[selinux-policy: 1986/3172] trunk: 6 patches from the fedora policy, cherry picked by david hardeman.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:56:32 UTC 2010 

commit 3e59876583f477157022a9b3bfa32a4b6c2c7b3b
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Aug 14 14:19:50 2008 +0000

    trunk: 6 patches from the fedora policy, cherry picked by david hardeman.

 policy/modules/admin/bootloader.if |    5 ++
 policy/modules/admin/bootloader.te |    6 ++-
 policy/modules/admin/kudzu.te      |   26 +------------
 policy/modules/services/courier.fc |    2 +
 policy/modules/services/courier.if |   74 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/courier.te |    7 ++-
 policy/modules/services/rdisc.te   |    4 +-
 policy/modules/services/rpc.te     |   33 ++++++++++------
 policy/modules/system/getty.fc     |    4 +-
 policy/modules/system/getty.te     |    3 +-
 10 files changed, 121 insertions(+), 43 deletions(-)
---
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 1b14ab6..e083200 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -49,6 +49,11 @@ interface(`bootloader_run',`
 
 	role $2 types bootloader_t;
 	allow bootloader_t $3:chr_file rw_term_perms;
+
+	ifdef(`distro_redhat',`
+		# for mke2fs
+		mount_run(bootloader_t, $2, $3)
+	')
 ')
 
 ########################################
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 27b1658..bc86203 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
 
-policy_module(bootloader, 1.8.0)
+policy_module(bootloader, 1.8.1)
 
 ########################################
 #
@@ -172,6 +172,10 @@ ifdef(`distro_redhat',`
 
 	# for mke2fs
 	mount_domtrans(bootloader_t)
+
+	optional_policy(`
+		unconfined_domain(bootloader_t)
+	')
 ')
 
 optional_policy(`
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index b641523..ec78261 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
 
-policy_module(kudzu, 1.6.0)
+policy_module(kudzu, 1.6.1)
 
 ########################################
 #
@@ -143,28 +143,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# cjp: this was originally in the else block
-	# of ifdef userhelper.te, but it seems to
-	# make more sense here.  also, require
-	# blocks curently do not work in the
-	# else block of optionals
+	unconfined_domtrans(kudzu_t)
 	unconfined_domain(kudzu_t)
 ')
-
-ifdef(`TODO',`
-allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`
-	allow kudzu_t printconf_t:file { getattr read };
-')
-optional_policy(`
-	allow kudzu_t xserver_exec_t:file getattr;
-')
-optional_policy(`
-	allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-optional_policy(`
-	role system_r types sysadm_userhelper_t;
-	domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms;
-')
diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
index 3009c73..7a91fd2 100644
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@@ -19,3 +19,5 @@
 /var/lib/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_lib_t,s0)
 
 /var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
+
+/var/spool/courier(/.*)?			gen_context(system_u:object_r:courier_spool_t,s0)
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
index 18ca6f9..88f0170 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@@ -123,3 +123,77 @@ interface(`courier_domtrans_pop',`
 
 	domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
 ')
+
+########################################
+## <summary>
+##	Read courier config files
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_read_config',`
+	gen_require(`
+		type courier_etc_t;
+	')
+
+	read_files_pattern($1, courier_etc_t, courier_etc_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete courier
+##	spool directories.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_manage_spool_dirs',`
+	gen_require(`
+		type courier_spool_t;
+	')
+
+	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete courier
+##	spool files.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_manage_spool_files',`
+	gen_require(`
+		type courier_spool_t;
+	')
+
+	manage_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+##	Read and write to courier spool pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`courier_rw_spool_pipes',`
+	gen_require(`
+		type courier_spool_t;
+	')
+
+	allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 664c227..213bebf 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
 
-policy_module(courier, 1.5.0)
+policy_module(courier, 1.5.1)
 
 ########################################
 #
@@ -9,12 +9,15 @@ policy_module(courier, 1.5.0)
 courier_domain_template(authdaemon)
 
 type courier_etc_t;
-files_type(courier_etc_t)
+files_config_file(courier_etc_t)
 
 courier_domain_template(pcp)
 
 courier_domain_template(pop)
 
