[selinux-policy: 907/3172] tty and caps fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:23:25 UTC 2010
commit 7ac22585e3f0d534638d70053bef4501555abf07
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Nov 1 15:34:00 2005 +0000
tty and caps fixes
refpolicy/policy/modules/services/bind.te | 5 +++++
refpolicy/policy/modules/services/postfix.te | 5 +++++
refpolicy/policy/modules/services/snmp.te | 1 +
refpolicy/policy/modules/system/authlogin.te | 2 +-
refpolicy/policy/modules/system/modutils.te | 5 +++++
refpolicy/policy/modules/system/unconfined.te | 1 +
6 files changed, 18 insertions(+), 1 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index c323392..a4db2f7 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -247,6 +247,11 @@ ifdef(`distro_redhat',`
allow ndc_t named_conf_t:dir search;
')
+ifdef(`targeted_policy', `
+ term_use_unallocated_tty(ndc_t)
+ term_use_generic_pty(ndc_t)
+')
+
tunable_policy(`named_write_master_zones',`
allow named_t named_zone_t:dir create_dir_perms;
allow named_t named_zone_t:file create_file_perms;
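Review bot: The new targeted_policy block gives ndc_t use of the unallocated tty and generic pty types with no comment saying why. The same undocumented block is added for postfix_postdrop_t in postfix.te and for depmod_t in modutils.te. Under the targeted policy these terminal types are presumably shared by every unconfined session, so the grant reaches further than the terminal the command was started from and deserves a stated reason. I would put a comment above each block, for example `# targeted policy: user terminals keep the generic tty/pty types, needed to write to the invoking terminal`, after confirming that this is the actual reason.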
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 969692f..e7ddccc 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -451,6 +451,11 @@ sysnet_dontaudit_read_config(postfix_postdrop_t)
mta_rw_user_mail_stream_socket(postfix_postdrop_t)
+ifdef(`targeted_policy', `
+ term_use_unallocated_tty(postfix_postdrop_t)
+ term_use_generic_pty(postfix_postdrop_t)
+')
+
optional_policy(`crond.te',`
cron_use_fd(postfix_postdrop_t)
cron_rw_pipe(postfix_postdrop_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index e453757..45b81a3 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -26,6 +26,7 @@ files_type(snmpd_var_lib_t)
# Local policy
#
allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
+dontaudit snmpd_t self:capability sys_tty_config;
allow snmpd_t self:fifo_file rw_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
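Review bot: The added `dontaudit snmpd_t self:capability sys_tty_config;` has no effect while the allow rule on the line above still lists sys_tty_config, because a dontaudit rule only silences denials and this capability is granted. If the intent is to withhold the capability from snmpd_t without logging the denial, the allow rule should drop it: `allow snmpd_t self:capability { dac_override kill net_admin sys_nice };`. If the capability is really needed, the dontaudit line should go instead, so the policy does not read as though the access were denied.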
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 0fb6a6a..5dae3e7 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -270,7 +270,7 @@ kernel_read_system_state(system_chkpwd_t)
fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
-term_use_unallocated_tty(system_chkpwd_t)
+term_dontaudit_use_unallocated_tty(system_chkpwd_t)
domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)
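Review bot: The replacement silences denials only for the unallocated tty type, while the other hunks in this commit treat the unallocated tty and the generic pty as a pair. If system_chkpwd_t can be started from a pty session, its inherited descriptor would presumably still produce audited denials. Check whether `term_dontaudit_use_generic_pty(system_chkpwd_t)` is wanted alongside it, unless the file already has it outside this hunk. A one-line comment stating that terminal access is denied on purpose would also help, since a dontaudit rule leaves nothing in the audit log for someone debugging a password-check failure later.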
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 5f68f1b..5613a7a 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -190,6 +190,11 @@ files_list_home(depmod_t)
userdom_read_staff_home_files(depmod_t)
userdom_read_sysadm_home_files(depmod_t)
+ifdef(`targeted_policy', `
+ term_use_unallocated_tty(depmod_t)
+ term_use_generic_pty(depmod_t)
+')
+
optional_policy(`rpm.te',`
rpm_rw_pipe(depmod_t)
')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index ab9c9c6..5b06fde 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -26,6 +26,7 @@ logging_send_syslog_msg(unconfined_t)
ifdef(`targeted_policy',`
allow unconfined_t self:system syslog_read;
+ dontaudit unconfined_t self:capability sys_module;
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
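Review bot: The added `dontaudit unconfined_t self:capability sys_module;` keeps denied sys_module use by the unconfined domain out of the audit log, and nothing in the hunk says why that is acceptable. A denied sys_module access is something people look for when investigating a host, so suppressing it should be a documented decision. I would add a comment above the rule naming what triggers the noise, e.g. `# <program> requests sys_module at startup; the denial is expected`, with the placeholder filled in. Whether unconfined_t is allowed sys_module elsewhere is not visible here; if it is, this rule does nothing and should be dropped. The ifdef block continues past the end of the hunk.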