[selinux-policy: 1899/3172] trunk: 4 patches from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:49:09 UTC 2010
commit f508567646cf738d9ae1fe7b515607b738728322
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Feb 18 14:55:25 2008 +0000
trunk: 4 patches from dan.
policy/modules/admin/alsa.fc | 7 ++++++-
policy/modules/admin/alsa.if | 18 ++++++++++++++++++
policy/modules/admin/alsa.te | 26 ++++++++++++++++++--------
policy/modules/admin/brctl.te | 3 ++-
policy/modules/admin/consoletype.te | 11 +++++++----
policy/modules/admin/vpn.fc | 10 ++++++----
policy/modules/admin/vpn.if | 23 ++++++++++++++++++++++-
policy/modules/admin/vpn.te | 24 ++++++++++++++----------
8 files changed, 93 insertions(+), 29 deletions(-)
---
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index e4ca1cb..545a817 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -1,8 +1,13 @@
+/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound\.state gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 791fdaa..ffbe9bc 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -74,3 +74,21 @@ interface(`alsa_read_rw_config',`
read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
')
+
+########################################
+## <summary>
+## Read alsa lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index d329402..cc86fc3 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
-policy_module(alsa,1.3.0)
+policy_module(alsa,1.3.1)
########################################
#
@@ -8,12 +8,15 @@ policy_module(alsa,1.3.0)
type alsa_t;
type alsa_exec_t;
-application_domain(alsa_t, alsa_exec_t)
+init_system_domain(alsa_t, alsa_exec_t)
role system_r types alsa_t;
type alsa_etc_rw_t;
files_type(alsa_etc_rw_t)
+type alsa_var_lib_t;
+files_type(alsa_var_lib_t)
+
########################################
#
# Local policy
@@ -26,18 +29,28 @@ allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket create_stream_socket_perms;
allow alsa_t self:unix_dgram_socket create_socket_perms;
-manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
-manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
+manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
+manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+can_exec(alsa_t, alsa_exec_t)
+
+manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+files_search_var_lib(alsa_t)
+
kernel_read_system_state(alsa_t)
dev_read_sound(alsa_t)
dev_write_sound(alsa_t)
+corecmd_exec_bin(alsa_t)
+
files_search_home(alsa_t)
files_read_etc_files(alsa_t)
+auth_use_nsswitch(alsa_t)
+
libs_use_ld_so(alsa_t)
libs_use_shared_libs(alsa_t)
@@ -48,10 +61,7 @@ miscfiles_read_localization(alsa_t)
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_generic_user_home_dirs(alsa_t)
-
-optional_policy(`
- nscd_socket_use(alsa_t)
-')
+userdom_dontaudit_search_sysadm_home_dirs(alsa_t)
optional_policy(`
hal_use_fds(alsa_t)
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 4fc4b6b..403e639 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -1,4 +1,4 @@
-policy_module(brctl,1.1.0)
+policy_module(brctl,1.1.1)
########################################
#
@@ -40,4 +40,5 @@ miscfiles_read_localization(brctl_t)
optional_policy(`
xen_append_log(brctl_t)
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
')
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 64ae1ba..5e5ea15 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -1,5 +1,5 @@
-policy_module(consoletype,1.5.0)
+policy_module(consoletype,1.5.1)
########################################
#
@@ -42,13 +42,12 @@ fs_write_nfs_files(consoletype_t)
mls_file_read_all_levels(consoletype_t)
mls_file_write_all_levels(consoletype_t)
-term_use_console(consoletype_t)
-term_use_unallocated_ttys(consoletype_t)
+term_use_all_terms(consoletype_t)
init_use_fds(consoletype_t)
init_use_script_ptys(consoletype_t)
init_use_script_fds(consoletype_t)
-init_write_script_pipes(consoletype_t)
+init_rw_script_pipes(consoletype_t)
