[selinux-policy: 902/3172] more fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:23:00 UTC 2010 

commit 30910b37c66bcd4a854252997e6720a0546c9b44
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Oct 31 22:19:16 2005 +0000

    more fixes

 refpolicy/policy/modules/admin/usermanage.te     |    1 +
 refpolicy/policy/modules/kernel/devices.if       |   17 +++++++++++++++++
 refpolicy/policy/modules/services/cron.te        |   17 ++++++++++++-----
 refpolicy/policy/modules/services/cups.te        |    2 +-
 refpolicy/policy/modules/services/ldap.te        |    1 +
 refpolicy/policy/modules/services/remotelogin.te |    1 +
 refpolicy/policy/modules/services/samba.te       |    3 +++
 refpolicy/policy/modules/system/udev.te          |    8 +++++++-
 refpolicy/policy/modules/system/unconfined.te    |    4 ++++
 9 files changed, 47 insertions(+), 7 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 6b226d2..fb77e18 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -276,6 +276,7 @@ allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit e
 allow passwd_t self:process { setrlimit setfscreate };
 allow passwd_t self:fd use;
 allow passwd_t self:fifo_file rw_file_perms;
+allow passwd_t self:sock_file r_file_perms;
 allow passwd_t self:unix_dgram_socket create_socket_perms;
 allow passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow passwd_t self:unix_dgram_socket sendto;
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index aa11b47..08b43f0 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1345,6 +1345,23 @@ interface(`dev_rw_mouse',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the mtrr device.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_getattr_mtrr',`
+	gen_require(`
+		type device_t, mtrr_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mtrr_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
 ##	Read the mtrr device.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 935f1ba..1c35439 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -78,10 +78,6 @@ allow crond_t self:msg { send receive };
 allow crond_t crond_var_run_t:file create_file_perms;
 files_create_pid(crond_t,crond_var_run_t)
 
-allow crond_t crond_tmp_t:dir create_dir_perms;
-allow crond_t crond_tmp_t:file create_file_perms;
-files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
-
 allow crond_t cron_spool_t:dir rw_dir_perms;
 allow crond_t cron_spool_t:file r_file_perms;
 allow crond_t system_cron_spool_t:dir r_dir_perms;
@@ -145,6 +141,13 @@ ifdef(`distro_redhat', `
 ')
 
 ifdef(`targeted_policy',`
+	allow crond_t system_crond_tmp_t:dir create_dir_perms;
+	allow crond_t system_crond_tmp_t:file create_file_perms;
+	allow crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
+	allow crond_t system_crond_tmp_t:sock_file create_file_perms;
+	allow crond_t system_crond_tmp_t:fifo_file create_file_perms;
+	files_create_tmp_files(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
 	unconfined_domain_template(crond_t)
 
 	# cjp: fix this to generic_user interfaces
@@ -154,6 +157,10 @@ ifdef(`targeted_policy',`
 	userdom_manage_user_home_subdir_pipes(user,crond_t)
 	userdom_manage_user_home_subdir_sockets(user,crond_t)
 	userdom_create_user_home(user,crond_t,{ dir file lnk_file fifo_file sock_file })
+',`
+	allow crond_t crond_tmp_t:dir create_dir_perms;
+	allow crond_t crond_tmp_t:file create_file_perms;
+	files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
 ')
 
 tunable_policy(`fcron_crond', `
@@ -224,7 +231,7 @@ optional_policy(`squid.te',`
 ')
 
 ifdef(`targeted_policy',`
-	# cjp: fix:
+	# cjp: FIXME
 	allow crond_t unconfined_t:process transition;
 ',`
 	allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index d8fc342..b3517f7 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -316,7 +316,7 @@ allow ptal_t ptal_var_run_t:file create_file_perms;
 allow ptal_t ptal_var_run_t:lnk_file create_lnk_perms;
 allow ptal_t ptal_var_run_t:sock_file create_file_perms;
 allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
-files_create_pid(ptal_t,ptal_var_run_t,{ file lnk_file sock_file fifo_file })
+files_create_pid(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
 
