[selinux-policy: 777/3172] more fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:12:12 UTC 2010


commit e6a2eaffdf9b3ab62eb239309cc13a8ec145dd71
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Oct 21 21:35:25 2005 +0000

    more fixes

 refpolicy/policy/modules/kernel/filesystem.if |    2 +-
 refpolicy/policy/modules/kernel/storage.if    |    3 +-
 refpolicy/policy/modules/kernel/terminal.if   |    8 ++----
 refpolicy/policy/modules/services/apm.te      |   16 ++++++------
 refpolicy/policy/modules/services/dovecot.te  |    1 +
 refpolicy/policy/modules/services/finger.te   |    2 +-
 refpolicy/policy/modules/services/ftp.te      |   21 ++++++++++++-----
 refpolicy/policy/modules/services/hal.te      |    3 ++
 refpolicy/policy/modules/services/inetd.te    |    6 ++--
 refpolicy/policy/modules/services/mailman.if  |    4 +-
 refpolicy/policy/modules/services/squid.te    |    3 +-
 refpolicy/policy/modules/system/files.if      |   22 +++++------------
 refpolicy/policy/modules/system/getty.te      |   20 ++++++----------
 refpolicy/policy/modules/system/hostname.te   |    1 +
 refpolicy/policy/modules/system/hotplug.te    |    9 ++++---
 refpolicy/policy/modules/system/init.if       |   30 ++++++++++++++----------
 refpolicy/policy/modules/system/pcmcia.te     |    6 +---
 refpolicy/policy/modules/system/sysnetwork.if |    2 +-
 refpolicy/policy/modules/system/sysnetwork.te |    2 +-
 refpolicy/policy/modules/system/userdomain.if |    4 +-
 20 files changed, 84 insertions(+), 81 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 7209a09..d5c32a9 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2361,5 +2361,5 @@ interface(`fs_unconfined',`
 	# Create/access other files.  fs_type is to pick up various
 	# pseudo filesystem types that are applied to both the filesystem
 	# and its files.
-	allow $1 filesystem_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+	allow $1 filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
 ')
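Review bot: The comment directly above the changed rule still names `fs_type`, but the rule it explains grants on the `filesystem_type` attribute, so a reader searching for the attribute will not find it; rewrite it as `# Create/access other files.  filesystem_type is to pick up various` so the comment and the rule agree. The rule now also grants every permission (`*`) on `chr_file` and `file` for every filesystem type, which fits an interface named fs_unconfined, but that scope (device nodes included) should be stated in the interface's summary, which sits above this hunk and is not visible here.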
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index b870ccf..3f581a7 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -130,11 +130,10 @@ interface(`storage_raw_write_fixed_disk',`
 	gen_require(`
 		attribute fixed_disk_raw_write;
 		type fixed_disk_device_t;
-		class blk_file { getattr write ioctl };
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+	allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl };
 	typeattribute $1 fixed_disk_raw_write;
 ')
 
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 7ea3893..b9f496d 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -326,11 +326,10 @@ interface(`term_ioctl_generic_pty',`
 interface(`term_use_generic_pty',`
 	gen_require(`
 		type devpts_t;
-		class chr_file { read write };
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:chr_file { read write };
+	allow $1 devpts_t:chr_file { rw_term_perms lock append };
 ')
 
 ########################################
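Review bot: `rw_term_perms` presumably carries `ioctl` in addition to getattr/read/write (the term_use_all_user_ttys hunk later in this file replaces `{ getattr read write ioctl }` with it), so every caller of term_use_generic_pty moves from plain read/write on devpts_t to the full terminal ioctl set plus lock and append. Without ioctl whitelisting, `ioctl` on a pty includes input-injecting controls such as TIOCSTI, which is more than a domain that only needs to print to a pty should receive. If the widening is deliberate, record it in the interface summary above this hunk, e.g. `## Read, write, ioctl, lock and append the generic pty type (devpts_t).`, and keep callers that only write to a pty on a narrower read/write interface if one exists. The interface's doc header starts outside the hunk.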
@@ -500,7 +499,7 @@ interface(`term_use_all_user_ptys',`
 
 	dev_list_all_dev_nodes($1)
 	allow $1 devpts_t:dir r_dir_perms;
-	allow $1 ptynode:chr_file { getattr read write ioctl };
+	allow $1 ptynode:chr_file { rw_term_perms lock append };
 ')
 
 ########################################
@@ -797,11 +796,10 @@ interface(`term_write_all_user_ttys',`
 interface(`term_use_all_user_ttys',`
 	gen_require(`
 		attribute ttynode;
-		class chr_file { getattr read write ioctl };
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file { getattr read write ioctl };
+	allow $1 ttynode:chr_file { rw_term_perms lock append };
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 761c12e..134a1c0 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -148,13 +148,6 @@ userdom_dontaudit_use_unpriv_user_fd(apmd_t)
 userdom_dontaudit_search_sysadm_home_dir(apmd_t)
 userdom_dontaudit_search_all_users_home(apmd_t) # Excessive?
 
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_tty(apmd_t)
-	term_dontaudit_use_generic_pty(apmd_t)
-	files_dontaudit_read_root_file(apmd_t)
-	unconfined_domain_template(apmd_t)
-')
-
 ifdef(`distro_redhat',`
 	allow apmd_t apmd_lock_t:file create_file_perms;
 	files_create_lock(apmd_t,apmd_lock_t)
@@ -162,7 +155,7 @@ ifdef(`distro_redhat',`
 	can_exec(apmd_t, apmd_var_run_t)
 
 	# ifconfig_exec_t needs to be run in its own domain for Red Hat
-	optional_policy(`ifconfig.te',`
+	optional_policy(`sysnetwork.te',`
 		sysnet_domtrans_ifconfig(apmd_t)
 	')
 
@@ -186,6 +179,13 @@ ifdef(`distro_suse',`
 	files_create_var_lib(apmd_t,apmd_var_lib_t)
 ')
 
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(apmd_t)
+	term_dontaudit_use_generic_pty(apmd_t)
+	files_dontaudit_read_root_file(apmd_t)
+	unconfined_domain_template(apmd_t)
+')
+
 optional_policy(`clock.te',`
 	clock_domtrans(apmd_t)
 	clock_rw_adjtime(apmd_t)
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 31c7581..d0c236f 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -75,6 +75,7 @@ corenet_tcp_sendrecv_all_nodes(dovecot_t)
 corenet_raw_sendrecv_all_nodes(dovecot_t)
 corenet_tcp_sendrecv_all_ports(dovecot_t)
 corenet_tcp_bind_all_nodes(dovecot_t)
+corenet_tcp_bind_pop_port(dovecot_t)
 corenet_tcp_connect_all_ports(dovecot_t)
 
 dev_read_sysfs(dovecot_t)
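Review bot: Only the POP port bind is added on the new line, while dovecot_t has `corenet_tcp_bind_all_nodes` and no bind-all-ports rule, so an instance configured for IMAP or IMAPS (Dovecot's usual role) would still be denied `name_bind` on those ports. If corenetwork defines a matching port type, add the sibling rule next to this one, e.g. `corenet_tcp_bind_imap_port(dovecot_t)`, and check whether POP3S/IMAPS use separate port types that need the same treatment. I cannot see corenetwork from here, so confirm the interface names before adding them.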
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index 33213fe..94e85c2 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -77,7 +77,7 @@ corecmd_exec_shell(fingerd_t)
 
 domain_use_wide_inherit_fd(fingerd_t)
 
-files_getattr_home_dir(fingerd_t)
+files_search_home(fingerd_t)
 files_read_etc_files(fingerd_t)
 files_read_etc_runtime_files(fingerd_t)
 
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index fb89452..bd0e210 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -44,19 +44,23 @@ allow ftpd_t self:unix_stream_socket create_socket_perms;
 allow ftpd_t self:tcp_socket create_stream_socket_perms;
 allow ftpd_t self:udp_socket create_socket_perms;
 
-allow ftpd_t ftpd_etc_t:file { getattr read };
+allow ftpd_t ftpd_etc_t:file r_file_perms;
 
 allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
 allow ftpd_t ftpd_tmp_t:file create_file_perms;
 files_create_tmp_files(ftpd_t, ftpd_tmp_t, { file dir })
 
-allow ftpd_t ftpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow ftpd_t ftpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow ftpd_t ftpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow ftpd_t ftpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-allow ftpd_t ftpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
+allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
+allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
+allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
+allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
 fs_create_tmpfs_data(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
+allow ftpd_t ftpd_var_run_t:file create_file_perms;
+allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
+files_create_pid(ftpd_t,ftpd_var_run_t)
+
 # Create and modify /var/log/xferlog.
 allow ftpd_t xferlog_t:file create_file_perms;
 logging_create_log(ftpd_t,xferlog_t)
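Review bot: `allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;` widens the original `{ read getattr lock search ioctl add_name remove_name write }`, which is exactly `rw_dir_perms`; the new macro presumably adds create, setattr, rename and rmdir on the tmpfs directory, whereas the file, fifo and sock rules in the same run are like-for-like macro swaps. Unless ftpd is known to create or remove tmpfs directories, keep the original scope with `allow ftpd_t ftpd_tmpfs_t:dir rw_dir_perms;`. The new `ftpd_var_run_t` rules also rely on a `type ftpd_var_run_t;` / `files_pid_file(ftpd_var_run_t)` declaration and an ftp.fc entry, both outside this hunk; please confirm they are part of the patch, since a pre-existing pid file that keeps the generic var_run_t label will not be covered by the `create_file_perms` rule.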
@@ -86,6 +90,7 @@ corenet_tcp_connect_all_ports(ftpd_t)
 
 term_dontaudit_use_console(ftpd_t)
 
+auth_domtrans_chk_passwd(ftpd_t)
 # Append to /var/log/wtmp.
 auth_append_login_records(ftpd_t)
 #kerberized ftp requires the following
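Review bot: `auth_domtrans_chk_passwd(ftpd_t)` is inserted directly above the `# Append to /var/log/wtmp.` comment, so the comment now reads as if it described both rules; the new line also grants ftpd_t a domain transition to the password-checking helper, which is a meaningful privilege that deserves its own sentence. Give it its own comment and a blank line, e.g. `# Verify user passwords via the chkpwd helper (local/PAM auth)` above the new rule, keeping the existing comment attached to auth_append_login_records. The surrounding rule run continues outside the hunk.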
@@ -190,6 +195,10 @@ optional_policy(`mount.te',`
 	mount_send_nfs_client_request(ftpd_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(ftpd_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(ftpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index edbd64b..6d12e3f 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -23,6 +23,7 @@ files_pid_file(hald_var_run_t)
 
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
+allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow hald_t self:unix_dgram_socket create_socket_perms;
@@ -45,8 +46,10 @@ kernel_read_kernel_sysctl(hald_t)
 kernel_write_proc_file(hald_t)
 
 corenet_tcp_sendrecv_all_if(hald_t)
+corenet_udp_sendrecv_all_if(hald_t)
 corenet_raw_sendrecv_all_if(hald_t)
 corenet_tcp_sendrecv_all_nodes(hald_t)
+corenet_udp_sendrecv_all_nodes(hald_t)
 corenet_raw_sendrecv_all_nodes(hald_t)
 corenet_tcp_sendrecv_all_ports(hald_t)
 corenet_tcp_bind_all_nodes(hald_t)
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 7b439f4..6ec899b 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -144,9 +144,7 @@ optional_policy(`unconfined.te', `
 	unconfined_domtrans(inetd_t)
 ')
 
-# This should be tunable_policy, but leaving
-# ifdef until typeattribute works in conditionals
-ifdef(`unlimitedInetd', `
+ifdef(`targeted_policy',`
 	unconfined_domain_template(inetd_t) 
 ')
 
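Review bot: The removed comment was the only record of why this is an `ifdef` rather than a `tunable_policy` (typeattribute not yet usable in conditionals), and the replacement now makes inetd_t unconfined on every targeted build with no switch; a maintainer who later wants to confine inetd in targeted policy loses that hint. Keep the rationale on the new block, e.g. `# TODO: make this tunable_policy once typeattribute works in conditionals` above `ifdef(`targeted_policy',`, and drop the trailing whitespace after `unconfined_domain_template(inetd_t)` while here. The `optional_policy(`unconfined.te'` block whose closing line appears at the top of the hunk starts outside it.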
@@ -184,8 +182,10 @@ kernel_read_system_state(inetd_child_t)
 kernel_read_network_state(inetd_child_t)
 
 corenet_tcp_sendrecv_all_if(inetd_child_t)
+corenet_udp_sendrecv_all_if(inetd_child_t)
 corenet_raw_sendrecv_all_if(inetd_child_t)
 corenet_tcp_sendrecv_all_nodes(inetd_child_t)
+corenet_udp_sendrecv_all_nodes(inetd_child_t)
 corenet_raw_sendrecv_all_nodes(inetd_child_t)
 corenet_tcp_bind_all_nodes(inetd_child_t)
 corenet_tcp_sendrecv_all_ports(inetd_child_t)
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index a3f1d8c..364faf3 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -248,7 +248,7 @@ interface(`mailman_read_archive',`
 		type mailman_archive_t;
 	')
 
-	allow $1 mailman_archive_t:dir { getattr read search };
-	allow $1 mailman_archive_t:file { read getattr };
+	allow $1 mailman_archive_t:dir list_dir_perms;
+	allow $1 mailman_archive_t:file r_file_perms;
 	allow $1 mailman_archive_t:lnk_file { getattr read };
 ')
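Review bot: The `lnk_file { getattr read }` line is left as a hand-written set while the dir and file lines above it moved to the permission macros, leaving the interface half-converted. hotplug.te in this same commit uses `r_file_perms` for lnk_file, so `allow $1 mailman_archive_t:lnk_file r_file_perms;` would at least be consistent with the rest of the patch, or use a dedicated symlink-read macro if the policy defines one.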
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index a18741a..45b79d6 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -121,6 +121,7 @@ libs_exec_lib_files(squid_t)
 
 logging_send_syslog_msg(squid_t)
 
+miscfiles_read_certs(squid_t)
 miscfiles_read_localization(squid_t)
 
 userdom_use_unpriv_users_fd(squid_t)
@@ -172,7 +173,7 @@ optional_policy(`rhgb.te',`
 ifdef(`apache.te',`
 can_tcp_connect(squid_t, httpd_t)
 ')
-r_dir_file(squid_t, cert_t)
+
 ifdef(`winbind.te', `
 domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
 allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 504e104..5098412 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1322,10 +1322,9 @@ interface(`files_create_etc_config',`
 interface(`files_dontaudit_search_isid_type_dir',`
 	gen_require(`
 		type file_t;
-		class dir search;
 	')
 
-	dontaudit $1 file_t:dir search;
+	dontaudit $1 file_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -1566,10 +1565,9 @@ interface(`files_dontaudit_getattr_home_dir',`
 interface(`files_search_home',`
 	gen_require(`
 		type home_root_t;
-		class dir search;
 	')
 
-	allow $1 home_root_t:dir search;
+	allow $1 home_root_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -1584,10 +1582,9 @@ interface(`files_search_home',`
 interface(`files_dontaudit_search_home',`
 	gen_require(`
 		type home_root_t;
-		class dir search;
 	')
 
-	dontaudit $1 home_root_t:dir search;
+	dontaudit $1 home_root_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -2565,10 +2562,9 @@ interface(`files_dontaudit_getattr_pid_dir',`
 interface(`files_search_pids',`
 	gen_require(`
 		type var_t, var_run_t;
-		class dir search;
 	')
 
-	allow $1 var_t:dir search;
+	allow $1 var_t:dir search_dir_perms;
 	allow $1 var_run_t:dir search;
 ')
 
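Review bot: Within files_search_pids only `var_t` is moved to `search_dir_perms` while `var_run_t` keeps bare `search` on the following line, so a caller gets getattr on /var but not on /var/run; that asymmetry is unlikely to be intended and will surface as a getattr denial on var_run_t. Use the same macro on both lines: `allow $1 var_run_t:dir search_dir_perms;`.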
@@ -2599,7 +2595,7 @@ interface(`files_list_pids',`
 		class dir r_dir_perms;
 	')
 
-	allow $1 var_t:dir search;
+	allow $1 var_t:dir search_dir_perms;
 	allow $1 var_run_t:dir r_dir_perms;
 ')
 
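Review bot: The `class dir r_dir_perms;` line in this interface's gen_require survives, although the same commit removes the equivalent `class ... ;` requires from every other interface it touches in this file; the same leftover (`class dir rw_dir_perms;`) appears in files_create_pid just below. Drop both for consistency with the rest of the patch. The files_list_pids header is outside the hunk.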
@@ -2613,7 +2609,7 @@ interface(`files_create_pid',`
 		class dir rw_dir_perms;
 	')
 
-	allow $1 var_t:dir search;
+	allow $1 var_t:dir search_dir_perms;
 	allow $1 var_run_t:dir rw_dir_perms;
 
 	ifelse(`$3',`',`
@@ -2650,7 +2646,6 @@ interface(`files_rw_generic_pids',`
 interface(`files_dontaudit_write_all_pids',`
 	gen_require(`
 		attribute pidfile;
-		class file write;
 	')
 
 	dontaudit $1 pidfile:file write;
@@ -2667,7 +2662,6 @@ interface(`files_dontaudit_write_all_pids',`
 interface(`files_dontaudit_ioctl_all_pids',`
 	gen_require(`
 		attribute pidfile;
-		class file ioctl;
 	')
 
 	dontaudit $1 pidfile:file ioctl;
@@ -2681,11 +2675,9 @@ interface(`files_read_all_pids',`
 	gen_require(`
 		attribute pidfile;
 		type var_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
 	')
 
-	allow $1 var_t:dir search;
+	allow $1 var_t:dir search_dir_perms;
 	allow $1 pidfile:dir r_dir_perms;
 	allow $1 pidfile:file r_file_perms;
 ')
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 00586cd..8e5f692 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -38,7 +38,7 @@ files_pid_file(getty_var_run_t)
 
 # Use capabilities.
 allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
-allow getty_t self:process { getpgid getsession };
+allow getty_t self:process { getpgid getsession signal_perms };
 
 allow getty_t getty_etc_t:dir r_dir_perms;
 allow getty_t getty_etc_t:file r_file_perms;
@@ -47,14 +47,15 @@ files_create_etc_config(getty_t,getty_etc_t,{ file dir })
 allow getty_t getty_lock_t:file create_file_perms;
 files_create_lock(getty_t,getty_lock_t)
 
-allow getty_t getty_log_t:file { getattr append setattr };
+allow getty_t getty_log_t:file create_file_perms;
+logging_create_log(getty_t,getty_log_t)
 
-allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
-allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
+allow getty_t getty_tmp_t:file create_file_perms;
+allow getty_t getty_tmp_t:dir create_dir_perms;
 files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
 
 allow getty_t getty_var_run_t:file create_file_perms;
-allow getty_t getty_var_run_t:dir create_dir_perms;
+allow getty_t getty_var_run_t:dir rw_dir_perms;
 files_create_pid(getty_t,getty_var_run_t)
 
 dev_read_sysfs(getty_t)
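Review bot: `allow getty_t getty_log_t:file create_file_perms;` replaces an append-only grant (`{ getattr append setattr }`) with full create/read/write/unlink/rename on the getty log, so a compromised getty could now truncate or remove its own log rather than only extend it. If the only new need is creating the file (the `logging_create_log` call handles the directory and the type transition), a narrower rule such as `allow getty_t getty_log_t:file { create getattr setattr append };` keeps the append-only property; I cannot see from here whether getty ever rewrites the file, so confirm against the daemon. The `getty_var_run_t:dir` change in the same hunk goes the other way (create_dir_perms to rw_dir_perms) and is a welcome narrowing.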
@@ -90,11 +91,6 @@ logging_send_syslog_msg(getty_t)
 
 miscfiles_read_localization(getty_t)
 
-ifdef(`TODO',`
-#
-# getty needs to be able to run pppd
-#
-ifdef(`pppd.te', `
-domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
+optional_policy(`ppp.te',`
+	ppp_domtrans(getty_t)
 ')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index e298a69..4ea3d19 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -19,6 +19,7 @@ role system_r types hostname_t;
 # for setting the hostname
 allow hostname_t self:process { sigchld sigkill sigstop signull signal };
 allow hostname_t self:capability sys_admin;
+allow hostname_t self:unix_stream_socket create_stream_socket_perms;
 dontaudit hostname_t self:capability sys_tty_config;
 
 kernel_dontaudit_use_fd(hostname_t)
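Review bot: `create_stream_socket_perms` on a self unix_stream_socket is presumably there for an NSS lookup (for example `hostname -f` resolving through nscd), but nothing records why a program that only sets the hostname needs a socket at all. Add the reason on the line, e.g. `# hostname -f resolves the name via NSS`, and if nscd is the target, pair it with `optional_policy(`nscd.te', nscd_use_socket(hostname_t))` as ftp.te does in this same commit, since creating the socket alone will not allow connecting to nscd's socket file.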
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 6e268c6..9309e8a 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -14,6 +14,7 @@ init_daemon_domain(hotplug_t,hotplug_exec_t)
 type hotplug_etc_t; #, usercanread;
 files_type(hotplug_etc_t)
 kernel_search_from(hotplug_etc_t)
+domain_entry_file(hotplug_t,hotplug_etc_t)
 
 type hotplug_var_run_t;
 files_pid_file(hotplug_var_run_t)
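Review bot: `domain_entry_file(hotplug_t,hotplug_etc_t)` makes the /etc/hotplug configuration type an entry point into hotplug_t, and a later hunk in this file also grants `can_exec(hotplug_t,hotplug_etc_t)`, so any file labelled hotplug_etc_t is both executable and a way into a domain that holds net_admin, mknod and sys_rawio. That puts the type at the same trust level as hotplug_exec_t, so write access to hotplug_etc_t must be restricted accordingly, and the `#, usercanread` remnant on the `type hotplug_etc_t;` line should be resolved rather than left dangling. A short comment on the new line, `# agent scripts under /etc/hotplug run as the domain entry point`, would record the intent.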
@@ -27,7 +28,7 @@ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
 dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit hotplug_t self:capability { dac_override dac_read_search };
-allow hotplug_t self:process { getsession getattr };
+allow hotplug_t self:process { getsession getattr signal_perms };
 allow hotplug_t self:fifo_file rw_file_perms;
 allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
 allow hotplug_t self:udp_socket create_socket_perms;
@@ -36,11 +37,11 @@ allow hotplug_t self:tcp_socket connected_stream_socket_perms;
 allow hotplug_t hotplug_etc_t:file r_file_perms;
 allow hotplug_t hotplug_etc_t:dir r_dir_perms;
 allow hotplug_t hotplug_etc_t:lnk_file r_file_perms;
+can_exec(hotplug_t,hotplug_etc_t)
 
-allow hotplug_t hotplug_exec_t:file { getattr read ioctl execute execute_no_trans };
-allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
+can_exec(hotplug_t,hotplug_exec_t)
 
-allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
+allow hotplug_t hotplug_var_run_t:file manage_file_perms;
 files_create_pid(hotplug_t,hotplug_var_run_t)
 
 kernel_sigchld(hotplug_t)
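Review bot: `manage_file_perms` on hotplug_var_run_t is the only place in this commit that uses that macro for a pid file; ftp.te and getty.te in the same patch use `create_file_perms` for the analogous var_run rules, and the original hand-written set here (`{ getattr create read write append setattr unlink }`) is the same shape. Pick one macro for pid-file rules across the patch, e.g. `allow hotplug_t hotplug_var_run_t:file create_file_perms;`, unless manage_file_perms is intentionally narrower (I cannot confirm its definition from here).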
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index c8df5f1..9c27dae 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -618,33 +618,37 @@ interface(`init_use_script_pty',`
 
 ########################################
 ## <summary>
-##	Read init scripts.
+##	Do not audit attempts to read and
+##	write the init script pty.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain to not audit.
 ## </param>
 #
-interface(`init_read_script_file',`
+interface(`init_dontaudit_use_script_pty',`
 	gen_require(`
-		type initrc_exec_t;
-		class file r_file_perms;
+		type initrc_devpts_t;
 	')
 
-	files_search_etc($1)
-	allow $1 initrc_exec_t:file r_file_perms;
+	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
 ')
 
 ########################################
+## <summary>
+##	Read init scripts.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
-# init_dontaudit_use_script_pty(domain)
-#
-interface(`init_dontaudit_use_script_pty',`
+interface(`init_read_script_file',`
 	gen_require(`
-		type initrc_devpts_t;
-		class chr_file { read write ioctl };
+		type initrc_exec_t;
+		class file r_file_perms;
 	')
 
-	dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
+	files_search_etc($1)
+	allow $1 initrc_exec_t:file r_file_perms;
 ')
 
 ########################################
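Review bot: The new summary for init_dontaudit_use_script_pty says "read and write" while the rule it documents dontaudits `{ rw_term_perms lock append }`, which presumably also covers getattr and ioctl; the summary should match the rule so readers know which denials are being silenced. Suggest `##	Do not audit attempts to read, write, ioctl, lock or append the init script pty.` The reordering of the two interfaces otherwise carries their text over unchanged.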
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index b1ba783..f724db3 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -49,8 +49,6 @@ files_create_pid(cardmgr_t,cardmgr_var_run_t)
 
 kernel_read_system_state(cardmgr_t)
 kernel_read_kernel_sysctl(cardmgr_t)
-kernel_list_proc(cardmgr_t)
-kernel_read_proc_symlinks(cardmgr_t)
 kernel_dontaudit_getattr_message_if(cardmgr_t)
 
 bootloader_search_kernel_modules(cardmgr_t)
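Review bot: `kernel_list_proc` and `kernel_read_proc_symlinks` are removed with nothing replacing them, apparently on the assumption that `kernel_read_system_state` on the line above already grants listing /proc and reading its symlinks; that is plausible but not shown here, and if it does not, cardmgr's /proc scans will be denied. Please confirm the covering interface, and if that is the reason, say so in the commit message or with a comment such as `# /proc listing and symlink reads are covered by kernel_read_system_state`.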
@@ -118,13 +116,13 @@ sysnet_manage_config(cardmgr_t)
 userdom_dontaudit_use_unpriv_user_fd(cardmgr_t)
 userdom_dontaudit_search_sysadm_home_dir(cardmgr_t)
 
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(cardmgr_t)
 	term_dontaudit_use_generic_pty(cardmgr_t)
 	files_dontaudit_read_root_file(cardmgr_t)
 ')
 
-optional_policy(`selinuxutils.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_dontaudit_read_config(cardmgr_t)
 	seutil_sigchld_newrole(cardmgr_t)
 ')
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 656a0aa..cf55822 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -141,7 +141,7 @@ interface(`sysnet_rw_dhcp_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 dhcp_etc_t:file { getattr read };
+	allow $1 dhcp_etc_t:file rw_file_perms;
 ')
 
 ########################################
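Review bot: Switching sysnet_rw_dhcp_config from `{ getattr read }` to `rw_file_perms` makes the interface finally do what its name says, but it also means every existing caller silently gains write access to dhcp_etc_t, which holds the DHCP client/server configuration. Audit the callers: any that relied on this interface for read-only access should move to a read interface (sysnet_read_dhcp_config, if the file defines one). The interface's doc comment, above this hunk, should state that it grants write access.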
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 5a6217d..b998b18 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -244,7 +244,7 @@ rhgb_domain(dhcpc_t)
 #
 
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
-allow ifconfig_t self:capability { net_admin sys_tty_config };
+allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
 dontaudit ifconfig_t self:capability sys_module;
 
 allow ifconfig_t self:fd use;
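Review bot: `net_raw` on ifconfig_t is a broad capability (raw and packet sockets, binding to any address), and nothing in the hunk records which ifconfig operation triggered it; the neighbouring `dontaudit ifconfig_t self:capability sys_module;` shows the pattern for a capability that is probed but not needed. If the denial comes from a probe rather than a real need, prefer `dontaudit ifconfig_t self:capability net_raw;`; if it is needed, add a comment naming the operation next to the allow. I cannot tell which from here.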
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 0183c29..1b2cbc1 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1781,7 +1781,7 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
 		type sysadm_home_dir_t;
 	')
 
-	dontaudit $1 sysadm_home_dir_t:dir search;
+	dontaudit $1 sysadm_home_dir_t:dir { getattr search };
 ')
 
 ########################################
@@ -1849,7 +1849,7 @@ interface(`userdom_dontaudit_search_all_users_home',`
 		attribute home_dir_type, home_type;
 	')
 
-	dontaudit $1 { home_dir_type home_type }:dir search;
+	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
 ')
 
 ########################################
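Review bot: The two dontaudit changes in this file express what is presumably the same widening differently: sysadm_home_dir_t gets a literal `{ getattr search }` in the earlier hunk while the home_dir_type/home_type rule here uses `search_dir_perms`, the macro the files.if hunks in this commit use for that set. Use the macro in both places, `dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;`, so a future change to the macro applies uniformly. Both interfaces' headers are above their hunks.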

