_fds(readahead_t)
 
@@ -68,6 +74,7 @@ libs_use_ld_so(readahead_t)
 libs_use_shared_libs(readahead_t)
 
 logging_send_syslog_msg(readahead_t)
+logging_dontaudit_search_audit_config(readahead_t)
 
 miscfiles_read_localization(readahead_t)
 
@@ -81,5 +88,9 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`
+	cron_system_entry(readahead_t, readahead_exec_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(readahead_t)
 ')
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index df6cfed..e3300d8 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -278,5 +278,5 @@ interface(`usermanage_read_crack_db',`
 		type crack_db_t;
 	')
 
-	allow $1 crack_db_t:file read_file_perms;
+	read_files_pattern($1,crack_db_t,crack_db_t)
 ')
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index a393442..7c5a96a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.7.1)
+policy_module(usermanage,1.7.2)
 
 ########################################
 #
@@ -191,7 +191,6 @@ allow groupadd_t self:unix_dgram_socket create_socket_perms;
 allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
 allow groupadd_t self:unix_dgram_socket sendto;
 allow groupadd_t self:unix_stream_socket connectto;
-allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 fs_getattr_xattr_fs(groupadd_t)
 fs_search_auto_mountpoints(groupadd_t)
@@ -223,6 +222,7 @@ libs_use_shared_libs(groupadd_t)
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(groupadd_t)
 
+logging_send_audit_msgs(groupadd_t)
 logging_send_syslog_msg(groupadd_t)
 
 miscfiles_read_localization(groupadd_t)
@@ -245,6 +245,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nscd_domtrans(groupadd_t)
+')
+
+optional_policy(`
 	rpm_use_fds(groupadd_t)
 	rpm_rw_pipes(groupadd_t)
 ')
@@ -254,7 +258,7 @@ optional_policy(`
 # Passwd local policy
 #
 
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
+allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow passwd_t self:process { setrlimit setfscreate };
 allow passwd_t self:fd use;
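Review bot: The rewritten capability line drops `audit_control` from passwd_t along with `audit_write`, but the `logging_send_audit_msgs(passwd_t)` call added later in this file appears to replace only audit_write and the removed netlink_audit_socket rule (its definition is not in this diff, so confirm), which makes this hunk a privilege reduction and not a pure refactor like the groupadd_t and useradd_t hunks. If passwd never needs to change audit configuration that is the right least-privilege outcome, but it deserves a note so a later AVC denial on audit_control is not misread as a regression; `# audit_control intentionally not granted: passwd only emits audit records` above the line would do.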
@@ -264,7 +268,6 @@ allow passwd_t self:unix_dgram_socket create_socket_perms;
 allow passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow passwd_t self:unix_dgram_socket sendto;
 allow passwd_t self:unix_stream_socket connectto;
-allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow passwd_t self:shm create_shm_perms;
 allow passwd_t self:sem create_sem_perms;
 allow passwd_t self:msgq create_msgq_perms;
@@ -316,6 +319,7 @@ init_dontaudit_rw_utmp(passwd_t)
 libs_use_ld_so(passwd_t)
 libs_use_shared_libs(passwd_t)
 
+logging_send_audit_msgs(passwd_t)
 logging_send_syslog_msg(passwd_t)
 
 miscfiles_read_localization(passwd_t)
@@ -336,6 +340,7 @@ optional_policy(`
 
 optional_policy(`
 	nscd_socket_use(passwd_t)
+	nscd_domtrans(passwd_t)
 ')
 
 ########################################
@@ -426,6 +431,7 @@ optional_policy(`
 
 optional_policy(`
 	nscd_socket_use(sysadm_passwd_t)
+	nscd_domtrans(sysadm_passwd_t)
 ')
 
 ########################################
@@ -433,7 +439,7 @@ optional_policy(`
 # Useradd local policy
 #
 
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
 dontaudit useradd_t self:capability sys_tty_config;
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
@@ -447,7 +453,6 @@ allow useradd_t self:unix_dgram_socket create_socket_perms;
 allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
 allow useradd_t self:unix_stream_socket connectto;
-allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 # for getting the number of groups
 kernel_read_kernel_sysctls(useradd_t)
@@ -492,6 +497,7 @@ init_rw_utmp(useradd_t)
 libs_use_ld_so(useradd_t)
 libs_use_shared_libs(useradd_t)
 
+logging_send_audit_msgs(useradd_t)
 logging_send_syslog_msg(useradd_t)
 
 miscfiles_read_localization(useradd_t)
@@ -519,6 +525,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nscd_domtrans(useradd_t)
+')
+
+optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index ff89083..6798756 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -1,5 +1,5 @@
 
-policy_module(loadkeys,1.1.0)
+policy_module(loadkeys,1.1.1)
 
 ########################################
 #
@@ -39,7 +39,7 @@ ifdef(`targeted_policy',`
 	files_read_etc_runtime_files(loadkeys_t)
 
 	term_dontaudit_use_console(loadkeys_t)
-	term_dontaudit_use_unallocated_ttys(loadkeys_t)
+	term_use_unallocated_ttys(loadkeys_t)
 
 	init_dontaudit_use_script_ptys(loadkeys_t)
 
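Review bot: `term_use_unallocated_ttys(loadkeys_t)` replaces a dontaudit with a real read/write grant on unallocated ttys, inside the targeted_policy ifdef block that begins before this hunk. Nothing in the hunk says why loadkeys needs the access instead of just silencing the denial; if it is because loadkeys runs from rc scripts on a console whose tty is not yet allocated (inferred, not shown here), put that above the call as `# loadkeys runs from rc scripts on a not-yet-allocated tty at boot` so the grant is not widened further later on the strength of an unexplained precedent.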
@@ -49,4 +49,8 @@ ifdef(`targeted_policy',`
 	locallogin_use_fds(loadkeys_t)
 
 	miscfiles_read_localization(loadkeys_t)
+
+	optional_policy(`
+		nscd_dontaudit_search_pid(loadkeys_t)
+	')
 ')
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
index 50c7135..ec02d93 100644
--- a/policy/modules/services/setroubleshoot.if
+++ b/policy/modules/services/setroubleshoot.if
@@ -19,3 +19,23 @@ interface(`setroubleshoot_stream_connect',`
 	allow $1 setroubleshoot_var_run_t:sock_file write;
 	allow $1 setroubleshootd_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##	Dontaudit attempts to connect to setroubleshootd
+##	over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`setroubleshoot_dontaudit_stream_connect',`
+	gen_require(`
+		type setroubleshootd_t, setroubleshoot_var_run_t;
+	')
+
+	dontaudit $1 setroubleshoot_var_run_t:sock_file write;
+	dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
+')
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index b292f9e..d6e6bb9 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
 
-policy_module(setroubleshoot,1.4.0)
+policy_module(setroubleshoot,1.4.1)
 
 ########################################
 #
@@ -33,7 +33,6 @@ allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
 allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
 allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
-allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
 
 # database files
 allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
@@ -76,12 +75,17 @@ files_read_etc_files(setroubleshootd_t)
 files_getattr_all_dirs(setroubleshootd_t)
 files_getattr_all_files(setroubleshootd_t)
 
+fs_getattr_all_dirs(setroubleshootd_t)
+fs_getattr_all_files(setroubleshootd_t)
+
 selinux_get_enforce_mode(setroubleshootd_t)
 selinux_validate_context(setroubleshootd_t)
 
 term_dontaudit_use_all_user_ptys(setroubleshootd_t)
 term_dontaudit_use_all_user_ttys(setroubleshootd_t)
 
+auth_use_nsswitch(setroubleshootd_t)
+
 init_read_utmp(setroubleshootd_t)
 init_dontaudit_write_utmp(setroubleshootd_t)
 
@@ -112,7 +116,3 @@ optional_policy(`
 	rpm_dontaudit_manage_db(setroubleshootd_t)
         rpm_use_script_fds(setroubleshootd_t)
 ')
-
-optional_policy(`
-	nis_use_ypbind(setroubleshootd_t)
-')
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 6ee2f5b..7841e71 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -317,6 +317,25 @@ interface(`logging_read_audit_config',`
 
 ########################################
 ## <summary>
+##	dontaudit search of auditd configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_dontaudit_search_audit_config',`
+	gen_require(`
+		type auditd_etc_t;
+	')
+
+	dontaudit $1 auditd_etc_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Allows the domain to open a file in the
 ##	log directory, but does not allow the listing
 ##	of the contents of the log directory.
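Review bot: The new `logging_dontaudit_search_audit_config` interface carries a `## <rolecap/>` tag, which marks an interface as granting a role capability; a dontaudit-only interface grants nothing, so the tag looks copied from `logging_read_audit_config` above and should be dropped. The summary should also match the style of its neighbours, `##	Do not audit attempts to search the auditd configuration directory.`. The rule itself, `dontaudit $1 auditd_etc_t:dir search_dir_perms;`, is the right scope for silencing the readahead denial this commit works around.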
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index a649c07..12332f0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.7.2)
+policy_module(logging,1.7.3)
 
 ########################################
 #
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index 232d203..4237f55 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -1,5 +1,5 @@
 
-policy_module(netlabel,1.0.1)
+policy_module(netlabel,1.0.2)
 
 ########################################
 #
@@ -21,6 +21,8 @@ allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
 
 kernel_read_network_state(netlabel_mgmt_t)
 
+files_read_etc_files(netlabel_mgmt_t)
+
 libs_use_ld_so(netlabel_mgmt_t)
 libs_use_shared_libs(netlabel_mgmt_t)
 

