[selinux-policy: 2868/3172] Allow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can s
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:15:25 UTC 2010
commit f5b49a5e0bdc3268e5ea148beb3649bee126e810
Author: Dan Walsh <dwalsh at redhat.com>
Date: Tue Sep 7 16:23:09 2010 -0400
Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google video chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
policy/modules/admin/shorewall.if | 19 +++++++++++++++++++
policy/modules/admin/usermanage.te | 7 ++-----
policy/modules/apps/execmem.fc | 1 +
policy/modules/apps/gnome.if | 18 ++++++++++++++++++
policy/modules/apps/mozilla.if | 2 ++
policy/modules/apps/mozilla.te | 31 ++++++++++++++++++++++++++++++-
policy/modules/apps/nsplugin.te | 1 +
policy/modules/apps/telepathy.te | 5 ++++-
policy/modules/apps/vmware.te | 3 +++
policy/modules/kernel/corecommands.fc | 2 ++
policy/modules/kernel/devices.fc | 1 -
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/filesystem.fc | 4 ++++
policy/modules/services/apache.if | 3 +++
policy/modules/services/apm.te | 4 ----
policy/modules/services/clamav.te | 5 ++++-
policy/modules/services/devicekit.te | 7 +------
policy/modules/services/icecast.te | 14 ++++++++++++++
policy/modules/services/openvpn.te | 2 +-
policy/modules/services/piranha.te | 4 ++++
policy/modules/services/policykit.te | 2 +-
policy/modules/services/rgmanager.te | 4 ----
policy/modules/services/rwho.te | 3 +++
policy/modules/services/virt.te | 4 ----
policy/modules/services/xserver.if | 1 +
policy/modules/services/xserver.te | 5 +----
policy/modules/system/authlogin.if | 4 ++++
policy/modules/system/fstools.te | 4 ----
policy/modules/system/init.if | 1 +
policy/modules/system/iptables.te | 1 +
policy/modules/system/libraries.if | 20 ++++++++++++++++++++
policy/modules/system/libraries.te | 4 ----
policy/modules/system/lvm.te | 8 --------
policy/modules/system/modutils.te | 8 --------
policy/modules/system/raid.te | 8 +++-----
policy/modules/system/selinuxutil.te | 4 ----
policy/modules/system/sosreport.te | 4 ----
policy/modules/system/udev.te | 4 ----
policy/modules/system/userdomain.fc | 1 +
policy/modules/system/userdomain.if | 2 +-
40 files changed, 168 insertions(+), 75 deletions(-)
---
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
index 992a7fc..b83f3db 100644
--- a/policy/modules/admin/shorewall.if
+++ b/policy/modules/admin/shorewall.if
@@ -135,6 +135,25 @@ interface(`shorewall_rw_lib_files',`
#######################################
## <summary>
+## Read shorewall tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_tmp_files',`
+ gen_require(`
+ type shorewall_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
+')
+
+#######################################
+## <summary>
## All of the rules required to administrate
## an shorewall environment
## </summary>
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 3045a19..961424f 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -90,9 +90,7 @@ fs_search_auto_mountpoints(chfn_t)
# for SSP
dev_read_urand(chfn_t)
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
-auth_use_nsswitch(chfn_t)
+auth_use_pam(chfn_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
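Review bot: `auth_use_pam(chfn_t)` is a much wider grant than the three calls it replaces: if it follows the reference-policy definition it also allows the password-update helper transition, executing PAM helpers, and appending or rewriting login/lastlog/faillog records, whereas the commit message only needs the fprintd D-Bus chat that this commit adds to auth_use_pam in authlogin.if. If that is the whole requirement, the narrower change is to keep the original three lines and add `optional_policy(`fprintd_dbus_chat(chfn_t)')` after them. The passwd_t hunk below makes the same substitution; passwd_t already manages shadow so the widening matters less there, but it deserves the same check.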
@@ -297,11 +295,10 @@ term_use_all_ttys(passwd_t)
term_use_all_ptys(passwd_t)
term_use_generic_ptys(passwd_t)
-auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
-auth_use_nsswitch(passwd_t)
+auth_use_pam(passwd_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
index 9bd4f45..e049042 100644
--- a/policy/modules/apps/execmem.fc
+++ b/policy/modules/apps/execmem.fc
@@ -10,6 +10,7 @@
/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/vlc -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
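Review bot: The new `/usr/bin/vlc` entry is inserted before `/usr/bin/valgrind`, which breaks the alphabetical order the rest of this file keeps; move it one line down so it follows valgrind. Labelling the whole vlc binary execmem_exec_t is the broadest way to give it executable anonymous memory, so a short comment naming the reason (e.g. a JIT in one of its codec modules, to be confirmed) would help the next person deciding whether the label is still needed.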
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index ffd9870..09beb26 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -526,6 +526,24 @@ template(`gnome_read_home_config',`
########################################
## <summary>
+## manage gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`gnome_manage_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ manage_files_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
## Read/Write all inherited gnome home config
## </summary>
## <param name="domain">
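Review bot: The summary of `gnome_manage_home_config` says it manages the .config content, but the body only grants `manage_files_pattern` on config_home_t — no directory management and no search of the user home directory — so a caller cannot create or remove subdirectories and, unless it already has home-dir search, cannot reach the files at all. Either add `manage_dirs_pattern($1, config_home_t, config_home_t)` and `userdom_search_user_home_dirs($1)` (the latter only if the sibling gnome_read_home_config template does the same; its body is outside the hunk), or narrow the summary to "Manage gnome home config files". Capitalise the summary ("Manage …") to match the neighbouring templates.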
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 99a3d49..47aa143 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -216,6 +216,8 @@ interface(`mozilla_run_plugin',`
mozilla_domtrans_plugin($1)
role $2 types mozilla_plugin_t;
+
+ allow mozilla_plugin_t $1:process signull;
')
########################################
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 52c2cce..04f5196 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -42,6 +42,10 @@ role system_r types mozilla_plugin_t;
type mozilla_plugin_tmp_t;
files_tmp_file(mozilla_plugin_tmp_t)
+type mozilla_plugin_tmpfs_t;
+files_tmpfs_file(mozilla_plugin_tmpfs_t)
+ubac_constrained(mozilla_plugin_tmpfs_t)
+
permissive mozilla_plugin_t;
########################################
@@ -292,7 +296,7 @@ optional_policy(`
#
# mozilla_plugin local policy
#
-allow mozilla_plugin_t self:process setsched;
+allow mozilla_plugin_t self:process { setsched signal_perms execmem };
allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
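Review bot: Adding `execmem` to `mozilla_plugin_t self:process` lets every plugin running in this domain map writable-and-executable anonymous memory, which removes the W^X guarantee for a domain that handles untrusted web content; the commit message ties it to one plugin (video chat). Consider gating it the way other execmem grants in this tree are gated, e.g. `tunable_policy(`mozilla_plugin_execmem',` allow mozilla_plugin_t self:process execmem; `')` (constructed name), with a `<desc>` explaining the trade-off, rather than granting it unconditionally. Note also that the first hunk of this file leaves `permissive mozilla_plugin_t;` in place even though the commit message says permissive domains are removed, so none of the new rules in this file are enforced yet.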
@@ -305,6 +309,12 @@ manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
kernel_read_kernel_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
kernel_request_load_module(mozilla_plugin_t)
@@ -313,6 +323,8 @@ corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
+dev_read_video_dev(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -324,18 +336,35 @@ files_read_usr_files(mozilla_plugin_t)
fs_rw_tmpfs_files(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_stream_connect(mozilla_plugin_t)
+userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
+
+optional_policy(`
+ dbus_read_lib_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_home_config(mozilla_plugin_t)
+')
optional_policy(`
nsplugin_domtrans(mozilla_plugin_t)
nsplugin_rw_exec(mozilla_plugin_t)
+ nsplugin_manage_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pulseaudio_rw_home_files(mozilla_plugin_t)
')
optional_policy(`
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
')
+
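Review bot: The last added line of this hunk is a blank line after the final `')`, which leaves mozilla.te ending in a trailing empty line; the same trailing blank line is added at the end of the rwho.te hunk. Drop both so the files keep the single final newline the rest of the tree uses.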
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
index b4f0852..23890a7 100644
--- a/policy/modules/apps/nsplugin.te
+++ b/policy/modules/apps/nsplugin.te
@@ -129,6 +129,7 @@ fs_rw_anon_inodefs_files(nsplugin_t)
fs_list_inotifyfs(nsplugin_t)
storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+storage_dontaudit_getattr_removable_dev(nsplugin_t)
term_dontaudit_getattr_all_ptys(nsplugin_t)
term_dontaudit_getattr_all_ttys(nsplugin_t)
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index 7e8fd3a..6cd47ee 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -53,6 +53,7 @@ exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
+can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
corenet_sendrecv_http_client_packets(telepathy_msn_t)
corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
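Review bot: `can_exec(telepathy_msn_t, telepathy_msn_tmp_t)` allows the domain to run code it has itself written to its tmp type without a domain transition, which defeats the usual write-xor-execute separation for a network-facing messenger; the hunk header shows `exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)` already present, so the new line mainly adds execute_no_trans. If this is needed for a specific helper, say so in a comment above the line (`# msn helper unpacked to tmp and run in place — confirm`) and consider a boolean so administrators who do not use that feature can keep the restriction.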
@@ -72,6 +73,8 @@ kernel_read_system_state(telepathy_msn_t)
auth_use_nsswitch(telepathy_msn_t)
+libs_exec_ldconfig(telepathy_msn_t)
+
logging_send_syslog_msg(telepathy_msn_t)
miscfiles_read_certs(telepathy_msn_t)
@@ -122,7 +125,7 @@ corenet_tcp_connect_vnc_port(telepathy_gabble_t)
dev_read_rand(telepathy_gabble_t)
dev_read_urand(telepathy_gabble_t)
-files_read_etc_files(telepathy_gabble_t)
+files_read_config_files(telepathy_gabble_t)
files_read_usr_files(telepathy_gabble_t)
miscfiles_read_certs(telepathy_gabble_t)
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index ab99aa0..8a97303 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -160,7 +160,10 @@ netutils_domtrans_ping(vmware_host_t)
optional_policy(`
seutil_sigchld_newrole(vmware_host_t)
+')
+optional_policy(`
+ shutdown_domtrans(vmware_host_t)
')
optional_policy(`
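Review bot: The new `optional_policy(` block for `shutdown_domtrans(vmware_host_t)` is glued directly to the closing `')` of the seutil block with no blank line between them, which is inconsistent with every other optional_policy pair in these files. Insert an empty line after the first `')` so the two blocks are visually separate.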
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index a71e2d5..b267560 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -115,6 +115,8 @@ ifdef(`distro_debian',`
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
')
+/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
#
# /lib
#
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 18f3f4c..7c29e17 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -159,7 +159,6 @@ ifdef(`distro_suse', `
/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-/dev/hugepages(/.*)? <<none>>
/dev/mqueue(/.*)? <<none>>
/dev/pts(/.*)? <<none>>
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index e896bf7..3fb8756 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -318,6 +318,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
########################################
## <summary>
+## read generic files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_read_generic_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ read_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## Read and write generic files in /dev.
## </summary>
## <param name="domain">
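Review bot: The parameter description of `dev_read_generic_files` reads "Domain to not audit.", which is copied from the dontaudit interface above it; this interface grants access, so it should be `## Domain allowed access.`. The summary should also start with a capital ("Read generic files in /dev.") to match the neighbouring interfaces. Since device_t is the label of every otherwise-unlabelled node under /dev, a short comment noting that callers get read access to all such files would help reviewers of future callers.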
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index ff835aa..16f0f9e 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -4,4 +4,8 @@
/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/cgroup/.* <<none>>
+/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup(/.*)? <<none>>
+
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <<none>>
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index c96d035..46d0960 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -18,6 +18,7 @@ template(`apache_content_template',`
type httpd_t, httpd_suexec_t, httpd_log_t;
type httpd_sys_content_t;
')
+
#This type is for webpages
type httpd_$1_content_t; # customizable;
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
@@ -32,6 +33,8 @@ template(`apache_content_template',`
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
+ search_dirs_pattern($1, httpd_sys_content_t, httpd_script_exec_type)
+
# This type is used for executable scripts files
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t)
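Review bot: Inside apache_content_template `$1` is the name prefix (the surrounding lines build `httpd_$1_content_t` and `httpd_$1_script_t` from it), not a domain, so `search_dirs_pattern($1, httpd_sys_content_t, httpd_script_exec_type)` expands to a rule whose source is the bare prefix and will not compile, or will silently refer to the wrong type. The intended subject is presumably the script domain: `search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)`. The template's gen_require block starts outside this hunk, so also confirm that the httpd_script_exec_type attribute is listed there.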
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index c6832b0..c7cba00 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -228,13 +228,9 @@ optional_policy(`
udev_read_state(apmd_t) #necessary?
')
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(apmd_t)
')
-', `
- permissive apmd_t;
-')
optional_policy(`
vbetool_domtrans(apmd_t)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 0a0f374..16598a4 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -183,12 +183,15 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
allow freshclam_t freshclam_var_log_t:dir setattr;
-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
kernel_read_kernel_sysctls(freshclam_t)
kernel_read_system_state(freshclam_t)
+corecmd_exec_shell(freshclam_t)
+corecmd_exec_bin(freshclam_t)
+
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
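Review bot: `corecmd_exec_shell(freshclam_t)` and `corecmd_exec_bin(freshclam_t)` give a network-facing updater the ability to run any shell or bin_t program, and the hunk gives no reason; if this is for the freshclam.conf *Execute hooks (OnUpdateExecute and friends — confirm), say so in a comment above the two lines, e.g. `# freshclam.conf OnUpdateExecute/OnErrorExecute hooks run a shell command`. A boolean would let sites that do not use those hooks keep freshclam without shell access. The read_files_pattern line that replaces the old dir search on clamd_var_log_t is a wider grant than before and could use the same one-line justification.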
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index ca3a848..6cee08f 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -182,17 +182,11 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(devicekit_t)
unconfined_domain(devicekit_power_t)
unconfined_domain(devicekit_disk_t)
')
-', `
- permissive devicekit_t;
- permissive devicekit_power_t;
- permissive devicekit_disk_t;
-')
########################################
#
@@ -251,6 +245,7 @@ modutils_domtrans_insmod(devicekit_power_t)
sysnet_read_config(devicekit_power_t)
sysnet_domtrans_ifconfig(devicekit_power_t)
+sysnet_domtrans_dhcpc(devicekit_power_t)
userdom_read_all_users_state(devicekit_power_t)
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
index f441c9a..4992511 100644
--- a/policy/modules/services/icecast.te
+++ b/policy/modules/services/icecast.te
@@ -5,6 +5,14 @@ policy_module(icecast, 1.0.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow icecast to connect to all ports, not just
+## sound ports.
+## </p>
+## </desc>
+gen_tunable(icecast_connect_any, false)
+
type icecast_t;
type icecast_exec_t;
init_daemon_domain(icecast_t, icecast_exec_t)
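Review bot: The `<desc>` of `icecast_connect_any` says the boolean lets icecast connect to all ports, but the tunable_policy block in the next hunk also grants `corenet_tcp_bind_all_ports(icecast_t)`, which lets the daemon listen on any port; either the description should say so (`Allow icecast to connect to and bind any TCP port, not just sound ports.`) or the bind line should be dropped so the boolean does what it claims. The boolean name also suggests connect-only, so if binding is required a name such as icecast_use_any_tcp_port (constructed) would be more honest.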
@@ -42,6 +50,12 @@ kernel_read_system_state(icecast_t)
corenet_tcp_bind_soundd_port(icecast_t)
corenet_tcp_connect_soundd_port(icecast_t)
+tunable_policy(`icecast_connect_any',`
+ corenet_tcp_connect_all_ports(icecast_t)
+ corenet_tcp_bind_all_ports(icecast_t)
+ corenet_sendrecv_all_packets(icecast_t)
+')
+
# Init script handling
domain_use_interactive_fds(icecast_t)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 9be673c..196f2a2 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -51,7 +51,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket server_stream_socket_perms;
-allow openvpn_t self:tun_socket create;
+allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
can_exec(openvpn_t, openvpn_etc_t)
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
index 17d6b45..0a5f27d 100644
--- a/policy/modules/services/piranha.te
+++ b/policy/modules/services/piranha.te
@@ -115,6 +115,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(piranha_web_t)
+')
+
+optional_policy(`
sasl_connect(piranha_web_t)
')
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index ab881a1..e731afa 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -107,7 +107,7 @@ optional_policy(`
# polkit_auth local policy
#
-allow policykit_auth_t self:capability { setgid setuid };
+allow policykit_auth_t self:capability { ipc_lock setgid setuid };
dontaudit policykit_auth_t self:capability sys_tty_config;
allow policykit_auth_t self:process { getattr getsched signal };
allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
index ce5dbc0..9ab1d80 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -209,13 +209,9 @@ optional_policy(`
virt_stream_connect(rgmanager_t)
')
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(rgmanager_t)
')
-', `
- permissive rgmanager_t;
-')
optional_policy(`
xen_domtrans_xm(rgmanager_t)
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index a07b2f4..d78daf4 100644
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -55,6 +55,9 @@ files_read_etc_files(rwho_t)
init_read_utmp(rwho_t)
init_dontaudit_write_utmp(rwho_t)
+logging_send_syslog_msg(rwho_t)
+
miscfiles_read_localization(rwho_t)
sysnet_dns_name_resolve(rwho_t)
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 8040c74..8f0fac9 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -446,13 +446,9 @@ optional_policy(`
udev_read_db(virtd_t)
')
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(virtd_t)
')
-', `
- permissive virtd_t;
-')
########################################
#
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index a5b3186..81c0af8 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1283,6 +1283,7 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ allow xserver $1:shm rw_shm_perms;
')
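Review bot: `allow xserver $1:shm rw_shm_perms;` uses `xserver` as the source, but the type used two lines above in `stream_connect_pattern` is `xserver_t`; unless an attribute named xserver exists elsewhere in the policy, this identifier is undefined and the module will fail to build. The line should read `allow xserver_t $1:shm rw_shm_perms;`, and xserver_t must be in the interface's gen_require, which starts outside this hunk.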
########################################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 50b4a08..9b9e013 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -775,6 +775,7 @@ optional_policy(`
optional_policy(`
plymouthd_search_spool(xdm_t)
plymouthd_exec_plymouth(xdm_t)
+ plymouthd_stream_connect(xdm_t)
')
optional_policy(`
@@ -1093,14 +1094,10 @@ optional_policy(`
udev_read_db(xserver_t)
')
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(xserver_t)
unconfined_domtrans(xserver_t)
')
-', `
- permissive xserver_t;
-')
optional_policy(`
userhelper_search_config(xserver_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 227958c..304bc75 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -66,6 +66,10 @@ interface(`auth_use_pam',`
optional_policy(`
consolekit_dbus_chat($1)
')
+
+ optional_policy(`
+ fprintd_dbus_chat($1)
+ ')
')
optional_policy(`
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index e8dd9c8..7cb7582 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -154,13 +154,9 @@ seutil_read_config(fsadm_t)
term_use_all_terms(fsadm_t)
ifdef(`distro_redhat',`
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(fsadm_t)
')
-', `
- permissive fsadm_t;
-')
')
optional_policy(`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7da8294..c504f34 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -745,6 +745,7 @@ interface(`init_telinit',`
type init_t;
')
+ allow $1 init_t:process signal;
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index e9bd52a..bce3aea 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -135,6 +135,7 @@ optional_policy(`
optional_policy(`
shorewall_rw_lib_files(iptables_t)
+ shorewall_read_tmp_files(iptables_t)
')
optional_policy(`
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index d97d16d..8b174c8 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -46,6 +46,26 @@ interface(`libs_run_ldconfig',`
########################################
## <summary>
+## Execute ldconfig in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`libs_exec_ldconfig',`
+ gen_require(`
+ type ldconfig_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ldconfig_exec_t)
+')
+
+########################################
+## <summary>
## Use the dynamic link/loader for automatic loading
## of shared libraries.
## </summary>
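Review bot: `libs_exec_ldconfig` carries a `## <rolecap/>` tag, but that tag marks interfaces that grant role capabilities (the domain-transition/run style interfaces such as the libs_run_ldconfig above it); an interface that only allows execution in the caller's own domain does not need it and the tag would mislead role-template generation. Remove the `## <rolecap/>` line. A short note that the caller runs ldconfig unconfined by the ldconfig_t domain (and so inherits the caller's write access to library directories) would help callers judge the risk.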
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index af2af2d..561a849 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -151,10 +151,6 @@ optional_policy(`
rpm_manage_script_tmp_files(ldconfig_t)
')
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(ldconfig_t)
')'
-, `
- permissive ldconfig_t;
-')
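Review bot: After this hunk the surviving context line `')'` closes `optional_policy(` and then leaves a stray `'`: in the original it was the end quote of the `ifdef(`enforcing',` second argument that the removed `-, `` line continued, but with the ifdef gone nothing opens that quote. m4 will pass the unmatched `'` through into the generated policy, where checkpolicy should reject it, unless something in this file consumes it (the rest of the file is outside the hunk). The line should be changed to `')`.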
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 7eb67d1..7f649d5 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -142,13 +142,9 @@ lvm_domtrans(clvmd_t)
lvm_read_config(clvmd_t)
ifdef(`distro_redhat',`
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(clvmd_t)
')
-', `
- permissive clvmd_t;
-')
')
optional_policy(`
@@ -326,13 +322,9 @@ ifdef(`distro_redhat',`
# this is from the initrd:
files_rw_isid_type_dirs(lvm_t)
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(lvm_t)
')
-', `
- permissive lvm_t;
-')
')
optional_policy(`
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index f39f39f..9abf3b1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -99,14 +99,10 @@ optional_policy(`
rpm_manage_script_tmp_files(depmod_t)
')
-ifdef(`enforcing',`
optional_policy(`
# Read System.map from home directories.
unconfined_domain(depmod_t)
')
-', `
- permissive depmod_t;
-')
########################################
#
@@ -247,14 +243,10 @@ optional_policy(`
rpm_rw_pipes(insmod_t)
')
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(insmod_t)
unconfined_dontaudit_rw_pipes(insmod_t)
')
-', `
- permissive insmod_t;
-')
optional_policy(`
virt_dontaudit_write_pipes(insmod_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 5ccaca7..2fe5969 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -53,6 +53,7 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
# unfortunately needed for DMI decoding:
dev_read_raw_memory(mdadm_t)
+dev_read_generic_files(mdadm_t)
domain_use_interactive_fds(mdadm_t)
@@ -60,7 +61,8 @@ files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
files_dontaudit_getattr_tmpfs_files(mdadm_t)
-fs_search_auto_mountpoints(mdadm_t)
+fs_list_hugetlbfs(mdadm_t)
+fs_list_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
mls_file_read_all_levels(mdadm_t)
@@ -97,10 +99,6 @@ optional_policy(`
udev_read_db(mdadm_t)
')
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(mdadm_t)
')
-', `
- permissive mdadm_t;
-')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index a0cf928..edee963 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -536,10 +536,6 @@ ifdef(`hide_broken_symptoms',`
')
')
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(setfiles_mac_t)
')
-', `
- permissive lvm_t;
-')
diff --git a/policy/modules/system/sosreport.te b/policy/modules/system/sosreport.te
index 593a206..c15bcea 100644
--- a/policy/modules/system/sosreport.te
+++ b/policy/modules/system/sosreport.te
@@ -149,10 +149,6 @@ optional_policy(`
xserver_stream_connect(sosreport_t)
')
-ifdef(`enforcing',`
optional_policy(`
unconfined_domain(sosreport_t)
')
-', `
- permissive sosreport_t;
-')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 7cc3698..f99fdcb 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -196,13 +196,9 @@ ifdef(`distro_redhat',`
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
- ifdef(`enforcing',`
optional_policy(`
unconfined_domain(udev_t)
')
- ', `
- permissive udev_t;
- ')
')
optional_policy(`
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 9068325..61db6da 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -8,6 +8,7 @@ HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
+HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 1456a83..e1da594 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3205,7 +3205,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
- dontaudit $1 user_devpts_t:chr_file rw_file_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
')
########################################