 allow ptal_t ptal_var_run_t:file create_file_perms;
 allow ptal_t ptal_var_run_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 3a23b3b..672ef1c 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -58,6 +58,7 @@ allow slapd_t slapd_tmp_t:file create_file_perms;
 files_create_tmp_files(slapd_t, slapd_tmp_t, { file dir })
 
 allow slapd_t slapd_var_run_t:file create_file_perms;
+allow slapd_t slapd_var_run_t:dir rw_dir_perms;
 files_create_pid(slapd_t,slapd_var_run_t)
 
 kernel_read_system_state(slapd_t)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 91f1140..ae4d994 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -28,6 +28,7 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl
 allow remote_login_t self:process { setrlimit setexec };
 allow remote_login_t self:fd use;
 allow remote_login_t self:fifo_file rw_file_perms;
+allow remote_login_t self:sock_file r_file_perms;
 allow remote_login_t self:unix_dgram_socket create_socket_perms;
 allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
 allow remote_login_t self:unix_dgram_socket sendto;
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 87cb644..7702c76 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -330,6 +330,7 @@ allow smbd_t mtrr_device_t:file getattr;
 #
 # nmbd Local policy
 #
+
 dontaudit nmbd_t self:capability sys_tty_config;
 allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow nmbd_t self:fd use;
@@ -345,6 +346,7 @@ allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 allow nmbd_t nmbd_var_run_t:file create_file_perms;
+allow nmbd_t nmbd_var_run_t:dir rw_dir_perms;
 files_create_pid(nmbd_t,nmbd_var_run_t)
 
 allow nmbd_t samba_etc_t:dir { search getattr };
@@ -378,6 +380,7 @@ corenet_udp_bind_all_nodes(nmbd_t)
 corenet_udp_bind_nmbd_port(nmbd_t)
 
 dev_read_sysfs(nmbd_t)
+dev_getattr_mtrr(nmbd_t)
 
 fs_getattr_all_fs(nmbd_t)
 fs_search_auto_mountpoints(nmbd_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index fe5626d..3d6e691 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -40,10 +40,12 @@ files_pid_file(udev_var_run_t)
 #
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_nice };
+dontaudit udev_t self:capability sys_tty_config;
 allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_file_perms;
+allow udev_t self:sock_file r_file_perms;
 allow udev_t self:shm create_shm_perms;
 allow udev_t self:sem create_sem_perms;
 allow udev_t self:msgq create_msgq_perms;
@@ -66,8 +68,9 @@ allow udev_t udev_etc_t:file r_file_perms;
 allow udev_t udev_tbl_t:file create_file_perms;
 dev_create_dev_node(udev_t,udev_tbl_t,file)
 
-allow udev_t udev_var_run_t:dir rw_dir_perms;
 allow udev_t udev_var_run_t:file create_file_perms;
+allow udev_t udev_var_run_t:dir rw_dir_perms;
+files_create_pid(udev_t,udev_var_run_t)
 
 kernel_read_system_state(udev_t)
 kernel_getattr_core(udev_t)
@@ -154,6 +157,9 @@ ifdef(`distro_redhat',`
 ')
 
 ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(udev_t)
+	term_dontaudit_use_generic_pty(udev_t)
+
 	unconfined_domain_template(udev_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 2affdb7..ab9c9c6 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -46,6 +46,10 @@ ifdef(`targeted_policy',`
 		amanda_domtrans_recover(unconfined_t)
 	')
 
+	optional_policy(`apache.te',`
+		apache_domtrans_helper(unconfined_t)
+	')
+
 	optional_policy(`bind.te',`
 		bind_domtrans_ndc(unconfined_t)
 	')

More information about the scm-commits mailing list