+type courier_spool_t;
+files_type(courier_spool_t)
+
 courier_domain_template(tcpd)
 
 type courier_var_lib_t;
diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te
index 10b72b0..e1db9f0 100644
--- a/policy/modules/services/rdisc.te
+++ b/policy/modules/services/rdisc.te
@@ -1,5 +1,5 @@
 
-policy_module(rdisc, 1.5.0)
+policy_module(rdisc, 1.5.1)
 
 ########################################
 #
@@ -47,6 +47,8 @@ libs_use_shared_libs(rdisc_t)
 
 logging_send_syslog_msg(rdisc_t)
 
+miscfiles_read_localization(rdisc_t)
+
 sysnet_read_config(rdisc_t)
 
 userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index f35086c..32dad66 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
 
-policy_module(rpc, 1.8.0)
+policy_module(rpc, 1.8.1)
 
 ########################################
 #
@@ -62,22 +62,23 @@ files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)
 
 # rpc.statd executes sm-notify
 can_exec(rpcd_t, rpcd_exec_t)
-corecmd_search_bin(rpcd_t)
 
 kernel_read_system_state(rpcd_t) 
-kernel_search_network_state(rpcd_t) 
+kernel_read_network_state(rpcd_t)
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)  
 kernel_rw_fs_sysctls(rpcd_t)
 
+corecmd_exec_bin(rpcd_t)
+
+files_manage_mounttab(rpcd_t)
+
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
 fs_read_rpc_symlinks(rpcd_t)
 fs_read_rpc_sockets(rpcd_t) 
-term_use_controlling_term(rpcd_t)
 
-# cjp: this should really have its own type
-files_manage_mounttab(rpcd_t)
+selinux_dontaudit_read_fs(rpcd_t)
 
 miscfiles_read_certs(rpcd_t)
 
@@ -104,12 +105,9 @@ kernel_read_network_state(nfsd_t)
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
 
-fs_mount_nfsd_fs(nfsd_t) 
-fs_search_nfsd_fs(nfsd_t) 
-fs_getattr_all_fs(nfsd_t) 
-fs_rw_nfsd_fs(nfsd_t) 
-
-term_use_controlling_term(nfsd_t) 
+dev_dontaudit_getattr_all_blk_files(nfsd_t)
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+dev_rw_lvm_control(nfsd_t)
 
 # does not really need this, but it is easier to just allow it
 files_search_pids(nfsd_t) 
@@ -118,6 +116,14 @@ files_getattr_tmp_dirs(nfsd_t)
 # cjp: this should really have its own type
 files_manage_mounttab(rpcd_t)
 
+fs_mount_nfsd_fs(nfsd_t) 
+fs_search_nfsd_fs(nfsd_t) 
+fs_getattr_all_fs(nfsd_t) 
+fs_getattr_all_dirs(nfsd_t)
+fs_rw_nfsd_fs(nfsd_t) 
+
+storage_dontaudit_read_fixed_disk(nfsd_t)
+
 # Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)
 
@@ -149,6 +155,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
+kernel_read_system_state(gssd_t)
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 kernel_search_network_sysctl(gssd_t)	
@@ -162,6 +169,8 @@ fs_read_rpc_files(gssd_t)
 files_list_tmp(gssd_t) 
 files_read_usr_symlinks(gssd_t) 
 
+auth_use_nsswitch(gssd_t)
+
 miscfiles_read_certs(gssd_t)
 
 tunable_policy(`allow_gssd_read_tmp',`
diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
index ff413c7..e1a1848 100644
--- a/policy/modules/system/getty.fc
+++ b/policy/modules/system/getty.fc
@@ -8,5 +8,5 @@
 
 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
 
-/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
-/var/spool/voice	--	gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/fax(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/voice(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index b951f30..275fda7 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -1,5 +1,5 @@
 
-policy_module(getty,1.6.0)
+policy_module(getty, 1.6.1)
 
 ########################################
 #
@@ -9,6 +9,7 @@ policy_module(getty,1.6.0)
 type getty_t;
 type getty_exec_t;
 init_domain(getty_t,getty_exec_t)
+init_system_domain(getty_t, getty_exec_t)
 domain_interactive_fd(getty_t)
 
 type getty_etc_t;

More information about the scm-commits mailing list