[selinux-policy: 2390/3172] Misc fixes for 1031ee6.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:32:10 UTC 2010
commit 27eab81f2f73121c52731006941d466791fa9c14
Author: Chris PeBenito <pebenito at gentoo.org>
Date: Mon Feb 8 13:38:48 2010 -0500
Misc fixes for 1031ee6.
policy/modules/kernel/files.if | 18 ++++----
policy/modules/services/apache.if | 1 -
policy/modules/services/apache.te | 2 +-
policy/modules/services/bind.if | 41 +++++++++----------
policy/modules/services/cobbler.fc | 10 ++--
policy/modules/services/cobbler.if | 74 +++++++++++++++++-----------------
policy/modules/services/cobbler.te | 9 +---
policy/modules/services/dnsmasq.fc | 2 +-
policy/modules/services/dnsmasq.if | 64 +++++++++++++++---------------
policy/modules/services/dnsmasq.te | 3 +-
policy/modules/services/rsync.if | 4 +-
policy/modules/services/rsync.te | 2 +-
policy/modules/services/tftp.if | 30 +++-----------
policy/modules/system/miscfiles.fc | 4 +-
policy/modules/system/sysnetwork.fc | 2 +-
15 files changed, 122 insertions(+), 144 deletions(-)
---
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f853bf5..1cdf376 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1504,7 +1504,7 @@ interface(`files_dontaudit_getattr_boot_dirs',`
########################################
## <summary>
-## List the /boot directory.
+## Search the /boot directory.
## </summary>
## <param name="domain">
## <summary>
@@ -1512,17 +1512,17 @@ interface(`files_dontaudit_getattr_boot_dirs',`
## </summary>
## </param>
#
-interface(`files_list_boot',`
+interface(`files_search_boot',`
gen_require(`
type boot_t;
')
- allow $1 boot_t:dir list_dir_perms;
+ allow $1 boot_t:dir search_dir_perms;
')
########################################
## <summary>
-## Search the /boot directory.
+## Do not audit attempts to search the /boot directory.
## </summary>
## <param name="domain">
## <summary>
@@ -1530,17 +1530,17 @@ interface(`files_list_boot',`
## </summary>
## </param>
#
-interface(`files_search_boot',`
+interface(`files_dontaudit_search_boot',`
gen_require(`
type boot_t;
')
- allow $1 boot_t:dir search_dir_perms;
+ dontaudit $1 boot_t:dir search_dir_perms;
')
########################################
## <summary>
-## Do not audit attempts to search the /boot directory.
+## List the /boot directory.
## </summary>
## <param name="domain">
## <summary>
@@ -1548,12 +1548,12 @@ interface(`files_search_boot',`
## </summary>
## </param>
#
-interface(`files_dontaudit_search_boot',`
+interface(`files_list_boot',`
gen_require(`
type boot_t;
')
- dontaudit $1 boot_t:dir search_dir_perms;
+ allow $1 boot_t:dir list_dir_perms;
')
########################################
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index c1139e4..2dc0a81 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -773,7 +773,6 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
- read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
files_search_var($1)
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 3deb7cb..014ee44 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -451,7 +451,7 @@ optional_policy(`
')
optional_policy(`
- cobbler_search_var_lib(httpd_t)
+ cobbler_search_lib(httpd_t)
')
optional_policy(`
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index aef64b7..31032a6 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -6,11 +6,10 @@
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
-#
interface(`bind_initrc_domtrans',`
gen_require(`
type named_initrc_exec_t;
@@ -211,25 +210,6 @@ interface(`bind_manage_config_dirs',`
########################################
## <summary>
-## Manage BIND zone files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`bind_manage_zone',`
- gen_require(`
- type named_zone_t;
- ')
-
- files_search_var($1)
- manage_files_pattern($1, named_zone_t, named_zone_t)
-')
-
-########################################
-## <summary>
## Search the BIND cache directory.
## </summary>
## <param name="domain">
@@ -311,6 +291,25 @@ interface(`bind_read_zone',`
########################################
## <summary>
+## Manage BIND zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
## Send and receive datagrams to and from named. (Deprecated)
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
index 0a811f6..1cf6c4e 100644
--- a/policy/modules/services/cobbler.fc
+++ b/policy/modules/services/cobbler.fc
@@ -1,7 +1,7 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
-/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
index 433099f..1f2c492 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -12,45 +12,43 @@
########################################
## <summary>
-## Read Cobbler content in /etc
+## Execute a domain transition to run cobblerd.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
-interface(`cobbler_read_config',`
+interface(`cobblerd_domtrans',`
gen_require(`
- type cobbler_etc_t;
+ type cobblerd_t, cobblerd_exec_t;
')
- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
- files_search_etc($1)
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
')
########################################
## <summary>
-## Do not audit attempts to read and write
-## Cobbler log files (leaked fd).
