[selinux-policy: 232/3172] more cab work
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:25:01 UTC 2010
commit d115b24712e9dbc481bbd5a65067bb23f9e3b3ad
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue May 31 23:02:11 2005 +0000
more cab work
refpolicy/policy/modules/kernel/devices.if | 15 +++
refpolicy/policy/modules/system/files.if | 18 ++++
refpolicy/policy/modules/system/getty.te | 8 +-
refpolicy/policy/modules/system/init.if | 62 ++++++++-----
refpolicy/policy/modules/system/init.te | 116 +++++++++++++-----------
refpolicy/policy/modules/system/iptables.te | 32 ++++---
refpolicy/policy/modules/system/locallogin.te | 7 ++
refpolicy/policy/modules/system/logging.te | 20 +++--
refpolicy/policy/modules/system/lvm.te | 19 +++--
refpolicy/policy/modules/system/sysnetwork.fc | 10 +-
refpolicy/policy/modules/system/sysnetwork.te | 90 +++++++++++---------
11 files changed, 240 insertions(+), 157 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 75f8cd4..cfd1c5b 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -124,6 +124,21 @@ class blk_file getattr;
########################################
#
+# devices_manage_generic_block_device(domain)
+#
+define(`devices_manage_generic_block_device',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir rw_dir_perms;
+allow $1 device_t:blk_file create_file_perms;
+')
+
+define(`devices_manage_generic_block_device_depend',`
+type device_t;
+class blk_file create_file_perms;
+')
+
+########################################
+#
# devices_add_generic_character_device(domain)
#
define(`devices_add_generic_character_device',`
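Review bot: The `_depend` template of `devices_manage_generic_block_device` declares `class blk_file create_file_perms;` but not the dir permissions its body uses in `allow $1 device_t:dir rw_dir_perms;`, so a module that relies on the depend block for its requirements may fail to link; add `class dir rw_dir_perms;` beside the `blk_file` line, the way `files_read_all_daemon_runtime_data_depend` in this same commit lists both classes. The interface also hands the caller create, unlink and rename of block device nodes under `device_t` directories, which is a strong grant for a generic interface; the header comment, which currently gives only the name, should state that scope, e.g. `# Create, read, write and delete generic block device nodes in /dev.`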
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index f584555..8f43850 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1040,6 +1040,24 @@ class file ioctl;
########################################
#
+# files_read_all_daemon_runtime_data(domain)
+#
+define(`files_read_all_daemon_runtime_data',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 pidfile:dir r_dir_perms;
+allow $1 pidfile:file r_file_perms;
+')
+
+define(`files_read_all_daemon_runtime_data_depend',`
+attribute pidfile;
+type var_t;
+class dir r_dir_perms;
+class file r_file_perms;
+')
+
+########################################
+#
# files_remove_all_daemon_runtime_data(domain)
#
define(`files_remove_all_daemon_runtime_data',`
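Review bot: `files_read_all_daemon_runtime_data` grants `search` on `var_t` but nothing on the `/var/run` directory itself, so unless `var_run_t` carries the `pidfile` attribute the `r_dir_perms` granted on `pidfile` is not reachable by path from `/var`; this cannot be confirmed from the hunk, so check files.te and, if needed, add `allow $1 var_run_t:dir search;` together with `type var_run_t;` in the depend block. The header comment carries only the name; a line such as `# Read the pid files of every daemon (all types with the pidfile attribute).` would make the breadth of the attribute-based grant visible to callers.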
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index ce2f2a6..8d2f593 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -52,15 +52,17 @@ filesystem_get_persistent_filesystem_attributes(getty_t)
terminal_use_all_terminals(getty_t)
terminal_set_console_attributes(getty_t)
-init_script_modify_runtime_data(getty_t)
-init_script_use_pseudoterminal(getty_t)
+authlogin_modify_login_records(getty_t)
+
+corecommands_search_general_programs_directory(getty_t)
files_modify_system_runtime_data(getty_t)
files_manage_system_lock_files(getty_t)
files_read_runtime_system_config(getty_t)
files_read_general_system_config(getty_t)
-authlogin_modify_login_records(getty_t)
+init_script_modify_runtime_data(getty_t)
+init_script_use_pseudoterminal(getty_t)
libraries_use_dynamic_loader(getty_t)
libraries_use_shared_libraries(getty_t)
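Review bot: `corecommands_search_general_programs_directory(getty_t)` is the only new grant in this hunk and it arrives without a comment, unlike the reordered calls around it which are at least grouped by module; what getty looks up in that directory is not visible here, so a hedged why-comment above the line, e.g. `# needed because: <reason - fill in>`, would stop it from reading as an unexplained grant at the next review. Everything else in the hunk only reorders existing interface calls alphabetically.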
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index a0e3d42..61e2c01 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -70,12 +70,14 @@ define(`init_make_daemon_domain',`
')
define(`init_make_daemon_domain_depend',`
-type initrc_t;
-class file { getattr read execute };
-class fifo_file rw_file_perms;
-class fd use;
-class process { transition noatsecure siginh rlimitinh sigchld };
-role system_r;
+ type initrc_t;
+
+ role system_r;
+
+ class file { getattr read execute };
+ class fifo_file rw_file_perms;
+ class fd use;
+ class process { transition noatsecure siginh rlimitinh sigchld };
')
########################################
@@ -83,27 +85,39 @@ role system_r;
# init_make_system_domain(domain,entrypointfile)
#
define(`init_make_system_domain',`
-requires_block_template(`$0'_depend)
-domain_make_domain($1)
-domain_make_entrypoint_file($1,$2)
-role system_r types $1;
-allow initrc_t $1:process transition;
-allow initrc_t $2:file { getattr read execute };
-dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-type_transition initrc_t $2:process $1;
-allow initrc_t $1:fd use;
-allow $1 initrc_t:fd use;
-allow $1 initrc_t:fifo_file rw_file_perms;
-allow $1 initrc_t:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ domain_make_domain($1)
+ domain_make_entrypoint_file($1,$2)
+
+ role system_r types $1;
+
+ allow initrc_t $1:process transition;
+ allow initrc_t $2:file { getattr read execute };
+ dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
+ type_transition initrc_t $2:process $1;
+
+ allow initrc_t $1:fd use;
+ allow $1 initrc_t:fd use;
+ allow $1 initrc_t:fifo_file rw_file_perms;
+ allow $1 initrc_t:process sigchld;
+
+ # Red Hat systems seem to have a stray
+ # fd open from the initrd
+ optional_policy(`distro_redhat',`
+ kernel_ignore_use_file_descriptors($1)
+ files_ignore_read_rootfs_file($1)
+ ')
')
define(`init_make_system_domain_depend',`
-type initrc_t;
-class file { getattr read execute };
-class fd use;
-class fifo_file rw_file_perms;
-class process { transition noatsecure siginh rlimitinh sigchld };
-role system_r;
+ type initrc_t;
+ role system_r;
+
+ class file { getattr read execute };
+ class fd use;
+ class fifo_file rw_file_perms;
+ class process { transition noatsecure siginh rlimitinh sigchld };
')
########################################
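Review bot: The block appended to `init_make_system_domain` conditions `distro_redhat` with `optional_policy(...)`, while the same condition is written `tunable_policy(`distro_redhat',...)` in init.te and `ifdef(`distro_redhat', ...)` in sysnetwork.te within this very commit; `optional_policy` is the construct for the presence of another module, so the distro conditional here (and the identical one added to locallogin.te) is likely evaluated differently from the rest of the policy or not at all. Use one form in both places, `tunable_policy(`distro_redhat',` being what init.te uses. The effect of a mis-evaluated conditional is limited since the two calls are presumably dontaudit rules, but a wrong construct in a template interface is copied into every system domain. The comment `# Red Hat systems seem to have a stray fd open from the initrd` is now duplicated in three files; keeping the author's hedge is fine, but one copy should carry the actual observation the others refer to.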
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 7670b6c..10726ae 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -141,17 +141,17 @@ selinux_read_config(init_t)
miscfiles_read_localization(init_t)
tunable_policy(`distro_redhat',`
-filesystem_use_tmpfs_character_devices(init_t)
-filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
+ filesystem_use_tmpfs_character_devices(init_t)
+ filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
')
optional_policy(`authlogin.te',`
-authlogin_modify_login_records(init_t)
+ authlogin_modify_login_records(init_t)
')
# Run the shell in the sysadm_t domain for single-user mode.
optional_policy(`userdomain.te',`
-userdomain_sysadm_shell_transition(init_t)
+ userdomain_sysadm_shell_transition(init_t)
')
########################################
@@ -272,6 +272,7 @@ domain_ignore_get_all_domains_pipe_attributes(initrc_t)
files_get_all_file_attributes(initrc_t)
files_remove_all_tmp_data(initrc_t)
files_remove_all_lock_files(initrc_t)
+files_read_all_daemon_runtime_data(initrc_t)
files_remove_all_daemon_runtime_data(initrc_t)
files_read_general_system_config(initrc_t)
files_manage_runtime_system_config(initrc_t)
@@ -279,6 +280,7 @@ files_manage_system_lock_files(initrc_t)
files_execute_system_config_script(initrc_t)
files_read_general_application_resources(initrc_t)
files_manage_pseudorandom_saved_seed(initrc_t)
+files_manage_system_spools(initrc_t)
libraries_modify_dynamic_loader_cache(initrc_t)
libraries_use_dynamic_loader(initrc_t)
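Review bot: `files_manage_system_spools(initrc_t)` stands in for the TODO-section rule `allow initrc_t var_spool_t:file rw_file_perms;` that this commit deletes further down, and a manage-style interface presumably also covers create, unlink and rename on spool files and their directories, which is wider than the read/write it replaces. If init scripts only truncate or rewrite existing spool files, a read/write variant would keep initrc_t at the old grant; either way a one-line comment naming the service whose init script needs it would make the grant auditable.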
@@ -307,61 +309,71 @@ userdomain_read_all_users_data(initrc_t)
userdomain_use_admin_terminals(initrc_t)
tunable_policy(`distro_debian', `
-filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir)
+ filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir)
')
tunable_policy(`distro_redhat',`
-kernel_set_selinux_enforcement_mode(initrc_t)
+ # Red Hat systems seem to have a stray
+ # fd open from the initrd
+ kernel_ignore_use_file_descriptors(initrc_t)
+ files_ignore_read_rootfs_file(initrc_t)
-# Create and read /boot/kernel.h and /boot/System.map.
-# Redhat systems typically create this file at boot time.
-bootloader_create_runtime_data(initrc_t)
-bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)
+ kernel_set_selinux_enforcement_mode(initrc_t)
-# These seem to be from the initrd:
-kernel_use_file_descriptors(initrc_t)
-# during device initialization:
-devices_legacy_use_dev_zero(initrc_t)
-devices_legacy_raw_read_memory(initrc_t)
-devices_legacy_raw_write_memory(initrc_t)
-storage_raw_read_fixed_disk(initrc_t)
-storage_raw_write_fixed_disk(initrc_t)
+ # Create and read /boot/kernel.h and /boot/System.map.
+ # Redhat systems typically create this file at boot time.
+ bootloader_create_runtime_data(initrc_t)
+ bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)
-filesystem_use_tmpfs_character_devices(initrc_t)
+ # These seem to be from the initrd
+ # during device initialization:
+ devices_legacy_use_dev_zero(initrc_t)
+ devices_legacy_raw_read_memory(initrc_t)
+ devices_legacy_raw_write_memory(initrc_t)
+ storage_raw_read_fixed_disk(initrc_t)
+ storage_raw_write_fixed_disk(initrc_t)
-files_create_boot_flag(initrc_t)
+ filesystem_use_tmpfs_character_devices(initrc_t)
-# readahead asks for these
-mta_read_mail_aliases(initrc_t)
+ files_create_boot_flag(initrc_t)
+
+ # readahead asks for these
+ mta_read_mail_aliases(initrc_t)
') dnl end distro_redhat
optional_policy(`hotplug.te',`
-kernel_read_usb_hardware_state(initrc_t)
-# init scripts run /etc/hotplug/usb.rc
-hotplug_read_config(initrc_t)
-modutils_read_kernel_module_dependencies(initrc_t)
+ kernel_read_usb_hardware_state(initrc_t)
+
+ # init scripts run /etc/hotplug/usb.rc
+ hotplug_read_config(initrc_t)
+
+ modutils_read_kernel_module_dependencies(initrc_t)
')
optional_policy(`lvm.te',`
-#allow initrc_t lvm_control_t:chr_file unlink;
-devices_read_lvm_control_channel(initrc_t)
-devices_add_generic_character_device(initrc_t)
+ #allow initrc_t lvm_control_t:chr_file unlink;
+
+ devices_read_lvm_control_channel(initrc_t)
+ devices_add_generic_character_device(initrc_t)
')
optional_policy(`rhgb.te',`
-corecommands_make_shell_entrypoint(initrc_t)
+ corecommands_make_shell_entrypoint(initrc_t)
')
optional_policy(`rpm.te',`
-# why is this needed:
-rpm_manage_package_database(initrc_t)
-# for a bug in rm
-files_ignore_write_all_daemon_runtime_data(initrc_t)
-# bash tries ioctl for some reason
-files_ignore_ioctl_all_daemon_runtime_data(initrc_t)
-# bash tries to access a block device in the initrd
-kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
+ # bash tries to access a block device in the initrd
+ kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
+
+ # for a bug in rm
+ files_ignore_write_all_daemon_runtime_data(initrc_t)
+
+ # bash tries ioctl for some reason
+ files_ignore_ioctl_all_daemon_runtime_data(initrc_t)
+
+ # why is this needed:
+ rpm_manage_package_database(initrc_t)
') dnl end rpm.te
ifdef(`TODO',`
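Review bot: The comment `# These seem to be from the initrd` / `# during device initialization:` now reads as one sentence above the `devices_legacy_*` and `storage_raw_*` rules, but in the removed text the first line described `kernel_use_file_descriptors`, which this hunk turns into `kernel_ignore_use_file_descriptors` plus `files_ignore_read_rootfs_file` under their own comment higher up. Drop the first line so that what remains is `# during device initialization:` (or fold the initrd attribution into the new comment above), otherwise the initrd explanation is attached to the wrong rules. The switch from `kernel_use_file_descriptors` to the `_ignore_` form is presumably allow-to-dontaudit, which is a real tightening and worth a word in the commit message. The raw memory and fixed-disk read/write grants survive the reshuffle unchanged; nothing on the page explains why initrc_t on Red Hat needs `devices_legacy_raw_write_memory`, so even a hedged comment would help a later least-privilege pass.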
@@ -369,8 +381,6 @@ ifdef(`TODO',`
# Mount and unmount file systems.
allow initrc_t { file_t default_t }:dir { read search getattr mounton };
-allow initrc_t var_spool_t:file rw_file_perms;
-
# Set device ownerships/modes.
allow initrc_t xconsole_device_t:fifo_file setattr;
@@ -388,24 +398,24 @@ role system_r types initrc_su_t;
')
tunable_policy(`distro_debian', `
-allow initrc_t { etc_t device_t }:dir setattr;
+ allow initrc_t { etc_t device_t }:dir setattr;
-# for storing state under /dev/shm
-allow initrc_t tmpfs_t:dir setattr;
-file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
-')dnl end distro_debian
+ # for storing state under /dev/shm
+ allow initrc_t tmpfs_t:dir setattr;
+ file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
+')
tunable_policy(`distro_redhat', `
-# readahead asks for these
-allow initrc_t var_lib_nfs_t:file { getattr read };
-')dnl end distro_redhat
+ # readahead asks for these
+ allow initrc_t var_lib_nfs_t:file { getattr read };
+')
tunable_policy(`targeted_policy', `
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-') dnl endif targeted policy
+ domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+ allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+ allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+ domain_trans(initrc_t, shell_exec_t, unconfined_t)
+')
#
# Shutting down xinet causes these
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 883d7a6..7968851 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -72,32 +72,36 @@ sysnetwork_ifconfig_transition(iptables_t)
userdomain_use_all_users_file_descriptors(iptables_t)
tunable_policy(`use_dns',`
-allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_network_udp_on_all_interfaces(iptables_t)
-corenetwork_network_raw_on_all_interfaces(iptables_t)
-corenetwork_network_udp_on_all_nodes(iptables_t)
-corenetwork_network_raw_on_all_nodes(iptables_t)
-corenetwork_bind_udp_on_all_nodes(iptables_t)
-corenetwork_network_udp_on_dns_port(iptables_t)
-sysnetwork_read_network_config(iptables_t)
+ allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+
+ corenetwork_network_udp_on_all_interfaces(iptables_t)
+ corenetwork_network_raw_on_all_interfaces(iptables_t)
+ corenetwork_network_udp_on_all_nodes(iptables_t)
+ corenetwork_network_raw_on_all_nodes(iptables_t)
+ corenetwork_bind_udp_on_all_nodes(iptables_t)
+ corenetwork_network_udp_on_dns_port(iptables_t)
+
+ sysnetwork_read_network_config(iptables_t)
')
optional_policy(`modutils.te', `
-modutils_insmod_transition(iptables_t)
+ corecommands_search_system_programs_directory(iptables_t)
+ modutils_insmod_transition(iptables_t)
')
optional_policy(`selinux.te',`
-selinux_newrole_sigchld(iptables_t)
+ selinux_newrole_sigchld(iptables_t)
')
optional_policy(`udev.te', `
-udev_read_database(iptables_t)
+ udev_read_database(iptables_t)
')
tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(iptables_t)
-terminal_ignore_use_general_pseudoterminal(iptables_t)
-files_ignore_read_rootfs_file(iptables_t)
+ terminal_ignore_use_general_physical_terminal(iptables_t)
+ terminal_ignore_use_general_pseudoterminal(iptables_t)
+
+ files_ignore_read_rootfs_file(iptables_t)
')
ifdef(`TODO',`
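Review bot: `corecommands_search_system_programs_directory(iptables_t)` is added inside `optional_policy(`modutils.te', ...)` without a comment; its placement implies it exists only for the `modutils_insmod_transition` that follows, presumably so the module loader can be located by path, and if that is the reason it should be stated, e.g. `# locate the module loader for the insmod transition below`. If the search is needed regardless of modutils, it belongs outside the optional block instead. The rest of the hunk is re-indentation only.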
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 23ddcdc..b3e4fb5 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -107,6 +107,13 @@ userdomain_use_all_unprivileged_users_file_descriptors(local_login_t)
# Search for mail spool file.
mta_get_mail_spool_attributes(local_login_t)
+# Red Hat systems seem to have a stray
+# fd open from the initrd
+optional_policy(`distro_redhat',`
+ kernel_ignore_use_file_descriptors(local_login_t)
+ files_ignore_read_rootfs_file(local_login_t)
+')
+
ifdef(`TODO',`
can_ypbind(local_login_t)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 22ac4cb..3354d25 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -74,9 +74,16 @@ miscfiles_read_localization(klogd_t)
# syslogd local policy
#
-# Use capabilities.
allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:process signal_perms;
+
+# receive messages to be logged
+allow syslogd_t self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+allow syslogd_t self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow syslogd_t self:unix_dgram_socket sendto;
+allow syslogd_t self:fifo_file { getattr read write ioctl lock };
+allow syslogd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
# create/append log files.
allow syslogd_t var_log_t:dir rw_dir_perms;
@@ -89,17 +96,12 @@ files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
-# receive messages to be logged
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
-allow syslogd_t self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-allow syslogd_t self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:fifo_file { getattr read write ioctl lock };
-
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
+# I belive these are not needed:
+allow syslogd_t devlog_t:unix_stream_socket name_bind;
+allow syslogd_t devlog_t:unix_dgram_socket name_bind;
# manage pid file
allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
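Review bot: The two `devlog_t` `name_bind` rules are kept as `allow` under the new comment `# I belive these are not needed:`, so the doubt is recorded but the grant stays; a rule believed unnecessary should either be removed after checking the audit log without it, or turned into `dontaudit` so that any real use surfaces, rather than remain a permanent allow. If I read the access-vector model correctly, binding a unix socket to `/dev/log` is checked on the `devlog_t:sock_file` create rule directly above, which supports the author's suspicion. Also `belive` should read `believe`.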
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 7438aa9..f3cd829 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -90,6 +90,7 @@ devices_get_random_data(lvm_t)
devices_get_pseudorandom_data(lvm_t)
devices_use_lvm_control_channel(lvm_t)
devices_manage_dev_symbolic_links(lvm_t)
+devices_manage_generic_block_device(lvm_t)
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
devices_ignore_get_all_character_device_attributes(lvm_t)
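Review bot: `devices_manage_generic_block_device(lvm_t)` replaces the TODO rule `allow lvm_t device_t:blk_file { ... }` that this commit removes further down, but the interface as defined in devices.if in this same commit also grants `device_t:dir rw_dir_perms`, which the old rule did not; that is what creating or removing nodes in /dev actually requires, so the widening looks intended, but it deserves a comment here since every neighbouring line explains its grant, e.g. `# lvm creates and removes device nodes under /dev`.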
@@ -136,27 +137,29 @@ selinux_read_file_contexts(lvm_t)
selinux_newrole_sigchld(lvm_t)
tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(lvm_t)
-terminal_ignore_use_general_pseudoterminal(lvm_t)
-files_ignore_read_rootfs_file(lvm_t)
-')dnl end targeted_policy tunable
+ terminal_ignore_use_general_physical_terminal(lvm_t)
+ terminal_ignore_use_general_pseudoterminal(lvm_t)
+
+ files_ignore_read_rootfs_file(lvm_t)
+')
optional_policy(`bootloader.te',`
-bootloader_modify_temporary_data(lvm_t)
+ bootloader_modify_temporary_data(lvm_t)
')
optional_policy(`udev.te', `
-udev_read_database(lvm_t)
+ udev_read_database(lvm_t)
')
ifdef(`TODO',`
allow lvm_t autofs_t:dir { search getattr };
-allow lvm_t device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
-
allow lvm_t default_context_t:dir search;
allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
+
+# cjp: ? this has no effect since LVM does not
+# have lnk_file relabelto for anything else.
allow lvm_t device_t:lnk_file { relabelfrom relabelto };
dontaudit lvm_t var_run_t:dir getattr;
diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc
index 5a3823a..65b5c53 100644
--- a/refpolicy/policy/modules/system/sysnetwork.fc
+++ b/refpolicy/policy/modules/system/sysnetwork.fc
@@ -8,13 +8,13 @@
#
# /etc
#
-#/etc/dhclient.*conf -- context_template(system_u:object_r:dhcp_etc_t,s0)
-#/etc/dhclient-script -- context_template(system_u:object_r:dhcp_etc_t,s0)
-#/etc/dhcpc.* context_template(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhclient.*conf -- context_template(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhclient-script -- context_template(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcpc.* context_template(system_u:object_r:dhcp_etc_t,s0)
/etc/resolv\.conf.* -- context_template(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- context_template(system_u:object_r:net_conf_t,s0)
-#/etc/dhcp3?/dhclient.* context_template(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcp3?/dhclient.* context_template(system_u:object_r:dhcp_etc_t,s0)
#
# /sbin
@@ -40,7 +40,7 @@
#
# /var
#
-#/var/lib/dhcp3? -d context_template(system_u:object_r:dhcp_state_t,s0)
+/var/lib/dhcp3? -d context_template(system_u:object_r:dhcp_state_t,s0)
/var/lib/dhcp3?/dhclient.* context_template(system_u:object_r:dhcpc_state_t,s0)
/var/run/dhclient.*\.pid -- context_template(system_u:object_r:dhcpc_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index afd7f46..1531a7a 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -7,6 +7,15 @@ policy_module(sysnetwork,1.0)
# Declarations
#
+# this is shared between dhcpc and dhcpd:
+type dhcp_etc_t; #, usercanread;
+typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+files_make_file(dhcp_etc_t)
+
+# this is shared between dhcpc and dhcpd:
+type dhcp_state_t;
+files_make_file(dhcp_state_t)
+
type dhcpc_t;
type dhcpc_exec_t;
init_make_daemon_domain(dhcpc_t,dhcpc_exec_t)
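Review bot: `dhcp_etc_t` and `dhcp_state_t` are now declared unconditionally in sysnetwork.te although the comment says they are shared with dhcpd, and the `ifdef(`dhcpd.te', ...)` guard removed at the bottom of this file was what prevented a double declaration; confirm that dhcpd.te no longer declares these types or the aliases `etc_dhcp_t etc_dhcpc_t etc_dhcpd_t`, otherwise the two modules will not build together. The `#, usercanread;` tail on `type dhcp_etc_t;` is residue from the old attribute list; remove it or make it a real note such as `# was usercanread in the old policy; no equivalent interface yet`.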
@@ -38,20 +47,24 @@ dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
+allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
+
+allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
+allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
+allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };
+
+allow dhcpc_t dhcpc_state_t:dir rw_dir_perms;
+allow dhcpc_t dhcpc_state_t:file create_file_perms;
+type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
+
# create pid file
allow dhcpc_t dhcpc_var_run_t:file { getattr create read write append setattr unlink };
files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
-# transition to ifconfig
-allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
-allow dhcpc_t ifconfig_t:process transition;
-type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
-dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
-allow dhcpc_t ifconfig_t:fd use;
-allow ifconfig_t dhcpc_t:fd use;
-allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
-allow ifconfig_t dhcpc_t:process sigchld;
-
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
allow dhcpc_t net_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
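Review bot: The new `type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;` has no matching directory grant: the only dir rule added is `allow dhcpc_t dhcpc_state_t:dir rw_dir_perms;`, but the transition fires when dhcpc creates a file inside a `dhcp_state_t` directory (how sysnetwork.fc labels `/var/lib/dhcp3?` in this commit), so without `allow dhcpc_t dhcp_state_t:dir rw_dir_perms;` the create is denied and the transition never takes effect. The removed `file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)` presumably carried that directory permission, so this reads as a regression that will show up as a denial on the state directory. The carried-over `dhcp_etc_t:file { r_file_perms execute execute_no_trans }` lets the client run its configuration scripts inside dhcpc_t; a comment naming `dhclient-script` as the reason would document why a config type is executable here.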
@@ -62,15 +75,18 @@ allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unli
allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
-allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
-
-allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
-
allow dhcpc_t dhcpc_exec_t:file { getattr read execute execute_no_trans };
+# transition to ifconfig
+allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
+allow dhcpc_t ifconfig_t:process transition;
+type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
+dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
+allow dhcpc_t ifconfig_t:fd use;
+allow ifconfig_t dhcpc_t:fd use;
+allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
+allow ifconfig_t dhcpc_t:process sigchld;
+
kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
kernel_read_kernel_sysctl(dhcpc_t)
@@ -121,34 +137,39 @@ miscfiles_read_localization(dhcpc_t)
modutils_insmod_transition(dhcpc_t)
+ifdef(`distro_redhat', `
+ files_execute_system_config_script(dhcpc_t)
+')
+
tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(dhcpc_t)
-terminal_ignore_use_general_pseudoterminal(dhcpc_t)
-files_ignore_read_rootfs_file(dhcpc_t)
+ terminal_ignore_use_general_physical_terminal(dhcpc_t)
+ terminal_ignore_use_general_pseudoterminal(dhcpc_t)
+
+ files_ignore_read_rootfs_file(dhcpc_t)
')
optional_policy(`consoletype.te',`
-consoletype_transition(dhcpc_t)
+ consoletype_transition(dhcpc_t)
')
optional_policy(`hostname.te',`
-hostname_transition(dhcpc_t)
+ hostname_transition(dhcpc_t)
')
optional_policy(`nscd.te',`
-nscd_transition(dhcpc_t)
+ nscd_transition(dhcpc_t)
')
optional_policy(`selinux.te',`
-selinux_newrole_sigchld(dhcpc_t)
+ selinux_newrole_sigchld(dhcpc_t)
')
optional_policy(`udev.te',`
-udev_read_database(dhcpc_t)
+ udev_read_database(dhcpc_t)
')
optional_policy(`userdomain.te',`
-userdomain_use_all_users_file_descriptors(dhcpc_t)
+ userdomain_use_all_users_file_descriptors(dhcpc_t)
')
#
@@ -156,10 +177,10 @@ userdomain_use_all_users_file_descriptors(dhcpc_t)
#
init_script_execute(dhcpc_t)
optional_policy(`ypbind.te',`
-ypbind_transition(dhcpc_t)
+ ypbind_transition(dhcpc_t)
')
optional_policy(`ntpd.te',`
-ntpd_transition(dhcpc_t)
+ ntpd_transition(dhcpc_t)
')
ifdef(`TODO',`
@@ -201,24 +222,11 @@ allow ping_t cardmgr_t:fd use;
') dnl end if cardmgr
') dnl end if ping
-ifdef(`dhcpd.te', `', `
-#type dhcp_state_t, file_type, sysadmfile;
-#type dhcp_etc_t, file_type, sysadmfile, usercanread;
-#typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
-')
-
-allow dhcpc_t dhcp_etc_t:dir { getattr read search };
-allow dhcpc_t dhcp_etc_t:file { read getattr };
-allow dhcpc_t dhcp_etc_t:lnk_file { getattr read };
-allow dhcpc_t dhcp_etc_t:file { getattr read execute execute_no_trans };
-
ifdef(`distro_redhat', `
-files_execute_system_config_script(dhcpc_t)
allow initrc_t dhcp_etc_t:file rw_file_perms;
')
allow dhcpc_t var_lib_t:dir search;
-file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
allow dhcpc_t home_root_t:dir search;
allow initrc_t dhcpc_state_t:file { getattr read };