[selinux-policy: 2100/3172] trunk: 6 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:06:20 UTC 2010


commit 3c9b2e9bc6c12678fa609e8af702ebb32a605398
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Mar 19 17:56:10 2009 +0000

    trunk: 6 patches from dan.

 Changelog                            |    3 ++
 policy/modules/admin/logwatch.te     |   12 +++++---
 policy/modules/admin/usermanage.if   |   19 +++++++++++++
 policy/modules/admin/usermanage.te   |   11 +++++++-
 policy/modules/roles/logadm.fc       |    1 +
 policy/modules/roles/logadm.if       |   50 ++++++++++++++++++++++++++++++++++
 policy/modules/roles/logadm.te       |   20 +++++++++++++
 policy/modules/services/rpc.fc       |    1 +
 policy/modules/services/rpc.if       |   45 ++++++++++++++++++++++++++++--
 policy/modules/services/rpc.te       |   20 +++++++++++---
 policy/modules/services/zosremote.fc |    1 +
 policy/modules/services/zosremote.if |   45 ++++++++++++++++++++++++++++++
 policy/modules/services/zosremote.te |   28 +++++++++++++++++++
 policy/modules/system/udev.fc        |    2 +
 policy/modules/system/udev.if        |   28 ++++++++++++++++---
 policy/modules/system/udev.te        |   15 +++++++++-
 16 files changed, 283 insertions(+), 18 deletions(-)
---
diff --git a/Changelog b/Changelog
index b2cfb6c..a3656ff 100644
--- a/Changelog
+++ b/Changelog
@@ -11,6 +11,9 @@
 - Add support for labeled Booleans.
 - Remove node definitions and change node usage to generic nodes.
 - Add kernel_service access vectors, from Stephen Smalley.
+- Added modules:
+	logadm (Dan Walsh)
+	zosremote (Dan Walsh)
 
 * Wed Dec 10 2008 Chris PeBenito <selinux at tresys.com> - 2.20081210
 - Fix consistency of audioentropy and iscsi module naming.
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index 3d24189..cb86035 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
 
-policy_module(logwatch, 1.9.0)
+policy_module(logwatch, 1.9.1)
 
 #################################
 #
@@ -43,6 +43,8 @@ files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
 kernel_read_fs_sysctls(logwatch_t)
 kernel_read_kernel_sysctls(logwatch_t)
 kernel_read_system_state(logwatch_t)
+kernel_read_net_sysctls(logwatch_t)
+kernel_read_network_state(logwatch_t)
 
 corecmd_exec_bin(logwatch_t)
 corecmd_exec_shell(logwatch_t)
@@ -54,6 +56,7 @@ dev_read_sysfs(logwatch_t)
 domain_read_all_domains_state(logwatch_t)
 
 files_list_var(logwatch_t)
+files_read_var_symlinks(logwatch_t)
 files_read_etc_files(logwatch_t)
 files_read_etc_runtime_files(logwatch_t)
 files_read_usr_files(logwatch_t)
@@ -66,10 +69,12 @@ files_dontaudit_search_all_dirs(logwatch_t)
 
 fs_getattr_all_fs(logwatch_t)
 fs_dontaudit_list_auto_mountpoints(logwatch_t)
+fs_list_inotifyfs(logwatch_t)
 
 term_dontaudit_getattr_pty_dirs(logwatch_t)
 term_dontaudit_list_ptys(logwatch_t)
 
+auth_use_nsswitch(logwatch_t)
 auth_dontaudit_read_shadow(logwatch_t)
 
 init_read_utmp(logwatch_t)
@@ -85,6 +90,7 @@ miscfiles_read_localization(logwatch_t)
 selinux_dontaudit_getattr_dir(logwatch_t)
 
 sysnet_dns_name_resolve(logwatch_t)
+sysnet_exec_ifconfig(logwatch_t)
 
 userdom_dontaudit_search_user_home_dirs(logwatch_t)
 
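Review bot: `sysnet_exec_ifconfig(logwatch_t)` runs ifconfig inside logwatch_t instead of transitioning it, so anything ifconfig needs beyond reading interface state has to be granted to logwatch_t itself; if logwatch only needs interface status for its report, `sysnet_domtrans_ifconfig(logwatch_t)` would keep that work confined to ifconfig_t, whose policy already covers it. None of the rules added to logwatch.te in this commit carry a comment, and this one in particular would benefit from a line such as `# logwatch runs ifconfig for its network interface report` stating what needs it. The logwatch_t policy continues outside this hunk.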
@@ -95,10 +101,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	auth_use_nsswitch(logwatch_t)
-')
-
-optional_policy(`
 	avahi_dontaudit_search_pid(logwatch_t)
 ')
 
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index ac74240..0950bc7 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -117,6 +117,24 @@ interface(`usermanage_domtrans_passwd',`
 
 ########################################
 ## <summary>
+##	Send sigkills to passwd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_kill_passwd',`
+	gen_require(`
+		type passwd_t;
+	')
+
+	allow $1 passwd_t:process sigkill;
+')
+
+########################################
+## <summary>
 ##	Execute passwd in the passwd domain, and
 ##	allow the specified role the passwd domain.
 ## </summary>
@@ -138,6 +156,7 @@ interface(`usermanage_run_passwd',`
 
 	usermanage_domtrans_passwd($1)
 	role $2 types passwd_t;
+	auth_run_chk_passwd(passwd_t, $2)
 ')
 
 ########################################
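Review bot: The summary of `usermanage_run_passwd` (the interface starts above this hunk) still says the role is allowed only the passwd domain, but the added `auth_run_chk_passwd(passwd_t, $2)` also assigns `$2` the chkpwd domain, so the documentation no longer describes what a caller gets. Suggest changing the summary to `Execute passwd in the passwd domain, and allow the specified role the passwd and chkpwd domains.` so callers can see that the role grant is wider than before.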
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 7388b53..ac4e7ff 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage, 1.12.0)
+policy_module(usermanage, 1.12.1)
 
 ########################################
 #
@@ -288,6 +288,7 @@ selinux_compute_user_contexts(passwd_t)
 term_use_all_user_ttys(passwd_t)
 term_use_all_user_ptys(passwd_t)
 
+auth_domtrans_chk_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
@@ -307,6 +308,7 @@ files_relabel_etc_files(passwd_t)
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(passwd_t)
+init_use_fds(passwd_t)
 
 logging_send_audit_msgs(passwd_t)
 logging_send_syslog_msg(passwd_t)
@@ -320,6 +322,7 @@ userdom_use_unpriv_users_fds(passwd_t)
 # make sure that getcon succeeds
 userdom_getattr_all_users(passwd_t)
 userdom_read_all_users_state(passwd_t)
+userdom_read_user_tmp_files(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
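Review bot: `userdom_read_user_tmp_files(passwd_t)` lands directly under the `# make sure that getcon succeeds` comment, which explains the two lines above it but not this one, so a reader will attribute the tmp-file read to getcon. Add a one-line comment before it naming the operation that needs user tmp files; if that is not known, `# NOTE(review): reason for user tmp read access unclear -- confirm` is better than leaving it under an unrelated comment.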
@@ -492,6 +495,12 @@ userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_se
 
 mta_manage_spool(useradd_t)
 
+ifdef(`distro_redhat',`
+	optional_policy(`
+		unconfined_domain(useradd_t)
+	')
+')
+
 optional_policy(`
 	apache_manage_all_user_content(useradd_t)
 ')
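Review bot: `unconfined_domain(useradd_t)` inside `ifdef(`distro_redhat')` turns useradd into an unconfined domain on Red Hat builds, which makes every other useradd_t rule in this file irrelevant there, and the hunk gives no reason for it. If a specific useradd operation drives this, a targeted interface would keep the domain confined; otherwise the block needs a comment such as `# useradd is unconfined on Red Hat: <reason / bug reference>` (reason filled in) so the exception stays traceable.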
diff --git a/policy/modules/roles/logadm.fc b/policy/modules/roles/logadm.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/logadm.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/logadm.if b/policy/modules/roles/logadm.if
new file mode 100644
index 0000000..6bd00f9
--- /dev/null
+++ b/policy/modules/roles/logadm.if
@@ -0,0 +1,50 @@
+## <summary>Log administrator role</summary>
+
+########################################
+## <summary>
+##	Change to the log administrator role.
+## </summary>
+## <param name="role">
+##	<summary>
+##     Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logadm_role_change',`
+	gen_require(`
+		role logadm_r;
+	')
+
+	allow $1 logadm_r;
+')
+
+########################################
+## <summary>
+##	Change from the log administrator role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the log administrator role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logadm_role_change_to',`
+	gen_require(`
+		role logadm_r;
+	')
+
+	allow logadm_r $1;
+')
diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
new file mode 100644
index 0000000..dfd9310
--- /dev/null
+++ b/policy/modules/roles/logadm.te
@@ -0,0 +1,20 @@
+
+policy_module(logadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role logadm_r;
+
+userdom_base_user_template(logadm)
+
+########################################
+#
+# logadmin local policy
+#
+
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+logging_admin(logadm_t, logadm_r)
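Review bot: The capability set `{ dac_override dac_read_search kill sys_ptrace sys_nice }` granted to logadm_t has no comment saying which log administration task needs each one, and dac_override and sys_ptrace in particular reach well beyond reading and rotating logs. Add a comment above the allow rule stating the reason per capability, and drop any that are not actually required; a reviewer cannot tell from this file whether sys_ptrace is needed at all. The section header `# logadmin local policy` also does not match the module name; `# logadm local policy` would be consistent with `policy_module(logadm, 1.0.0)`.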
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
index 629f473..b492db5 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
@@ -16,6 +16,7 @@
 /usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
 /usr/sbin/rpc\.mountd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
 /usr/sbin/rpc\.nfsd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.rquotad	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
 
 #
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 7584b3e..20b2e7b 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -83,12 +83,13 @@ template(`rpc_domain_template', `
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_portmap_client_packets($1_t)
 	# do not log when it tries to bind to a port belonging to another domain
-	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-	corenet_dontaudit_udp_bind_all_reserved_ports($1_t)
+	corenet_dontaudit_tcp_bind_all_ports($1_t)
+	corenet_dontaudit_udp_bind_all_ports($1_t)
 	# bind to arbitary unused ports
 	corenet_tcp_bind_generic_port($1_t)
 	corenet_udp_bind_generic_port($1_t)
-	corenet_udp_bind_reserved_port($1_t)
+	corenet_tcp_bind_all_rpc_ports($1_t)
+	corenet_udp_bind_all_rpc_ports($1_t)
 	corenet_sendrecv_generic_server_packets($1_t)
 
 	fs_rw_rpc_named_pipes($1_t) 
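Review bot: Replacing `corenet_dontaudit_tcp_bind_all_reserved_ports` with `corenet_dontaudit_tcp_bind_all_ports` (and the udp twin) in `rpc_domain_template` silences bind denials on every port for every rpc domain, not just the reserved range, so an rpc daemon misconfigured onto another service's port no longer leaves an AVC to find. If the wider dontaudit is needed because the daemons probe above the reserved range, the comment above should say so, e.g. `# do not log when it tries to bind to a port belonging to another domain; rpc daemons probe arbitrary ports, so cover all of them`. The template begins above this hunk.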
@@ -205,6 +206,25 @@ interface(`rpc_domtrans_nfsd',`
 
 ########################################
 ## <summary>
+##      Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+	gen_require(`
+		type rpcd_t, rpcd_exec_t;
+	')
+
+	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+	allow rpcd_t $1:process signal;
+')
+
+########################################
+## <summary>
 ##	Read NFS exported content.
 ## </summary>
 ## <param name="domain">
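Review bot: The summary of the new `rpc_domtrans_rpcd` reads `Execute domain in nfsd domain.`, which is copied from `rpc_domtrans_nfsd` and names the wrong target; it should be `Execute domain in rpcd domain.`. The interface also allows `rpcd_t $1:process signal`, which the summary does not mention; adding `Also allows rpcd to signal the caller.` makes the extra grant visible to callers.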
@@ -335,3 +355,22 @@ interface(`rpc_read_nfs_state_data',`
 	files_search_var_lib($1)
 	read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
 ')
+
+########################################
+## <summary>
+##	Manage NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_manage_nfs_state_data',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+')
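Review bot: `rpc_manage_nfs_state_data` only calls `manage_files_pattern`, so a caller can create, write and delete files under /var/lib/nfs but not create directories there, while the summary `Manage NFS state data in /var/lib/nfs.` suggests full management. Either add `manage_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t)` if callers create subdirectories, or narrow the summary to `Create, read, write, and delete NFS state data files in /var/lib/nfs.` so the doc matches the rules.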
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 012cb34..808154d 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
 
-policy_module(rpc, 1.10.3)
+policy_module(rpc, 1.10.4)
 
 ########################################
 #
@@ -68,6 +68,7 @@ kernel_read_network_state(rpcd_t)
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)
 kernel_rw_fs_sysctls(rpcd_t)
+kernel_dontaudit_getattr_core_if(rpcd_t)
 
 corecmd_exec_bin(rpcd_t)
 
@@ -101,6 +102,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 # for /proc/fs/nfs/exports - should we have a new type?
 kernel_read_system_state(nfsd_t) 
 kernel_read_network_state(nfsd_t) 
+kernel_dontaudit_getattr_core_if(nfsd_t) 
 
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
@@ -133,12 +135,23 @@ tunable_policy(`allow_nfsd_anon_write',`
 ') 
 
 tunable_policy(`nfs_export_all_rw',`
+	dev_getattr_all_blk_files(nfsd_t)
+	dev_getattr_all_chr_files(nfsd_t)
+
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-	fs_read_noxattr_fs_files(nfsd_t) 
+	dev_getattr_all_blk_files(nfsd_t)
+	dev_getattr_all_chr_files(nfsd_t)
+
+	files_getattr_all_pipes(nfsd_t)
+	files_getattr_all_sockets(nfsd_t)
+
+	fs_read_noxattr_fs_files(nfsd_t)
+
+	auth_read_all_dirs_except_shadow(nfsd_t)
 	auth_read_all_files_except_shadow(nfsd_t)
 ')
 
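Review bot: The `nfs_export_all_ro` branch now gains `files_getattr_all_pipes`, `files_getattr_all_sockets` and `auth_read_all_dirs_except_shadow` for nfsd_t, but the `nfs_export_all_rw` branch directly above receives only the two dev_getattr calls, so a system that sets only the rw tunable ends up with less read access than one that sets only the ro tunable. If the rw tunable is meant to be a superset, the three missing calls belong in the rw block too; if both tunables are expected to be set together, a comment saying so would stop the next reader from treating the asymmetry as a bug.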
@@ -180,8 +193,7 @@ tunable_policy(`allow_gssd_read_tmp',`
 ')
 
 optional_policy(`
-	kerberos_use(gssd_t)
-	kerberos_read_keytab(gssd_t) 
+	kerberos_keytab_template(gssd, gssd_t) 
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/zosremote.fc b/policy/modules/services/zosremote.fc
new file mode 100644
index 0000000..d719d0b
--- /dev/null
+++ b/policy/modules/services/zosremote.fc
@@ -0,0 +1 @@
+/sbin/audispd-zos-remote	--	gen_context(system_u:object_r:zos_remote_exec_t,s0)
diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if
new file mode 100644
index 0000000..3e49a8c
--- /dev/null
+++ b/policy/modules/services/zosremote.if
@@ -0,0 +1,45 @@
+## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
+
+########################################
+## <summary>
+##      Execute a domain transition to run audispd-zos-remote.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zosremote_domtrans',`
+        gen_require(`
+                type zos_remote_t, type zos_remote_exec_t;
+        ')
+
+        domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
+')
+
+########################################
+## <summary>
+##	Allow specified type and role to transition and
+##	run in the zos_remote_t domain. Allow specified type
+##	to use zos_remote_t terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the zos_remote domain.
+##	</summary>
+## </param>
+#
+interface(`zosremote_run',`
+	gen_require(`
+		type zos_remote_t;
+	')
+
+	zosremote_domtrans($1)
+	role $2 types zos_remote_t;
+')
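Review bot: The require block of `zosremote_domtrans` is written `type zos_remote_t, type zos_remote_exec_t;`, which repeats the `type` keyword inside one declaration; the form used elsewhere in this commit (`type rpcd_t, rpcd_exec_t;` in rpc.if) is `type zos_remote_t, zos_remote_exec_t;`, and the repeated keyword is likely rejected when the module is built. The body of that interface is also indented with spaces while `zosremote_run` below it uses tabs. Separately, the summary of `zosremote_run` says the caller is allowed to `use zos_remote_t terminal`, but no terminal rule is granted; drop that sentence or add the rule it describes.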
diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te
new file mode 100644
index 0000000..bdddee3
--- /dev/null
+++ b/policy/modules/services/zosremote.te
@@ -0,0 +1,28 @@
+policy_module(zosremote,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type zos_remote_t;
+type zos_remote_exec_t;
+init_system_domain(zos_remote_t, zos_remote_exec_t)
+logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
+
+########################################
+#
+# zos_remote local policy
+#
+
+allow zos_remote_t self:process signal;
+allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(zos_remote_t)
+
+auth_use_nsswitch(zos_remote_t);
+
+miscfiles_read_localization(zos_remote_t)
+
+logging_send_syslog_msg(zos_remote_t)
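Review bot: `auth_use_nsswitch(zos_remote_t);` carries a trailing semicolon that no other interface call in the module has; the call expands to policy statements itself, so the stray `;` ends up in the generated policy where it is at best noise and may be rejected. Change it to `auth_use_nsswitch(zos_remote_t)`. `policy_module(zosremote,1.0.0)` likewise lacks the space after the comma that every other `policy_module(...)` line in this commit has.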
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 571f028..9b924c3 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -17,3 +17,5 @@
 /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
 
 /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
+
+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
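Review bot: The new context labels `/var/run/PackageKit/udev(/.*)?` as `udev_var_run_t`, which hands a PackageKit-owned runtime directory to udev's pid-file type with no comment on why the two share a label. A one-line comment above the entry such as `# PackageKit keeps udev state here; see <reference>` (with the reason filled in) would let a later reader tell that this is intentional rather than a typo for a PackageKit type.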
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 573a890..e1f3c65 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -96,6 +96,24 @@ interface(`udev_dontaudit_rw_dgram_sockets',`
 
 ########################################
 ## <summary>
+##	Do not audit search of udev database directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`udev_dontaudit_search_db',`
+	gen_require(`
+		type udev_tbl_t;
+	')
+
+	dontaudit $1 udev_tbl_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Allow process to read list of devices.
 ## </summary>
 ## <param name="domain">
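Review bot: The new `udev_dontaudit_search_db` requires `type udev_tbl_t`, and the two hunks below rename `udev_tdb_t` to `udev_tbl_t` in `udev_read_db` and `udev_rw_db`, but the udev.te part of this commit declares or renames no type, so unless udev.te already declares `udev_tbl_t` (or aliases it to `udev_tdb_t`) these interfaces fail their require block in every caller. Confirm against the current udev.te declarations; if the type is new, its `type udev_tbl_t;` declaration and a file context for the database directory belong in this commit.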
@@ -106,11 +124,13 @@ interface(`udev_dontaudit_rw_dgram_sockets',`
 #
 interface(`udev_read_db',`
 	gen_require(`
-		type udev_tdb_t;
+		type udev_tbl_t;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 udev_tdb_t:file read_file_perms;
+	allow $1 udev_tbl_t:dir list_dir_perms;
+	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
 ')
 
 ########################################
@@ -125,9 +145,9 @@ interface(`udev_read_db',`
 #
 interface(`udev_rw_db',`
 	gen_require(`
-		type udev_tdb_t;
+		type udev_tbl_t;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 udev_tdb_t:file rw_file_perms;
+	allow $1 udev_tbl_t:file rw_file_perms;
 ')
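Review bot: After this change `udev_read_db` grants `list_dir_perms` on udev_tbl_t directories plus file and symlink reads, while `udev_rw_db` keeps only `udev_tbl_t:file rw_file_perms`, so a domain using the rw interface can open files whose names it already knows but cannot list the directory. If the database is now a directory tree, as the read interface implies, `udev_rw_db` probably needs the same `allow $1 udev_tbl_t:dir list_dir_perms;` line; if listing is deliberately excluded, a comment on the rw interface saying why would help.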
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 40d3ac2..f51a3af 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
 
-policy_module(udev, 1.10.1)
+policy_module(udev, 1.10.2)
 
 ########################################
 #
@@ -55,6 +55,7 @@ allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
 
 allow udev_t udev_helper_exec_t:dir list_dir_perms;
+can_exec(udev_t, udev_helper_exec_t)
 
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
@@ -78,10 +79,12 @@ kernel_rw_hotplug_sysctls(udev_t)
 kernel_rw_unix_dgram_sockets(udev_t)
 kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
+kernel_search_debugfs(udev_t)
 
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
 kernel_read_network_state(udev_t)
+kernel_read_software_raid_state(udev_t)
 
 corecmd_exec_all_executables(udev_t)
 
@@ -134,6 +137,7 @@ init_getattr_initctl(udev_t)
 
 logging_search_logs(udev_t)
 logging_send_syslog_msg(udev_t)
+logging_send_audit_msgs(udev_t)
 
 miscfiles_read_localization(udev_t)
 
@@ -181,6 +185,7 @@ ifdef(`distro_redhat',`
 
 optional_policy(`
 	alsa_domtrans(udev_t)
+	alsa_read_lib(udev_t)
 	alsa_read_rw_config(udev_t)
 ')
 
@@ -189,6 +194,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	clock_domtrans(udev_t)
+')
+
+optional_policy(`
 	consoletype_exec(udev_t)
 ')
 
@@ -197,6 +206,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	lvm_domtrans(udev_t)
+')
+
+optional_policy(`
 	fstools_domtrans(udev_t)
 ')
 
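Review bot: The new `lvm_domtrans(udev_t)` block is inserted before the `fstools_domtrans(udev_t)` block, which breaks the alphabetical order the optional_policy blocks in this file appear to follow (the `clock_domtrans` block in the previous hunk is placed correctly before `consoletype`). Move the lvm block after the fstools block so the file stays sorted.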

