[selinux-policy: 706/3172] a few conditional cleanups

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:05:55 UTC 2010


commit 1f91e1bfe58dbb2e6f24cf841a10a8932baec933
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Sep 27 19:40:44 2005 +0000

    a few conditional cleanups

 refpolicy/policy/global_tunables               |    3 +
 refpolicy/policy/modules/admin/netutils.if     |   59 +++++++++++++++++++++++-
 refpolicy/policy/modules/admin/netutils.te     |   10 +---
 refpolicy/policy/modules/admin/rpm.if          |   10 +---
 refpolicy/policy/modules/services/nis.if       |    2 +-
 refpolicy/policy/modules/system/domain.if      |   21 ++++++++-
 refpolicy/policy/modules/system/selinuxutil.te |    1 -
 refpolicy/policy/modules/system/userdomain.if  |   21 ++++++++
 refpolicy/policy/modules/system/userdomain.te  |    4 ++
 9 files changed, 111 insertions(+), 20 deletions(-)
---
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index b8a1b9e..508631b 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -25,6 +25,9 @@ gen_tunable(allow_kerberos,false)
 ## allow host key based authentication
 gen_tunable(allow_ssh_keysign,false)
 
+## Allow sysadm to ptrace all processes
+gen_tunable(allow_ptrace,false)
+
 ## Allow users to connect to mysql
 gen_tunable(allow_user_mysql_connect,false)
 
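Review bot: The description on the new `allow_ptrace` tunable covers only half of what the boolean switches on: besides `domain_ptrace_all_domains(sysadm_t)` in the userdomain.te hunk, the domain.if hunk makes every `domain_type()` caller allow `sysadm_t:process sigchld` when it is true. Since global_tunables is what an administrator reads before flipping a boolean, the comment should name both effects, e.g. `## Allow sysadm to ptrace all processes (traced domains may also send SIGCHLD to sysadm_t)`. Presumably the sigchld rule exists because a stopped tracee reports to its tracer with SIGCHLD; if so, a one-line comment above the new tunable_policy block inside `domain_type` (which starts outside that hunk) would spare the next reader the cross-reference.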
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index 1c5725b..1738f27 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -108,7 +108,6 @@ interface(`netutils_domtrans_ping',`
 interface(`netutils_run_ping',`
 	gen_require(`
 		type ping_t;
-		class chr_file rw_term_perms;
 	')
 
 	netutils_domtrans_ping($1)
@@ -118,6 +117,35 @@ interface(`netutils_run_ping',`
 
 ########################################
 ## <summary>
+##	Conditionally execute ping in the ping domain, and
+##	allow the specified role the ping domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the ping domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the ping domain to use.
+## </param>
+#
+interface(`netutils_run_ping_cond',`
+	gen_require(`
+		type ping_t;
+		bool user_ping;
+	')
+
+	role $2 types ping_t;
+
+	if ( user_ping ) {
+		netutils_domtrans_ping($1)
+		allow ping_t $3:chr_file rw_term_perms;
+	}
+')
+
+########################################
+## <summary>
 ##	Execute ping in the caller domain.
 ## </summary>
 ## <param name="domain">
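Review bot: Both new `_cond` interfaces gate on the boolean with a raw `if ( user_ping ) {` plus a `bool user_ping;` require (spelled `if ( user_ping )` in one and `if( user_ping )` in the other), while the removed netutils.te rules and the domain.if hunk in this same commit use `tunable_policy(`user_ping',` ... `)`; the same raw form reappears in the netutils.te TODO hunk. Using tunable_policy keeps the convention and records that `user_ping` is a tunable rather than a policy-internal bool. The `terminal` parameter text is missing a word; suggest `##	The type of the terminal to allow the ping domain to use.` (and likewise for traceroute). `role $2 types ping_t;` sits outside the conditional, so the role association is granted whether or not `user_ping` is on; that is unavoidable for role statements, but a comment saying so would help. `netutils_run_traceroute_cond` also keys on `user_ping`, which matches the removed netutils.te rules and so looks intentional; a comment to that effect would stop someone "fixing" it to a boolean of its own.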
@@ -184,6 +212,35 @@ interface(`netutils_run_traceroute',`
 
 ########################################
 ## <summary>
+##	Conditionally execute traceroute in the traceroute domain, and
+##	allow the specified role the traceroute domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the traceroute domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the traceroute domain to use.
+## </param>
+#
+interface(`netutils_run_traceroute_cond',`
+	gen_require(`
+		type traceroute_t;
+		bool user_ping;
+	')
+
+	role $2 types traceroute_t;
+
+	if( user_ping ) {
+		netutils_domtrans_traceroute($1)
+		allow traceroute_t $3:chr_file rw_term_perms;
+	}
+')
+
+########################################
+## <summary>
 ##	Execute traceroute in the caller domain.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 50e55de..a089a1d 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -152,11 +152,9 @@ optional_policy(`hotplug.te',`
 ')
 
 ifdef(`TODO',`
-in_user_role(ping_t)
-tunable_policy(`user_ping',`
-	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
+if(user_ping) {
 	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
-')
+}
 ') dnl end TODO
 
 ########################################
@@ -217,10 +215,6 @@ optional_policy(`nscd.te',`
 ')
 
 ifdef(`TODO',`
-in_user_role(traceroute_t)
-tunable_policy(`user_ping',`
-	domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
-')
 ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
 #rules needed for nmap
 dontaudit traceroute_t userdomain:dir search;
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index 154098e..75d2511 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -148,14 +148,11 @@ interface(`rpm_use_script_fd',`
 #
 interface(`rpm_read_db',`
 	gen_require(`
-		type rpm_var_lib_t_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-		class file r_file_perms;
+		type rpm_var_lib_t;
 	')
 
 	allow $1 rpm_var_lib_t:dir r_dir_perms;
-	allow $1 rpm_var_lib_t:file r_file_perms;
+	allow $1 rpm_var_lib_t:file { getattr read };
 	allow $1 rpm_var_lib_t:lnk_file r_file_perms;
 ')
 
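Review bot: After this change `rpm_read_db` grants `file { getattr read }` but still `lnk_file r_file_perms` on the next line, so the two object classes in one read interface now carry different permission sets, and the nis.if hunk makes the opposite choice (narrowing lnk_file, keeping r_file_perms on file). Either narrow both or keep r_file_perms on both, and say in a comment why the set was reduced. If any caller locks the rpm database files, dropping the remainder of r_file_perms (which, if I recall the refpolicy permission set correctly, includes lock and ioctl) will surface as new denials; the hunk alone does not show whether that happens. The `rpm_var_lib_t_t` → `rpm_var_lib_t` fix in gen_require is a genuine correctness fix and deserves a mention in the commit message.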
@@ -170,9 +167,6 @@ interface(`rpm_read_db',`
 interface(`rpm_manage_db',`
 	gen_require(`
 		type rpm_var_lib_t;
-		class dir rw_dir_perms;
-		class lnk_file { getattr read write unlink };
-		class file { getattr create read write append unlink };
 	')
 
 	allow $1 rpm_var_lib_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 2a2a5fd..c4e02fc 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -20,7 +20,7 @@ interface(`nis_use_ypbind',`
 		allow $1 self:udp_socket create_socket_perms;
 
 		allow $1 var_yp_t:dir r_dir_perms;
-		allow $1 var_yp_t:lnk_file r_file_perms;
+		allow $1 var_yp_t:lnk_file { getattr read };
 		allow $1 var_yp_t:file r_file_perms;
 
 		corenet_tcp_sendrecv_all_if($1)
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 5da415f..3f7bfc2 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -71,6 +71,10 @@ interface(`domain_type',`
 		unconfined_sigchld($1)
 	')
 
+	tunable_policy(`allow_ptrace',`
+		userdom_sigchld_sysadm($1)
+	')
+
 	# allow any domain to connect to the LDAP server
 	optional_policy(`ldap.te',`
 		ldap_use($1)
@@ -547,6 +551,22 @@ interface(`domain_getattr_confined_domains',`
 
 ########################################
 ## <summary>
+##	Ptrace all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_ptrace_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process ptrace;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to ptrace all domains.
 ## </summary>
 ## <desc>
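Review bot: `domain_ptrace_all_domains` grants `$1 domain:process ptrace`, i.e. the ability to read and alter the memory and registers of every process carrying the domain attribute, yet its header has only a one-line summary, while the neighbouring `domain_dontaudit_ptrace_all_domains` carries a `<desc>` block. Add a `<desc>` stating the scope (every confined and unconfined domain, including daemons that hold credentials) and that callers are expected to wrap it in a tunable, as the userdomain.te hunk does with `allow_ptrace`. Saying explicitly that it is intended for privileged administrative domains only would steer module authors away from calling it unconditionally.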
@@ -566,7 +586,6 @@ interface(`domain_getattr_confined_domains',`
 interface(`domain_dontaudit_ptrace_all_domains',`
 	gen_require(`
 		attribute domain;
-		class process ptrace;
 	')
 
 	dontaudit $1 domain:process ptrace;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 9ed52dd..d690a99 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -380,7 +380,6 @@ ifdef(`targeted_policy',`',`
 
 	term_dontaudit_list_ptys(run_init_t)
 
-	auth_domtrans_chk_passwd(run_init_t)
 	auth_dontaudit_read_shadow(run_init_t)
 
 	corecmd_exec_bin(run_init_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 4656bb4..0950c76 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -609,6 +609,11 @@ template(`unpriv_user_template', `
 		modutils_read_module_conf($1_t)
 	')
 
+	optional_policy(`netutils.te',`
+		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+	')
+
 	optional_policy(`selinuxutil.te',`
 		# for when the network connection is killed
 		seutil_dontaudit_signal_newrole($1_t)
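Review bot: Each unprivileged user role is now associated with ping_t and traceroute_t regardless of `user_ping`, because the `role $2 types` statements in the `_cond` interfaces cannot sit inside the conditional block; only the domain transition and terminal access are gated. A comment on the new optional_policy block, e.g. `# role association is unconditional; the transition itself is gated on user_ping`, would make that visible here, inside `unpriv_user_template` (which starts outside the hunk). Passing `{ $1_tty_device_t $1_devpts_t }` as the third argument relies on m4 treating the braces and spaces as one argument, which holds here because the set contains no comma, but is easy to break when someone extends it.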
@@ -1515,6 +1520,22 @@ interface(`userdom_read_staff_home_files',`
 
 ########################################
 ## <summary>
+##	Send a SIGCHLD signal to sysadm users.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_sigchld_sysadm',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Read and write sysadm ttys.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index f18b913..6881cfb 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -116,6 +116,10 @@ ifdef(`targeted_policy',`
 		')
 	')
 
+	tunable_policy(`allow_ptrace',`
+		domain_ptrace_all_domains(sysadm_t)
+	')
+
 	optional_policy(`bootloader.te',`
 		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
 	')
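Review bot: `domain_ptrace_all_domains(sysadm_t)` under `allow_ptrace` only satisfies the SELinux `process ptrace` check; attaching to a process of a different uid or one that is not dumpable also needs `capability sys_ptrace`, and nothing in this hunk shows whether sysadm_t already has it. If it does not, turning the boolean on will still leave ptrace failing, this time with a capability denial, so either add `allow sysadm_t self:capability sys_ptrace;` inside the same tunable_policy block or note in a comment where it is granted. The enclosing `ifdef(`targeted_policy'` block starts outside the hunk, so I cannot tell from here which branch this lands in.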

