[selinux-policy: 979/3172] fix transitions in and out of unconfined. fix bugs uncovered by rawhide testing

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:29:36 UTC 2010


commit 704327e8b2a085e040fe47878fd249bc15be8d35
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Nov 16 21:08:52 2005 +0000

    fix transitions in and out of unconfined.  fix bugs uncovered by rawhide testing

 refpolicy/policy/modules/admin/rpm.te         |   16 ++++++++++------
 refpolicy/policy/modules/admin/updfstab.te    |    9 +++++----
 refpolicy/policy/modules/kernel/bootloader.te |   13 +++++++++++--
 refpolicy/policy/modules/services/dovecot.te  |   10 +++++-----
 refpolicy/policy/modules/services/hal.if      |   17 +++++++++++++++++
 refpolicy/policy/modules/services/inetd.te    |   14 +++++++-------
 refpolicy/policy/modules/system/unconfined.te |   21 ++++++++++++---------
 7 files changed, 67 insertions(+), 33 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 7d00dad..416c7b8 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
 
-policy_module(rpm,1.0)
+policy_module(rpm,1.0.1)
 
 ########################################
 #
@@ -143,7 +143,6 @@ auth_dontaudit_read_shadow(rpm_t)
 
 corecmd_exec_bin(rpm_t)
 corecmd_exec_sbin(rpm_t)
-corecmd_shell_domtrans(rpm_t,rpm_script_t)
 
 domain_exec_all_entry_files(rpm_t)
 domain_read_all_domains_state(rpm_t)
@@ -179,6 +178,11 @@ ifdef(`targeted_policy',`
 	# unconfined in the targeted policy
 	allow rpm_t rpm_log_t:file create_file_perms;
 	logging_create_log(rpm_t,rpm_log_t)
+
+	# cjp: if rpm_t and xdm_t are aliases of
+	# unconfined_t, this will break xdm logins
+	# by making users log in to rpm_script_t.
+	corecmd_shell_domtrans(rpm_t,rpm_script_t)
 ')
 
 optional_policy(`cron.te',`
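Review bot: The `cjp` comment above the re-added `corecmd_shell_domtrans(rpm_t,rpm_script_t)` reads as if this line itself breaks xdm logins, when it seems to explain why the call was moved out of the unconditional section. The enclosing `targeted_policy` ifdef opens outside the hunk, so the branch these lines sit in is not visible here, and the comment should name it. If the intent is what it appears to be, something like `# Only outside the targeted policy: where rpm_t and xdm_t are aliases of unconfined_t, this shell transition would make user logins land in rpm_script_t.` would remove the ambiguity. The `bootloader_domtrans(rpm_script_t)` block moved inside the ifdef in the last hunk of this file has the same gap, with no comment at all on why that transition became conditional.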
@@ -330,16 +334,16 @@ ifdef(`targeted_policy',`
 			mta_send_mail(rpm_script_t)
 		')
 	')
+
+	optional_policy(`bootloader.te',`
+		bootloader_domtrans(rpm_script_t)
+	')
 ')
 
 tunable_policy(`allow_execmem',`
 	allow rpm_script_t self:process execmem;
 ')
 
-optional_policy(`bootloader.te',`
-	bootloader_domtrans(rpm_script_t)
-')
-
 optional_policy(`nis.te',`
 	nis_use_ypbind(rpm_script_t)
 ')
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index dfc42d3..ac5487d 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -1,5 +1,5 @@
 
-policy_module(updfstab,1.0)
+policy_module(updfstab,1.0.1)
 
 ########################################
 #
@@ -98,6 +98,10 @@ optional_policy(`dbus.te',`
 	dbus_send_system_bus_msg(updfstab_t)
 ')
 
+optional_policy(`hald.te',`
+	hal_stream_connect(updfstab_t)
+')
+
 optional_policy(`modutils.te',`
 	modutils_read_module_conf(updfstab_t)
 	modutils_exec_insmod(updfstab_t)
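Review bot: The new block is keyed on `hald.te`, but the interface it calls is added to services/hal.if in this same commit, which suggests the module file is hal.te. If optional_policy matches on the module's file name, as the neighbouring `dbus.te` and `modutils.te` blocks imply, this condition never holds and `hal_stream_connect(updfstab_t)` is silently dropped from the built policy. The name looks carried over from the removed `ifdef` around `can_unix_connect(updfstab_t, hald_t)` in the next hunk. The first argument should probably be `hal.te`; worth confirming against the module list and checking the compiled policy for the connectto rule.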
@@ -121,9 +125,6 @@ optional_policy(`rhgb.te',`
 	rhgb_domain(updfstab_t)
 ')
 allow updfstab_t tmpfs_t:dir getattr;
-ifdef(`hald.te', `
-can_unix_connect(updfstab_t, hald_t)
-')
 ')
 
 optional_policy(`dbus.te',`
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index ee399f9..9d3fd0c 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.0)
+policy_module(bootloader,1.0.1)
 
 ########################################
 #
@@ -73,7 +73,7 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
 allow bootloader_t self:process { sigkill sigstop signull signal };
 allow bootloader_t self:fifo_file { getattr read write };
 
-allow bootloader_t boot_t:dir rw_dir_perms;
+allow bootloader_t boot_t:dir { create rw_dir_perms };
 allow bootloader_t boot_t:file create_file_perms;
 allow bootloader_t boot_t:lnk_file create_lnk_perms;
 
@@ -195,6 +195,11 @@ ifdef(`distro_redhat',`
 	mount_domtrans(bootloader_t)
 ')
 
+ifdef(`targeted_policy',`
+	term_use_unallocated_tty(bootloader_t)
+	term_use_generic_pty(bootloader_t)
+')
+
 optional_policy(`fstools.te',`
 	fstools_exec(bootloader_t)
 ')
@@ -215,6 +220,10 @@ optional_policy(`modutils.te',`
 	modutils_exec_update_mods(bootloader_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(bootloader_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_rw_pipe(bootloader_t)
 ')
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index e6693a7..3e07ec8 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.0)
+policy_module(dovecot,1.0.1)
 
 ########################################
 #
@@ -48,11 +48,11 @@ allow dovecot_auth_t dovecot_t:process sigchld;
 allow dovecot_auth_t dovecot_t:fd use;
 allow dovecot_auth_t dovecot_t:fifo_file { ioctl read write getattr lock append };
 
-allow dovecot_t dovecot_cert_t:dir { getattr read search };
-allow dovecot_t dovecot_cert_t:file { read getattr ioctl lock };
+allow dovecot_t dovecot_cert_t:dir r_dir_perms;
+allow dovecot_t dovecot_cert_t:file r_file_perms;
 allow dovecot_t dovecot_cert_t:lnk_file { getattr read };
 
-allow dovecot_t dovecot_etc_t:file { getattr read };
+allow dovecot_t dovecot_etc_t:file r_file_perms;
 files_search_etc(dovecot_t)
 
 can_exec(dovecot_t, dovecot_exec_t)
@@ -113,7 +113,7 @@ userdom_dontaudit_use_unpriv_user_fd(dovecot_t)
 userdom_dontaudit_search_sysadm_home_dir(dovecot_t)
 userdom_priveleged_home_dir_manager(dovecot_t)
 
-mta_append_spool(dovecot_t)
+mta_manage_spool(dovecot_t)
 
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(dovecot_t)
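Review bot: Replacing `mta_append_spool(dovecot_t)` with `mta_manage_spool(dovecot_t)` widens a network-facing daemon from append-only access to what the interface name suggests is full create, modify and delete on the mail spool, and nothing in the hunk records why. A one-line comment above the call would let a later reader tell a deliberate grant from a leftover of debugging, for example `# IMAP/POP3 delivery rewrites and expunges mailboxes in the spool`. If only a subset of manage is needed (the denial seen in rawhide testing would show which), a narrower interface is preferable to the full manage set.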
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
index ca45cde..71a7a52 100644
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@@ -37,3 +37,20 @@ interface(`hal_dgram_sendto',`
 
 	allow $1 hald_t:unix_dgram_socket sendto;
 ')
+
+########################################
+## <summary>
+##	Send to hal over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`hal_stream_connect',`
+	gen_require(`
+		type hald_t;
+	')
+
+	allow $1 hald_t:unix_stream_socket connectto;
+')
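Review bot: The summary of `hal_stream_connect` says "Send to hal over a unix domain stream socket", which looks copied from `hal_dgram_sendto` above it, while the rule it grants is `connectto` on `hald_t:unix_stream_socket`. The doc text should read "Connect to hal over a unix domain stream socket." so that generated interface documentation matches the permission. The interface grants only the process-level connectto; whether callers also need access to the socket file itself is not visible from this hunk, and a sentence in the summary stating that this is not covered would help callers.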
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 6fb22da..59b2bda 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
 
-policy_module(inetd,1.0)
+policy_module(inetd,1.0.1)
 
 ########################################
 #
@@ -143,16 +143,16 @@ optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(inetd_t)
 ')
 
-optional_policy(`udev.te', `
+optional_policy(`udev.te',`
 	udev_read_db(inetd_t)
 ')
 
-optional_policy(`unconfined.te', `
-	unconfined_domtrans(inetd_t)
-')
-
 ifdef(`targeted_policy',`
-	unconfined_domain_template(inetd_t) 
+	unconfined_domain_template(inetd_t)
+',`
+	optional_policy(`unconfined.te',`
+		unconfined_domtrans(inetd_t)
+	')
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 4b660ff..2d9429e 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.0.1)
+policy_module(unconfined,1.0.2)
 
 ########################################
 #
@@ -70,15 +70,11 @@ ifdef(`targeted_policy',`
 	')
 
 	optional_policy(`modutils.te',`
-		modutils_domtrans_depmod(unconfined_t)
-		modutils_domtrans_insmod(unconfined_t)
 		modutils_domtrans_update_mods(unconfined_t)
 	')
 
 	optional_policy(`netutils.te',`
-		netutils_domtrans(unconfined_t)
 		netutils_domtrans_ping(unconfined_t)
-		netutils_domtrans_traceroute(unconfined_t)
 	')
 
 	optional_policy(`portmap.te',`
@@ -87,6 +83,13 @@ ifdef(`targeted_policy',`
 
 	optional_policy(`postfix.te',`
 		postfix_domtrans_map(unconfined_t)
+		# cjp: this should probably be removed:
+		postfix_domtrans_master(unconfined_t)
+	')
+
+	optional_policy(`rpc.te',`
+		# cjp: this should probably be removed:
+		rpc_domtrans_nfsd(unconfined_t)
 	')
 
 	optional_policy(`rpm.te',`
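Review bot: The two `# cjp: this should probably be removed:` comments on `postfix_domtrans_master(unconfined_t)` and `rpc_domtrans_nfsd(unconfined_t)` flag the transitions as doubtful but give neither the reason they were added nor the condition under which they can go. Since each one lets unconfined_t enter a daemon domain directly, the comment should carry that information, for example `# cjp: temporary, needed while <reason>; remove once the daemon is only started via its init script`, with the actual reason filled in. As written, a later maintainer cannot tell whether removing them is safe.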
@@ -102,6 +105,10 @@ ifdef(`targeted_policy',`
 		su_per_userdomain_template(sysadm,unconfined_t,system_r)
 	')
 
+	optional_policy(`sysnetwork.te',`
+		sysnet_domtrans_dhcpc(unconfined_t)
+	')
+
 	optional_policy(`usermanage.te',`
 		usermanage_domtrans_admin_passwd(unconfined_t)
 	')
@@ -114,9 +121,5 @@ ifdef(`targeted_policy',`
 	ifdef(`use_mcs',`
 	rw_dir_create_file(sysadm_su_t, home_dir_type)
 	')
-
 	') dnl end TODO
-
-	# FIXME:
-	typeattribute unconfined_t direct_run_init;
 ')

