[selinux-policy: 950/3172] changed rules fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:27:08 UTC 2010


commit 2e0a88016512e2218cd71580069f6f31937a07c9
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Nov 10 21:37:54 2005 +0000

    changed rules fixes

 refpolicy/policy/modules/admin/netutils.te     |    2 +-
 refpolicy/policy/modules/admin/su.if           |    1 +
 refpolicy/policy/modules/kernel/kernel.if      |    2 +-
 refpolicy/policy/modules/kernel/storage.if     |    3 +--
 refpolicy/policy/modules/services/apache.if    |    1 +
 refpolicy/policy/modules/services/cups.te      |    1 +
 refpolicy/policy/modules/services/dovecot.te   |    2 +-
 refpolicy/policy/modules/services/inetd.te     |    4 ++--
 refpolicy/policy/modules/services/inn.te       |    2 +-
 refpolicy/policy/modules/services/kerberos.te  |    2 ++
 refpolicy/policy/modules/services/ktalk.te     |    2 +-
 refpolicy/policy/modules/services/lpd.te       |    1 +
 refpolicy/policy/modules/services/mysql.te     |    4 ++--
 refpolicy/policy/modules/services/rpc.te       |    4 ++++
 refpolicy/policy/modules/system/logging.te     |    7 ++++---
 refpolicy/policy/modules/system/selinuxutil.te |    2 +-
 16 files changed, 25 insertions(+), 15 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 98a5ecb..641012c 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -35,7 +35,7 @@ allow netutils_t self:process { sigkill sigstop signull signal };
 allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
 allow netutils_t self:packet_socket create_socket_perms;
 allow netutils_t self:udp_socket create_socket_perms;
-allow netutils_t self:tcp_socket create_socket_perms;
+allow netutils_t self:tcp_socket create_stream_socket_perms;
 
 allow netutils_t netutils_tmp_t:dir create_dir_perms;
 allow netutils_t netutils_tmp_t:file create_file_perms;
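Review bot: The tcp_socket rule on the `+` line now grants `create_stream_socket_perms`, which extends netutils_t from client-style socket use to listening for and accepting TCP connections, and nothing in the hunk says which utility in this domain needs a listening socket. A one-line comment naming the tool that produced the denial would keep the extra permissions from looking like drift, e.g. `# listen/accept: needed by <utility -- TODO name it>`. If no utility in the domain actually listens, `create_socket_perms` plus the single missing permission would be the tighter fix.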
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index cca5d2c..f52bae5 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -21,6 +21,7 @@ template(`su_restricted_domain_template', `
 	allow $1_su_t self:process { setexec setsched setrlimit };
 	allow $1_su_t self:fifo_file rw_file_perms;
 	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+	allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
 
 	# Transition from the user domain to this domain.
 	domain_auto_trans($2, su_exec_t, $1_su_t)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 2b238ee..5933549 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -564,7 +564,7 @@ interface(`kernel_write_proc_file',`
 	')
 
 	allow $1 proc_t:dir search;
-	allow $1 proc_t:file write;
+	allow $1 proc_t:file { append write };
 ')
 
 ########################################
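Review bot: `kernel_write_proc_file` now grants `append` in addition to `write` on proc_t:file, but the interface's summary comment sits above the hunk and still describes the old contract to callers. Update the `## <summary>` block (outside this hunk) so it reads along the lines of `## Write to or append to generic proc files.`, so a policy author choosing between this and a narrower interface sees the widened permission set. The interface body starts outside the hunk.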
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 3f581a7..a437aee 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -68,10 +68,9 @@ interface(`storage_setattr_fixed_disk',`
 interface(`storage_dontaudit_setattr_fixed_disk',`
 	gen_require(`
 		type fixed_disk_device_t;
-		class blk_file getattr;
 	')
 
-	dontaudit $1 fixed_disk_device_t:blk_file getattr;
+	dontaudit $1 fixed_disk_device_t:blk_file setattr;
 ')
 
 ########################################
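Review bot: The `gen_require` of `storage_dontaudit_setattr_fixed_disk` drops its `class blk_file getattr;` line while the corrected dontaudit now uses `setattr`; if the build still expects the permission to be declared in gen_require, the line should have become `class blk_file setattr;` rather than disappearing. If the project has stopped declaring classes in gen_require, the removal is fine, but the sibling `storage_setattr_fixed_disk` is not visible here to confirm either convention. A short comment on the require block would save the next reader the same question.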
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 7f96e01..b836c9c 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -53,6 +53,7 @@ template(`apache_content_template',`
 	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
 
 	allow httpd_$1_script_t self:fifo_file rw_file_perms;
+	allow httpd_$1_script_t self:unix_stream_socket connectto;
 
 	allow httpd_$1_script_t httpd_t:fifo_file write;
 	# apache should set close-on-exec
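Review bot: The added rule grants `httpd_$1_script_t` only `connectto` on its own unix_stream_socket, whereas the other domains receiving connectto in this commit (dovecot_t, newrole_t) pair it with `create_stream_socket_perms`. If a script connects to a socket it created itself, the next denial will be on create/connect; if the socket is created elsewhere and this minimal grant is deliberate, a comment such as `# connectto only: scripts connect to an existing listener in their own domain -- confirm` would make that intent explicit. The template continues outside the hunk.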
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 281f875..2a08f29 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -401,6 +401,7 @@ allow initrc_t ptal_var_run_t:fifo_file unlink;
 #
 
 dontaudit hplip_t self:capability sys_tty_config;
+allow hplip_t self:process signal_perms;
 allow hplip_t self:unix_dgram_socket create_socket_perms;
 allow hplip_t self:unix_stream_socket create_socket_perms;
 allow hplip_t self:tcp_socket create_stream_socket_perms;
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 85611b6..e6693a7 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -40,7 +40,7 @@ allow dovecot_t self:process { setrlimit signal_perms };
 allow dovecot_t self:fifo_file rw_file_perms;
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
 allow dovecot_t dovecot_auth_t:fd use;
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 9c55937..6fb22da 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -168,8 +168,8 @@ optional_policy(`rhgb.te',`
 
 allow inetd_child_t self:process signal_perms;
 allow inetd_child_t self:fifo_file rw_file_perms;
-allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms };
-allow inetd_child_t self:udp_socket connected_socket_perms;
+allow inetd_child_t self:tcp_socket connected_stream_socket_perms;
+allow inetd_child_t self:udp_socket create_socket_perms;
 
 # for identd
 allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
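Review bot: The udp_socket rule for inetd_child_t moves from `connected_socket_perms` to `create_socket_perms`, which adds create, bind and connect on sockets the child previously only used after inheriting them from inetd; ktalk.te makes the same widening for ktalkd_t. If a specific service was denied creating its own UDP socket, a comment above the rule such as `# <service> creates its own UDP socket rather than using the inherited one` would justify the broader set; otherwise keeping `connected_socket_perms` and adding only the one denied permission is tighter. The tcp_socket change to `connected_stream_socket_perms` appears to be a pure macro substitution for `{ listen accept connected_socket_perms }`, assuming that macro is defined that way in the policy's permission sets.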
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 83655c1..a6ea6fe 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -44,7 +44,7 @@ allow innd_t innd_etc_t:lnk_file { getattr read };
 can_exec(innd_t, innd_exec_t)
 
 allow innd_t innd_log_t:file manage_file_perms;
-allow innd_t innd_log_t:dir { setattr ra_dir_perms };
+allow innd_t innd_log_t:dir { setattr rw_dir_perms };
 logging_create_log(innd_t,innd_log_t)
 
 allow innd_t innd_var_lib_t:dir create_dir_perms;
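Review bot: Changing innd_log_t:dir from `ra_dir_perms` to `rw_dir_perms` lets innd_t remove entries from its own log directory, not only add them, which gives up the add-only property a log directory otherwise keeps. If this is for log rotation or cleanup, a comment on the rule such as `# innd rotates and removes its own log files` records the reason; otherwise consider keeping `ra_dir_perms` and adding just the permission that was actually denied.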
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index fccdc21..98e8e01 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -55,6 +55,7 @@ files_pid_file(krb5kdc_var_run_t)
 # Use capabilities. Surplus capabilities may be allowed.
 allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
 dontaudit kadmind_t self:capability sys_tty_config;
+allow kadmind_t self:process signal_perms;
 allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
 allow kadmind_t self:unix_dgram_socket { connect create write };
 allow kadmind_t self:tcp_socket connected_stream_socket_perms;
@@ -161,6 +162,7 @@ optional_policy(`rhgb.te',`
 # Use capabilities. Surplus capabilities may be allowed.
 allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
 dontaudit krb5kdc_t self:capability sys_tty_config;
+allow krb5kdc_t self:process signal_perms;
 allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
 allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
 allow krb5kdc_t self:udp_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index 81a80e3..d3d4529 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -25,7 +25,7 @@ files_pid_file(ktalkd_var_run_t)
 allow ktalkd_t self:process signal_perms;
 allow ktalkd_t self:fifo_file rw_file_perms;
 allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
-allow ktalkd_t self:udp_socket connected_socket_perms;
+allow ktalkd_t self:udp_socket create_socket_perms;
 # for identd
 # cjp: this should probably only be inetd_child rules?
 allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index d9ff6ed..d6c433a 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -119,6 +119,7 @@ optional_policy(`nis.te',`
 
 allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
 dontaudit lpd_t self:capability sys_tty_config;
+allow lpd_t self:process signal_perms;
 allow lpd_t self:fifo_file rw_file_perms;
 allow lpd_t self:unix_stream_socket create_stream_socket_perms;
 allow lpd_t self:unix_dgram_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index db088a1..52d0770 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -30,9 +30,9 @@ files_tmp_file(mysqld_tmp_t)
 # Local policy
 #
 
-allow mysqld_t self:capability { dac_override setgid setuid };
+allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
 dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process { setsched getsched signal_perms };
+allow mysqld_t self:process { setsched getsched setrlimit signal_perms };
 allow mysqld_t self:fifo_file { read write };
 allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
 allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
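Review bot: The capability rule gains `sys_resource` and `net_bind_service` and the process rule gains `setrlimit`; the sys_resource/setrlimit pair reads as raising resource limits, but net_bind_service is only needed to bind a port below 1024, which is not mysqld's default port range. If a reserved-port configuration motivated it, a comment on the rule (`# net_bind_service: <configuration that binds a reserved port>`) would prevent it being pruned later; if not, it is a surplus capability. The other capability blocks this commit touches (kerberos.te, lpd.te) carry the `# Use capabilities. Surplus capabilities may be allowed.` header, which this block lacks.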
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index b8ade12..0f207fb 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -90,6 +90,7 @@ kernel_udp_sendfrom(nfsd_t)
 kernel_tcp_recvfrom(nfsd_t) 
 
 corenet_udp_bind_generic_port(nfsd_t)
+corenet_udp_bind_reserved_port(nfsd_t)
 
 fs_mount_nfsd_fs(nfsd_t) 
 fs_search_nfsd_fs(nfsd_t) 
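Review bot: `corenet_udp_bind_reserved_port(nfsd_t)` lets nfsd bind any reserved UDP port, and the second hunk in this file grants the same to gssd_t together with generic ports; if a fixed port is known for either daemon, a port-specific corenet interface, where one exists, would be narrower than the whole reserved range. At minimum a comment recording which port each daemon binds, e.g. `# binds reserved UDP port <n -- TODO confirm> for <service>`, would let a later reader tighten it. Both additions are single lines inside otherwise unchanged interface-call runs.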
@@ -130,6 +131,9 @@ files_create_tmp_files(gssd_t, gssd_tmp_t, { file dir })
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 
+corenet_udp_bind_generic_port(gssd_t)
+corenet_udp_bind_reserved_port(gssd_t)
+
 dev_read_urand(gssd_t)
 
 fs_read_rpc_dirs(gssd_t) 
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 2469a3a..e6f2fac 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -185,6 +185,10 @@ rhgb_domain(auditd_t)
 # klogd local policy
 #
 
+allow klogd_t self:capability sys_admin;
+dontaudit klogd_t self:capability { sys_resource sys_tty_config };
+allow klogd_t self:process signal_perms;
+
 allow klogd_t klogd_tmp_t:file create_file_perms;
 allow klogd_t klogd_tmp_t:dir create_dir_perms;
 files_create_tmp_files(klogd_t,klogd_tmp_t,{ file dir })
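Review bot: The relocated `allow klogd_t self:capability sys_admin;` is the broadest permission in this block and carries no comment on why a kernel-log reader needs it; the new dontaudit and signal_perms lines are unremarkable. Other capability blocks in this commit (kerberos.te, lpd.te) use the `# Use capabilities. Surplus capabilities may be allowed.` header, and a line such as `# sys_admin: needed for klogd's kernel log access -- confirm which call requires it` would document the reason here. The second hunk in this file only removes the old copies of these rules.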
@@ -193,9 +197,6 @@ allow klogd_t klogd_var_run_t:file create_file_perms;
 allow klogd_t klogd_var_run_t:dir rw_dir_perms;
 files_create_pid(klogd_t,klogd_var_run_t)
 
-allow klogd_t self:capability sys_admin;
-dontaudit klogd_t self:capability sys_resource;
-
 kernel_read_system_state(klogd_t)
 kernel_read_messages(klogd_t)
 kernel_read_kernel_sysctl(klogd_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 0fd52e0..42022a2 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -208,7 +208,7 @@ allow newrole_t self:sem create_sem_perms;
 allow newrole_t self:msgq create_msgq_perms;
 allow newrole_t self:msg { send receive };
 allow newrole_t self:unix_dgram_socket sendto;
-allow newrole_t self:unix_stream_socket connectto;
+allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow newrole_t self:netlink_audit_socket { create bind write nlmsg_read read };
 
 allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;

