[selinux-policy: 656/3172] more updates

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:01:37 UTC 2010


commit 98a8ead4c549099d050d2a2ca6ca92a88929ce66
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Sep 15 21:03:29 2005 +0000

    more updates

 refpolicy/Changelog                               |    2 +
 refpolicy/policy/global_tunables                  |   13 ++-
 refpolicy/policy/modules/admin/logrotate.te       |    7 ++-
 refpolicy/policy/modules/admin/netutils.te        |    1 +
 refpolicy/policy/modules/kernel/corenetwork.if.in |   56 +++++++++++++-
 refpolicy/policy/modules/kernel/devices.if        |   19 +++++
 refpolicy/policy/modules/kernel/filesystem.if     |   38 +++++++++
 refpolicy/policy/modules/kernel/filesystem.te     |    9 ++-
 refpolicy/policy/modules/kernel/kernel.if         |   19 ++++-
 refpolicy/policy/modules/kernel/selinux.if        |   22 +++++
 refpolicy/policy/modules/services/bind.if         |   18 ++++
 refpolicy/policy/modules/services/bind.te         |   23 +++--
 refpolicy/policy/modules/services/cron.te         |    1 -
 refpolicy/policy/modules/services/kerberos.if     |    5 +-
 refpolicy/policy/modules/services/mta.if          |   11 +---
 refpolicy/policy/modules/services/mta.te          |   21 +----
 refpolicy/policy/modules/services/mysql.te        |    7 ++-
 refpolicy/policy/modules/services/nis.if          |    9 ++-
 refpolicy/policy/modules/services/nscd.te         |   10 ++-
 refpolicy/policy/modules/services/ntp.if          |   14 +++
 refpolicy/policy/modules/services/remotelogin.te  |   20 ++---
 refpolicy/policy/modules/services/sendmail.te     |    5 -
 refpolicy/policy/modules/services/ssh.if          |    9 +--
 refpolicy/policy/modules/system/authlogin.if      |   38 +++-------
 refpolicy/policy/modules/system/authlogin.te      |   29 ++-----
 refpolicy/policy/modules/system/hostname.te       |   20 +----
 refpolicy/policy/modules/system/hotplug.if        |    4 +-
 refpolicy/policy/modules/system/hotplug.te        |   12 ++--
 refpolicy/policy/modules/system/init.if           |    6 +-
 refpolicy/policy/modules/system/init.te           |   10 +++
 refpolicy/policy/modules/system/ipsec.te          |    9 ++-
 refpolicy/policy/modules/system/iptables.te       |   14 +---
 refpolicy/policy/modules/system/libraries.if      |    3 +-
 refpolicy/policy/modules/system/locallogin.te     |   11 ++-
 refpolicy/policy/modules/system/logging.te        |    6 ++
 refpolicy/policy/modules/system/miscfiles.if      |   21 -----
 refpolicy/policy/modules/system/modutils.te       |   10 ++-
 refpolicy/policy/modules/system/mount.te          |    9 +-
 refpolicy/policy/modules/system/sysnetwork.if     |   88 +++++++++++++++++++++
 refpolicy/policy/modules/system/sysnetwork.te     |    3 +
 refpolicy/policy/modules/system/udev.if           |   20 +++++-
 refpolicy/policy/modules/system/udev.te           |    8 ++-
 refpolicy/policy/modules/system/unconfined.if     |   17 +++-
 refpolicy/policy/modules/system/userdomain.if     |    9 +-
 refpolicy/policy/modules/system/userdomain.te     |    5 +
 45 files changed, 474 insertions(+), 217 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index b63c5fe..85c05a4 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,5 @@
+- Add equivalents for old can_resolve(), can_ldap(), and
+  can_portmap() to sysnetwork.
 - Fix base module compile issues.
 - Added policies:
 	ktalk
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index c03493e..28004e2 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -4,12 +4,18 @@
 # file should be used.
 #
 
-## Allow execution of anonymous mappings, e.g. executable stack.
+## Allow making anonymous memory executable, e.g. 
+## for runtime-code generation or executable stack.
 gen_tunable(allow_execmem,false)
 
-## Support Share libraries with text relocations
+## Allow making a modified private file
+## mapping executable (text relocation).
 gen_tunable(allow_execmod,false)
 
+## Allow making the stack executable via mprotect.
+## Also requires allow_execmem.
+gen_tunable(allow_execstack,false)
+
 ## Allow gpg executable stack
 gen_tunable(allow_gpg_execstack,false)
 
@@ -56,9 +62,6 @@ gen_tunable(ssh_sysadm_login,false)
 ## dir and read files (such as ~/.bashrc)
 gen_tunable(staff_read_sysadm_file,false)
 
-## Allow the use of DNS for name resolution.
-gen_tunable(use_dns,false)
-
 ## Support NFS home directories
 gen_tunable(use_nfs_home_dirs,false)
 
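Review bot: Deleting the `use_dns` tunable declaration here makes any `tunable_policy(`use_dns',...)` block that survives in a module outside this commit fail to build, because the tunable it references no longer exists. The diff removes the blocks in bind, kerberos, mta, ssh, remotelogin and authlogin, but nothing in the diffstat proves those were the only users, so a grep for `use_dns` across policy/modules before merging would confirm nothing is left behind. Since this is a user-visible configuration change (DNS access becomes unconditional in those domains), it would also be worth recording the removal in the Changelog entry alongside the new sysnetwork interfaces.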
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 060908b..d139e14 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -14,6 +14,9 @@ role system_r types logrotate_t;
 type logrotate_exec_t;
 files_type(logrotate_exec_t)
 
+type logrotate_lock_t;
+files_lock_file(logrotate_lock_t)
+
 type logrotate_tmp_t;
 files_tmp_file(logrotate_tmp_t)
 
@@ -46,6 +49,9 @@ allow logrotate_t self:sem create_sem_perms;
 allow logrotate_t self:msgq create_msgq_perms;
 allow logrotate_t self:msg { send receive };
 
+allow logrotate_t logrotate_lock_t:file create_file_perms;
+files_create_lock(logrotate_t,logrotate_lock_t)
+
 can_exec(logrotate_t, logrotate_tmp_t)
 
 allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
@@ -82,7 +88,6 @@ domain_getattr_all_entry_files(logrotate_t)
 files_read_usr_files(logrotate_t)
 files_read_etc_files(logrotate_t)
 files_read_etc_runtime_files(logrotate_t)
-files_manage_generic_locks(logrotate_t)
 files_read_all_pids(logrotate_t)
 # Write to /var/spool/slrnpull - should be moved into its own type.
 files_manage_generic_spools(logrotate_t)
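Review bot: With `files_manage_generic_locks(logrotate_t)` dropped in this hunk and only `files_create_lock(logrotate_t,logrotate_lock_t)` added earlier in the file, logrotate can now reach only lock files that receive `logrotate_lock_t` through the new transition; a lock file that already exists with the generic lock label from before this change keeps that label, and the diffstat shows no `logrotate.fc` change that would relabel it. If that is intended, a comment next to the new rules such as `# lock files are created as logrotate_lock_t via transition; pre-existing generic lock files must be relabeled` would save the next reader a denial hunt. If it is not intended, the old generic-locks call should stay until a file context entry exists.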
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index d2a0172..3579887 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -117,6 +117,7 @@ libs_use_ld_so(ping_t)
 libs_use_shared_libs(ping_t)
 
 sysnet_read_config(ping_t)
+sysnet_dns_name_resolve(ping_t)
 
 logging_send_syslog_msg(ping_t)
 
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index bdce124..c4fbafc 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -620,6 +620,23 @@ interface(`corenet_udp_bind_generic_port',`
 
 ########################################
 ## <summary>
+##	Connect TCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`corenet_tcp_connect_generic_port',`
+	gen_require(`
+		type port_t;
+		class tcp_socket name_connect;
+	')
+
+	allow $1 port_t:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Send and receive TCP network traffic on all ports.
 ## </summary>
 ## <param name="domain">
@@ -837,6 +854,23 @@ interface(`corenet_udp_bind_reserved_port',`
 
 ########################################
 ## <summary>
+##	Connect TCP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`corenet_tcp_connect_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+		class tcp_socket name_connect;
+	')
+
+	allow $1 reserved_port_t:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Send and receive TCP network traffic on all reserved ports.
 ## </summary>
 ## <param name="domain">
@@ -973,6 +1007,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to connect TCP sockets
+##	all reserved ports.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+		class tcp_socket name_connect;
+	')
+
+	dontaudit $1 reserved_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Read and write the TUN/TAP virtual network device.
 ## </summary>
 ## <param name="domain">
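Review bot: The summary of `corenet_dontaudit_tcp_connect_all_reserved_ports` at the top of this hunk drops a word: "Do not audit attempts to connect TCP sockets all reserved ports". The interface documentation is generated from these comment blocks, so it should read `##	Do not audit attempts to connect TCP sockets` / `##	to all reserved ports.`, matching the phrasing of the bind counterpart it sits next to. The rule body is consistent with the other two connect interfaces added in this file.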
@@ -982,11 +1034,11 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 interface(`corenet_use_tun_tap_device',`
 	gen_require(`
 		type tun_tap_device_t;
-		class chr_file { read write };
+		class chr_file { read write ioctl };
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tun_tap_device_t:chr_file { read write };
+	allow $1 tun_tap_device_t:chr_file { read write ioctl };
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 0f0904e..978c2b0 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -185,6 +185,25 @@ interface(`dev_rw_generic_file',`
 
 ########################################
 ## <summary>
+##	Delete generic files in /dev.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_delete_generic_file',`
+	gen_require(`
+		type device_t;
+		class dir { search write remove_name };
+		class file unlink;
+	')
+
+	allow $1 device_t:dir { search write remove_name };
+	allow $1 device_t:file unlink;
+')
+
+########################################
+## <summary>
 ##	Dontaudit getattr on generic pipes.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 6a57c88..a3c784f 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1630,6 +1630,24 @@ interface(`fs_dontaudit_list_tmpfs',`
 ')
 
 ########################################
+## <summary>
+##	Create, read, write, and delete
+##	tmpfs directories
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_manage_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 tmpfs_t:dir create_dir_perms;
+')
+
+########################################
 #
 # fs_create_tmpfs_data(domain,derivedtype,[class])
 #
@@ -1728,6 +1746,26 @@ interface(`fs_relabel_tmpfs_blk_dev',`
 
 ########################################
 ## <summary>
+##	Read and write, create and delete generic
+##	files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fs_manage_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	allow $1 tmpfs_t:file create_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write, create and delete symbolic
 ##	links on tmpfs filesystems.
 ## </summary>
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 62a4f36..e1771a6 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -22,6 +22,7 @@ sid fs context_template(system_u:object_r:fs_t,s0)
 fs_use_xattr ext2 context_template(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 context_template(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs context_template(system_u:object_r:fs_t,s0);
+fs_use_xattr reiserfs context_template(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0);
 
 # Use the allocating task SID to label inodes in the following filesystem
@@ -55,9 +56,11 @@ genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0)
 type hugetlbfs_t, filesystem_type;
 files_mountpoint(hugetlbfs_t)
 allow hugetlbfs_t self:filesystem associate;
+genfscon hugetlbfs / context_template(system_u:object_r:hugetlbfs_t,s0)
 
 type inotifyfs_t, filesystem_type;
 allow inotifyfs_t self:filesystem associate;
+genfscon inotifyfs / context_template(system_u:object_r:inotifyfs_t,s0)
 
 type mqueue_t, filesystem_type;
 files_mountpoint(mqueue_t)
@@ -89,8 +92,8 @@ files_type(tmpfs_t)
 # and label the filesystem itself with the specified context.
 # This is appropriate for pseudo filesystems like devpts and tmpfs
 # where we want to label objects with a derived type.
-fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
 fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
+fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
 
 allow tmpfs_t self:filesystem associate;
 allow tmpfs_t noxattrfs:filesystem associate;
@@ -119,10 +122,10 @@ genfscon smbfs / context_template(system_u:object_r:cifs_t,s0)
 #
 type dosfs_t, filesystem_type, noxattrfs;
 allow dosfs_t self:filesystem associate;
-genfscon vfat / context_template(system_u:object_r:dosfs_t,s0)
-genfscon msdos / context_template(system_u:object_r:dosfs_t,s0)
 genfscon fat / context_template(system_u:object_r:dosfs_t,s0)
+genfscon msdos / context_template(system_u:object_r:dosfs_t,s0)
 genfscon ntfs / context_template(system_u:object_r:dosfs_t,s0)
+genfscon vfat / context_template(system_u:object_r:dosfs_t,s0)
 
 #
 # iso9660_t is the type for CD filesystems
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 02d3827..6d0b9ba 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -53,6 +53,23 @@ interface(`kernel_rootfs_mountpoint',`
 
 ########################################
 ## <summary>
+##	Set the process group of kernel threads.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_setpgid',`
+	gen_require(`
+		type kernel_t;
+		class process setpgid;
+	')
+
+	allow $1 kernel_t:process setpgid;
+')
+
+########################################
+## <summary>
 ##	Send a SIGCHLD signal to kernel threads.
 ## </summary>
 ## <param name="domain">
@@ -65,7 +82,7 @@ interface(`kernel_sigchld',`
 		class process sigchld;
 	')
 
-	allow kernel_t $1:process sigchld;
+	allow $1 kernel_t:process sigchld;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index 6840d4b..0a1a072 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -276,6 +276,28 @@ interface(`selinux_compute_create_context',`
 
 ########################################
 ## <summary>
+##	Allows caller to compute polyinstatntiated
+##	directory members.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`selinux_compute_member',`
+	gen_require(`
+		type security_t;
+		class dir { read search getattr };
+		class file { getattr read write };
+		class security compute_member;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security compute_member;
+')
+
+########################################
+## <summary>
 ##	Calculate the context for relabeling objects.
 ## </summary>
 ## <desc>
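Review bot: The summary of the new `selinux_compute_member` interface misspells the key term ("polyinstatntiated"), which will carry through into the generated interface documentation. It should read `##	Allows caller to compute polyinstantiated` / `##	directory members.`. It would also help to say in the summary that this grants read/write on `security_t` files (the selinuxfs compute nodes) in addition to the `compute_member` permission, since that is broader than the name suggests.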
diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
index b9b181f..72c5c0e 100644
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@@ -109,6 +109,24 @@ interface(`bind_write_config',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete
+##	BIND configuration directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`bind_manage_config_dir',`
+	gen_require(`
+		type named_conf_t;
+		class dir perms;
+	')
+
+	allow $1 named_conf_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to set the attributes
 ##	of the BIND pid directory.
 ## </summary>
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index cf278f8..4a6af13 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -15,6 +15,9 @@ type named_exec_t;
 init_daemon_domain(named_t,named_exec_t)
 role system_r types named_t;
 
+type named_checkconf_exec_t;
+init_system_domain(named_t,named_checkconf_exec_t)
+
 # A type for configuration files of named.
 type named_conf_t;
 files_type(named_conf_t)
@@ -23,6 +26,9 @@ files_type(named_conf_t)
 type named_cache_t;
 files_type(named_cache_t)
 
+type named_log_t;
+logging_log_file(named_log_t)
+
 type named_tmp_t;
 files_tmp_file(named_tmp_t)
 
@@ -67,6 +73,10 @@ allow named_t named_cache_t:lnk_file create_lnk_perms;
 
 can_exec(named_t, named_exec_t)
 
+allow named_t named_log_t:file create_file_perms;
+allow named_t named_log_t:dir rw_dir_perms;
+logging_create_log(named_t,named_log_t,{ file dir })
+
 allow named_t named_tmp_t:dir create_dir_perms;
 allow named_t named_tmp_t:file create_file_perms;
 files_create_tmp_files(named_t, named_tmp_t, { file dir })
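Review bot: The new `named_log_t` rules allow only `rw_dir_perms` on directories while `logging_create_log(named_t,named_log_t,{ file dir })` sets up a transition for directory creation, and `rw_dir_perms` does not include `create` or `rmdir`, so the `dir` half of that transition can never fire. The tmp rules directly below use `create_dir_perms` with the same `{ file dir }` list; either change the dir rule to `allow named_t named_log_t:dir create_dir_perms;` or drop `dir` from the transition list if named only ever writes log files into an existing directory. As with the other new types in this commit, no `.fc` change is listed, so existing log files will need relabeling to pick up the new type.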
@@ -99,7 +109,8 @@ corenet_tcp_bind_all_nodes(named_t)
 corenet_udp_bind_all_nodes(named_t)
 corenet_tcp_bind_dns_port(named_t)
 corenet_udp_bind_dns_port(named_t)
-#corenet_tcp_bind_rndc_port(named_t)
+corenet_tcp_bind_rndc_port(named_t)
+corenet_tcp_connect_all_ports(named_t)
 
 dev_read_sysfs(named_t)
 dev_read_rand(named_t)
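Review bot: `corenet_tcp_connect_all_ports(named_t)` grants name_connect to every port type in the policy, which is considerably wider than what a DNS server needs (TCP queries to other resolvers on the dns port, plus rndc). The same commit shows the narrower pattern already exists, using `corenet_tcp_connect_rndc_port(ndc_t)` a few hunks down, so the equivalent dns/rndc port connect interfaces would keep named_t to the ports it actually talks to. If the broad rule is a deliberate stopgap, a short comment above it stating why (for example forwarders on non-standard ports) would make that explicit for future tightening.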
@@ -196,6 +207,7 @@ corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_raw_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
 corenet_tcp_bind_all_nodes(ndc_t)
+corenet_tcp_connect_rndc_port(ndc_t)
 
 fs_getattr_xattr_fs(ndc_t)
 
@@ -215,20 +227,13 @@ logging_send_syslog_msg(ndc_t)
 miscfiles_read_localization(ndc_t)
 
 sysnet_read_config(ndc_t)
+sysnet_dns_name_resolve(ndc_t)
 
 # for /etc/rndc.key
 ifdef(`distro_redhat',`
 	allow ndc_t named_conf_t:dir search;
 ')
 
-tunable_policy(`use_dns',`
-	allow ndc_t self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if(ndc_t)
-	corenet_udp_sendrecv_all_nodes(ndc_t)
-	corenet_udp_sendrecv_dns_port(ndc_t)
-	corenet_udp_bind_all_nodes(ndc_t)
-')
-
 tunable_policy(`named_write_master_zones',`
 	allow named_t named_zone_t:dir create_dir_perms;
 	allow named_t named_zone_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index a20b616..f8dd882 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -288,7 +288,6 @@ logging_send_syslog_msg(system_crond_t)
 
 miscfiles_read_localization(system_crond_t)
 miscfiles_read_man_pages(system_crond_t)
-miscfiles_rw_man_cache(system_crond_t)
 
 seutil_read_config(system_crond_t)
 
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index f0baf8b..adfd14e 100644
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -55,10 +55,7 @@ interface(`kerberos_use',`
 		corenet_tcp_bind_all_nodes($1)
 		corenet_udp_bind_all_nodes($1)
 		sysnet_read_config($1)
-	')
-
-	tunable_policy(`allow_kerberos && use_dns',`
-		corenet_udp_sendrecv_dns_port($1)
+		sysnet_dns_name_resolve($1)
 	')
 ')
 
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index e6efcbd..06537b8 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -42,8 +42,6 @@ template(`mta_per_userdomain_template',`
 
 	allow $1_mail_t self:capability { setuid setgid chown };
 	allow $1_mail_t self:process { signal_perms setrlimit };
-
-	# tcp networking
 	allow $1_mail_t self:tcp_socket create_socket_perms;
 
 	# re-exec itself
@@ -91,19 +89,12 @@ template(`mta_per_userdomain_template',`
 	miscfiles_read_localization($1_mail_t)
 
 	sysnet_read_config($1_mail_t)
+	sysnet_dns_name_resolve($1_mail_t)
 
 	userdom_use_user_terminals($1,$1_mail_t)
 	# Write to the user domain tty. cjp: why?
 	userdom_use_user_terminals($1,mta_user_agent)
 
-	tunable_policy(`use_dns',`
-		allow $1_mail_t self:udp_socket create_socket_perms;
-		corenet_udp_sendrecv_all_if($1_mail_t)
-		corenet_udp_sendrecv_all_nodes($1_mail_t)
-		corenet_udp_bind_all_nodes($1_mail_t)
-		corenet_udp_sendrecv_dns_port($1_mail_t)
-	')
-
 	tunable_policy(`use_samba_home_dirs',`
 		fs_manage_cifs_files($1_mail_t)
 		fs_manage_cifs_symlinks($1_mail_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 3a112e9..634db10 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -45,7 +45,6 @@ ifdef(`targeted_policy',`',`
 
 allow system_mail_t self:capability { setuid setgid chown };
 allow system_mail_t self:process { signal_perms setrlimit };
-
 allow system_mail_t self:tcp_socket create_socket_perms;
 
 # re-exec itself
@@ -60,9 +59,10 @@ corenet_tcp_sendrecv_all_if(system_mail_t)
 corenet_raw_sendrecv_all_if(system_mail_t)
 corenet_tcp_sendrecv_all_nodes(system_mail_t)
 corenet_raw_sendrecv_all_nodes(system_mail_t)
-corenet_tcp_bind_all_nodes(system_mail_t)
 corenet_tcp_sendrecv_all_ports(system_mail_t)
+corenet_tcp_bind_all_nodes(system_mail_t)
 
+dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
 
 fs_getattr_xattr_fs(system_mail_t)
@@ -86,6 +86,7 @@ logging_send_syslog_msg(system_mail_t)
 miscfiles_read_localization(system_mail_t)
 
 sysnet_read_config(system_mail_t)
+sysnet_dns_name_resolve(system_mail_t)
 
 userdom_use_sysadm_terms(system_mail_t)
 
@@ -116,14 +117,6 @@ ifdef(`targeted_policy',`
 	')
 ')
 
-tunable_policy(`use_dns',`
-	allow system_mail_t self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if(system_mail_t)
-	corenet_udp_sendrecv_all_nodes(system_mail_t)
-	corenet_udp_bind_all_nodes(system_mail_t)
-	corenet_udp_sendrecv_dns_port(system_mail_t)
-')
-
 optional_policy(`cron.te',`
 	cron_read_system_job_tmp_files(system_mail_t)
 ')
@@ -174,14 +167,6 @@ allow system_mail_t privmail:fd use;
 allow system_mail_t privmail:process sigchld;
 allow system_mail_t privmail:fifo_file { read write };
 
-optional_policy(`arpwatch.te',`
-	allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
-
-	ifdef(`hide_broken_symptoms', `
-		dontaudit system_mail_t arpwatch_t:packet_socket { read write };
-	')
-')
-
 optional_policy(`qmail.te',`
 	allow system_mail_t qmail_etc_t:dir search;
 	allow system_mail_t qmail_etc_t:{ file lnk_file } read;
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 4830cf0..0d8f7d3 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -32,8 +32,9 @@ files_tmp_file(mysqld_tmp_t)
 
 allow mysqld_t self:capability { dac_override setgid setuid };
 dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process getsched;
+allow mysqld_t self:process { setsched getsched };
 allow mysqld_t self:fifo_file { read write };
+allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
 allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket connected_socket_perms;
@@ -112,6 +113,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(mysqld_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(mysqld_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(mysqld_t)
 ')
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 9ad95f8..1f5a0c5 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -35,17 +35,20 @@ interface(`nis_use_ypbind',`
 		corenet_tcp_sendrecv_all_nodes($1)
 		corenet_udp_sendrecv_all_nodes($1)
 		corenet_raw_sendrecv_all_nodes($1)
-		corenet_tcp_bind_all_nodes($1)
-		corenet_udp_bind_all_nodes($1)
 		corenet_tcp_sendrecv_all_ports($1)
 		corenet_udp_sendrecv_all_ports($1)
+		corenet_tcp_bind_all_nodes($1)
+		corenet_udp_bind_all_nodes($1)
 		corenet_tcp_bind_generic_port($1)
 		corenet_udp_bind_generic_port($1)
 		corenet_tcp_bind_reserved_port($1)
 		corenet_udp_bind_reserved_port($1)
 		corenet_dontaudit_tcp_bind_all_reserved_ports($1)
 		corenet_dontaudit_udp_bind_all_reserved_ports($1)
-
+		corenet_tcp_connect_portmap_port($1)
+		corenet_tcp_connect_reserved_port($1)
+		corenet_tcp_connect_generic_port($1)
+		corenet_dontaudit_tcp_connect_all_reserved_ports($1)
 	',`
 		dontaudit $1 var_yp_t:dir search;
 	')
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 6ed8241..0cb99bd 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -11,6 +11,9 @@ type nscd_t;
 type nscd_exec_t;
 init_daemon_domain(nscd_t,nscd_exec_t)
 
+type nscd_log_t;
+logging_log_file(nscd_log_t)
+
 type nscd_var_run_t;
 files_pid_file(nscd_var_run_t)
 
@@ -35,6 +38,9 @@ allow nscd_t self:udp_socket create_socket_perms;
 # cjp: this should probably be in a direct_sysadm_daemon tunable
 allow nscd_t self:nscd { admin getstat };
 
+allow nscd_t nscd_log_t:file create_file_perms;
+logging_create_log(nscd_t,nscd_log_t)
+
 allow nscd_t nscd_var_run_t:file create_file_perms;
 allow nscd_t nscd_var_run_t:sock_file create_file_perms;
 files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file })
@@ -66,6 +72,7 @@ corenet_udp_sendrecv_all_ports(nscd_t)
 corenet_tcp_bind_all_nodes(nscd_t)
 corenet_udp_bind_all_nodes(nscd_t)
 corenet_tcp_connect_all_ports(nscd_t)
+corenet_use_tun_tap_device(nscd_t)
 
 selinux_get_fs_mount(nscd_t)
 selinux_validate_context(nscd_t)
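Review bot: `corenet_use_tun_tap_device(nscd_t)` gives a name-service cache daemon read, write and ioctl on TUN/TAP devices, and nothing in the hunk explains why nscd needs that. If the real need is only interface enumeration or a single ioctl, the access should be narrowed to that; if it is a denial seen in practice, a why-comment on the line, such as `# nscd needs tun/tap access for: <reason>`, would stop the rule being removed later as an apparent mistake. The same interface also pulls in `dev_list_all_dev_nodes` as a side effect, which is worth being aware of for this domain.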
@@ -111,8 +118,6 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-nscd_socket_domain(daemon)
-
 optional_policy(`winbind.te', `
 	# Handle winbind for samba, Might only be needed for targeted policy
 
@@ -124,6 +129,7 @@ optional_policy(`winbind.te', `
 optional_policy(`rhgb.te',`
 	rhgb_domain(nscd_t)
 ')
+r_dir_file(nscd_t, cert_t)
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ntp.if b/refpolicy/policy/modules/services/ntp.if
index 9c43145..8527e7e 100644
--- a/refpolicy/policy/modules/services/ntp.if
+++ b/refpolicy/policy/modules/services/ntp.if
@@ -2,6 +2,20 @@
 
 ########################################
 ## <summary>
+##	NTP stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	N/A
+## </param>
+#
+interface(`ntp_stub',`
+	gen_require(`ntp.te',`
+		type ntpd_t;
+	')
+')
+
+########################################
+## <summary>
 ##	Execute ntp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">
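Review bot: The new `ntp_stub` passes a module name as a first argument, `gen_require(`ntp.te',`...')`, while every other `gen_require` in this commit takes a single quoted block; unless gen_require accepts a leading file-name argument in this tree, the require block will be misparsed or silently ignored, so this should be checked against the macro definition and most likely written as `gen_require(`` / `type ntpd_t;` / `')`. Documenting a parameter as `N/A` for a stub interface is fine, but the summary could also say what the stub is for (satisfying optional_policy references when the module is absent) so callers know when to use it.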
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 8f6084c..1256da6 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -1,12 +1,12 @@
 
-policy_module(authlogin,1.0)
+policy_module(remotelogin,1.0)
 
 ########################################
 #
 # Declarations
 #
 
-type remote_login_t;
+type remote_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
 domain_obj_id_change_exempt(remote_login_t)
 domain_subj_id_change_exempt(remote_login_t)
 domain_role_change_exempt(remote_login_t)
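Review bot: The type declaration now carries a commented-out attribute list, `type remote_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;`, with nothing saying why it is disabled. Commented-out policy tends to either rot or get re-enabled by accident; if the MLS attributes are waiting on MLS support landing, a one-line note such as `# TODO(mls): add the mls* attributes once MLS attributes exist in this tree` above the declaration says that, and the dead fragment can go. The `policy_module` name fix in the same hunk is correct as far as the visible file shows.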
@@ -107,6 +107,8 @@ logging_send_syslog_msg(remote_login_t)
 seutil_read_config(remote_login_t)
 seutil_read_default_contexts(remote_login_t)
 
+sysnet_dns_name_resolve(remote_login_t)
+
 miscfiles_read_localization(remote_login_t)
 
 userdom_use_unpriv_users_fd(remote_login_t)
@@ -132,18 +134,6 @@ tunable_policy(`read_default_t',`
 	files_read_default_pipes(remote_login_t)
 ')
 
-# Allow remote login to resolve host names (passed in via the -h switch)
-tunable_policy(`use_dns',`
-	allow remote_login_t self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if(remote_login_t)
-	corenet_raw_sendrecv_all_if(remote_login_t)
-	corenet_udp_sendrecv_all_nodes(remote_login_t)
-	corenet_raw_sendrecv_all_nodes(remote_login_t)
-	corenet_udp_sendrecv_dns_port(remote_login_t)
-	corenet_udp_bind_all_nodes(remote_login_t)
-	sysnet_read_config(remote_login_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(remote_login_t)
 	fs_read_nfs_symlinks(remote_login_t)
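Review bot: The removed `use_dns` block also carried `sysnet_read_config(remote_login_t)`, and the replacement `sysnet_dns_name_resolve(remote_login_t)` added earlier in this file is the only call that remains; unless that new sysnetwork interface itself reads the resolver configuration, remote_login_t loses access to resolv.conf and name resolution will fail with a denial rather than the old tunable-off behaviour. Other callers converted in this commit (mta.if, ssh.if, mta.te) keep `sysnet_read_config` alongside the new call, so for consistency either keep `sysnet_read_config(remote_login_t)` here or confirm the new interface covers it. The same pattern recurs in the two authlogin.if hunks that remove `sysnet_read_config($1_chkpwd_t)` and `sysnet_read_config($1)`, and in the authlogin.te hunk for system_chkpwd_t that is cut off at the end of this page.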
@@ -172,6 +162,8 @@ optional_policy(`remotelogin.te',`
 	# FIXME: what is this for?
 	remotelogin_signull(xdm_t)
 ')
+# Login can polyinstantiate
+polyinstantiater(remote_login_t)
 
 allow remote_login_t userpty_type:chr_file { setattr write };
 allow remote_login_t ptyfile:chr_file { getattr ioctl };
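Review bot: `polyinstantiater(remote_login_t)` is added as a bare macro call outside any optional_policy or ifdef block, and no interface of that name is defined or touched anywhere in this commit's diffstat; if it is the old strict-policy macro rather than a refpolicy interface, m4 will leave it unexpanded and the module will fail to build. It should either be replaced with the refpolicy interface that grants the polyinstantiation accesses (the new `selinux_compute_member` added in this commit looks like part of that set) or moved under an `ifdef(`TODO',...)` block like the other unconverted rules. The comment `# Login can polyinstantiate` would also read better with a blank line separating it from the preceding optional_policy block.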
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 0b1d97e..61e6238 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -129,11 +129,6 @@ optional_policy(`rhgb.te', `
 rhgb_domain(sendmail_t)
 ')
 
-optional_policy(`arpwatch.te',`
-	# why is mail delivered to a directory of type arpwatch_data_t?
-	allow mta_delivery_agent arpwatch_data_t:dir search;
-')
-
 #
 #  Need this transition to create /etc/aliases.db 
 #
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index e1c29eb..1b4b1d4 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -144,6 +144,7 @@ template(`ssh_per_userdomain_template',`
 	seutil_read_config($1_ssh_t)
 
 	sysnet_read_config($1_ssh_t)
+	sysnet_dns_name_resolve($1_ssh_t)
 
 	userdom_use_unpriv_users_fd($1_ssh_t)
 
@@ -155,14 +156,6 @@ template(`ssh_per_userdomain_template',`
 		files_read_default_pipes($1_ssh_t)
 	')
 
-	tunable_policy(`use_dns',`
-		allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-		corenet_udp_sendrecv_all_if($1_ssh_t)
-		corenet_udp_sendrecv_all_nodes($1_ssh_t)
-		corenet_udp_sendrecv_dns_port($1_ssh_t)
-		corenet_udp_bind_all_nodes($1_ssh_t)
-	')
-
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_ssh_t)
 		fs_manage_nfs_files($1_ssh_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index e05857b..7a126cc 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -53,6 +53,14 @@ template(`authlogin_per_userdomain_template',`
 	files_list_etc($1_chkpwd_t)
 	allow $1_chkpwd_t shadow_t:file { getattr read };
 
+	# Transition from the user domain to this domain.
+	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
+
+	allow $1_chkpwd_t $2:fd use;
+	allow $2 $1_chkpwd_t:fd use;
+	allow $1_chkpwd_t $2:fifo_file rw_file_perms;
+	allow $1_chkpwd_t $2:process sigchld;
+
 	# is_selinux_enabled
 	kernel_read_system_state($1_chkpwd_t)
 
@@ -73,13 +81,7 @@ template(`authlogin_per_userdomain_template',`
 
 	seutil_read_config($1_chkpwd_t)
 
-	# Transition from the user domain to this domain.
-	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
-
-	allow $1_chkpwd_t $2:fd use;
-	allow $2 $1_chkpwd_t:fd use;
-	allow $1_chkpwd_t $2:fifo_file rw_file_perms;
-	allow $1_chkpwd_t $2:process sigchld;
+	sysnet_dns_name_resolve($1_chkpwd_t)
 
 	# Write to the user domain tty.
 	userdom_use_user_terminals($1,$1_chkpwd_t)
@@ -87,17 +89,6 @@ template(`authlogin_per_userdomain_template',`
 	# Inherit and use descriptors from gnome-pty-helper.
 	#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
 
-	tunable_policy(`use_dns',`
-		allow $1_chkpwd_t self:udp_socket create_socket_perms;
-		corenet_udp_sendrecv_all_if($1_chkpwd_t)
-		corenet_raw_sendrecv_all_if($1_chkpwd_t)
-		corenet_udp_sendrecv_all_nodes($1_chkpwd_t)
-		corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
-		corenet_udp_bind_all_nodes($1_chkpwd_t)
-		corenet_udp_sendrecv_dns_port($1_chkpwd_t)
-		sysnet_read_config($1_chkpwd_t)
-	')
-
 	optional_policy(`kerberos.te',`
 		kerberos_use($1_chkpwd_t)
 	')
@@ -237,16 +228,7 @@ interface(`auth_domtrans_chk_passwd',`
 
 	dontaudit $1 shadow_t:file { getattr read };
 
-	tunable_policy(`use_dns',`
-		allow $1 self:udp_socket create_socket_perms;
-		corenet_udp_sendrecv_all_if($1)
-		corenet_raw_sendrecv_all_if($1)
-		corenet_udp_sendrecv_all_nodes($1)
-		corenet_raw_sendrecv_all_nodes($1)
-		corenet_udp_bind_all_nodes($1)
-		corenet_udp_sendrecv_dns_port($1)
-		sysnet_read_config($1)
-	')
+	sysnet_dns_name_resolve($1)
 
 	optional_policy(`kerberos.te',`
 		kerberos_use($1)
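Review bot: `sysnet_dns_name_resolve($1)` now grants the calling domain a UDP socket plus DNS send/receive on all interfaces unconditionally, whereas the removed block handed out the same set only when the use_dns tunable was on; because $1 here is whatever domain invokes auth_domtrans_chk_passwd, every such caller gets network access it did not previously have by default. If retiring the tunable is intended, a comment above the line saying so would stop the next reader from restoring it, e.g. `# resolver access is unconditional: pam modules may look up hosts during password checks`; otherwise keep the call inside the use_dns tunable_policy block. The interface definition opens outside the hunk.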
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 21620db..0769638 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -124,6 +124,10 @@ optional_policy(`nscd.te',`
 
 ifdef(`TODO',`
 ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
+# Supress xdm denial
+ifdef(`xdm.te', `
+dontaudit pam_t xdm_t:fd use;
+') dnl ifdef
 ') dnl endif TODO
 
 ########################################
@@ -272,34 +276,15 @@ miscfiles_read_localization(system_chkpwd_t)
 
 seutil_read_config(system_chkpwd_t)
 
-userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
+sysnet_dns_name_resolve(system_chkpwd_t)
+sysnet_use_ldap(system_chkpwd_t)
 
-tunable_policy(`use_dns',`
-	allow system_chkpwd_t self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if(system_chkpwd_t)
-	corenet_raw_sendrecv_all_if(system_chkpwd_t)
-	corenet_udp_sendrecv_all_nodes(system_chkpwd_t)
-	corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
-	corenet_udp_bind_all_nodes(system_chkpwd_t)
-	corenet_udp_sendrecv_dns_port(system_chkpwd_t)
-	sysnet_read_config(system_chkpwd_t)
-')
+userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
 
 optional_policy(`kerberos.te',`
 	kerberos_use(system_chkpwd_t)
 ')
 
-optional_policy(`ldap.te',`
-	allow system_chkpwd_t self:tcp_socket create_socket_perms;
-	corenet_tcp_sendrecv_all_if(system_chkpwd_t)
-	corenet_raw_sendrecv_all_if(system_chkpwd_t)
-	corenet_tcp_sendrecv_all_nodes(system_chkpwd_t)
-	corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
-	corenet_tcp_sendrecv_ldap_port(system_chkpwd_t)
-	corenet_tcp_bind_all_nodes(system_chkpwd_t)
-	sysnet_read_config(system_chkpwd_t)
-')
-
 optional_policy(`nis.te',`
 	nis_use_ypbind(system_chkpwd_t)
 ')
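Review bot: `sysnet_use_ldap(system_chkpwd_t)` is now unconditional, whereas the removed rules granted LDAP access only under an ldap.te optional_policy block, and the new interface additionally grants `corenet_tcp_connect_ldap_port`, which the removed rules never included. If the intent is that name-service or PAM lookups over LDAP are always permitted during a password check, record it on the line, e.g. `# nss/pam LDAP lookups during password verification`; otherwise keep the call under the ldap.te optional_policy so systems without the module do not carry the TCP rules. The DNS grant on the line above likewise loses the use_dns tunable gate that the removed block had.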
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 73db9df..61dbd27 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -18,12 +18,9 @@ role system_r types hostname_t;
 
 # for setting the hostname
 allow hostname_t self:process { sigchld sigkill sigstop signull signal };
-
 allow hostname_t self:capability sys_admin;
 dontaudit hostname_t self:capability sys_tty_config;
 
-sysnet_read_config(hostname_t)
-
 kernel_read_kernel_sysctl(hostname_t)
 kernel_dontaudit_use_fd(hostname_t)
 kernel_list_proc(hostname_t)
@@ -55,6 +52,9 @@ logging_send_syslog_msg(hostname_t)
 
 miscfiles_read_localization(hostname_t)
 
+sysnet_read_config(hostname_t)
+sysnet_dns_name_resolve(hostname_t)
+
 userdom_use_all_user_fd(hostname_t)
 
 ifdef(`distro_redhat', `
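Review bot: `sysnet_read_config(hostname_t)` directly above `sysnet_dns_name_resolve(hostname_t)` looks redundant, since the new interface itself allows `net_conf_t:file r_file_perms` and `files_search_etc`; unless sysnet_read_config covers more than that (its body is not in this chunk), one of the two calls can go. The resolver access is also no longer behind the use_dns tunable that the removed block used; a short comment, presumably `# hostname -f/-d resolves the FQDN`, would record why it is now unconditional.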
@@ -67,17 +67,6 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(hostname_t)
 ')
 
-tunable_policy(`use_dns',`
-	allow hostname_t self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if(hostname_t)
-	corenet_raw_sendrecv_all_if(hostname_t)
-	corenet_udp_sendrecv_all_nodes(hostname_t)
-	corenet_raw_sendrecv_all_nodes(hostname_t)
-	corenet_udp_bind_all_nodes(hostname_t)
-	corenet_udp_sendrecv_dns_port(hostname_t)
-	sysnet_read_config(hostname_t)
-')
-
 optional_policy(`firstboot.te',`
 	firstboot_use_fd(hostname_t)
 ')
@@ -90,7 +79,8 @@ optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(hostname_t)
 ')
 
-optional_policy(`udev.te', `
+optional_policy(`udev.te',`
+	udev_dontaudit_use_fd(hostname_t)
 	udev_read_db(hostname_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 19c0e63..7e10b6a 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -104,10 +104,10 @@ interface(`hotplug_getattr_config_dir',`
 interface(`hotplug_search_config',`
 	gen_require(`
 		type hotplug_etc_t;
-		class dir search;
+		class dir { getattr search };
 	')
 
-	allow $1 hotplug_etc_t:dir search;
+	allow $1 hotplug_etc_t:dir { getattr search };
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index b6c33db..514724b 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -23,14 +23,13 @@ files_pid_file(hotplug_var_run_t)
 # Local policy
 #
 
-allow hotplug_t self:capability { net_admin sys_tty_config mknod };
+allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
 dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit hotplug_t self:capability { dac_override dac_read_search };
-
 allow hotplug_t self:process { getsession getattr };
-
 allow hotplug_t self:fifo_file rw_file_perms;
+allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
 allow hotplug_t self:udp_socket create_socket_perms;
 allow hotplug_t self:tcp_socket connected_stream_socket_perms;
 
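Review bot: `sys_rawio` is added to hotplug_t's capability set on the first changed line with no note of which hotplug helper needs raw I/O; CAP_SYS_RAWIO covers raw block-device and port-level access, so it deserves the same style of justification the file already gives for dac_override (`# for access("/etc/bashrc", X_OK) on Red Hat`). Note also that `sys_tty_config` is both allowed on that line and dontaudited on the next; the dontaudit entry is redundant once the permission is allowed and can be dropped from the second list. The new netlink_route_socket rule is unremarkable for a domain reacting to interface events.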
@@ -45,6 +44,7 @@ allow hotplug_t hotplug_var_run_t:file { getattr create read write append setatt
 files_create_pid(hotplug_t,hotplug_var_run_t)
 
 kernel_sigchld(hotplug_t)
+kernel_setpgid(hotplug_t)
 kernel_read_system_state(hotplug_t)
 kernel_read_kernel_sysctl(hotplug_t)
 kernel_read_net_sysctl(hotplug_t)
@@ -58,7 +58,7 @@ corenet_raw_sendrecv_all_nodes(hotplug_t)
 corenet_tcp_sendrecv_all_ports(hotplug_t)
 corenet_tcp_bind_all_nodes(hotplug_t)
 
-dev_read_sysfs(hotplug_t)
+dev_rw_sysfs(hotplug_t)
 dev_read_usbfs(hotplug_t)
 dev_setattr_printer(hotplug_t)
 dev_setattr_snd_dev(hotplug_t)
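Review bot: `dev_rw_sysfs(hotplug_t)` turns read-only sysfs access into read/write over the whole of sysfs, which is a broad widening for a domain that dispatches hotplug agent scripts, and nothing in the hunk says which attribute write triggered it. A comment naming the consumer, e.g. `# hotplug agents write device attributes under /sys`, would let a later reviewer judge whether a narrower rule is possible; as written the reason is lost.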
@@ -107,6 +107,8 @@ modutils_read_mods_deps(hotplug_t)
 
 miscfiles_read_localization(hotplug_t)
 
+seutil_dontaudit_search_config(hotplug_t)
+
 sysnet_read_config(hotplug_t)
 
 userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
@@ -122,8 +124,6 @@ ifdef(`distro_redhat', `
 ')
 
 ifdef(`targeted_policy', `
-	unconfined_domain_template(hotplug_t)
-
 	optional_policy(`consoletype.te',`
 		consoletype_domtrans(hotplug_t)
 	')
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 5e702c9..f4d943d 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -90,10 +90,14 @@ interface(`init_daemon_domain',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
-	optional_policy(`distro_redhat',`
+	ifdef(`distro_redhat',`
 		kernel_dontaudit_use_fd($1)
 		files_dontaudit_read_root_file($1)
 	')
+
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1)
+	')
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index b105b6e..5d03d77 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -385,6 +385,10 @@ ifdef(`distro_redhat',`
 
 	# readahead asks for these
 	mta_read_aliases(initrc_t)
+
+	optional_policy(`bind.te',`
+		bind_manage_config_dir(initrc_t)
+	')
 ')
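Review bot: `bind_manage_config_dir(initrc_t)` gives init scripts create/delete/rename rights over BIND's configuration directory but carries no justification; the `# readahead asks for these` comment two lines above explains only `mta_read_aliases`, and a readahead-style read would not need manage. Add a comment naming the init script that needs it, or narrow it to a read interface if that is all it does; the actual consumer is not visible in this hunk. The enclosing distro_redhat ifdef opens outside the hunk.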
 
 ifdef(`targeted_policy',`
@@ -546,6 +550,12 @@ ifdef(`distro_redhat', `
 	allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
 	allow initrc_t self:capability sys_admin;
 	allow initrc_t device_t:dir create;
+
+	optional_policy(`rpm.te',`
+		rpm_stub()
+		#read ahead wants to read this
+		allow initrc_t system_cron_spool_t:file { getattr read };
+	')
 ')
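Review bot: The new `allow initrc_t system_cron_spool_t:file { getattr read };` references a cron-module type from inside an rpm.te optional_policy block, with no gen_require for it, so unless rpm_stub() (not visible here) happens to declare that type the rule is guarded by the wrong module and will fail to build when rpm is present but cron is not. The comment `#read ahead wants to read this` also points at readahead, not rpm, as the consumer. Move the rule under a cron.te optional_policy and use a cron interface for reading the system spool rather than a raw allow, and add the space after `#` to match the file's comment style. The enclosing distro_redhat ifdef opens outside the hunk.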
 
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index a30a314..25e0b0a 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -28,6 +28,9 @@ type ipsec_mgmt_exec_t;
 init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
 role system_r types ipsec_mgmt_t;
 
+type ipsec_mgmt_lock_t;
+files_lock_file(ipsec_mgmt_lock_t)
+
 type ipsec_mgmt_var_run_t;
 files_pid_file(ipsec_mgmt_var_run_t)
 
@@ -155,6 +158,9 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket { create setopt };
 allow ipsec_mgmt_t self:fifo_file rw_file_perms;
 
+allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
+files_create_lock(ipsec_mgmt_t,ipsec_mgmt_lock_t)
+
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
 files_create_pid(ipsec_mgmt_t,ipsec_mgmt_var_run_t)
 
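Review bot: The new `ipsec_mgmt_lock_t` rules handle creation of the lock file through `files_create_lock`, but no file-context entry for the subsys lock path appears in this chunk; without one a relabel, or a lock file left over from before the type existed, will leave it labelled as a generic lock that ipsec_mgmt_t can no longer touch, because the hunk below drops `files_manage_generic_locks(ipsec_mgmt_t)`. Please confirm the matching .fc line is part of this commit, and consider a comment on the rule, e.g. `# /var/lock/subsys lock file written by the init script`, hedged since the exact path is only known from the removed comment.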
@@ -235,9 +241,6 @@ files_exec_etc_files(ipsec_mgmt_t)
 files_read_etc_runtime_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dir(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-# Allow scripts to use /var/locl/subsys/ipsec
-# cjp: need a lock type
-files_manage_generic_locks(ipsec_mgmt_t)
 
 init_use_script_pty(ipsec_mgmt_t)
 init_exec_script(ipsec_mgmt_t)
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 509ba51..98f777b 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -69,6 +69,7 @@ logging_send_syslog_msg(iptables_t)
 miscfiles_read_localization(iptables_t)
 
 sysnet_domtrans_ifconfig(iptables_t)
+sysnet_dns_name_resolve(iptables_t)
 
 userdom_use_all_user_fd(iptables_t)
 
@@ -79,19 +80,6 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(iptables_t)
 ')
 
-tunable_policy(`use_dns',`
-	allow iptables_t self:udp_socket create_socket_perms;
-
-	corenet_udp_sendrecv_all_if(iptables_t)
-	corenet_raw_sendrecv_all_if(iptables_t)
-	corenet_udp_sendrecv_all_nodes(iptables_t)
-	corenet_raw_sendrecv_all_nodes(iptables_t)
-	corenet_udp_bind_all_nodes(iptables_t)
-	corenet_udp_sendrecv_dns_port(iptables_t)
-
-	sysnet_read_config(iptables_t)
-')
-
 optional_policy(`firstboot.te',`
 	firstboot_use_fd(iptables_t)
 	firstboot_write_pipe(iptables_t)
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index b59c850..9a09e42 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -225,7 +225,7 @@ interface(`libs_use_shared_libs',`
 		type lib_t, shlib_t, texrel_shlib_t;
 		class dir r_dir_perms;
 		class lnk_file r_file_perms;
-		class file rx_file_perms;
+		class file { rx_file_perms execmod };
 	')
 
 	files_search_usr($1)
@@ -233,6 +233,7 @@ interface(`libs_use_shared_libs',`
 	allow $1 lib_t:lnk_file r_file_perms;
 	allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
 	allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
+	allow $1 texrel_shlib_t:file execmod;
 ')
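Review bot: `allow $1 texrel_shlib_t:file execmod;` is granted unconditionally to every domain that calls libs_use_shared_libs, while the unconfined.if hunk further down in this same change still gates the identical permission on `allow_execmod`. If texrel_shlib_t is meant to be the carve-out for libraries that legitimately need text relocation, say so on the line, `# texrel_shlib_t marks libraries that require text relocation (execmod)`; if not, wrap the rule in an allow_execmod tunable_policy block so the tunable keeps its meaning. The gen_require change in the hunk above already adds execmod, so the build side is consistent either way.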
 
 ########################################
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 447829e..0c5d65e 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -6,7 +6,7 @@ policy_module(locallogin,1.0)
 # Declarations
 #
 
-type local_login_t;
+type local_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
 auth_login_entry_type(local_login_t)
 domain_type(local_login_t)
 domain_obj_id_change_exempt(local_login_t)
@@ -15,6 +15,9 @@ domain_role_change_exempt(local_login_t)
 domain_wide_inherit_fd(local_login_t)
 role system_r types local_login_t;
 
+type local_login_lock_t;
+files_lock_file(local_login_lock_t)
+
 type local_login_tmp_t;
 files_type(local_login_tmp_t)
 
@@ -47,6 +50,9 @@ allow local_login_t self:sem create_sem_perms;
 allow local_login_t self:msgq create_msgq_perms;
 allow local_login_t self:msg { send receive };
 
+allow local_login_t local_login_lock_t:file create_file_perms;
+files_create_lock(local_login_t,local_login_lock_t)
+
 allow local_login_t local_login_tmp_t:dir create_dir_perms;
 allow local_login_t local_login_tmp_t:file create_file_perms;
 files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
@@ -125,7 +131,6 @@ domain_read_all_entry_files(local_login_t)
 files_read_etc_files(local_login_t)
 files_read_etc_runtime_files(local_login_t)
 files_read_usr_files(local_login_t)
-files_manage_generic_locks(var_lock_t)
 files_list_mnt(local_login_t)
 files_list_world_readable(local_login_t)
 files_read_world_readable_files(local_login_t)
@@ -209,6 +214,8 @@ optional_policy(`locallogin.te',`
 	# FIXME: what is this for?
 	locallogin_signull(xdm_t)
 ')
+# Login can polyinstantiate
+polyinstantiater(local_login_t)
 ') dnl endif TODO
 
 #################################
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 4dabd10..1af5ed5 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -200,6 +200,12 @@ logging_send_syslog_msg(klogd_t)
 
 miscfiles_read_localization(klogd_t)
 
+ifdef(`TODO',`
+ifdef(`targeted_policy', `
+allow klogd_t unconfined_t:system syslog_mod;
+')
+')
+
 ########################################
 #
 # syslogd local policy
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index 399d502..b86b245 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -2,27 +2,6 @@
 
 ########################################
 ## <summary>
-##	Allow process to create files and dirs in /var/cache/man
-##	and /var/catman/
-## </summary>
-## <param name="domain">
-##	Type type of the process performing this action.
-## </param>
-#
-interface(`miscfiles_rw_man_cache',`
-	gen_require(`
-		type catman_t;
-		class dir create_dir_perms;
-		class file create_file_perms;
-	')
-
-	files_search_var($1)
-	allow $1 catman_t:dir create_dir_perms;
-	allow $1 catman_t:file create_file_perms;
-')
-
-########################################
-## <summary>
 ##	Read fonts
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 731cb7d..ae357bf 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -14,7 +14,7 @@ files_type(modules_conf_t)
 type modules_dep_t;
 files_type(modules_dep_t)
 
-type insmod_t;
+type insmod_t; #, mlsfilewrite
 type insmod_exec_t;
 kernel_userland_entry(insmod_t,insmod_exec_t)
 init_system_domain(insmod_t,insmod_exec_t)
@@ -111,10 +111,18 @@ ifdef(`targeted_policy',`
 	unconfined_domain_template(insmod_t)
 ')
 
+optional_policy(`hotplug.te',`
+	hotplug_search_config(insmod_t)
+')
+
 optional_policy(`mount.te',`
 	mount_domtrans(insmod_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(insmod_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_rw_pipe(insmod_t)
 ')
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index d7ecfc7..4e5d709 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -6,7 +6,7 @@ policy_module(mount,1.0)
 # Declarations
 #
 
-type mount_t;
+type mount_t; #, mlsfileread, mlsfilewrite
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
 role system_r types mount_t;
@@ -45,6 +45,7 @@ fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_xattr_fs(mount_t)
 fs_search_auto_mountpoints(mount_t)
+fs_use_tmpfs_chr_dev(mount_t)
 
 term_use_console(mount_t)
 
@@ -77,12 +78,11 @@ logging_send_syslog_msg(mount_t)
 
 miscfiles_read_localization(mount_t)
 
+sysnet_use_portmap(mount_t)
+
 userdom_use_all_user_fd(mount_t)
 
 ifdef(`distro_redhat',`
-	fs_use_tmpfs_chr_dev(mount_t)
-	allow mount_t tmpfs_t:dir mounton;
-
 	optional_policy(`authlogin.te',`
 		auth_read_pam_console_data(mount_t)
 		# mount config by default sets fscontext=removable_t
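Review bot: `allow mount_t tmpfs_t:dir mounton;` is dropped from the distro_redhat block with no replacement visible in this chunk; `fs_use_tmpfs_chr_dev`, moved up to the unconditional section, by its name covers chr_file access rather than mounting onto a tmpfs directory, so mounts onto a tmpfs mountpoint may now be denied unless another interface outside this view grants it. If the drop is deliberate, a note would help; otherwise restore it through the filesystem module's tmpfs mount interface. Separately, `sysnet_use_portmap(mount_t)` is now unconditional while the portmap.te optional_policy block below still exists, so the two could be folded together. The distro_redhat ifdef continues outside the hunk.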
@@ -109,6 +109,7 @@ optional_policy(`portmap.te', `
 	corenet_udp_bind_generic_port(mount_t)
 	corenet_tcp_bind_reserved_port(mount_t)
 	corenet_udp_bind_reserved_port(mount_t)
+	corenet_tcp_connect_all_ports(mount_t)
 
 	optional_policy(`nis.te',`
 		nis_use_ypbind(mount_t)
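Review bot: `corenet_tcp_connect_all_ports(mount_t)` lets mount connect to any TCP port, far wider than the surrounding portmap block suggests; `sysnet_use_portmap` added above already grants `corenet_tcp_connect_portmap_port`, so what remains is presumably the NFS and mountd ports negotiated through portmap. If those are the target, the narrower per-port connect interfaces (plus a reserved or generic port rule for mountd's dynamic port) are preferable, and a comment should record why all ports was chosen if it stays. The optional_policy block continues outside the hunk.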
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index f0d486d..e4053ca 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -345,3 +345,91 @@ interface(`sysnet_create_dhcp_state',`
 		type_transition $1 dhcp_state_t:$3 $2;
 	')
 ')
+
+########################################
+## <summary>
+##	Perform a DNS name resolution.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sysnet_dns_name_resolve',`
+	gen_require(`
+		type net_conf_t;
+		class udp_socket create_socket_perms;
+	')
+
+	allow $1 self:udp_socket create_socket_perms;
+	corenet_udp_sendrecv_all_if($1)
+	corenet_raw_sendrecv_all_if($1)
+	corenet_udp_sendrecv_all_nodes($1)
+	corenet_raw_sendrecv_all_nodes($1)
+	corenet_udp_sendrecv_dns_port($1)
+	corenet_udp_bind_all_nodes($1)
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect and use a LDAP server.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sysnet_use_ldap',`
+	gen_require(`
+		type net_conf_t;
+		class tcp_socket create_socket_perms;
+	')		
+
+	allow $1 self:tcp_socket create_socket_perms;
+
+	corenet_tcp_sendrecv_all_if($1)
+	corenet_raw_sendrecv_all_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_raw_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_ldap_port($1)
+	corenet_tcp_bind_all_nodes($1)
+	corenet_tcp_connect_ldap_port($1)
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect and use remote port mappers.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sysnet_use_portmap',`
+	gen_require(`
+		type net_conf_t;
+		class tcp_socket create_socket_perms;
+		class udp_socket create_socket_perms;
+	')		
+
+	allow $1 self:tcp_socket create_socket_perms;
+	allow $1 self:udp_socket create_socket_perms;
+
+	corenet_tcp_sendrecv_all_if($1)
+	corenet_udp_sendrecv_all_if($1)
+	corenet_raw_sendrecv_all_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_udp_sendrecv_all_nodes($1)
+	corenet_raw_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_portmap_port($1)
+	corenet_udp_sendrecv_portmap_port($1)
+	corenet_tcp_bind_all_nodes($1)
+	corenet_udp_bind_all_nodes($1)
+	corenet_tcp_connect_portmap_port($1)
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file r_file_perms;
+')
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 2842c25..7a0554f 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -172,6 +172,9 @@ optional_policy(`hotplug.te',`
 # for the dhcp client to run ping to check IP addresses
 optional_policy(`netutils.te',`
 	netutils_domtrans_ping(dhcpc_t)
+',`
+	allow dhcpc_t self:capability setuid;
+	allow dhcpc_t self:rawip_socket create_socket_perms;
 ')
 
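Review bot: The new else-branch gives dhcpc_t `setuid` and `rawip_socket create_socket_perms` so it can run ping in its own domain when netutils is absent, but creating a raw socket also requires the `net_raw` capability, which this hunk does not add; unless dhcpc_t already holds it elsewhere, the fallback will still be denied. The setuid grant is non-obvious and deserves a comment, e.g. `# ping is setuid-root and drops privilege after opening its raw socket` (hedged: that is ping's behaviour, not something visible here). The `# for the dhcp client to run ping` comment above now describes only the first branch and could mention the fallback.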
 optional_policy(`nis.te',`
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index 6dedd30..340f528 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -26,6 +26,24 @@ interface(`udev_domtrans',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to inherit a
+##	udev file descriptor.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`udev_dontaudit_use_fd',`
+	gen_require(`
+		type udev_t;
+		class fd use;
+	')
+
+	dontaudit $1 udev_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read or write
 ##	to a udev unix datagram socket.
 ## </summary>
@@ -33,7 +51,7 @@ interface(`udev_domtrans',`
 ##	Domain to not audit.
 ## </param>
 #
-interface(`udev_donaudit_rw_unix_dgram_socket',`
+interface(`udev_dontaudit_rw_unix_dgram_socket',`
 	gen_require(`
 		type udev_t;
 		class unix_dgram_socket { read write };
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 81071aa..0829712 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -34,7 +34,7 @@ files_pid_file(udev_var_run_t)
 # Local policy
 #
 
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio };
 allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
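Review bot: `sys_rawio` is appended to udev_t's already long capability list on the first changed line with no note of what needs it; alongside the `sys_admin`, `mknod`, `dac_override` and `net_admin` already there it brings udev_t close to an all-capability domain, so the triggering denial (which device or ioctl) should be recorded on the line, e.g. `# sys_rawio: needed by <helper> for raw device ioctls`. The denial itself is not in the hunk, so the exact consumer is a guess to be filled in by the author.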
@@ -75,8 +75,10 @@ kernel_rw_unix_dgram_socket(udev_t)
 kernel_sendto_unix_dgram_socket(udev_t)
 kernel_signal(udev_t)
 
-dev_read_sysfs(udev_t)
+dev_rw_sysfs(udev_t)
 dev_manage_dev_nodes(udev_t)
+dev_rw_generic_file(udev_t)
+dev_delete_generic_file(udev_t)
 
 fs_getattr_all_fs(udev_t)
 
@@ -125,6 +127,8 @@ sysnet_domtrans_ifconfig(udev_t)
 userdom_use_sysadm_tty(udev_t)
 
 ifdef(`distro_redhat',`
+	fs_manage_tmpfs_dirs(udev_t)
+	fs_manage_tmpfs_files(udev_t)
 	fs_manage_tmpfs_symlinks(udev_t)
 	fs_manage_tmpfs_sockets(udev_t)
 	fs_manage_tmpfs_blk_dev(udev_t)
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 97d701d..59eb383 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -34,10 +34,16 @@ template(`unconfined_domain_template',`
 	files_unconfined($1)
 
 	tunable_policy(`allow_execmem',`
-		# Allow loading DSOs that require executable stack.
+		# Allow making anonymous memory executable, e.g. 
+		# for runtime-code generation or executable stack.
 		allow $1 self:process execmem;
 	')
 
+	tunable_policy(`allow_execmem && allow_execstack',`
+		# Allow making the stack executable via mprotect.
+		allow $1 self:process execstack;
+	')
+
 	optional_policy(`authlogin.te',`
 		auth_unconfined($1)
 	')
@@ -61,8 +67,13 @@ template(`unconfined_domain_template',`
 
 	ifdef(`TODO',`
 	if (allow_execmod) {
-		# Allow text relocations on system shared libraries, e.g. libGL.
-		allow $1 texrel_shlib_t:file execmod;
+		ifdef(`targeted_policy', `
+			allow $1 file_type:file execmod;
+		', `
+			# Allow text relocations on system shared libraries, e.g. libGL.
+			allow $1 texrel_shlib_t:file execmod;
+			allow $1 home_type:file execmod;
+		')
 	}
 
 	ifdef(`dbusd.te', `
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 0e91736..d105ae8 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -139,8 +139,8 @@ template(`base_user_template',`
 	corenet_udp_sendrecv_all_ports($1_t)
 	corenet_tcp_bind_all_nodes($1_t)
 	corenet_udp_bind_all_nodes($1_t)
-	# allow port_t name binding for UDP because it is not very usable otherwise
 	corenet_udp_bind_generic_port($1_t)
+	corenet_tcp_connect_all_ports($1_t)
 
 	dev_read_input($1_t)
 	dev_read_misc($1_t)
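Review bot: The removed comment `# allow port_t name binding for UDP because it is not very usable otherwise` was the only justification for `corenet_udp_bind_generic_port($1_t)`, which stays, so the why is lost; keep or reword the comment. The added `corenet_tcp_connect_all_ports($1_t)` lets every user domain built from this template connect to any TCP port; that may well be the intended baseline, but it is a security-relevant default and a one-line comment saying so would stop it being read as an accident. The template continues outside the hunk.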
@@ -194,7 +194,6 @@ template(`base_user_template',`
 	logging_dontaudit_getattr_all_logs($1_t)
 
 	miscfiles_read_localization($1_t)
-	miscfiles_rw_man_cache($1_t)
 	# for running TeX programs
 	miscfiles_read_tetex_data($1_t)
 	miscfiles_exec_tetex_data($1_t)
@@ -301,6 +300,8 @@ template(`base_user_template',`
 
 	ifdef(`TODO',`
 
+	can_winbind($1_t)
+
 	#
 	# Cups daemon running as user tries to write /etc/printcap
 	#
@@ -324,8 +325,6 @@ template(`base_user_template',`
 	#
 	dontaudit $1_t sysctl_net_t:dir search;
 
-	dontaudit $1_t default_context_t:dir search;
-
 	r_dir_file($1_t, usercanread)
 
 	tunable_policy(`allow_execmod',`
@@ -1481,7 +1480,7 @@ interface(`userdom_dontaudit_use_sysadm_tty',`
 		term_dontaudit_use_unallocated_tty($1)
 	',`
 		gen_require(`
-			attribute sysadm_tty_device_t;
+			type sysadm_tty_device_t;
 			class chr_file { read write };
 		')
 
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 8438dd5..6f89062 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -186,6 +186,11 @@ ifdef(`targeted_policy',`
 		netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`ntp.te',`
+		ntp_stub()
+		corenet_udp_bind_ntp_port(sysadm_t)
+	')
+
 	optional_policy(`pcmcia.te',`
 		pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
 	')
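Review bot: `ntp_stub()` is called but the only rule in the block, `corenet_udp_bind_ntp_port(sysadm_t)`, references no ntp-module type, so the stub (and arguably the ntp.te optional_policy guard) is unnecessary unless ntp_stub declares something the corenet interface depends on, which is not visible here. A comment naming the use case, presumably `# ntpdate run from the sysadm shell binds the ntp port`, would explain why sysadm_t needs this only in the targeted policy. The enclosing targeted_policy ifdef opens outside the hunk.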