+## Execute cobblerd server in the cobblerd domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## The type of the process performing this action.
## </summary>
## </param>
#
-interface(`cobbler_dontaudit_rw_log',`
+interface(`cobblerd_initrc_domtrans',`
gen_require(`
- type cobbler_var_log_t;
+ type cobblerd_initrc_exec_t;
')
- dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
')
########################################
## <summary>
-## Read cobbler files in /var/lib
+## Read Cobbler content in /etc
## </summary>
## <param name="domain">
## <summary>
@@ -58,18 +56,19 @@ interface(`cobbler_dontaudit_rw_log',`
## </summary>
## </param>
#
-interface(`cobbler_read_var_lib_files',`
+interface(`cobbler_read_config',`
gen_require(`
- type cobbler_var_lib_t;
+ type cobbler_etc_t;
')
- read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- files_search_var_lib($1)
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
+ files_search_etc($1)
')
########################################
## <summary>
-## Manage cobbler files in /var/lib
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
## </summary>
## <param name="domain">
## <summary>
@@ -77,13 +76,12 @@ interface(`cobbler_read_var_lib_files',`
## </summary>
## </param>
#
-interface(`cobbler_manage_var_lib_files',`
+interface(`cobbler_dontaudit_rw_log',`
gen_require(`
- type cobbler_var_lib_t;
+ type cobbler_var_log_t;
')
- manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- files_search_var_lib($1)
+ dontaudit $1 cobbler_var_log_t:file rw_file_perms;
')
########################################
@@ -96,7 +94,7 @@ interface(`cobbler_manage_var_lib_files',`
## </summary>
## </param>
#
-interface(`cobbler_search_var_lib',`
+interface(`cobbler_search_lib',`
gen_require(`
type cobbler_var_lib_t;
')
@@ -107,38 +105,40 @@ interface(`cobbler_search_var_lib',`
########################################
## <summary>
-## Execute a domain transition to run cobblerd.
+## Read cobbler files in /var/lib
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`cobblerd_domtrans',`
+interface(`cobbler_read_lib_files',`
gen_require(`
- type cobblerd_t, cobblerd_exec_t;
+ type cobbler_var_lib_t;
')
- domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
')
########################################
## <summary>
-## Execute cobblerd server in the cobblerd domain.
+## Manage cobbler files in /var/lib
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`cobblerd_initrc_domtrans',`
+interface(`cobbler_manage_lib_files',`
gen_require(`
- type cobblerd_initrc_exec_t;
+ type cobbler_var_lib_t;
')
- init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
')
########################################
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
index 7e5c614..a267c2f 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -52,6 +52,8 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+kernel_read_system_state(cobblerd_t)
+
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
@@ -67,13 +69,9 @@ corenet_tcp_sendrecv_generic_port(cobblerd_t)
dev_read_urand(cobblerd_t)
files_read_usr_files(cobblerd_t)
-
files_list_boot(cobblerd_t)
-
files_list_tmp(cobblerd_t)
-kernel_read_system_state(cobblerd_t)
-
miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)
@@ -119,6 +117,5 @@ optional_policy(`
')
optional_policy(`
- tftp_manage_tftpdir_dirs(cobblerd_t)
- tftp_manage_tftpdir_files(cobblerd_t)
+ tftp_manage_rw_content(cobblerd_t)
')
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index 89e2e66..21089ca 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -1,4 +1,4 @@
-/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
+/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index 09e1efd..5681e65 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -98,78 +98,78 @@ interface(`dnsmasq_kill',`
########################################
## <summary>
-## Delete dnsmasq pid files
+## Read dnsmasq config files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed.
