[selinux-policy: 2007/3172] trunk: kudzu and mta patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:58:19 UTC 2010


commit 36095d11ce3522964912cc05f8e23ea29c55443f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Sep 12 14:18:20 2008 +0000

    trunk: kudzu and mta patches from dan.

 policy/modules/admin/kudzu.te      |    9 ++++--
 policy/modules/services/courier.te |    4 +-
 policy/modules/services/mta.fc     |    1 +
 policy/modules/services/mta.if     |   50 ++++++++++++++++++++++++++++++------
 policy/modules/services/mta.te     |   14 +++++++---
 policy/modules/system/init.if      |   40 ++++++++++++++++++++++++++++
 policy/modules/system/init.te      |    2 +-
 policy/modules/system/modutils.if  |   21 +++++++++++++++
 policy/modules/system/modutils.te  |    2 +-
 9 files changed, 124 insertions(+), 19 deletions(-)
---
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index ec78261..61bd502 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
 
-policy_module(kudzu, 1.6.1)
+policy_module(kudzu, 1.6.2)
 
 ########################################
 #
@@ -21,8 +21,8 @@ files_pid_file(kudzu_var_run_t)
 # Local policy
 #
 
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
+allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
 allow kudzu_t self:process { signal_perms execmem };
 allow kudzu_t self:fifo_file rw_fifo_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
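Review bot: `sys_ptrace` moves from the `dontaudit` rule to the `allow` rule for `kudzu_t` with no comment on why a hardware-probing domain needs to trace processes, and the later kudzu.te hunk adds `init_ptrace(kudzu_t)`, which extends this to PID 1. A domain that may ptrace init can read and alter its memory, so a compromise of kudzu would reach well beyond `kudzu_t`. If the denials came only from reading /proc entries, `init_read_state(kudzu_t)` with `sys_ptrace` kept under `dontaudit` may be enough; that is worth checking against the AVC log. Otherwise add a comment naming the kudzu operation that needs it, in the style of the existing `# kudzu will telinit ...` comment.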
@@ -68,6 +68,7 @@ mls_file_write_all_levels(kudzu_t)
 modutils_read_module_deps(kudzu_t)
 modutils_read_module_config(kudzu_t)
 modutils_rename_module_config(kudzu_t)
+modutils_delete_module_config(kudzu_t)
 
 storage_read_scsi_generic(kudzu_t)
 storage_read_tape(kudzu_t)
@@ -103,6 +104,8 @@ files_dontaudit_search_isid_type_dirs(kudzu_t)
 init_use_fds(kudzu_t)
 init_use_script_ptys(kudzu_t)
 init_stream_connect_script(kudzu_t)
+init_read_state(kudzu_t)
+init_ptrace(kudzu_t)
 # kudzu will telinit to make init re-read
 # the inittab after configuring serial consoles
 init_telinit(kudzu_t)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 213bebf..9a70378 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
 
-policy_module(courier, 1.5.1)
+policy_module(courier, 1.5.2)
 
 ########################################
 #
@@ -27,7 +27,7 @@ type courier_var_run_t;
 files_pid_file(courier_var_run_t)
 
 type courier_exec_t;
-files_type(courier_exec_t)
+mta_agent_executable(courier_exec_t)
 
 courier_domain_template(sqwebmail)
 typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
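Review bot: Replacing `files_type(courier_exec_t)` with `mta_agent_executable(courier_exec_t)` adds the type to `mta_exec_type`. The mta.if hunk for `mta_send_mail` then transitions every caller into `system_mail_t` on executing any `mta_exec_type` file, and mta.te grants the matching `entrypoint`. The file contexts for `courier_exec_t` are not part of this diff, so confirm the label covers only the sendmail-compatible submission binary; any other Courier program carrying it would also run as `system_mail_t` when started by those callers. Once confirmed, a one-line comment above the call stating which binary is meant would record the intent.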
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 3bd68bb..16ec200 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -1,3 +1,4 @@
+/bin/mail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /etc/aliases		--	gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 7399a58..a47a55d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -311,6 +311,44 @@ interface(`mta_mailserver',`
 
 ########################################
 ## <summary>
+##	Make the specified type a MTA executable file.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a mail client.
+##	</summary>
+## </param>
+#
+interface(`mta_agent_executable',`
+	gen_require(`
+		attribute mta_exec_type;
+	')
+
+	typeattribute $1 mta_exec_type;
+
+	application_executable_file($1)
+')
+
+########################################
+## <summary>
+##	Make the specified type by a system MTA.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a mail client.
+##	</summary>
+## </param>
+#
+interface(`mta_system_content',`
+	gen_require(`
+		attribute mailcontent_type;
+	')
+
+	typeattribute $1 mailcontent_type;
+')
+
+########################################
+## <summary>
 ##	Modified mailserver interface for
 ##	sendmail daemon use.
 ## </summary>
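Review bot: The doc blocks of the two new interfaces are inaccurate: the `mta_system_content` summary `Make the specified type by a system MTA.` is not a sentence, and both `<param>` descriptions say `Type to be used as a mail client.` although neither interface defines a mail client. Suggested wording for `mta_agent_executable` is the param text `Type of the executable file used to enter the system mail domain.` For `mta_system_content`, use the summary `Make the specified type readable by the system MTA.` and the param text `Type of the file the system mail domain may read.` That matches what the mta.te hunk grants: `entrypoint` on `mta_exec_type` and `read_file_perms` on `mailcontent_type`.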
@@ -440,16 +478,12 @@ interface(`mta_mailserver_user_agent',`
 interface(`mta_send_mail',`
 	gen_require(`
 		attribute mta_user_agent;
-		type system_mail_t, sendmail_exec_t;
+		type system_mail_t;
+		attribute mta_exec_type;
 	')
 
-	allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
-	domain_auto_trans($1, sendmail_exec_t, system_mail_t)
-
-	allow $1 system_mail_t:fd use;
-	allow system_mail_t $1:fd use;
-	allow system_mail_t $1:fifo_file rw_file_perms;
-	allow system_mail_t $1:process sigchld;
+	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+	domtrans_pattern($1, mta_exec_type, system_mail_t)
 
 	allow mta_user_agent $1:fd use;
 	allow mta_user_agent $1:process sigchld;
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index f31347d..a0f10f8 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,11 +1,13 @@
 
-policy_module(mta, 1.10.0)
+policy_module(mta, 1.10.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute mailcontent_type;
+attribute mta_exec_type;
 attribute mta_user_agent;
 attribute mailserver_delivery;
 attribute mailserver_domain;
@@ -20,13 +22,13 @@ type etc_mail_t;
 files_config_file(etc_mail_t)
 
 type mqueue_spool_t;
-files_type(mqueue_spool_t)
+files_mountpoint(mqueue_spool_t)
 
 type mail_spool_t;
-files_type(mail_spool_t)
+files_mountpoint(mail_spool_t)
 
 type sendmail_exec_t;
-application_executable_file(sendmail_exec_t)
+mta_agent_executable(sendmail_exec_t)
 
 mta_base_mail_template(system)
 role system_r types system_mail_t;
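Review bot: `mqueue_spool_t` and `mail_spool_t` change from `files_type` to `files_mountpoint` with no comment, so the reason for allowing file systems to be mounted on the spool directories is lost. Judging by the macro name, this widens what mount-capable domains may do with these types. A short comment above each call, for example `# spool may be a separate file system`, would keep a later cleanup from reverting it, if that is indeed the reason.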
@@ -41,6 +43,10 @@ allow system_mail_t self:capability { dac_override };
 
 read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
 
+allow system_mail_t mta_exec_type:file entrypoint;
+
+allow system_mail_t mailcontent_type:file read_file_perms;
+
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
 
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3cdd56a..e6e831c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -731,6 +731,46 @@ interface(`init_run_daemon',`
 	dontaudit direct_init $3:chr_file rw_file_perms;
 ')
 
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_state',`
+	gen_require(`
+		attribute init_t;
+	')
+
+	allow $1 init_t:dir search_dir_perms;
+	allow $1 init_t:file read_file_perms;
+	allow $1 init_t:lnk_file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Ptrace init
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_ptrace',`
+	gen_require(`
+		attribute init_t;
+	')
+
+	allow $1 init_t:process ptrace;
+')
+
 ########################################
 ## <summary>
 ##	Write an init script unnamed pipe.
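Review bot: Both new interfaces require `attribute init_t;`, but `init_t` is presumably declared as a type in init.te (not shown here), in which case the require in `init_read_state` and `init_ptrace` should read `type init_t;`. In `init_read_state` the `lnk_file` rule uses the file permission set; `allow $1 init_t:lnk_file read_lnk_file_perms;` matches the class, as the mta.if hunk in this commit does for its own `lnk_file` rule. `init_ptrace` gives the caller control over PID 1, so its summary `Ptrace init` deserves a sentence saying so. The extra blank line before the first banner can be dropped.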
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ebc586d..751a0f7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init, 1.11.2)
+policy_module(init, 1.11.3)
 
 gen_require(`
 	class passwd rootok;
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 095bd1e..73b4e08 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -66,6 +66,25 @@ interface(`modutils_rename_module_config',`
 
 ########################################
 ## <summary>
+##	Unlink a file with the configuration options used when
+##	loading modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_delete_module_config',`
+	gen_require(`
+		type modules_conf_t;
+	')
+
+	allow $1 modules_conf_t:file unlink;
+')
+
+########################################
+## <summary>
 ##	Unconditionally execute insmod in the insmod domain.
 ## </summary>
 ## <param name="domain">
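Review bot: `modutils_delete_module_config` grants only `unlink` on `modules_conf_t` files, while removing a file also needs search, write and remove_name on the containing directory, which this interface leaves to the caller. The directory's type is not visible in this hunk, so either state in the summary that the caller must already hold that directory access, or grant it here through a delete pattern that takes the directory type. The summary would also read more clearly as `Delete the configuration file used when loading modules.`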
@@ -275,6 +294,8 @@ interface(`modutils_run_update_mods',`
 	modutils_domtrans_update_mods($1)
 	role $2 types update_modules_t;
 	allow update_modules_t $3:chr_file rw_term_perms;
+
+	modutils_run_insmod(update_modules_t, $2, $3)
 ')
 
 ########################################
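Review bot: The added `modutils_run_insmod(update_modules_t, $2, $3)` makes `modutils_run_update_mods` also hand out the insmod transition to `update_modules_t` and, judging by the `_run_` naming and the role argument, associates the insmod domain with role `$2`. Every existing caller of `modutils_run_update_mods` gains that without any change on its side. The interface's doc block starts outside this hunk and should mention the new reach, and a comment above the call saying why update_modules_t needs insmod would help. Confirm that no caller passes a role that should not be able to reach the insmod domain.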
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 34279f5..9fd705d 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
 
-policy_module(modutils, 1.7.0)
+policy_module(modutils, 1.7.1)
 
 gen_require(`
 	bool secure_mode_insmod;

