[selinux-policy: 755/3172] misc fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:10:04 UTC 2010
commit c3812748c36cb45980cd6cc8e38b41e4fb8126b5
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Oct 18 15:07:11 2005 +0000
misc fixes
refpolicy/Rules.modular | 2 +-
refpolicy/policy/modules/admin/rpm.te | 6 ++++++
refpolicy/policy/modules/kernel/kernel.te | 1 +
refpolicy/policy/modules/kernel/mls.te | 1 +
refpolicy/policy/modules/services/dbus.te | 2 +-
refpolicy/policy/modules/services/privoxy.te | 3 +++
refpolicy/policy/modules/services/sendmail.te | 9 ---------
refpolicy/policy/modules/services/ssh.if | 2 +-
refpolicy/policy/modules/services/ssh.te | 13 ++++++++-----
refpolicy/policy/modules/system/init.te | 12 +++++-------
10 files changed, 27 insertions(+), 24 deletions(-)
---
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 9e90bb3..798f989 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -1,6 +1,6 @@
########################################
#
-# Rules and Targets for building monolithic policies
+# Rules and Targets for building modular policies
#
ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 9939948..c1a39c5 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -314,6 +314,12 @@ seutil_domtrans_restorecon(rpm_script_t)
userdom_use_all_user_fd(rpm_script_t)
+ifdef(`distro_redhat',`
+ optional_policy(`mta.te',`
+ mta_send_mail(rpm_script_t)
+ ')
+')
+
ifdef(`targeted_policy',`
unconfined_domain_template(rpm_t)
')
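Review bot: The new mta_send_mail(rpm_script_t) call carries no comment, while the sendmail.te rule it replaces in this same commit was documented as being needed to create /etc/aliases.db; that rationale should move with the rule so the distro_redhat block is not cargo-culted later, e.g. `# rpm scriptlets run newaliases (rebuilds /etc/aliases.db); needs the transition to system_mail_t`. Presumably mta_send_mail() provides the domain transition into system_mail_t that the removed domain_auto_trans() gave — worth confirming against mta.if, because if the interface only grants execute the scriptlet would run sendmail inside rpm_script_t's own domain instead.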
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index d7611ba..0d0f6c7 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -156,6 +156,7 @@ allow kernel_t self:capability *;
allow kernel_t unlabeled_t:dir mounton;
# old general_domain_access()
+allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
allow kernel_t self:sem create_sem_perms;
allow kernel_t self:msg { send receive };
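Review bot: The new self:process rule uses a negated set (`~{ ... }`), which grants every process permission not listed, including any added to access_vectors in the future, so the grant silently grows with the policy. Since kernel_t already holds `self:capability *` a few lines above this is not a practical escalation, but an explicit positive list is easier to audit and keeps its meaning when the class is extended; I would spell out the permissions the old general_domain_access() macro actually granted, or at minimum add `# negated set: re-check whenever process permissions are added`.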
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
index bbdabb5..6e1c358 100644
--- a/refpolicy/policy/modules/kernel/mls.te
+++ b/refpolicy/policy/modules/kernel/mls.te
@@ -56,6 +56,7 @@ type getty_t;
type login_exec_t;
type init_exec_t;
type initrc_t;
+type sshd_exec_t;
type su_exec_t;
type udev_exec_t;
type unconfined_t;
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 14dabc3..83ec8c5 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -32,7 +32,7 @@ files_pid_file(system_dbusd_var_run_t)
# cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability { dac_override setgid setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process getattr;
+allow system_dbusd_t self:process { getattr signal_perms };
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index 4b5eec3..a1d107b 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -23,6 +23,7 @@ files_pid_file(privoxy_var_run_t)
allow privoxy_t self:capability { setgid setuid };
dontaudit privoxy_t self:capability sys_tty_config;
+allow privoxy_t self:tcp_socket create_stream_socket_perms;
allow privoxy_t privoxy_log_t:file create_file_perms;
allow privoxy_t privoxy_log_t:dir rw_dir_perms;
@@ -41,6 +42,8 @@ corenet_tcp_sendrecv_all_nodes(privoxy_t)
corenet_raw_sendrecv_all_nodes(privoxy_t)
corenet_tcp_sendrecv_all_ports(privoxy_t)
corenet_tcp_bind_http_cache_port(privoxy_t)
+corenet_tcp_connect_http_port(privoxy_t)
+corenet_tcp_connect_ftp_port(privoxy_t)
dev_read_sysfs(privoxy_t)
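Review bot: The two corenet_tcp_connect_*_port() calls are what actually bound privoxy's outbound destinations, because the surrounding `corenet_tcp_sendrecv_all_ports(privoxy_t)` already allows traffic on any port once a connection exists; keeping connect narrow is the right call, but it deserves a comment saying so, e.g. `# outbound connections on behalf of proxied clients; deliberately limited to http/ftp ports`. The consequence is that requests proxied to servers on ports not labeled http_port_t or ftp_port_t (non-standard HTTP ports, presumably) will be denied with an AVC rather than forwarded; if that is the intended boundary, state it, and if it is not, a boolean-gated widening is safer than a blanket connect-all-ports rule.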
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 0ac4b5f..6356243 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -130,15 +130,6 @@ optional_policy(`rhgb.te', `
rhgb_domain(sendmail_t)
')
-#
-# Need this transition to create /etc/aliases.db
-#
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-domain_auto_trans(rpm_script_t, sendmail_exec_t, system_mail_t)
-')
-')
-
allow sendmail_t etc_mail_t:dir rw_dir_perms;
allow sendmail_t etc_mail_t:file create_file_perms;
# for the start script to run make -C /etc/mail
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 3f1eb12..66ae081 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -528,7 +528,7 @@ template(`ssh_server_template', `
')
optional_policy(`nscd.te',`
- nscd_use_socket(crond_t)
+ nscd_use_socket($1_t)
')
ifdef(`TODO',`
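Review bot: Correcting `nscd_use_socket(crond_t)` to `nscd_use_socket($1_t)` also removes the grant crond_t may have been relying on for the nscd socket in any build with ssh enabled, since the template expands for every server domain (sshd and sshd_extern in this commit). Check that cron.te carries its own `nscd_use_socket(crond_t)` under `optional_policy(`nscd.te',...)` so crond's name lookups do not start being denied after this fix. ssh_server_template begins and ends outside this hunk.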
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 8935f68..efcdc31 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -24,7 +24,15 @@ role system_r types ssh_keygen_t;
type ssh_keysign_exec_t;
files_type(ssh_keysign_exec_t)
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type sshd_exec_t;
+')
+files_type(sshd_exec_t)
+
ssh_server_template(sshd)
+ssh_server_template(sshd_extern)
# cjp: commenting this out until typeattribute works in a conditional
#optional_policy(`inetd.te',`
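Review bot: The added `gen_require(` type sshd_exec_t; `)` is unconditional, so the ssh module now hard-depends on mls.te declaring the type in every build; if the declaration block in mls.te (only its diff context is visible here) is guarded by enable_mls or similar, non-MLS policies will fail to build with an undeclared type, so that guard should be checked. Applying `files_type(sshd_exec_t)` to a type owned by another module is harmless but unusual and should be noted in the existing comment, e.g. `# files_type() stays here so ssh.te remains the single owner of sshd_exec_t labeling`.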
@@ -39,11 +47,6 @@ ssh_server_template(sshd)
init_daemon_domain(sshd_t,sshd_exec_t)
#')
-type sshd_exec_t;
-files_type(sshd_exec_t)
-
-ssh_server_template(sshd_extern)
-
type sshd_key_t;
files_type(sshd_key_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9b5f8e4..9513fad 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,6 +1,10 @@
policy_module(init,1.0)
+gen_require(`
+ class passwd rootok;
+')
+
########################################
#
# Declarations
@@ -569,13 +573,7 @@ optional_policy(`squid.te',`
')
optional_policy(`ssh.te',`
- optional_policy(`inetd.te',`
- tunable_policy(`run_ssh_inetd',`',`
- ssh_dontaudit_read_server_keys(initrc_t)
- ')
- ',`
- ssh_dontaudit_read_server_keys(initrc_t)
- ')
+ ssh_dontaudit_read_server_keys(initrc_t)
')
optional_policy(`sysnetwork.te',`
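Review bot: Collapsing the branches changes behavior when run_ssh_inetd is enabled: the old policy deliberately left initrc_t's reads of sshd key files audited in that case (the true branch of the tunable was empty), and now they are always dontaudited. A dontaudit never grants access, so this is an audit-visibility change rather than a permission one, but "misc fixes" does not say whether it is intentional; if it is, document it, e.g. `# initrc may touch sshd keys however sshd is started; suppress the noise`, otherwise keep the tunable_policy() form so key reads stay visible when sshd is not launched by initrc.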