+## </summary>
## </param>
#
-#
-interface(`dnsmasq_delete_pid_files',`
+interface(`dnsmasq_read_config',`
gen_require(`
- type dnsmasq_var_run_t;
+ type dnsmasq_etc_t;
')
- delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ allow $1 dnsmasq_etc_t:file read_file_perms;
+ files_search_etc($1)
')
########################################
## <summary>
-## Read dnsmasq pid files
+## Write to dnsmasq config files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed.
+## </summary>
## </param>
#
-#
-interface(`dnsmasq_read_pid_files',`
+interface(`dnsmasq_write_config',`
gen_require(`
- type dnsmasq_var_run_t;
+ type dnsmasq_etc_t;
')
- read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ allow $1 dnsmasq_etc_t:file write_file_perms;
+ files_search_etc($1)
')
########################################
## <summary>
-## Read dnsmasq config files.
+## Delete dnsmasq pid files
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`dnsmasq_read_config',`
+#
+interface(`dnsmasq_delete_pid_files',`
gen_require(`
- type dnsmasq_etc_t;
+ type dnsmasq_var_run_t;
')
- read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
- files_search_etc($1)
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
########################################
## <summary>
-## Write to dnsmasq config files.
+## Read dnsmasq pid files
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`dnsmasq_write_config',`
+#
+interface(`dnsmasq_read_pid_files',`
gen_require(`
- type dnsmasq_etc_t;
+ type dnsmasq_var_run_t;
')
- write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
- files_search_etc($1)
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
########################################
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 2f9b213..2865f04 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -37,7 +37,7 @@ allow dnsmasq_t self:udp_socket create_socket_perms;
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;
-read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;
# dhcp leases
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
@@ -71,6 +71,7 @@ dev_read_urand(dnsmasq_t)
domain_use_interactive_fds(dnsmasq_t)
+files_read_etc_files(dnsmasq_t)
files_read_etc_runtime_files(dnsmasq_t)
fs_getattr_all_fs(dnsmasq_t)
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
index 7dc8495..6a2d345 100644
--- a/policy/modules/services/rsync.if
+++ b/policy/modules/services/rsync.if
@@ -119,7 +119,7 @@ interface(`rsync_read_config',`
type rsync_etc_t;
')
- read_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ allow $1 rsync_etc_t:file read_file_perms;
files_search_etc($1)
')
@@ -138,6 +138,6 @@ interface(`rsync_write_config',`
type rsync_etc_t;
')
- write_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ allow $1 rsync_etc_t:file read_file_perms;
files_search_etc($1)
')
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index fabe97b..19bbfcb 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -60,7 +60,7 @@ allow rsync_t self:udp_socket connected_socket_perms;
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
#end for identd
-read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
+allow rsync_t rsync_etc_t:file read_file_perms;
allow rsync_t rsync_data_t:dir list_dir_perms;
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index 230c5a6..38bb312 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -2,7 +2,7 @@
########################################
## <summary>
-## Manage tftp /var/lib files.
+## Read tftp content
## </summary>
## <param name="domain">
## <summary>
@@ -10,13 +10,12 @@
## </summary>
## </param>
#
-interface(`tftp_manage_tftpdir_dirs',`
+interface(`tftp_read_content',`
gen_require(`
- type tftpdir_rw_t;
+ type tftpdir_t;
')
- files_search_var_lib($1)
- manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ read_files_pattern($1, tftpdir_t, tftpdir_t)
')
########################################
@@ -29,35 +28,18 @@ interface(`tftp_manage_tftpdir_dirs',`
## </summary>
## </param>
#
-interface(`tftp_manage_tftpdir_files',`
+interface(`tftp_manage_rw_content',`
gen_require(`
type tftpdir_rw_t;
')
files_search_var_lib($1)
+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
########################################
## <summary>
-## Read tftp content
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`tftp_read_content',`
- gen_require(`
- type tftpdir_t;
- ')
-
- read_files_pattern($1, tftpdir_t, tftpdir_t)
-')
-
-########################################
-## <summary>
## All of the rules required to administrate
## an tftp environment
## </summary>
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 3051ca7..569c7d0 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -74,8 +74,8 @@ ifdef(`distro_redhat',`
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
-/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 0e77e21..b261e3d 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -12,7 +12,7 @@
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
-/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
More information about the scm-commits
mailing list