[selinux-policy: 207/3172] another cleanup pass
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:22:51 UTC 2010
commit dc771ff40edec3e7a02695983982ca6196bcf120
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue May 24 15:55:57 2005 +0000
another cleanup pass
refpolicy/policy/modules/admin/rpm.if | 39 ++++++++--
refpolicy/policy/modules/kernel/bootloader.if | 15 ++++
refpolicy/policy/modules/kernel/bootloader.te | 3 -
refpolicy/policy/modules/kernel/devices.if | 25 ++++++-
refpolicy/policy/modules/kernel/filesystem.if | 28 +++++++
refpolicy/policy/modules/kernel/kernel.if | 14 ++++
refpolicy/policy/modules/system/authlogin.if | 100 +++++++++++++++++++++++-
refpolicy/policy/modules/system/authlogin.te | 14 +---
refpolicy/policy/modules/system/files.if | 102 +++++++++++++++++++++++++
refpolicy/policy/modules/system/hotplug.te | 35 +++++----
refpolicy/policy/modules/system/init.te | 39 ++++------
refpolicy/policy/modules/system/locallogin.te | 13 ++-
refpolicy/policy/modules/system/modutils.te | 4 +-
refpolicy/policy/modules/system/mount.te | 15 ++--
refpolicy/policy/modules/system/userdomain.if | 2 +
refpolicy/policy/modules/system/userdomain.te | 4 +
16 files changed, 372 insertions(+), 80 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index 9d3925e..a3fcfbd 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -30,13 +30,13 @@ class process { transition noatsecure siginh rlimitinh };
########################################
## <interface name="rpm_transition_add_role_use_terminal">
## <description>
-## Execute rpm programs in the rpm domain.
+## Execute RPM programs in the RPM domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
-## The role to allow the rpm domain.
+## The role to allow the RPM domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the RPM domain to use.
@@ -100,18 +100,43 @@ class fifo_file { getattr read };
')
########################################
+## <interface name="rpm_read_package_database">
+## <description>
+## Read RPM package database.
+## </description>
+## <parameter name="domain">
+## The type of the process performing this action.
+## </parameter>
+## <infoflow type="read" weight="10"/>
+## </interface>
#
-# rpm_read_library_state(domain)
-#
-define(`rpm_read_library_state',`
+define(`rpm_read_package_database',`
requires_block_template(`$0'_depend)
allow $1 rpm_var_lib_t:dir { getattr read search };
allow $1 rpm_var_lib_t:file { read getattr };
allow $1 rpm_var_lib_t:lnk_file { getattr read };
')
-define(`kernel_read_system_state_depend',`
-type proc_t;
+define(`rpm_read_package_database_depend',`
+type rpm_var_lib_t_t;
+class dir { search getattr read };
+class lnk_file { getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# rpm_manage_package_database(domain)
+#
+define(`rpm_manage_package_database',`
+requires_block_template(`$0'_depend)
+allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
+allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
+allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
+')
+
+define(`rpm_manage_package_database_depend',`
+type rpm_var_lib_t_t;
class dir { search getattr read };
class lnk_file { getattr read };
class file { getattr read };
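Review bot: Both new depend blocks declare `type rpm_var_lib_t_t;` (L72 and L90), which is not the type the interfaces actually use; it should read `type rpm_var_lib_t;`. The `rpm_manage_package_database_depend` block also only requires read permissions, while the body grants write/add_name/remove_name on dir, create/write/append/unlink on file and write/unlink on lnk_file, so the requires block does not cover the rules it is meant to declare. The corrected depend block would be:
```m4
define(`rpm_manage_package_database_depend',`
type rpm_var_lib_t;
class dir { search getattr read write add_name remove_name };
class file { getattr create read write append unlink };
class lnk_file { getattr read write unlink };
')
```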
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index e617929..5eeed99 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -88,6 +88,21 @@ class dir search;
########################################
#
+# bootloader_modify_bootloader_data_directory_symbolic_links(domain)
+#
+define(`bootloader_modify_bootloader_data_directory_symbolic_links',`
+requires_block_template(`$0'_depend)
+allow $1 boot_t:dir { getattr search read };
+allow $1 boot_t:lnk_file { getattr read write };
+')
+
+define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',`
+type boot_t;
+class dir { getattr search read };
+')
+
+########################################
+#
# bootloader_install_kernel(domain)
#
define(`bootloader_install_kernel',`
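Review bot: `bootloader_modify_bootloader_data_directory_symbolic_links_depend` (L109-L112) declares only the dir class, but the interface body also grants `lnk_file { getattr read write }` on L106, so the requires block is incomplete. Add `class lnk_file { getattr read write };` after the `class dir` line.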
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index a5e9bbc..292dad7 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -179,9 +179,6 @@ modutils_update_modules_execute(bootloader_t)
')
ifdef(`TODO',`
-# admin runs bootloader:
-domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
-allow bootloader_t admin_tty_type:chr_file rw_file_perms;
allow bootloader_t initrc_t:fifo_file { read write };
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 3a94fc2..151b359 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -133,6 +133,30 @@ class chr_file getattr;
')
########################################
+## <interface name="devices_remove_dev_symbolic_links">
+## <description>
+## Delete symbolic links in /dev.
+## </description>
+## <parameter name="domain">
+## The type of the process performing this action.
+## </parameter>
+## <infoflow type="write" weight="1"/>
+## </interface>
+#
+define(`devices_remove_dev_symbolic_links',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr read write remove_name };
+allow $1 device_t:lnk_file unlink;
+')
+
+define(`devices_remove_dev_symbolic_links_depend',`
+attribute device_node, memory_raw_read, memory_raw_write;
+type device_t;
+class dir { getattr read write remove_name };
+class lnk_file unlink;
+')
+
+########################################
#
# devices_manage_dev_symbolic_links(domain)
#
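Review bot: `devices_remove_dev_symbolic_links_depend` (L153-L158) requires `attribute device_node, memory_raw_read, memory_raw_write;` on L154, but the interface body only touches `device_t`, so none of those attributes are used. It looks like the line was moved here from `devices_manage_dev_symbolic_links_depend` (removed at L167), where it was equally unused; a requires block should declare only what the rules reference, so the line can simply be dropped.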
@@ -143,7 +167,6 @@ allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
')
define(`devices_manage_dev_symbolic_links_depend',`
-attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
class lnk_file { create read getattr setattr link unlink rename };
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 9357d48..e226fec 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -119,6 +119,20 @@ class filesystem getattr;
########################################
#
+# filesystem_relabelfrom_persistent_filesystem(domain)
+#
+define(`filesystem_relabelfrom_persistent_filesystem',`
+requires_block_template(`$0'_depend)
+allow $1 fs_t:filesystem relabelfrom;
+')
+
+define(`filesystem_relabelfrom_persistent_filesystem_depend',`
+type fs_t;
+class filesystem relabelfrom;
+')
+
+########################################
+#
# filesystem_mount_automount_filesystem(domain)
#
define(`filesystem_mount_automount_filesystem',`
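Review bot: The two new relabelfrom interfaces (`filesystem_relabelfrom_persistent_filesystem` here and `filesystem_relabelfrom_dos_filesystem` at L200) use the bare `# name(domain)` header, while the rest of this commit introduces the `## <interface>` XML doc form for new interfaces (see rpm.if and devices.if in the same change). Since these grant the ability to strip labels from whole filesystems, a short `<description>` stating that, plus the `domain` parameter and an `<infoflow type="write" weight="1"/>` element, would keep them consistent with the documented interfaces and make the privilege visible in generated docs.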
@@ -397,6 +411,20 @@ class filesystem getattr;
########################################
#
+# filesystem_relabelfrom_dos_filesystem(domain)
+#
+define(`filesystem_relabelfrom_dos_filesystem',`
+requires_block_template(`$0'_depend)
+allow $1 dosfs_t:filesystem relabelfrom;
+')
+
+define(`filesystem_relabelfrom_dos_filesystem_depend',`
+type dosfs_t;
+class filesystem relabelfrom;
+')
+
+########################################
+#
# filesystem_mount_cd_filesystem(domain)
#
define(`filesystem_mount_cd_filesystem',`
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index cc23bf3..0a6eece 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -144,6 +144,20 @@ class process sigkill;
########################################
#
+# kernel_ignore_get_unlabeled_block_device_attributes(domain)
+#
+define(`kernel_ignore_get_unlabeled_block_device_attributes',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:blk_file getattr;
+')
+
+define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
+type unlabeled_t;
+class process getattr;
+')
+
+########################################
+#
# kernel_relabel_unlabeled_object(domain)
#
define(`kernel_relabel_unlabeled_object',`
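Review bot: `kernel_ignore_get_unlabeled_block_device_attributes` uses `allow` on L226, but its name says "ignore" and the rule it replaces in init.te (L682, `dontaudit initrc_t unlabeled_t:blk_file getattr;`) was a dontaudit, so the commit silently turns a suppressed denial into a granted permission on unlabeled block devices. The body should read `dontaudit $1 unlabeled_t:blk_file getattr;`. The depend block is also wrong: it declares `class process getattr;` (L231) where the rule needs `class blk_file getattr;`.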
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 1e4154b..7fd505e 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -1,4 +1,6 @@
# Copyright (C) 2005 Tresys Technology, LLC
+## <module name="authlogin" layer="system">
+## <summary>Common policy for authentication and user login.</summary>
#######################################
#
@@ -249,9 +251,16 @@ type lastlog_t;
class file { getattr read write setattr };
')
-#######################################
-#
-# authlogin_pam_transition(domain)
+########################################
+## <interface name="authlogin_pam_transition">
+## <description>
+## Execute pam programs in the pam domain.
+## </description>
+## <parameter name="domain">
+## The type of the process performing this action.
+## </parameter>
+## <infoflow type="write" weight="10"/>
+## </interface>
#
define(`authlogin_pam_transition',`
requires_block_template(`$0'_depend)
@@ -267,6 +276,35 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+## <interface name="authlogin_pam_transition_add_role_use_terminal">
+## <description>
+## Execute pam programs in the PAM domain.
+## </description>
+## <parameter name="domain">
+## The type of the process performing this action.
+## </parameter>
+## <parameter name="role">
+## The role to allow the PAM domain.
+## </parameter>
+## <parameter name="terminal">
+## The type of the terminal allow the PAM domain to use.
+## </parameter>
+## <infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`authlogin_pam_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+authlogin_pam_transition($1)
+role $2 types pam_t;
+allow pam_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`authlogin_pam_transition_add_role_use_terminal_depend',`
+type pam_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# authlogin_pam_execute(domain)
@@ -373,6 +411,60 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
class lnk_file { create read getattr setattr link unlink rename };
')
+########################################
+## <interface name="authlogin_utempter_transition">
+## <description>
+## Execute utempter programs in the utempter domain.
+## </description>
+## <parameter name="domain">
+## The type of the process performing this action.
+## </parameter>
+## <infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`authlogin_utempter_transition',`
+requires_block_template(`$0'_depend)
+allow $1 utempter_exec_t:file { getattr read execute };
+allow $1 utempter_t:process transition;
+type_transition $1 utempter_exec_t:file utempter_t;
+dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`authlogin_utempter_transition_depend',`
+type utempter_t, utempter_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+## <interface name="authlogin_utempter_transition_add_role_use_terminal">
+## <description>
+## Execute utempter programs in the utempter domain.
+## </description>
+## <parameter name="domain">
+## The type of the process performing this action.
+## </parameter>
+## <parameter name="role">
+## The role to allow the utempter domain.
+## </parameter>
+## <parameter name="terminal">
+## The type of the terminal allow the utempter domain to use.
+## </parameter>
+## <infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`authlogin_utempter_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+authlogin_utempter_transition($1)
+role $2 types utempter_t;
+allow utempter_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
+type utempter_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# authlogin_read_login_records(domain)
@@ -416,3 +508,5 @@ define(`authlogin_modify_login_records_depend',`
type wtmp_t;
class file { getattr read write setattr };
')
+
+## </module>
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 7b7f227..32c4fc8 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -107,19 +107,18 @@ libraries_use_shared_libraries(pam_t)
logging_send_system_log_message(pam_t)
+userdomain_use_all_unprivileged_users_file_descriptors(pam_t)
+
optional_policy(`locallogin.te',`
locallogin_use_file_descriptors(pam_t)
')
ifdef(`TODO',`
-allow pam_t unpriv_userdomain:fd use;
can_ypbind(pam_t)
ifdef(`automount.te', `
allow pam_t autofs_t:dir { search getattr };
')
-in_user_role(pam_t)
-domain_auto_trans(userdomain, pam_exec_t, pam_t)
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
') dnl endif TODO
@@ -169,6 +168,8 @@ logging_send_system_log_message(pam_console_t)
selinux_read_file_contexts(pam_console_t)
+userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t)
+
tunable_policy(`direct_sysadm_daemon', `
dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
')
@@ -198,7 +199,6 @@ allow pam_console_t rhgb_t:process sigchld;
allow pam_console_t rhgb_t:fd use;
allow pam_console_t rhgb_t:fifo_file { read write };
')
-dontaudit pam_console_t unpriv_userdomain:fd use;
allow pam_console_t autofs_t:dir { search getattr };
allow pam_console_t {
@@ -214,8 +214,6 @@ removable_device_t
scsi_generic_device_t
}:chr_file { getattr setattr };
-
-
allow pam_console_t mnt_t:dir r_dir_perms;
ifdef(`gpm.te', `
@@ -306,10 +304,6 @@ libraries_use_shared_libraries(utempter_t)
logging_search_system_log_directory(utempter_t)
ifdef(`TODO',`
-in_user_role(utempter_t)
-role sysadm_r types utempter_t;
-domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
-
# Allow utemper to write to /tmp/.xses-*
allow utempter_t user_tmpfile:file { getattr write append };
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 2d8f3c9..03542e2 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -200,6 +200,48 @@ attribute file_type;
class dir { getattr search read };
')
+#######################################
+#
+# files_relabelto_all_file_type_filesystems(domain)
+#
+define(`files_relabelto_all_file_type_filesystems',`
+requires_block_template(`$0'_depend)
+allow $1 file_type:filesystem relabelto;
+')
+
+define(`files_relabelto_all_file_type_filesystems_depend',`
+attribute file_type;
+filesystem relabelto;
+')
+
+#######################################
+#
+# files_mount_all_file_type_filesystems(domain)
+#
+define(`files_mount_all_file_type_filesystems',`
+requires_block_template(`$0'_depend)
+allow $1 file_type:filesystem mount;
+')
+
+define(`files_mount_all_file_type_filesystems_depend',`
+attribute file_type;
+filesystem mount;
+')
+
+#######################################
+#
+# files_unmount_all_file_type_filesystems(domain)
+#
+define(`files_unmount_all_file_type_filesystems',`
+requires_block_template(`$0'_depend)
+allow $1 file_type:filesystem mount;
+')
+
+define(`files_unmount_all_file_type_filesystems_depend',`
+attribute file_type;
+filesystem mount;
+')
+
########################################
#
# files_mount_on_all_mountpoints(domain)
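Review bot: `files_unmount_all_file_type_filesystems` grants `mount` rather than `unmount` (L461 and L466), so it is a copy of the mount interface and the unmount permission removed from mount.te (L792, `{ unmount mount relabelto }`) is lost. In addition, the three new depend blocks write `filesystem relabelto;` / `filesystem mount;` (L438, L452, L466) without the `class` keyword, which is not a valid requires statement; they should read `class filesystem relabelto;` and `class filesystem mount;`. The corrected unmount interface would be:
```m4
define(`files_unmount_all_file_type_filesystems',`
requires_block_template(`$0'_depend)
allow $1 file_type:filesystem unmount;
')

define(`files_unmount_all_file_type_filesystems_depend',`
attribute file_type;
class filesystem unmount;
')
```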
@@ -712,6 +754,22 @@ class file { getattr create read write setattr unlink };
########################################
#
+# files_get_system_lock_file_attributes(domain)
+#
+define(`files_get_system_lock_file_attributes',`
+requires_block_template(`$0'_depend)
+allow $1 var_lock_t:dir { getattr search read };
+allow $1 var_lock_t:file getattr;
+')
+
+define(`files_get_system_lock_file_attributes_depend',`
+type var_lock_t;
+class dir { getattr search read };
+class file getattr;
+')
+
+########################################
+#
# files_manage_system_lock_files(domain)
#
define(`files_manage_system_lock_files',`
@@ -844,6 +902,50 @@ class file { getattr read write };
')
########################################
+## <interface name="files_ignore_write_all_daemon_runtime_data">
+## <description>
+## Do not audit attempts to write to daemon runtime data files.
+## </description>
+## <parameter name="domain">
+## The type of the process performing this action.
+## </parameter>
+## <infoflow type="none"/>
+## </interface>
+#
+
+define(`files_ignore_write_all_daemon_runtime_data',`
+requires_block_template(`$0'_depend)
+dontaudit $1 pidfile:file write;
+')
+
+define(`files_ignore_write_all_daemon_runtime_data_depend',`
+attribute pidfile;
+class file write;
+')
+
+########################################
+## <interface name="files_ignore_ioctl_all_daemon_runtime_data">
+## <description>
+## Do not audit attempts to ioctl daemon runtime data files.
+## </description>
+## <parameter name="domain">
+## The type of the process performing this action.
+## </parameter>
+## <infoflow type="none"/>
+## </interface>
+#
+
+define(`files_ignore_ioctl_all_daemon_runtime_data',`
+requires_block_template(`$0'_depend)
+dontaudit $1 pidfile:file ioctl;
+')
+
+define(`files_ignore_ioctl_all_daemon_runtime_data_depend',`
+attribute pidfile;
+class file ioctl;
+')
+
+########################################
#
# files_remove_all_daemon_runtime_data(domain)
#
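Review bot: Both new dontaudit interfaces leave a blank line between the closing `#` of the doc header and the `define` (L507 and L529), unlike every other interface in this commit, where the `define` immediately follows the header. If the doc block is meant to be associated with the interface by adjacency, the blank line should be removed; either way it is inconsistent with the surrounding style.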
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 8adac10..3acb8cc 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -32,6 +32,7 @@ allow hotplug_t self:process { getsession getattr };
allow hotplug_t self:fifo_file { read write getattr ioctl };
allow hotplug_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow hotplug_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept };
allow hotplug_t hotplug_etc_t:file { read getattr lock ioctl };
allow hotplug_t hotplug_etc_t:dir { read getattr lock search ioctl };
@@ -50,6 +51,13 @@ kernel_read_usb_hardware_state(hotplug_t)
bootloader_read_kernel_modules(hotplug_t)
+corenetwork_network_tcp_on_all_interfaces(hotplug_t)
+corenetwork_network_raw_on_all_interfaces(hotplug_t)
+corenetwork_network_tcp_on_all_nodes(hotplug_t)
+corenetwork_network_raw_on_all_nodes(hotplug_t)
+corenetwork_network_tcp_on_all_ports(hotplug_t)
+corenetwork_bind_tcp_on_all_nodes(hotplug_t)
+
# for SSP
devices_get_pseudorandom_data(hotplug_t)
@@ -94,8 +102,19 @@ miscfiles_read_localization(hotplug_t)
mount_transition(hotplug_t)
+sysnetwork_read_network_config(hotplug_t)
+
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
+tunable_policy(`distro_redhat', `
+optional_policy(`netutils.te', `
+# for arping used for static IP addresses on PCMCIA ethernet
+netutils_transition(hotplug_t)
+filesystem_use_tmpfs_character_devices(hotplug_t)
+') dnl endif netutils optional
+files_get_system_lock_file_attribues(hotplug_t)
+')dnl end distro_redhat tunable
+
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(hotplug_t)
terminal_ignore_use_general_pseudoterminal(hotplug_t)
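Review bot: L576 calls `files_get_system_lock_file_attribues(hotplug_t)`, but the interface added in files.if (L477) is spelled `files_get_system_lock_file_attributes`; m4 will leave the misspelled name unexpanded and the resulting policy will not compile. The line should be `files_get_system_lock_file_attributes(hotplug_t)`. The enclosing `tunable_policy(`distro_redhat'` block closes within the hunk, so this is the only call affected.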
@@ -144,13 +163,10 @@ allow hotplug_t rhgb_t:fd use;
allow hotplug_t rhgb_t:fifo_file { read write };
')
-can_exec(hotplug_t, { ls_exec_t })
-
allow kernel_t hotplug_etc_t:dir search;
allow hotplug_t sound_device_t:chr_file setattr;
-can_network_server(hotplug_t)
can_ypbind(hotplug_t)
dbusd_client(system, hotplug)
@@ -159,23 +175,10 @@ allow hotplug_t kernel_t:process sigchld;
# for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr };
-allow hotplug_t udev_runtime_t:file rw_file_perms;
-
# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
-tunable_policy(`distro_redhat', `
-optional_policy(`netutils.te', `
-# for arping used for static IP addresses on PCMCIA ethernet
-netutils_transition(hotplug_t)
-allow hotplug_t tmpfs_t:dir search;
-allow hotplug_t tmpfs_t:chr_file rw_file_perms;
-') dnl endif netutils optional
-allow hotplug_t var_lock_t:dir search;
-allow hotplug_t var_lock_t:file getattr;
-')dnl end distro_redhat tunable
-
optional_policy(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 4ea8f37..e78c4a9 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -209,6 +209,8 @@ devices_read_realtime_clock(initrc_t)
devices_read_sound_mixer_levels(initrc_t)
devices_write_sound_mixer_levels(initrc_t)
devices_set_all_character_device_attributes(initrc_t)
+# Wants to remove udev.tbl:
+devices_remove_dev_symbolic_links(initrc_t)
filesystem_register_binary_executable_type(initrc_t)
# cjp: not sure why these are here; should use mount policy
@@ -283,6 +285,7 @@ kernel_set_selinux_enforcement_mode(initrc_t)
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
bootloader_create_runtime_data(initrc_t)
+bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)
filesystem_use_tmpfs_character_devices(initrc_t)
@@ -304,6 +307,17 @@ hotplug_read_config(initrc_t)
modutils_read_kernel_module_dependencies(initrc_t)
')
+optional_policy(`rpm.te',`
+# why is this needed:
+rpm_manage_package_database(initrc_t)
+# for a bug in rm
+files_ignore_write_all_daemon_runtime_data(initrc_t)
+# bash tries ioctl for some reason
+files_ignore_ioctl_all_daemon_runtime_data(initrc_t)
+# bash tries to access a block device in the initrd
+kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
+') dnl end rpm.te
+
ifdef(`TODO',`
# Mount and unmount file systems.
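Review bot: The three dontaudit-style calls on L639, L641 and L643 (`files_ignore_write_all_daemon_runtime_data`, `files_ignore_ioctl_all_daemon_runtime_data`, `kernel_ignore_get_unlabeled_block_device_attributes`) are placed inside `optional_policy(`rpm.te'`, but none of them depend on the rpm module, so builds without rpm lose the suppressions for rm, bash and the initrd block device. They were only grouped this way in the old TODO block (L673-L686) and should be moved out of the `optional_policy` so only `rpm_manage_package_database(initrc_t)` stays inside. The comment `# why is this needed:` on L636 is an unresolved question rather than an explanation; either answer it (the removed rules at L674 said "Access /var/lib/rpm.") or mark it as a TODO.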
@@ -320,12 +334,6 @@ dontaudit initrc_t krb5_conf_t:file write;
allow initrc_t krb5_conf_t:file { getattr read };
#
-# Wants to remove udev.tbl
-#
-allow initrc_t device_t:dir rw_dir_perms;
-allow initrc_t device_t:lnk_file unlink;
-
-#
# These rules are here to allow init scripts to su
#
optional_policy(`su.te', `
@@ -343,10 +351,6 @@ file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
')dnl end distro_debian
tunable_policy(`distro_redhat', `
-# Create and read /boot/kernel.h and /boot/System.map.
-# Redhat systems typically create this file at boot time.
-allow initrc_t boot_t:lnk_file rw_file_perms;
-
# readahead asks for these
allow initrc_t var_lib_nfs_t:file { getattr read };
')dnl end distro_redhat
@@ -360,19 +364,4 @@ dontaudit initrc_t mail_spool_t:lnk_file read;
# for lsof which is used by alsa shutdown
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-optional_policy(`rpm.te',`
-# Access /var/lib/rpm.
-allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
-allow initrc_t rpm_var_lib_t:file create_file_perms;
-
-# for a bug in rm
-dontaudit initrc_t pidfile:file write;
-
-# bash tries to access a block device in the initrd
-dontaudit initrc_t unlabeled_t:blk_file getattr;
-
-# bash tries ioctl for some reason
-dontaudit initrc_t pidfile:file ioctl;
-') dnl end rpm.te
-
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index fdaad08..9a611c6 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -94,9 +94,10 @@ miscfiles_read_localization(local_login_t)
selinux_read_config(local_login_t)
selinux_read_default_contexts(local_login_t)
+userdomain_use_all_unprivileged_users_file_descriptors(local_login_t)
ifdef(`TODO',`
-allow local_login_t unpriv_userdomain:fd use;
+
can_ypbind(local_login_t)
ifdef(`automount.te', `
allow local_login_t autofs_t:dir { search getattr };
@@ -240,6 +241,8 @@ selinux_read_default_contexts(sulogin_t)
authlogin_read_shadow_passwords(sulogin_t)
+userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)
+
# suse and debian do not use pam with sulogin...
ifdef(`monolithic_policy',`
ifdef(`distro_suse', `define(`sulogin_no_pam')')
@@ -249,7 +252,6 @@ ifdef(`distro_debian', `define(`sulogin_no_pam')')
tunable_policy(`sulogin_no_pam', `
allow sulogin_t self:capability sys_tty_config;
init_get_process_group(sulogin_t)
-#domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
', `
allow sulogin_t self:process setexec;
kernel_get_selinuxfs_mount_point(sulogin_t)
@@ -258,17 +260,18 @@ kernel_compute_selinux_access_vector(sulogin_t)
kernel_compute_selinux_create_context(sulogin_t)
kernel_compute_selinux_relabel_context(sulogin_t)
kernel_compute_selinux_reachable_user_contexts(sulogin_t)
-#domain_trans(sulogin_t, shell_exec_t, sysadm_t)
')
ifdef(`TODO',`
-allow sulogin_t unpriv_userdomain:fd use;
+
+domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
+allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
+
can_ypbind(sulogin_t)
ifdef(`automount.te', `
allow sulogin_t autofs_t:dir { search getattr };
')
-allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
# because file systems are not mounted
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 97a80d3..7080d0b 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -69,6 +69,8 @@ files_read_runtime_system_config(insmod_t)
files_read_general_system_config(insmod_t)
files_read_general_application_resources(insmod_t)
files_execute_system_config_script(insmod_t)
+# for nscd
+files_ignore_search_runtime_data_directory(insmod_t)
init_use_file_descriptors(insmod_t)
init_script_use_file_descriptors(insmod_t)
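Review bot: `files_ignore_search_runtime_data_directory(insmod_t)` on L746 replaces the removed `dontaudit insmod_t var_run_t:dir search;` (L753), but no interface of that name is added by the files.if hunks in this commit. If it does not already exist in files.if, m4 will leave the call unexpanded and the build will fail; please confirm the interface is present and that it is a dontaudit on `var_run_t:dir search` so the change stays behavior-preserving.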
@@ -113,8 +115,6 @@ allow insmod_t usbfs_t:filesystem mount;
# for when /var is not mounted early in the boot
dontaudit insmod_t file_t:dir search;
-# for nscd
-dontaudit insmod_t var_run_t:dir search;
') dnl if TODO
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index b2e18b0..42c28cd 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -36,7 +36,7 @@ filesystem_get_persistent_filesystem_attributes(mount_t)
filesystem_mount_all_filesystems(mount_t)
filesystem_unmount_all_filesystems(mount_t)
filesystem_remount_all_filesystems(mount_t)
-files_unmount_root_filesystem(mount_t)
+filesystem_relabelfrom_persistent_filesystem(mount_t)
terminal_use_console(mount_t)
@@ -51,6 +51,11 @@ files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
files_read_general_system_config(mount_t)
files_create_runtime_system_config(mount_t)
files_mount_on_all_mountpoints(mount_t)
+files_unmount_root_filesystem(mount_t)
+# These rules need to be generalized. Only admin, initrc should have it:
+files_relabelto_all_file_type_filesystems(mount_t)
+files_mount_all_file_type_filesystems(mount_t)
+files_mount_all_file_type_filesystems(mount_t)
init_use_file_descriptors(mount_t)
init_script_use_pseudoterminal(mount_t)
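Review bot: L774 repeats `files_mount_all_file_type_filesystems(mount_t)` from L773, so the `unmount` permission that the removed rule on L792 (`{ unmount mount relabelto }`) granted is never re-added. L774 should read `files_unmount_all_file_type_filesystems(mount_t)`. Note that the unmount interface as added in files.if currently grants `mount` as well, so both fixes are needed for mount_t to keep its unmount permission.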
@@ -71,7 +76,7 @@ allow mount_t tmpfs_t:dir mounton;
optional_policy(`authlogin.te',`
authlogin_pam_console_read_runtime_data(mount_t)
# mount config by default sets fscontext=removable_t
-allow mount_t dosfs_t:filesystem relabelfrom;
+filesystem_relabelfrom_dos_filesystem(mount_t)
') dnl end authlogin
') dnl end distro_redhat
@@ -112,12 +117,6 @@ files_make_mountpoint(var_lib_nfs_t)
# for when /etc/mtab loses its type
allow mount_t file_t:file { getattr read unlink };
-# TODO: Need macro for granting relabelto, relabelfrom
-allow mount_t fs_t:filesystem relabelfrom;
-
-# This rule needs to be generalized. Only admin, initrc should have it.
-allow mount_t file_type:filesystem { unmount mount relabelto };
-
ifdef(`gnome-pty-helper.te', `
allow mount_t sysadm_gph_t:fd use;
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index d53d9fa..e0b7ab2 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -105,6 +105,8 @@ storage_get_fixed_disk_attributes($1_t)
authlogin_read_login_records($1_t)
authlogin_ignore_write_login_records($1_t)
+authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
corecommands_execute_general_programs($1_t)
corecommands_execute_system_programs($1_t)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 9daa601..b47b421 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -98,6 +98,10 @@ admin_domain_template(sysadm)
# for su
allow sysadm_t userdomain:fd use;
+optional_policy(`bootloader.te',`
+bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
optional_policy(`iptables.te',`
iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')
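Review bot: `bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)` on L816 is not defined by the bootloader.if hunk in this commit, which only adds the symbolic-link interface, so if it is not already present in bootloader.if the call will be left unexpanded and the build will fail. The rules it replaces (bootloader.te L127-L128) used `admin_tty_type` for the terminal, whereas this call passes `admin_terminal`; please confirm the two names denote the same set of terminal types, otherwise the bootloader domain gains or loses terminal access silently.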