[selinux-policy: 993/3172] clean up networkmanager hacks

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:30:50 UTC 2010


commit d828b5ca8ffd9b357163d9e23f4dcc2bcd378aea
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Nov 25 16:43:03 2005 +0000

    clean up networkmanager hacks

 refpolicy/policy/modules/services/apm.te           |   15 +++--
 refpolicy/policy/modules/services/dbus.if          |   17 ++++-
 refpolicy/policy/modules/services/dovecot.te       |    2 +
 refpolicy/policy/modules/services/hal.te           |    5 +-
 refpolicy/policy/modules/services/howl.if          |   16 +++++
 .../policy/modules/services/networkmanager.if      |   19 ++++++
 .../policy/modules/services/networkmanager.te      |   63 +++++--------------
 refpolicy/policy/modules/system/init.te            |   12 +---
 refpolicy/policy/modules/system/unconfined.te      |    8 +++
 refpolicy/policy/modules/system/userdomain.if      |    6 ++-
 10 files changed, 99 insertions(+), 64 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 59e8d3f..f20e41a 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -1,5 +1,5 @@
 
-policy_module(apm,1.0)
+policy_module(apm,1.0.1)
 
 ########################################
 #
@@ -138,6 +138,7 @@ libs_use_shared_libs(apmd_t)
 logging_send_syslog_msg(apmd_t)
 
 miscfiles_read_localization(apmd_t)
+miscfiles_read_hwdata(apmd_t)
 
 modutils_domtrans_insmod(apmd_t)
 modutils_read_module_conf(apmd_t)
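Review bot: `miscfiles_read_hwdata(apmd_t)` is added here unconditionally, while the `r_dir_file(apmd_t, hwdata_t)` it replaces (last hunk of this file) sat inside a conditional block whose opening is outside that hunk, so the hwdata read is presumably now granted in every build rather than only in that configuration. For read-only hardware data that is a harmless widening, but it is a scope change that nothing in the diff records; a short comment above the call, `# hwdata read is now unconditional (was inside a conditional block at the end of this file)`, or a sentence in the commit message would make it deliberate.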
@@ -168,7 +169,6 @@ ifdef(`distro_redhat',`
 	')
 
 ',`
-
 	# for ifconfig which is run all the time
 	kernel_dontaudit_search_sysctl(apmd_t)
 ')
@@ -195,6 +195,14 @@ optional_policy(`cron',`
 	cron_domtrans_anacron_system_job(apmd_t)
 ')
 
+optional_policy(`dbus',`
+	dbus_stub(apmd_t)
+
+	optional_policy(`networkmanager',`
+		networkmanager_dbus_chat(apmd_t)
+	')
+')
+
 optional_policy(`logrotate',`
 	logrotate_use_fd(apmd_t)
 ')
@@ -227,7 +235,4 @@ allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
 optional_policy(`cron',`
 	allow apmd_t crond_t:fifo_file { getattr read write ioctl };
 ')
-
-r_dir_file(apmd_t, hwdata_t)
-
 ')
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index 7e1359e..3259c6a 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -1,5 +1,19 @@
 ## <summary>Desktop messaging bus</summary>
 
+########################################
+## <summary>
+##	DBUS stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	N/A
+## </param>
+#
+interface(`dbus_stub',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+')
+
 #######################################
 ## <summary>
 ##	The per user domain template for the dbus module.
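Review bot: The `<param>` block of the new `dbus_stub` interface documents the argument as `N/A`, yet every caller this commit introduces passes a domain (`dbus_stub(apmd_t)`, `dbus_stub(unconfined_t)`), and the summary does not say why an interface that grants nothing exists at all. From the body it appears the only purpose is the `gen_require` of `system_dbusd_t`, which presumably makes the enclosing `optional_policy(`dbus'` block drop out when the dbus module is absent so that nested `optional_policy(`networkmanager'` blocks can be guarded on dbus; that should be stated. Suggested summary: `DBUS stub interface. Grants no access; call it so that an optional_policy(`dbus') block depends on the dbus module.` and for the parameter `Domain of the caller; unused, accepted only so the call is written like other dbus interfaces.` — wording to be confirmed against the intended semantics.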
@@ -173,9 +187,6 @@ template(`dbus_system_bus_client_template',`
 	gen_require(`
 		type system_dbusd_t, system_dbusd_t;
 		type system_dbusd_var_run_t;
-		class dir search;
-		class sock_file write;
-		class unix_stream_socket connectto;
 		class dbus send_msg;
 	')
 
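Review bot: After this hunk the require block keeps `type system_dbusd_var_run_t;` but only `class dbus send_msg` remains required, and the first context line still declares `type system_dbusd_t, system_dbusd_t;` twice. The template body is outside the hunk, so I cannot tell whether it still references `system_dbusd_var_run_t` with a `dir`/`sock_file` rule (in which case those class requires were removed because this tree treats object classes as globally declared, which should be the intent) or whether that type require is now dead. While this block is being edited, dedupe the type line to `type system_dbusd_t;` and drop `type system_dbusd_var_run_t;` if nothing in the body uses it.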
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 6955ca3..187d09b 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -34,6 +34,7 @@ role system_r types dovecot_auth_t;
 #
 # dovecot local policy
 #
+
 allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:process { setrlimit signal_perms };
@@ -141,6 +142,7 @@ optional_policy(`udev',`
 #
 # dovecot auth local policy
 #
+
 allow dovecot_auth_t self:capability { setgid setuid };
 allow dovecot_auth_t self:process signal_perms;
 allow dovecot_auth_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 4234ace..d0c1694 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -137,10 +137,13 @@ optional_policy(`cups',`
 ')
 
 optional_policy(`dbus',`
-	allow hald_t self:dbus send_msg;
 	dbus_system_bus_client_template(hald,hald_t)
 	dbus_send_system_bus_msg(hald_t)
 	dbus_connect_system_bus(hald_t)
+
+	optional_policy(`networkmanager',`
+		networkmanager_dbus_chat(hald_t)
+	')
 ')
 
 optional_policy(`dmidecode',`
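Review bot: Dropping `allow hald_t self:dbus send_msg;` on the removed line assumes that `dbus_system_bus_client_template(hald,hald_t)` already grants the self:dbus rule; that template's body is not in this diff, so please confirm, because networkmanager.te in this commit makes the same assumption when it deletes `allow NetworkManager_t self:dbus send_msg;` and relies on the template alone. If the template does not cover it, hald_t and NetworkManager_t lose the ability to send bus messages to their own domain, which would show up as `dbus send_msg` denials rather than a build error. A comment at the template call, `# self:dbus send_msg comes from the client template`, would record the dependency either way.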
diff --git a/refpolicy/policy/modules/services/howl.if b/refpolicy/policy/modules/services/howl.if
index 7091f8b..5b0900e 100644
--- a/refpolicy/policy/modules/services/howl.if
+++ b/refpolicy/policy/modules/services/howl.if
@@ -1 +1,17 @@
 ## <summary>Port of Apple Rendezvous multicast DNS</summary>
+
+########################################
+## <summary>
+##	Send generic signals to howl.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`howl_signal',`
+	gen_require(`
+		type howl_t;
+	')
+
+	allow $1 howl_t:process signal;
+')
diff --git a/refpolicy/policy/modules/services/networkmanager.if b/refpolicy/policy/modules/services/networkmanager.if
index 96dbbc6..e07d97d 100644
--- a/refpolicy/policy/modules/services/networkmanager.if
+++ b/refpolicy/policy/modules/services/networkmanager.if
@@ -1 +1,20 @@
 ## <summary>Manager for dynamically switching between networks.</summary>
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	NetworkManager over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`networkmanager_dbus_chat',`
+	gen_require(`
+		type NetworkManager_t;
+		class dbus send_msg;
+	')
+
+	allow $1 NetworkManager_t:dbus send_msg;
+	allow NetworkManager_t $1:dbus send_msg;
+')
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index d70bbea..69472b9 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
 
-policy_module(networkmanager,0.9)
+policy_module(networkmanager,1.0.0)
 
 ########################################
 #
@@ -65,6 +65,8 @@ fs_search_auto_mountpoints(NetworkManager_t)
 
 mls_file_read_up(NetworkManager_t)
 
+selinux_dontaudit_search_fs(NetworkManager_t)
+
 term_dontaudit_use_console(NetworkManager_t)
 
 corecmd_exec_shell(NetworkManager_t)
@@ -98,12 +100,16 @@ seutil_read_config(NetworkManager_t)
 sysnet_domtrans_ifconfig(NetworkManager_t)
 sysnet_domtrans_dhcpc(NetworkManager_t)
 sysnet_signal_dhcpc(NetworkManager_t)
+sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_delete_dhcpc_pid(NetworkManager_t)
+sysnet_search_dhcp_state(NetworkManager_t)
 # in /etc created by NetworkManager will be labelled net_conf_t.
 sysnet_manage_config(NetworkManager_t)
 sysnet_create_config(NetworkManager_t)
 
 userdom_dontaudit_use_unpriv_user_fd(NetworkManager_t)
 userdom_dontaudit_search_sysadm_home_dir(NetworkManager_t)
+userdom_dontaudit_use_unpriv_user_tty(NetworkManager_t)
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(NetworkManager_t)
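Review bot: Among the rules this commit deletes from the end of this file, `allow NetworkManager_t var_lib_t:dir search;` is the only one without a counterpart in the calls added here (the others map onto `sysnet_search_dhcp_state`, `sysnet_read_dhcpc_pid`/`sysnet_delete_dhcpc_pid`, `userdom_dontaudit_use_unpriv_user_tty`, `selinux_dontaudit_search_fs` and `howl_signal`). Unless the var_lib_t search is already granted elsewhere in this file, NetworkManager will be denied traversing the var_lib_t directory on its way to the dhcp state directory (presumably under /var/lib); `files_search_var_lib(NetworkManager_t)` next to the sysnet calls would restore it. Separately, under targeted_policy the new `userdom_dontaudit_use_unpriv_user_tty(NetworkManager_t)` expands, after this commit's userdomain.if change, to `term_dontaudit_use_unallocated_tty`, which the `ifdef(`targeted_policy'` block immediately below already calls, so that line in the ifdef is now redundant and can be removed.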
@@ -119,6 +125,16 @@ optional_policy(`consoletype',`
 	consoletype_exec(NetworkManager_t)
 ')
 
+optional_policy(`dbus',`
+	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
+	dbus_connect_system_bus(NetworkManager_t)
+	dbus_send_system_bus_msg(NetworkManager_t)
+')
+
+optional_policy(`howl',`
+	howl_signal(NetworkManager_t)
+')
+
 optional_policy(`mount',`
 	mount_send_nfs_client_request(NetworkManager_t)
 ')
@@ -142,48 +158,3 @@ optional_policy(`udev',`
 optional_policy(`vpn',`
 	vpn_domtrans(NetworkManager_t)
 ')
-
-###########################################################
-#
-# Partially converted rules.  THESE ARE ONLY TEMPORARY
-#
-
-optional_policy(`dbus',`
-	gen_require(`
-		class dbus send_msg;
-	')
-
-	allow NetworkManager_t self:dbus send_msg;
-
-	allow NetworkManager_t userdomain:dbus send_msg;
-	allow userdomain NetworkManager_t:dbus send_msg;
-
-	allow NetworkManager_t initrc_t:dbus send_msg;
-	allow initrc_t NetworkManager_t:dbus send_msg;
-
-	allow NetworkManager_t apmd_t:dbus send_msg;
-	allow apmd_t NetworkManager_t:dbus send_msg;
-
-	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
-	dbus_connect_system_bus(NetworkManager_t)
-	dbus_send_system_bus_msg(NetworkManager_t)
-
-	ifdef(`targeted_policy',`
-		allow NetworkManager_t unconfined_t:dbus send_msg;
-		allow unconfined_t NetworkManager_t:dbus send_msg;
-	')
-
-	optional_policy(`hal',`
-		allow NetworkManager_t hald_t:dbus send_msg;
-		allow hald_t NetworkManager_t:dbus send_msg;
-	')
-')
-
-allow NetworkManager_t howl_t:process signal;
-
-allow NetworkManager_t dhcp_state_t:dir search;
-allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
-
-allow NetworkManager_t var_lib_t:dir search;
-dontaudit NetworkManager_t user_ttynode:chr_file { read write };
-dontaudit NetworkManager_t security_t:dir search;
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 73a2f73..2f3e785 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.0)
+policy_module(init,1.0.1)
 
 gen_require(`
 	class passwd rootok;
@@ -497,14 +497,10 @@ optional_policy(`cpucontrol',`
 optional_policy(`dbus',`
 	dbus_connect_system_bus(initrc_t)
 	dbus_send_system_bus_msg(initrc_t)
+	dbus_system_bus_client_template(initrc,initrc_t)
 
-	# FIXME
-	allow initrc_t system_dbusd_t:unix_stream_socket connectto;
-	allow initrc_t system_dbusd_var_run_t:sock_file write;
-
-	ifdef(`targeted_policy',`
-		allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-		allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+	optional_policy(`networkmanager',`
+		networkmanager_dbus_chat(initrc_t)
 	')
 ')
 
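Review bot: The removed targeted_policy pair `allow unconfined_t initrc_t:dbus { acquire_svc send_msg }` / `allow initrc_t unconfined_t:dbus { acquire_svc send_msg }` has no replacement in this hunk, which adds only the client template and `networkmanager_dbus_chat(initrc_t)`, and the unconfined.te hunk of this commit adds only `networkmanager_dbus_chat(unconfined_t)`. If unconfined_t does not obtain those rights elsewhere (not visible here), initrc_t and unconfined_t can no longer exchange bus messages or acquire services from each other under targeted_policy, which would surface as runtime `dbus` denials rather than a build failure. Either confirm that the drop is intended and say so in the commit message, or restore the access through an interface in the style of the rest of this commit rather than raw allow rules in init.te.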
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 4eca013..7348834 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -57,6 +57,14 @@ ifdef(`targeted_policy',`
 		bluetooth_domtrans_helper(unconfined_t)
 	')
 
+	optional_policy(`dbus',`
+		dbus_stub(unconfined_t)
+
+		optional_policy(`networkmanager',`
+			networkmanager_dbus_chat(unconfined_t)
+		')
+	')
+
 	optional_policy(`dmidecode',`
 		dmidecode_domtrans(unconfined_t)
 	')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index b653070..d5aec82 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -310,6 +310,10 @@ template(`base_user_template',`
 
 	optional_policy(`dbus',`
 		dbus_system_bus_client_template($1,$1_t)
+
+		optional_policy(`networkmanager',`
+			networkmanager_dbus_chat($1_t)
+		')
 	')
 
 	optional_policy(`dictd',`
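Review bot: The nested block grants every domain built by `base_user_template`, unprivileged users included, bidirectional `dbus send_msg` with NetworkManager_t; that is the same breadth as the removed `allow userdomain NetworkManager_t:dbus send_msg` attribute rule, but nothing in the hunk records that the breadth is intentional. A one-line comment above the call, `# every user domain may exchange dbus messages with NetworkManager`, would make it explicit. Note that this SELinux rule only decides whether messages may flow between the two domains at all; which NetworkManager methods a given user may invoke is governed by the bus daemon's own policy, so anyone tightening user access later needs to look there rather than here.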
@@ -2466,7 +2470,7 @@ interface(`userdom_write_unpriv_user_tmp',`
 #
 interface(`userdom_dontaudit_use_unpriv_user_tty',`
 	ifdef(`targeted_policy',`
-		term_dontaudit_use_generic_pty($1)
+		term_dontaudit_use_unallocated_tty($1)
 	',`
 		gen_require(`
 			attribute user_ttynode;
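Review bot: Switching the targeted branch from `term_dontaudit_use_generic_pty($1)` to `term_dontaudit_use_unallocated_tty($1)` changes what every existing caller of `userdom_dontaudit_use_unpriv_user_tty` receives under targeted_policy, not only NetworkManager: callers that relied on the old generic-pty dontaudit will now start producing AVC denials for that access (audit noise, no change in what is permitted), while gaining silence on unallocated ttys. The new target matches the interface's name, so it is defensible, but it is unrelated to the commit subject and silently affects other modules; it deserves a sentence in the commit message or its own commit. The interface body continues outside the hunk.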

