[selinux-policy: 1838/3172] trunk: 11 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:44:00 UTC 2010


commit 495df41602aab2b2baee8bc1b78316a61ae358c5
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Oct 29 18:35:32 2007 +0000

    trunk: 11 patches from dan.

 policy/modules/admin/alsa.fc            |    4 +
 policy/modules/admin/alsa.te            |   20 ++++-
 policy/modules/kernel/corecommands.fc   |   10 ++
 policy/modules/kernel/corecommands.te   |    2 +-
 policy/modules/kernel/corenetwork.if.in |   41 +++++++++
 policy/modules/kernel/corenetwork.te.in |   34 +++++---
 policy/modules/kernel/devices.fc        |    1 +
 policy/modules/kernel/devices.if        |   39 +++++++++
 policy/modules/kernel/devices.te        |    2 +-
 policy/modules/kernel/domain.if         |   25 ++++++
 policy/modules/kernel/domain.te         |   13 +++-
 policy/modules/kernel/files.fc          |    2 +-
 policy/modules/kernel/files.if          |  138 +++++++++++++++++++++++++++++++
 policy/modules/kernel/files.te          |    3 +-
 policy/modules/kernel/filesystem.te     |   10 ++-
 policy/modules/kernel/kernel.if         |   57 +++++++++++++
 policy/modules/kernel/kernel.te         |    2 +-
 policy/modules/kernel/storage.fc        |    3 +-
 policy/modules/kernel/storage.if        |   57 +++++++++++++
 policy/modules/kernel/storage.te        |    8 ++-
 policy/modules/kernel/terminal.fc       |    1 +
 policy/modules/kernel/terminal.te       |    2 +-
 22 files changed, 448 insertions(+), 26 deletions(-)
---
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 99c414d..e4ca1cb 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -1,4 +1,8 @@
 
 /etc/alsa/pcm(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound\.state		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+/sbin/alsactl 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
 
 /usr/bin/ainit 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 5fbd613..2d0415f 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
 
-policy_module(alsa,1.2.0)
+policy_module(alsa,1.2.1)
 
 ########################################
 #
@@ -19,7 +19,7 @@ files_type(alsa_etc_rw_t)
 # Local policy
 #
 
-allow alsa_t self:capability { setgid setuid ipc_owner };
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
 dontaudit alsa_t self:capability sys_admin;
 allow alsa_t self:sem create_sem_perms;
 allow alsa_t self:shm create_shm_perms;
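Review bot: The capability line now grants alsa_t `dac_override` alongside `dac_read_search` with no comment on what alsactl needs it for. `dac_override` bypasses DAC checks for writes as well as reads, so if the goal is only to read users' sound configuration as root (the same patch adds home-directory search), `dac_read_search` alone should be tried first and `dac_override` dropped. At minimum add a rationale at this line such as `# alsactl runs as root and must read per-user sound config (dac_read_search); dac_override needed for ... - confirm against audit log` so the next reviewer can re-check it rather than inherit it.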
@@ -28,11 +28,15 @@ allow alsa_t self:unix_dgram_socket create_socket_perms;
 
 manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
 manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
+files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
 
-files_read_etc_files(alsa_t)
+kernel_read_system_state(alsa_t)
+
+dev_read_sound(alsa_t)
+dev_write_sound(alsa_t)
 
-term_use_generic_ptys(alsa_t)
-term_dontaudit_use_unallocated_ttys(alsa_t)
+files_search_home(alsa_t)
+files_read_etc_files(alsa_t)
 
 libs_use_ld_so(alsa_t)
 libs_use_shared_libs(alsa_t)
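Review bot: The hunk removes `term_use_generic_ptys(alsa_t)` and `term_dontaudit_use_unallocated_ttys(alsa_t)` without saying why; if alsactl is still launched from a terminal (an init script or an interactive root shell), its writes to stdout/stderr will now be denied and audited. If the removal is deliberate because alsactl is only started by init or hal, a one-line comment at that spot would stop the rules from being re-added at the next denial report. Separately, `files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)` applies to every file alsa_t creates under etc_t directories, not only asound.state, so it relies on alsa_t creating nothing else in /etc; a comment such as `# asound.state is (re)written directly into /etc` would make that assumption visible.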
@@ -43,7 +47,13 @@ miscfiles_read_localization(alsa_t)
 
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
+userdom_search_generic_user_home_dirs(alsa_t)
 
 optional_policy(`
 	nscd_socket_use(alsa_t)
 ')
+
+optional_policy(`
+	hal_use_fds(alsa_t)
+	hal_write_log(alsa_t)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index f307057..6182ce3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -36,6 +36,11 @@ ifdef(`distro_redhat',`
 /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
 
+/etc/cron.daily/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.hourly/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.weekly/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.monthly/.*		--	gen_context(system_u:object_r:bin_t,s0)
+
 /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
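Review bot: The four new cron patterns leave the `.` in `cron.daily` and friends unescaped, so `/etc/cron.daily/.*` also matches paths such as `/etc/cronXdaily/foo`; the rest of this file escapes literal dots (`hotplug\.functions` two lines below). Use `/etc/cron\.daily/.*`, `/etc/cron\.hourly/.*`, `/etc/cron\.weekly/.*`, `/etc/cron\.monthly/.*`. Labelling these scripts bin_t also means any domain with corecmd_exec_bin may execute root's periodic scripts directly rather than merely read them; that is presumably the intent for crond, but since they live under /etc rather than a bin directory a short comment stating it would help.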
@@ -164,6 +169,7 @@ ifdef(`distro_gentoo',`
 
 /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Brother/lpd(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/Printer/[^/]*/cupswrapper(/.*)?      gen_context(system_u:object_r:bin_t,s0)
 
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
@@ -187,6 +193,10 @@ ifdef(`distro_gentoo', `
 ')
 
 ifdef(`distro_redhat', `
+/etc/gdm/XKeepsCrashing[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
+
 /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vmware-tools/sbin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
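Review bot: `/etc/gdm/[^/]+/.*` labels everything under every subdirectory of /etc/gdm as bin_t, and `/etc/gdm/[^/]+ -d` makes every subdirectory a bin_t directory, so any non-script data gdm keeps in a subdirectory becomes executable-typed as well. If the intent is the login hook scripts, a pattern naming the hook directories (for example `/etc/gdm/(Init|PostLogin|PreSession|PostSession)(/.*)?`) would keep the grant to those; if the broad match is deliberate, say so in a comment at this line. I cannot see which subdirectories the Red Hat gdm package ships, so the exact list needs confirming against the package.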
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 9058d48..fb03c18 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.8.2)
+policy_module(corecommands,1.8.3)
 
 ########################################
 #
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 969da70..a8ec213 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -867,9 +867,11 @@ interface(`corenet_udp_sendrecv_generic_port',`
 interface(`corenet_tcp_bind_generic_port',`
 	gen_require(`
 		type port_t;
+		attribute port_type;
 	')
 
 	allow $1 port_t:tcp_socket name_bind;
+	dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
 ')
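Review bot: The new `dontaudit $1 { port_type -port_t }:tcp_socket name_bind;` turns an allow interface into one that silently hides every failed bind to any labelled port for every caller of corenet_tcp_bind_generic_port. That removes the audit trail an administrator relies on to notice a service trying to bind a reserved or another service's port, and it hides the denial when a daemon is legitimately misconfigured. A dontaudit variant already exists (corenet_dontaudit_tcp_bind_generic_port, visible just below), so callers that really probe for a free port should opt in through a dedicated interface such as `corenet_dontaudit_tcp_bind_all_ports` rather than every generic-port binder getting it. If it stays here, the interface summary (outside the hunk) must say that it also suppresses those denials.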
 
 ########################################
@@ -903,9 +905,11 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
 interface(`corenet_udp_bind_generic_port',`
 	gen_require(`
 		type port_t;
+		attribute port_type;
 	')
 
 	allow $1 port_t:udp_socket name_bind;
+	dontaudit $1 { port_type -port_t }:udp_socket name_bind;
 ')
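Review bot: Same concern as the TCP variant: `dontaudit $1 { port_type -port_t }:udp_socket name_bind;` suppresses, for every caller of corenet_udp_bind_generic_port, the audit record of attempts to bind any labelled UDP port. Keep this interface a pure allow and move the dontaudit into an opt-in interface; if it stays, the summary above the hunk should document the suppression.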
 
 ########################################
@@ -1449,6 +1453,43 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
 
 ########################################
 ## <summary>
+##      Connect TCP sockets to rpc ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	allow $1 rpc_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to connect TCP sockets
+##	all rpc ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	dontaudit $1 rpc_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Read and write the TUN/TAP virtual network device.
 ## </summary>
 ## <param name="domain">
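Review bot: The summary `Connect TCP sockets to rpc ports.` understates what the rule grants: in this same commit rpc_port_type is attached to hi_reserved_port_t, i.e. every otherwise-unlabelled port in 600-1023, so `allow $1 rpc_port_type:tcp_socket name_connect;` effectively permits connecting to any unlabelled high reserved port. Document that, e.g. `## Connect TCP sockets to rpc ports (all rpc_port_type ports, which includes the generic 600-1023 range).`, so callers do not read the name as a narrow grant. The dontaudit variant's summary is missing a word (`Do not audit attempts to connect TCP sockets to all rpc ports.`), and the `<param>` block indentation mixes spaces with the tabs used elsewhere in the file.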
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b0a25be..349ae6e 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.2.12)
+policy_module(corenetwork,1.2.13)
 
 ########################################
 #
@@ -55,6 +55,11 @@ sid port gen_context(system_u:object_r:port_t,s0)
 type reserved_port_t, port_type, reserved_port_type;
 
 #
+# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
+#
 # server_packet_t is the default type of IPv4 and IPv6 server packets.
 #
 type server_packet_t, packet_type, server_packet_type;
@@ -67,7 +72,7 @@ network_port(afs_vl, udp,7003,s0)
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
-network_port(aol, tcp,5190,s0, udp,5190,s0)
+network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) 
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
@@ -94,12 +99,13 @@ network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
 network_port(ipp, tcp,631,s0, udp,631,s0)
+network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
 network_port(ircd, tcp,6667,s0)
 network_port(isakmp, udp,500,s0)
 network_port(iscsi, tcp,3260,s0)
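Review bot: `tcp, 8290,s0` in the hplip line has a stray space, unlike every other tuple in the file; write `tcp,8290,s0`. Whether the network_port macro tolerates the space depends on its definition, which is outside this hunk, so it is at least a readability inconsistency and possibly a silently skipped port. The new `ipsecnat` entry declares TCP 4500 as well as UDP 4500; NAT-T encapsulation is UDP-based, so unless a specific daemon is known to listen on TCP 4500 the TCP half widens what callers of the ipsecnat interfaces may bind or connect to and deserves a comment or removal.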
@@ -109,14 +115,15 @@ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 network_port(mail, tcp,2000,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
-network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(monopd, tcp,1234,s0)
-network_port(mysqld, tcp,3306,s0)
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
+portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
 network_port(netsupport, tcp,5405,s0, udp,5405,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0)
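Review bot: `portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)` is a raw portcon dropped between network_port lines with nothing saying what listens on that range; the file's convention is a trailing comment with the rationale (see the http_cache and squid lines). Add one naming the consumer, e.g. `# 63132-63163: <service> - confirm`, because a 32-port range with no recorded owner is hard to audit later. If the system's ip_local_port_range extends past 63132, these ports are also handed out as ephemeral source ports and the label then applies to unrelated connections, which is worth stating alongside the rationale.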
@@ -149,7 +156,7 @@ network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
 network_port(spamd, tcp,783,s0)
 network_port(ssh, tcp,22,s0)
-network_port(soundd, tcp,8000,s0, tcp,9433,s0)
+network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
 network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
@@ -163,16 +170,21 @@ network_port(transproxy, tcp,8081,s0)
 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
+network_port(wccp, udp,2048,s0)
+network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
 network_port(xfs, tcp,7100,s0)
-network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
 network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
 network_port(zope, tcp,8021,s0)
 
 # Defaults for reserved ports.  Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise declared.
-portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
-portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
+
+portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
 
 ########################################
 #
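Review bot: Splitting the default range into reserved_port_t (1-599) and hi_reserved_port_t (600-1023) silently changes the meaning of any existing rule that names `reserved_port_t` directly instead of the `reserved_port_type` attribute: such a domain keeps 1-599 but loses 600-1023 without any policy change on its side. Grep the tree for `reserved_port_t:` before merging, and extend the comment above the portcons with something like `# 600-1023 is hi_reserved_port_t (rpc_port_type) so portmap-assigned ports can be granted without the low reserved range.` so the split is explained where it is made. The new 600-1023 entries only cover ports not already labelled above (631, 636, 750 and so on keep their own types), which matches the existing precedence comment.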
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 7334fc7..6145844 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -98,6 +98,7 @@ ifdef(`distro_suse', `
 /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/uinput	-c	gen_context(system_u:object_r:event_device_t,s0)
 
 /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
 
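Review bot: `/dev/input/uinput` receives the same type as the read-only event nodes, but uinput is the user-space input injection interface: writing to it creates virtual keyboards and mice and synthesizes events. Any domain that can write event_device_t can therefore inject keystrokes system-wide, which is a far stronger capability than reading /dev/input/event*. A dedicated type such as `uinput_device_t` with its own interfaces would keep the two apart; if sharing the type is intentional for now, add a comment at this line noting the injection capability so the next grant of write access to event_device_t is made knowingly.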
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 2864179..3951c51 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -161,6 +161,7 @@ interface(`dev_create_generic_dirs',`
 		type device_t;
 	')
 
+	allow $1 device_t:dir list_dir_perms;
 	create_dirs_pattern($1,device_t,device_t)
 ')
 
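Review bot: Adding `allow $1 device_t:dir list_dir_perms;` to dev_create_generic_dirs widens the interface beyond its name: creating a directory under /dev needs search and add_name on the parent, which create_dirs_pattern already provides, not read of the directory listing. If callers genuinely need to enumerate /dev, have them call the listing interface explicitly, or update the summary (outside this hunk) to state that this interface also lists /dev.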
@@ -1305,6 +1306,44 @@ interface(`dev_manage_dri_dev',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the event devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_input_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir list_dir_perms;
+	allow $1 event_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the event devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_input_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir list_dir_perms;
+	allow $1 event_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Read input event devices (/dev/input).
 ## </summary>
 ## <param name="domain">
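Review bot: Both dev_getattr_input_dev and dev_setattr_input_dev grant `allow $1 device_t:dir list_dir_perms;`, but stat or chmod on a known node only requires search on /dev; the list permission is surplus to the stated purpose. The summaries say "event devices" while the interface names say input_dev, so pick one wording. dev_setattr_input_dev lets a caller change the mode and owner of the event nodes and thereby expose them to arbitrary users, so a sentence in its summary on when that is appropriate would help future callers.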
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 949f009..1a89be4 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.6.0)
+policy_module(devices,1.6.1)
 
 ########################################
 #
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index cc331e0..069f6a3 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -45,6 +45,12 @@ interface(`domain_type',`
 	# start with basic domain
 	domain_base_type($1)
 
+	ifdef(`distro_redhat',`
+		optional_policy(`
+			unconfined_use_fds($1)
+		')
+	')
+
 	# send init a sigchld and signull
 	optional_policy(`
 		init_sigchld($1)
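Review bot: The new `unconfined_use_fds($1)` inside domain_type gives every domain on Red Hat builds permission to use file descriptors inherited from unconfined_t, with no comment on why. This is a global relaxation: a descriptor leaked from an unconfined shell or startup script into a confined service can now be used rather than denied and audited, which is exactly the leak fd inheritance checks are meant to surface. If the purpose is to quiet noise from descriptors leaked by unconfined startup, say so at this line (`# unconfined_t leaks fds to every domain it starts; ...`) and consider a dontaudit instead of an allow so the trade-off is visible and the leaks are not silently usable.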
@@ -59,6 +65,7 @@ interface(`domain_type',`
 	')
 
 	optional_policy(`
+		selinux_dontaudit_getattr_fs($1)
 		selinux_dontaudit_read_fs($1)
 	')
 
@@ -1270,3 +1277,21 @@ interface(`domain_mmap_low',`
 
 	typeattribute $1 mmap_low_domain_type;
 ')
+
+########################################
+## <summary>
+##	Allow specified type to associate ipsec packets from any domain
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type of subject to be allowed this.
+##	</summary>
+## </param>
+#
+interface(`domain_ipsec_labels',`
+	gen_require(`
+		attribute domain;
+ 	')
+ 
+	allow $1 domain:association { sendto recvfrom };
+')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 8078685..3fa734c 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
 
-policy_module(domain,1.4.1)
+policy_module(domain,1.4.2)
 
 ########################################
 #
@@ -80,6 +80,11 @@ allow domain self:dir list_dir_perms;
 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
 allow domain self:file rw_file_perms;
 kernel_read_proc_symlinks(domain)
+# Every domain gets the key ring, so we should default
+# to no one allowed to look at it; afs kernel support creates
+# a keyring
+kernel_dontaudit_search_key(domain)
+kernel_dontaudit_link_key(domain)
 
 # create child processes in the domain
 allow domain self:process { fork sigchld };
@@ -104,6 +109,12 @@ optional_policy(`
 	setrans_translate_context(domain)
 ')
 
+# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
+optional_policy(`
+	xserver_dontaudit_use_xdm_fds(domain)
+	xserver_dontaudit_rw_xdm_pipes(domain)
+')
+
 ########################################
 #
 # Unconfined access to this module
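Review bot: The comment justifies the two dontaudits by a leaked descriptor to xsession-errors.log, but `xserver_dontaudit_rw_xdm_pipes(domain)` suppresses reads and writes on xdm's pipes for every domain, which is broader than a leaked log-file descriptor explains. If the pipe denials come from the same leak (a pipe standing in for the log in some configurations), extend the comment to say so; otherwise keep only the fd dontaudit so genuine use of xdm's pipes by a confined domain still shows up in the audit log.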
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index f63a5c7..6def969 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -209,7 +209,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
 /usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/lost\+found/.*		<<none>>
 
-/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+/usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
 
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
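Review bot: This hunk silently removes the `/usr/share(/.*)?/lib(64)?(/.*)?` usr_t rule and adds an unrelated README rule in its place, with no comment on either. Dropping the lib rule changes the label of everything under /usr/share/*/lib* to whichever more general pattern now wins, and the new `/usr/share/doc(/.*)?/README.*` rule only makes sense as an override of some broader rule that labels README files otherwise; name that rule in a comment (`# overrides <pattern> in <module>.fc`) so the interaction can be checked. I cannot see the rest of files.fc or the other .fc files to tell which rule each change is working against.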
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e2b5f79..7ea2918 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1106,6 +1106,24 @@ interface(`files_getattr_all_mountpoints',`
 
 ########################################
 ## <summary>
+##	Search all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	List the contents of the root directory.
 ## </summary>
 ## <param name="domain">
@@ -1125,6 +1143,25 @@ interface(`files_list_root',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to write
+##	files in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_rw_root_dir',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create an object in the root directory, with a private
 ##	type using a type transition.
 ## </summary>
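Review bot: files_dontaudit_rw_root_dir's documentation does not match its rule: the summary says `write files in the root directory` but the rule is `dontaudit $1 root_t:dir rw_dir_perms;`, i.e. adding or removing entries in and listing /, and the parameter is described as `Domain allowed access` although nothing is allowed. Use `## Do not audit attempts to read and write the root directory (add/remove entries).` and `## Domain to not audit.`. The same parameter wording appears in several other new dontaudit interfaces in this patch.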
@@ -3107,6 +3144,24 @@ interface(`files_read_generic_tmp_files',`
 
 ########################################
 ## <summary>
+##	Manage temporary directories in /tmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`files_manage_generic_tmp_dirs',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	manage_dirs_pattern($1,tmp_t,tmp_t)
+')
+
+########################################
+## <summary>
 ##	Manage temporary files and directories in /tmp.
 ## </summary>
 ## <param name="domain">
@@ -3198,6 +3253,44 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
 
 ########################################
 ## <summary>
+##	Allow attempts to get the attributes
+##	of all tmp files. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_tmp_files',`
+	gen_require(`
+		attribute tmpfile;
+	')
+
+	allow $1 tmpfile:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all tmp sock_file. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_tmp_sockets',`
+	gen_require(`
+		attribute tmpfile;
+	')
+
+	dontaudit $1 tmpfile:sock_file getattr;
+')
+
+########################################
+## <summary>
 ##	Read all tmp files.
 ## </summary>
 ## <param name="domain">
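Review bot: files_getattr_all_tmp_files is an allow interface, yet its doc says `Allow attempts to get the attributes` and `Domain not to audit`, which reads as a copy of the dontaudit variant above; use `## Get the attributes of all tmp files.` and `## Domain allowed access.`. Both summary lines also carry trailing whitespace. Since the `tmpfile` attribute spans every module's private tmp type, callers learn the existence and metadata of other services' temporary files; reasonable for administrative tools, but the summary should say that it is not limited to the generic tmp_t.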
@@ -3323,6 +3416,24 @@ interface(`files_rw_usr_dirs',`
 
 ########################################
 ## <summary>
+##	dontaudit Add and remove entries from /usr directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_rw_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	dontaudit $1 usr_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of files in /usr.
 ## </summary>
 ## <param name="domain">
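Review bot: files_dontaudit_rw_usr_dirs documents its parameter as `Domain allowed access` although `dontaudit $1 usr_t:dir rw_dir_perms;` allows nothing; use `## Domain to not audit.` and a summary in the file's usual form, `## Do not audit attempts to add and remove entries from /usr directories.`.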
@@ -3417,6 +3528,24 @@ interface(`files_relabelto_usr_files',`
 
 ########################################
 ## <summary>
+##	Relabel a file from the type used in /usr.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelfrom_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	relabelfrom_files_pattern($1,usr_t,usr_t)
+')
+
+########################################
+## <summary>
 ##	Read symbolic links in /usr.
 ## </summary>
 ## <param name="domain">
@@ -4582,6 +4711,15 @@ interface(`files_polyinstantiate_all',`
 	# Default type for mountpoints
 	allow $1 poly_t:dir { create mounton };
 	fs_unmount_xattr_fs($1)
+
+	ifdef(`distro_redhat',`
+		# namespace.init
+		files_search_home($1)
+		corecmd_exec_bin($1)
+		seutil_domtrans_setfiles($1)
+		fs_mount_tmpfs($1)
+		fs_unmount_tmpfs($1)
+	')
 ')
 
 ########################################
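Review bot: The Red Hat block hands every caller of files_polyinstantiate_all, which are typically login and PAM domains, `seutil_domtrans_setfiles($1)`, `corecmd_exec_bin($1)` and tmpfs mount/unmount with only `# namespace.init` as rationale. A transition to setfiles_t gives a login domain the ability to relabel, so the comment should spell out what namespace.init does and which step needs each permission, e.g. `# pam_namespace runs /etc/security/namespace.init (a shell script, hence exec_bin) which mounts a tmpfs on the polyinstantiated dir and restorecons it (hence setfiles)`. The start of files_polyinstantiate_all lies outside this hunk.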
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index cb086e6..2380629 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
 
-policy_module(files,1.7.2)
+policy_module(files,1.7.3)
 
 ########################################
 #
@@ -188,6 +188,7 @@ allow file_type self:filesystem associate;
 fs_associate(file_type)
 fs_associate_noxattr(file_type)
 fs_associate_tmpfs(file_type)
+fs_associate_ramfs(file_type)
 
 ########################################
 #
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 01806d7..8a620d1 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.8.1)
+policy_module(filesystem,1.8.2)
 
 ########################################
 #
@@ -21,6 +21,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
 
 # Use xattrs for the following filesystem types.
 # Requires that a security xattr handler exist for the filesystem.
+fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
@@ -28,6 +29,7 @@ fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 
 # Use the allocating task SID to label inodes in the following filesystem
@@ -110,6 +112,7 @@ genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
 
 type ramfs_t;
 fs_type(ramfs_t)
+files_mountpoint(ramfs_t)
 genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
 
 type romfs_t;
@@ -127,6 +130,11 @@ fs_type(spufs_t)
 genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
 files_mountpoint(spufs_t)
 
+type squash_t;
+fs_type(squash_t)
+genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+files_mountpoint(squash_t)
+
 type vxfs_t;
 fs_noxattr_type(vxfs_t)
 files_mountpoint(vxfs_t)
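Review bot: `genfscon squash /` uses a filesystem name the mainline driver does not register under; SquashFS registers as `squashfs`, so this genfscon is unlikely to ever match and a mounted squashfs image would not receive squash_t. Add `genfscon squashfs / gen_context(system_u:object_r:squash_t,s0)` (keeping the existing line if some out-of-tree build really registers as `squash`), and note the reason in a comment so the apparent duplicate is not removed later.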
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 4995f99..2704cda 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -352,6 +352,24 @@ interface(`kernel_search_key',`
 
 ########################################
 ## <summary>
+##	dontaudit search the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:key search;
+')
+
+########################################
+## <summary>
 ##	Allow link to the kernel key ring.
 ## </summary>
 ## <param name="domain">
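Review bot: kernel_dontaudit_search_key documents its parameter as `Domain allowed access`, but `dontaudit $1 kernel_t:key search;` allows nothing; use `## Domain to not audit.` and the file's usual summary form `## Do not audit attempts to search the kernel key ring.`.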
@@ -370,6 +388,24 @@ interface(`kernel_link_key',`
 
 ########################################
 ## <summary>
+##	dontaudit link to the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_link_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:key link;
+')
+
+########################################
+## <summary>
 ##	Allows caller to read the ring buffer.
 ## </summary>
 ## <param name="domain">
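Review bot: kernel_dontaudit_link_key has the same doc mismatch: `Domain allowed access` on a pure dontaudit rule. Use `## Domain to not audit.` and `## Do not audit attempts to link to the kernel key ring.`.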
@@ -1867,6 +1903,27 @@ interface(`kernel_list_unlabeled',`
 
 ########################################
 ## <summary>
+##	Read the process state (/proc/pid) of all unlabeled_t.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_unlabeled_state',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir list_dir_perms;
+	read_files_pattern($1,unlabeled_t,unlabeled_t)
+	read_lnk_files_pattern($1,unlabeled_t,unlabeled_t)
+')
+
+
+########################################
+## <summary>
 ##	Do not audit attempts to list unlabeled directories.
 ## </summary>
 ## <param name="domain">
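Review bot: The summary `Read the process state (/proc/pid) of all unlabeled_t` describes a narrower grant than the rules: `read_files_pattern($1,unlabeled_t,unlabeled_t)` together with the dir and lnk rules allows reading every unlabeled_t object anywhere, including on-disk files whose label is missing or refers to a removed type, not just /proc entries. Unlabelled content is a classic way for type enforcement to be sidestepped on filesystems that were never relabelled, so the summary should read `## Read all unlabeled files, directories and symlinks (includes /proc entries of unlabeled processes).` and callers should be restricted to trusted domains. There is also a doubled blank line after the interface.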
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 3828ab4..f858edb 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.8.1)
+policy_module(kernel,1.8.2)
 
 ########################################
 #
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index d414357..c2a6e65 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -8,6 +8,7 @@
 /dev/[shmx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/bsg/.+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
 /dev/cdu.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -52,7 +53,7 @@ ifdef(`distro_redhat', `
 
 /dev/cciss/[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
-/dev/fuse		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/fuse		-c	gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
 /dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
 
 /dev/i2o/hd[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
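Review bot: Moving `/dev/fuse` off fixed_disk_device_t takes it out from under the fixed_disk_raw_read/write neverallows in storage.te, which is right since it is not a disk, but the node keeps `mls_systemhigh`. /dev/fuse is opened by user-space filesystem daemons, which on an MLS system may run at any level, so a systemhigh label will block them unless they are MLS-trusted; if that is intended add a comment, otherwise `s0` looks like the more likely context. I cannot see the non-redhat section of storage.fc to check how /dev/fuse is labelled there.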
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index b8721b2..7522e6f 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -269,6 +269,63 @@ interface(`storage_swapon_fixed_disk',`
 
 ########################################
 ## <summary>
+##	Allow the caller to get the attributes
+##	of device nodes of fuse devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_getattr_fuse_dev',`
+	gen_require(`
+		type fuse_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fuse_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	read or write fuse device interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_rw_fuse',`
+	gen_require(`
+		type fuse_device_t;
+	')
+
+	allow $1 fuse_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	fuse device interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_rw_fuse',`
+	gen_require(`
+		type fuse_device_t;
+	')
+
+	dontaudit $1 fuse_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Allow the caller to get the attributes of
 ##	the generic SCSI interface device nodes.
 ## </summary>
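Review bot: storage_rw_fuse and storage_dontaudit_rw_fuse both document the parameter as `Domain to not audit`, but storage_rw_fuse is an allow interface; use `## Domain allowed access.` there. The rule uses `rw_file_perms` on a chr_file where refpolicy's convention for device nodes is `rw_chr_file_perms`, and the names are inconsistent with storage_getattr_fuse_dev (`_fuse_dev` versus `_fuse`). storage_getattr_fuse_dev also pulls in `dev_list_all_dev_nodes($1)` just to stat one node, where search on /dev would suffice.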
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 9f01528..717cdfa 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
 
-policy_module(storage,1.4.0)
+policy_module(storage,1.4.1)
 
 ########################################
 #
@@ -23,6 +23,12 @@ neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:
 neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
 
 #
+# fuse_device_t is the type of /dev/fuse
+#
+type fuse_device_t;
+dev_node(fuse_device_t)
+
+#
 # scsi_generic_device_t is the type of /dev/sg*
 # it gives access to ALL SCSI devices (both fixed and removable)
 #
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 61ce491..9799153 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -8,6 +8,7 @@
 /dev/dcbri[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/hvc.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/hvsi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/i2c[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ircomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
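Review bot: `/dev/i2c[^/]*` is labelled tty_device_t, but /dev/i2c-* nodes are I2C bus adapter interfaces (EEPROMs, sensors, monitor DDC channels), not terminals. With this label every domain granted access to tty_device_t (login programs, getty, anything using the generic tty interfaces) can issue raw I2C transactions to hardware on the bus. These nodes belong in devices.fc under a dedicated hardware type, e.g. `/dev/i2c[^/]*  -c  gen_context(system_u:object_r:i2c_device_t,s0)` with a matching type declaration and interfaces, rather than in the terminal module.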
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index c7df3ed..1d87526 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.6.1)
+policy_module(terminal,1.6.2)
 
 ########################################
 #