domain_use_interactive_fds(consoletype_t)
@@ -88,6 +87,10 @@ optional_policy(`
')
optional_policy(`
+ hotplug_dontaudit_use_fds(consoletype_t)
+')
+
+optional_policy(`
logrotate_dontaudit_use_fds(consoletype_t)
')
diff --git a/policy/modules/admin/vpn.fc b/policy/modules/admin/vpn.fc
index e323978..7409148 100644
--- a/policy/modules/admin/vpn.fc
+++ b/policy/modules/admin/vpn.fc
@@ -1,9 +1,11 @@
#
-# /usr
+# sbin
#
-/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
#
-# sbin
+# /usr
#
-/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index 76916e1..795cbfa 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -15,7 +15,7 @@ interface(`vpn_domtrans',`
type vpnc_t, vpnc_exec_t;
')
- domtrans_pattern($1,vpnc_exec_t,vpnc_t)
+ domtrans_pattern($1, vpnc_exec_t,vpnc_t)
')
########################################
@@ -67,3 +67,24 @@ interface(`vpn_signal',`
allow $1 vpnc_t:process signal;
')
+
+########################################
+## <summary>
+## Send and receive messages from
+## Vpnc over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpnc_dbus_chat',`
+ gen_require(`
+ type vpnc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 vpnc_t:dbus send_msg;
+ allow vpnc_t $1:dbus send_msg;
+')
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index e498970..c74cfbe 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
-policy_module(vpn,1.7.0)
+policy_module(vpn,1.7.1)
########################################
#
@@ -8,7 +8,7 @@ policy_module(vpn,1.7.0)
type vpnc_t;
type vpnc_exec_t;
-application_domain(vpnc_t,vpnc_exec_t)
+application_domain(vpnc_t, vpnc_exec_t)
role system_r types vpnc_t;
type vpnc_tmp_t;
@@ -22,10 +22,9 @@ files_pid_file(vpnc_var_run_t)
# Local policy
#
-allow vpnc_t self:capability { net_admin ipc_lock net_raw };
+allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
allow vpnc_t self:process getsched;
allow vpnc_t self:fifo_file { getattr ioctl read write };
-allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
allow vpnc_t self:tcp_socket create_stream_socket_perms;
allow vpnc_t self:udp_socket create_socket_perms;
allow vpnc_t self:rawip_socket create_socket_perms;
@@ -34,12 +33,13 @@ allow vpnc_t self:unix_stream_socket create_socket_perms;
# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;
-manage_dirs_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
-manage_files_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
+manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
+manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
-manage_files_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t)
-files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
+manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
@@ -59,6 +59,7 @@ corenet_udp_sendrecv_all_ports(vpnc_t)
corenet_udp_bind_all_nodes(vpnc_t)
corenet_udp_bind_generic_port(vpnc_t)
corenet_udp_bind_isakmp_port(vpnc_t)
+corenet_udp_bind_ipsecnat_port(vpnc_t)
corenet_tcp_connect_all_ports(vpnc_t)
corenet_sendrecv_all_client_packets(vpnc_t)
corenet_sendrecv_isakmp_server_packets(vpnc_t)
@@ -69,6 +70,8 @@ dev_read_rand(vpnc_t)
dev_read_urand(vpnc_t)
dev_read_sysfs(vpnc_t)
+domain_use_interactive_fds(vpnc_t)
+
fs_getattr_xattr_fs(vpnc_t)
fs_getattr_tmpfs(vpnc_t)
@@ -92,13 +95,14 @@ libs_use_shared_libs(vpnc_t)
locallogin_use_fds(vpnc_t)
logging_send_syslog_msg(vpnc_t)
+logging_dontaudit_search_logs(vpnc_t)
miscfiles_read_localization(vpnc_t)
seutil_dontaudit_search_config(vpnc_t)
seutil_use_newrole_fds(vpnc_t)
-sysnet_exec_ifconfig(vpnc_t)
+sysnet_domtrans_ifconfig(vpnc_t)
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
@@ -106,7 +110,7 @@ userdom_use_all_users_fds(vpnc_t)
userdom_dontaudit_search_all_users_home_content(vpnc_t)
optional_policy(`
- dbus_system_bus_client_template(vpnc,vpnc_t)
+ dbus_system_bus_client_template(vpnc, vpnc_t)
optional_policy(`
networkmanager_dbus_chat(vpnc_t)
More information about the scm-commits
mailing list