[selinux-policy: 1979/3172] trunk: 11 more cherry picks from fedora policy, by david hardeman.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:55:56 UTC 2010


commit 8a948caf2b88f6249a6b94c09e13ee46cf2e0964
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Aug 7 14:17:50 2008 +0000

    trunk: 11 more cherry picks from fedora policy, by david hardeman.

 Changelog                            |    2 +-
 policy/modules/admin/amanda.fc       |    1 +
 policy/modules/admin/amanda.te       |    9 ++++++---
 policy/modules/admin/anaconda.te     |   12 +++++-------
 policy/modules/admin/kismet.te       |    4 ++--
 policy/modules/admin/netutils.if     |   18 ++++++++++++++++++
 policy/modules/admin/netutils.te     |    2 +-
 policy/modules/apps/usernetctl.if    |    5 +++++
 policy/modules/apps/usernetctl.te    |    8 +++++++-
 policy/modules/kernel/storage.fc     |    2 ++
 policy/modules/kernel/storage.if     |   20 ++++++++++++++++++++
 policy/modules/kernel/storage.te     |    2 +-
 policy/modules/services/fetchmail.te |    4 ++--
 policy/modules/services/oav.te       |    6 +++---
 policy/modules/services/ricci.te     |    3 ++-
 policy/modules/services/rsync.fc     |    4 ++++
 policy/modules/services/rsync.te     |   12 +++++++-----
 policy/modules/services/stunnel.if   |   24 ++++++++++++++++++++++++
 policy/modules/services/stunnel.te   |    4 ++--
 policy/modules/system/hotplug.te     |    3 ++-
 20 files changed, 115 insertions(+), 30 deletions(-)
---
diff --git a/Changelog b/Changelog
index 23fab1a..3cd8425 100644
--- a/Changelog
+++ b/Changelog
@@ -3,7 +3,7 @@
   Carter.
 - Database labeled networking update from KaiGai Kohei.
 - Several misc changes from the Fedora policy, cherry picked by David
-  Hrdeman.
+  Hardeman.
 - Large whitespace fix from Dominick Grift.
 - Pam_mount fix for local login from Stefan Schulze Frielinghaus.
 - Issuing commands to upstart is over a datagram socket, not the initctl
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index 74ebff5..3006bff 100644
--- a/policy/modules/admin/amanda.fc
+++ b/policy/modules/admin/amanda.fc
@@ -3,6 +3,7 @@
 /etc/amanda/.*/tapelist(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
 /etc/amandates				gen_context(system_u:object_r:amanda_amandates_t,s0)
 /etc/dumpdates				gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+/etc/amanda/.*/index(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
 
 /root/restore			-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
 
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index fc0672b..5d6087d 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
 
-policy_module(amanda, 1.9.0)
+policy_module(amanda, 1.9.1)
 
 #######################################
 #
@@ -82,8 +82,9 @@ allow amanda_t amanda_amandates_t:file { getattr lock read write };
 allow amanda_t amanda_config_t:file { getattr read };
 
 # access to amandas data structure
-allow amanda_t amanda_data_t:dir { read search write };
-allow amanda_t amanda_data_t:file manage_file_perms;
+manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 
 # access to amanda_dumpdates_t
 allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
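Review bot: `filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })` is an unnamed transition, so every file or directory amanda_t creates inside an amanda_config_t directory becomes amanda_data_t, which is only right if amanda never creates genuine configuration files there. A why-comment above the line would help the next reader, e.g. `# index/tapelist data is created under the (presumably amanda_config_t) /etc/amanda tree; see amanda.fc`. Note also that swapping the explicit `{ read search write }` / `manage_file_perms` rules for the manage_*_pattern macros newly grants create, unlink and rename on amanda_data_t directories, which the commit message does not mention.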
@@ -146,6 +147,8 @@ fs_getattr_xattr_fs(amanda_t)
 fs_list_all(amanda_t)
 
 storage_raw_read_fixed_disk(amanda_t)
+storage_read_tape(amanda_t)
+storage_write_tape(amanda_t)
 
 # Added for targeted policy
 term_use_unallocated_ttys(amanda_t)
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index 626acf4..3ce6be8 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
@@ -1,5 +1,5 @@
 
-policy_module(anaconda, 1.3.0)
+policy_module(anaconda, 1.3.1)
 
 ########################################
 #
@@ -32,15 +32,9 @@ modutils_domtrans_insmod(anaconda_t)
 
 seutil_domtrans_semanage(anaconda_t)
 
-unconfined_domain(anaconda_t)
-
 unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
-	dmesg_domtrans(anaconda_t)
-')
-
-optional_policy(`
 	kudzu_domtrans(anaconda_t)
 ')
 
@@ -58,5 +52,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_domain(anaconda_t)
+')
+
+optional_policy(`
 	usermanage_domtrans_admin_passwd(anaconda_t)
 ')
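Review bot: Wrapping `unconfined_domain(anaconda_t)` in optional_policy is correct for builds without the unconfined module, but the same file drops the `dmesg_domtrans(anaconda_t)` block (the @@ -32 hunk above) without a replacement or an explanation. While unconfined_domain is present the loss is invisible; on a build where it is absent anaconda silently loses the dmesg transition. If the removal is deliberate, a one-line note in the commit message or Changelog stating why would avoid this being re-added as a "fix" later.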
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index 57c94e8..92c9db8 100644
--- a/policy/modules/admin/kismet.te
+++ b/policy/modules/admin/kismet.te
@@ -1,5 +1,5 @@
 
-policy_module(kismet, 1.0.1)
+policy_module(kismet, 1.0.2)
 
 ########################################
 #
@@ -25,7 +25,7 @@ logging_log_file(kismet_log_t)
 # kismet local policy
 #
 
-allow kismet_t self:capability { net_admin setuid setgid };
+allow kismet_t self:capability { net_admin net_raw setuid setgid };
 allow kismet_t self:packet_socket create_socket_perms;
 
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
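Review bot: The new `net_raw` capability is presumably there because the `self:packet_socket create_socket_perms` rule on the next line cannot be exercised without CAP_NET_RAW, but nothing in the file says so. A short comment on the changed line, such as `# net_raw: packet_socket creation requires CAP_NET_RAW`, would tie the two rules together and stop a future cleanup from dropping one without the other.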
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index 0f65859..0e3fd06 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -70,6 +70,24 @@ interface(`netutils_exec',`
 
 ########################################
 ## <summary>
+##	Send generic signals to network utilities.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`netutils_signal',`
+	gen_require(`
+		type netutils_t;
+	')
+
+	allow $1 netutils_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute ping in the ping domain.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index d61c1e0..506b222 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
 
-policy_module(netutils, 1.6.0)
+policy_module(netutils, 1.6.1)
 
 ########################################
 #
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
index 166724b..2dbc328 100644
--- a/policy/modules/apps/usernetctl.if
+++ b/policy/modules/apps/usernetctl.if
@@ -63,4 +63,9 @@ interface(`usernetctl_run',`
 	optional_policy(`
 		modutils_run_insmod(usernetctl_t, $2, $3)
 	')
+
+
+	optional_policy(`
+		ppp_run(usernetctl_t,$2,$3)
+	')
 ')
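Review bot: The added `ppp_run(usernetctl_t,$2,$3)` call omits the spaces after commas that the existing `modutils_run_insmod(usernetctl_t, $2, $3)` block directly above uses, and two blank lines are inserted where the file otherwise uses one. Suggest `ppp_run(usernetctl_t, $2, $3)` with a single separating blank line. The enclosing usernetctl_run interface starts outside this hunk.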
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index 4f9a4f6..49cbf29 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -1,5 +1,5 @@
 
-policy_module(usernetctl, 1.3.0)
+policy_module(usernetctl, 1.3.1)
 
 ########################################
 #
@@ -49,15 +49,21 @@ files_read_usr_files(usernetctl_t)
 
 fs_search_auto_mountpoints(usernetctl_t)
 
+auth_use_nsswitch(usernetctl_t)
+
 libs_use_ld_so(usernetctl_t)
 libs_use_shared_libs(usernetctl_t)
 
+logging_send_syslog_msg(usernetctl_t)
+
 miscfiles_read_localization(usernetctl_t)
 
 seutil_read_config(usernetctl_t)
 
 sysnet_read_config(usernetctl_t)
 
+term_search_ptys(usernetctl_t)
+
 optional_policy(`
 	hostname_exec(usernetctl_t)
 ')
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index af07b7a..3a63d3a 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -13,6 +13,7 @@
 /dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/dm-[0-9]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/drbd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/fd[^/]+		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
@@ -48,6 +49,7 @@ ifdef(`distro_redhat', `
 /dev/tw[a-z][^/]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
 /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/vd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/xvd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
 /dev/ataraid/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 2b05767..63e7842 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -81,6 +81,26 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
 
 ########################################
 ## <summary>
+##	dontaudit the caller attempts to read from a fixed disk.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_raw_read_fixed_disk',`
+	gen_require(`
+		attribute fixed_disk_raw_read;
+		type fixed_disk_device_t;
+	')
+
+	dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+	dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Allow the caller to directly read from a fixed disk.
 ##	This is extremly dangerous as it can bypass the
 ##	SELinux protections for filesystem objects, and
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 864e111..75524d9 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
 
-policy_module(storage, 1.6.0)
+policy_module(storage, 1.6.1)
 
 ########################################
 #
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index b534aca..ff04fb2 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
 
-policy_module(fetchmail, 1.6.0)
+policy_module(fetchmail, 1.6.1)
 
 ########################################
 #
@@ -14,7 +14,7 @@ type fetchmail_var_run_t;
 files_pid_file(fetchmail_var_run_t)
 
 type fetchmail_etc_t;
-files_type(fetchmail_etc_t)
+files_config_file(fetchmail_etc_t)
 
 type fetchmail_uidl_cache_t;
 files_type(fetchmail_uidl_cache_t)
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index 2c93c85..bf24c47 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -1,5 +1,5 @@
 
-policy_module(oav, 1.6.0)
+policy_module(oav, 1.6.1)
 
 ########################################
 #
@@ -12,7 +12,7 @@ application_domain(oav_update_t, oav_update_exec_t)
 
 # cjp: may be collapsable to etc_t
 type oav_update_etc_t;
-files_type(oav_update_etc_t)
+files_config_file(oav_update_etc_t)
 
 type oav_update_var_lib_t;
 files_type(oav_update_var_lib_t)
@@ -22,7 +22,7 @@ type scannerdaemon_exec_t;
 init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t)
 
 type scannerdaemon_etc_t;
-files_type(scannerdaemon_etc_t)
+files_config_file(scannerdaemon_etc_t)
 
 type scannerdaemon_log_t;
 logging_log_file(scannerdaemon_log_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index dc94414..3ee2dd7 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -1,5 +1,5 @@
 
-policy_module(ricci, 1.3.0)
+policy_module(ricci, 1.3.1)
 
 ########################################
 #
@@ -443,6 +443,7 @@ kernel_read_system_state(ricci_modstorage_t)
 create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
 files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
 
+corecmd_exec_shell(ricci_modstorage_t)
 corecmd_exec_bin(ricci_modstorage_t)
 
 dev_read_sysfs(ricci_modstorage_t)
diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc
index 231149a..503812f 100644
--- a/policy/modules/services/rsync.fc
+++ b/policy/modules/services/rsync.fc
@@ -1,2 +1,6 @@
 
 /usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync\.log      --	gen_context(system_u:object_r:rsync_log_t,s0)
+
+/var/run/rsyncd\.lock      --	gen_context(system_u:object_r:rsync_log_t,s0)
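Review bot: `/var/run/rsyncd\.lock` is labeled rsync_log_t although it is a lock file under /var/run rather than a log; rsync.te already declares rsync_var_run_t with files_pid_file (visible in the @@ -42 hunk header of this diff), so `/var/run/rsyncd\.lock	--	gen_context(system_u:object_r:rsync_var_run_t,s0)` looks like the intended label. With the current label the lock file inherits log-type semantics and becomes reachable by any domain granted access to rsync logs. The two new entries also use runs of spaces before `--` where the existing line uses tabs.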
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 371d6bc..d7547bb 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
 
-policy_module(rsync, 1.6.0)
+policy_module(rsync, 1.6.1)
 
 ########################################
 #
@@ -31,6 +31,9 @@ role system_r types rsync_t;
 type rsync_data_t;
 files_type(rsync_data_t)
 
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
 type rsync_tmp_t;
 files_tmp_file(rsync_tmp_t)
 
@@ -42,7 +45,7 @@ files_pid_file(rsync_var_run_t)
 # Local policy
 #
 
-allow rsync_t self:capability sys_chroot;
+allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
 allow rsync_t self:process signal_perms;
 allow rsync_t self:fifo_file rw_fifo_file_perms;
 allow rsync_t self:tcp_socket create_stream_socket_perms;
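Review bot: `dac_override` is now granted to rsync_t unconditionally on the changed capability line, whereas the line removed from the rsync_export_all_ro tunable block later in this diff (the @@ -117 hunk) only granted it when that tunable was enabled; this silently widens what a compromised rsync daemon can read and write regardless of the administrator's setting. `dac_read_search` is likewise new and not mentioned in the commit message. If the intent was only to fold in the duplicate `{ setuid setgid }` line from the identd section, this line should be `allow rsync_t self:capability { setuid setgid sys_chroot };` with the tunable-gated dac_override rule left in place, or a comment should explain why unconditional DAC bypass is required.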
@@ -52,7 +55,6 @@ allow rsync_t self:udp_socket connected_socket_perms;
 # cjp: this should probably only be inetd_child_t rules?
 # search home and kerberos also.
 allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rsync_t self:capability { setuid setgid };
 #end for identd
 
 allow rsync_t rsync_data_t:dir list_dir_perms;
@@ -95,7 +97,8 @@ libs_use_ld_so(rsync_t)
 libs_use_shared_libs(rsync_t)
 
 logging_send_syslog_msg(rsync_t)
-logging_dontaudit_search_logs(rsync_t)
+manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
+logging_log_filetrans(rsync_t,rsync_log_t,file)
 
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
@@ -117,7 +120,6 @@ optional_policy(`
 ')
 
 tunable_policy(`rsync_export_all_ro',`
-	allow rsync_t self:capability dac_override;
 	fs_read_noxattr_fs_files(rsync_t) 
 	auth_read_all_files_except_shadow(rsync_t)
 ')
diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if
index d137c27..6073656 100644
--- a/policy/modules/services/stunnel.if
+++ b/policy/modules/services/stunnel.if
@@ -1 +1,25 @@
 ## <summary>SSL Tunneling Proxy</summary>
+
+########################################
+## <summary>
+##	Define the specified domain as a stunnel inetd service.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type associated with the stunnel inetd service process.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type associated with the process program.
+##	</summary>
+## </param>
+#
+interface(`stunnel_service_domain',`
+	gen_require(`
+		type stunnel_t;
+	')
+
+	domtrans_pattern(stunnel_t,$2,$1)
+	allow $1 stunnel_t:tcp_socket rw_socket_perms;
+')
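Review bot: `domtrans_pattern(stunnel_t,$2,$1)` omits the spaces after commas used elsewhere in this commit's interface code (compare netutils_signal in netutils.if); suggest `domtrans_pattern(stunnel_t, $2, $1)`. It would also help callers to state in the interface summary that, beyond the transition from stunnel_t, the service domain is given read/write access to the socket stunnel hands it, which is what the `allow $1 stunnel_t:tcp_socket rw_socket_perms;` line does.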
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 9c281fa..c0a3e97 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
 
-policy_module(stunnel, 1.6.0)
+policy_module(stunnel, 1.6.1)
 
 ########################################
 #
@@ -20,7 +20,7 @@ ifdef(`distro_gentoo',`
 ')
 
 type stunnel_etc_t;
-files_type(stunnel_etc_t)
+files_config_file(stunnel_etc_t)
 
 type stunnel_tmp_t;
 files_tmp_file(stunnel_tmp_t)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 8c53f6e..1aaee04 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
 
-policy_module(hotplug, 1.9.0)
+policy_module(hotplug, 1.9.1)
 
 ########################################
 #
@@ -121,6 +121,7 @@ ifdef(`distro_redhat', `
 	optional_policy(`
 		# for arping used for static IP addresses on PCMCIA ethernet
 		netutils_domtrans(hotplug_t)
+		netutils_signal(hotplug_t)
 		fs_rw_tmpfs_chr_files(hotplug_t)
 	')
 	files_getattr_generic_locks(hotplug_t)

