[selinux-policy: 1007/3172] fix several modular build problems

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:32:01 UTC 2010


commit 9fd4b818fce48975c950bf19ed0e5b57221465fc
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Nov 29 21:27:15 2005 +0000

    fix several modular build problems

 refpolicy/policy/modules/admin/logrotate.te    |    6 +-
 refpolicy/policy/modules/admin/rpm.if          |    3 +-
 refpolicy/policy/modules/admin/updfstab.if     |   19 +++
 refpolicy/policy/modules/admin/updfstab.te     |    8 +-
 refpolicy/policy/modules/kernel/devices.if     |   38 ++++++
 refpolicy/policy/modules/kernel/filesystem.if  |   33 ++++++
 refpolicy/policy/modules/kernel/kernel.te      |    9 ++
 refpolicy/policy/modules/services/apache.if    |   16 +++
 refpolicy/policy/modules/services/apm.if       |    2 +-
 refpolicy/policy/modules/services/avahi.if     |   19 +++
 refpolicy/policy/modules/services/avahi.te     |    7 +-
 refpolicy/policy/modules/services/bind.te      |    6 +-
 refpolicy/policy/modules/services/cups.if      |   93 +++++++++++++++
 refpolicy/policy/modules/services/cups.te      |  146 ++++++++++--------------
 refpolicy/policy/modules/services/finger.te    |    7 +-
 refpolicy/policy/modules/services/hal.te       |   20 +---
 refpolicy/policy/modules/services/mailman.te   |    4 +-
 refpolicy/policy/modules/services/mta.if       |   20 ++-
 refpolicy/policy/modules/services/procmail.te  |    4 +-
 refpolicy/policy/modules/services/radius.if    |    2 +-
 refpolicy/policy/modules/services/samba.if     |   19 +++
 refpolicy/policy/modules/system/authlogin.if   |   18 +++-
 refpolicy/policy/modules/system/domain.if      |   18 +++
 refpolicy/policy/modules/system/fstools.te     |   11 +--
 refpolicy/policy/modules/system/init.if        |   17 +++
 refpolicy/policy/modules/system/init.te        |   10 ++-
 refpolicy/policy/modules/system/modutils.te    |    4 +
 refpolicy/policy/modules/system/pcmcia.te      |    7 +-
 refpolicy/policy/modules/system/selinuxutil.te |   21 ++--
 refpolicy/policy/modules/system/sysnetwork.te  |    8 +-
 refpolicy/policy/modules/system/udev.te        |   10 +-
 refpolicy/policy/modules/system/unconfined.te  |   10 ++-
 refpolicy/policy/modules/system/userdomain.if  |   27 ++++-
 33 files changed, 471 insertions(+), 171 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index f800cd1..31eb7b2 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -1,5 +1,5 @@
 
-policy_module(logrotate,1.0)
+policy_module(logrotate,1.0.1)
 
 ########################################
 #
@@ -148,6 +148,10 @@ optional_policy(`consoletype',`
 
 ')
 
+optional_policy(`cups',`
+	cups_domtrans(logrotate_t)
+')
+
 optional_policy(`hostname',`
 	hostname_exec(logrotate_t)
 ')
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index 75d2511..e8550e0 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -151,6 +151,7 @@ interface(`rpm_read_db',`
 		type rpm_var_lib_t;
 	')
 
+	files_search_var_lib($1)
 	allow $1 rpm_var_lib_t:dir r_dir_perms;
 	allow $1 rpm_var_lib_t:file { getattr read };
 	allow $1 rpm_var_lib_t:lnk_file r_file_perms;
@@ -169,8 +170,8 @@ interface(`rpm_manage_db',`
 		type rpm_var_lib_t;
 	')
 
+	files_search_var_lib($1)
 	allow $1 rpm_var_lib_t:dir rw_dir_perms;
 	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
 	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
 ')
-
diff --git a/refpolicy/policy/modules/admin/updfstab.if b/refpolicy/policy/modules/admin/updfstab.if
index 753454f..5474833 100644
--- a/refpolicy/policy/modules/admin/updfstab.if
+++ b/refpolicy/policy/modules/admin/updfstab.if
@@ -22,3 +22,22 @@ interface(`updfstab_domtrans',`
 	allow updfstab_t $1:fifo_file rw_file_perms;
 	allow updfstab_t $1:process sigchld;
 ')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	updfstab over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`updfstab_dbus_chat',`
+	gen_require(`
+		type updfstab_t;
+		class dbus send_msg;
+	')
+
+	allow $1 updfstab_t:dbus send_msg;
+	allow updfstab_t $1:dbus send_msg;
+')
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index bf83e25..60a1468 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -1,5 +1,5 @@
 
-policy_module(updfstab,1.0.1)
+policy_module(updfstab,1.0.2)
 
 ########################################
 #
@@ -100,6 +100,7 @@ optional_policy(`dbus',`
 
 optional_policy(`hal',`
 	hal_stream_connect(updfstab_t)
+	hal_dbus_chat(updfstab_t)
 ')
 
 optional_policy(`modutils',`
@@ -123,8 +124,3 @@ optional_policy(`udev',`
 ifdef(`TODO',`
 allow updfstab_t tmpfs_t:dir getattr;
 ')
-
-optional_policy(`dbus',`
-	allow initrc_t updfstab_t:dbus send_msg;
-	allow updfstab_t initrc_t:dbus send_msg;
-')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 4a7ce1b..0ae1165 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -826,6 +826,44 @@ interface(`dev_dontaudit_rw_cardmgr',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete
+##	the PCMCIA card manager device.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_manage_cardmgr',`
+	gen_require(`
+		type device_t, cardmgr_dev_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	the PCMCIA card manager device
+##	with the correct type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_create_cardmgr',`
+	gen_require(`
+		type device_t, cardmgr_dev_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
+	type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the CPU
 ##	microcode and id interfaces.
 ## </summary>
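Review bot: `dev_create_cardmgr` repeats both allow rules of `dev_manage_cardmgr` verbatim and adds only the `type_transition`, so the two interfaces can drift apart when one is edited. Its body could be `dev_manage_cardmgr($1)` followed by `type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t;`. pcmcia.te in this commit calls both for cardmgr_t, although the second call alone grants everything the first does. Both summaries should also mention that the caller receives `rw_dir_perms` on `device_t` directories, because that lets the domain add and remove entries in /dev.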
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 0725f40..c067a6e 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1681,6 +1681,22 @@ interface(`fs_write_ramfs_pipe',`
 
 ########################################
 ## <summary>
+##	Read and write a named pipe on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_rw_ramfs_pipe',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Write to named socket on a ramfs filesystem.
 ## </summary>
 ## <param name="domain">
@@ -2051,6 +2067,23 @@ interface(`fs_create_tmpfs_data',`
 
 ########################################
 ## <summary>
+##	Read and write generic tmpfs files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fs_rw_tmpfs_file',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
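Review bot: `fs_rw_tmpfs_file` grants `rw_file_perms`, but the rule it replaces in fstools.te was `allow fsadm_t tmpfs_t:file { read write };`, so fsadm_t probably ends up with more than it had before. The macro's expansion is not in this diff; in refpolicy it normally also covers getattr, ioctl, lock and append. If only the original access is wanted, the rule should stay `allow $1 tmpfs_t:file { read write };`, perhaps under a narrower interface name. The parameter description `The type of the process performing this action.` should also match the `Domain allowed access.` wording used by the other interfaces added in this commit.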
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 5edbef5..9d670f4 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -21,6 +21,15 @@ attribute proc_type;
 # sysctls
 attribute sysctl_type;
 
+role system_r;
+role sysadm_r;
+role staff_r;
+role user_r;
+
+ifdef(`enable_mls',`
+	role secadm_r;
+')
+
 #
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 00a97c6..8c7f04e 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -703,3 +703,19 @@ interface(`apache_append_squirrelmail_data',`
 
 	allow $1 httpd_squirrelmail_t:file { getattr append };
 ')
+
+########################################
+## <summary>
+##	Search system script state directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`apache_search_sys_script_state',`
+	gen_require(`
+		type httpd_sys_script_t;
+	')
+
+	allow $1 httpd_sys_script_t:dir search;
+')
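Review bot: The parameter description `Domain to not audit.` is wrong for `apache_search_sys_script_state`, which contains an `allow` rule and no `dontaudit`; it should read `Domain allowed access.`. The summary could also say what is being searched. The rule targets `httpd_sys_script_t:dir`, that is, directories labelled with the script domain's own type (presumably its /proc/pid entries), not a directory of script files.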
diff --git a/refpolicy/policy/modules/services/apm.if b/refpolicy/policy/modules/services/apm.if
index 4cac734..a051c34 100644
--- a/refpolicy/policy/modules/services/apm.if
+++ b/refpolicy/policy/modules/services/apm.if
@@ -97,7 +97,7 @@ interface(`apm_append_log',`
 #
 interface(`apm_stream_connect',`
 	gen_require(`
-		type apmd_t;
+		type apmd_t, apmd_var_run_t;
 	')
 
 	files_search_pids($1)
diff --git a/refpolicy/policy/modules/services/avahi.if b/refpolicy/policy/modules/services/avahi.if
index 8bc232b..15b762f 100644
--- a/refpolicy/policy/modules/services/avahi.if
+++ b/refpolicy/policy/modules/services/avahi.if
@@ -1 +1,20 @@
 ## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	avahi over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`avahi_dbus_chat',`
+	gen_require(`
+		type avahi_t;
+		class dbus send_msg;
+	')
+
+	allow $1 avahi_t:dbus send_msg;
+	allow avahi_t $1:dbus send_msg;
+')
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index c26bede..fe04bba 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.0.1)
+policy_module(avahi,1.0.2)
 
 ########################################
 #
@@ -90,10 +90,6 @@ optional_policy(`dbus',`
 	dbus_system_bus_client_template(avahi,avahi_t)
 	dbus_connect_system_bus(avahi_t)
 	dbus_send_system_bus_msg(avahi_t)
-
-	# FIXME:
-	allow avahi_t unconfined_t:dbus send_msg;
-	allow unconfined_t avahi_t:dbus send_msg;
 ')
 
 optional_policy(`nis',`
@@ -107,4 +103,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(avahi_t)
 ')
-
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index f5e2d15..a5869ea 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -289,9 +289,9 @@ optional_policy(`networkmanager',`
 	')
 
 #	optional_policy(`dbus',`
-#		gen_require(`
-#			class dbus send_msg;
-#		')
+		gen_require(`
+			class dbus send_msg;
+		')
 
 		allow NetworkManager_t named_t:dbus send_msg;
 		allow named_t NetworkManager_t:dbus send_msg;
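Review bot: The re-enabled `gen_require` keeps the indentation of the dbus `optional_policy`, whose opening line just above is still commented out, so the nesting a reader sees is not the nesting that is compiled. Either restore the optional block around these lines, or dedent them and delete the commented opener. The allow rules name `NetworkManager_t` directly; whether that type is required earlier in the enclosing block cannot be seen from this hunk, which starts and ends inside it.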
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
index 5ef539b..d918292 100644
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@@ -2,6 +2,27 @@
 
 ########################################
 ## <summary>
+##	Execute cups in the cups domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`cups_domtrans',`
+	gen_require(`
+		type cupsd_t, cupsd_exec_t;
+	')
+
+	domain_auto_trans($1,cupsd_exec_t,cupsd_t)
+
+	allow $1 cupsd_t:fd use;
+	allow cupsd_t $1:fd use;
+	allow cupsd_t $1:fifo_file rw_file_perms;
+	allow cupsd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Execute cups_config in the cups_config domain.
 ## </summary>
 ## <param name="domain">
@@ -23,6 +44,42 @@ interface(`cups_domtrans_config',`
 
 ########################################
 ## <summary>
+##	Send generic signals to the cups
+##	configuration daemon.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_signal_config',`
+	gen_require(`
+		type cupsd_config_t;
+	')
+
+	allow $1 cupsd_config_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	cupsd_config over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_dbus_chat_config',`
+	gen_require(`
+		type cupsd_config_t;
+		class dbus send_msg;
+	')
+
+	allow $1 cupsd_config_t:dbus send_msg;
+	allow cupsd_config_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Read cups-writable configuration files.
 ## </summary>
 ## <param name="domain">
@@ -38,3 +95,39 @@ interface(`cups_read_rw_config',`
 	allow $1 cupsd_etc_t:dir search_dir_perms;
 	allow $1 cupsd_rw_etc_t:file { getattr read };
 ')
+
+########################################
+## <summary>
+##	Read cups log files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_read_log',`
+	gen_require(`
+		type cupsd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 cupsd_log_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Connect to ptal over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_stream_connect_ptal',`
+	gen_require(`
+		type ptal_t, ptal_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 ptal_var_run_t:dir search;
+	allow $1 ptal_var_run_t:sock_file write;
+	allow $1 ptal_t:unix_stream_socket connectto;
+')
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index b1a3cf3..041da68 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.0)
+policy_module(cups,1.0.1)
 
 ########################################
 #
@@ -149,6 +149,7 @@ fs_search_auto_mountpoints(cupsd_t)
 term_dontaudit_use_console(cupsd_t)
 
 auth_domtrans_chk_passwd(cupsd_t)
+auth_dontaudit_read_pam_pid(cupsd_t)
 
 # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
 corecmd_exec_shell(cupsd_t)
@@ -187,7 +188,7 @@ seutil_dontaudit_read_config(cupsd_t)
 sysnet_read_config(cupsd_t)
 
 userdom_dontaudit_use_unpriv_user_fd(cupsd_t)
-userdom_dontaudit_search_sysadm_home_dir(cupsd_t)
+userdom_dontaudit_search_all_users_home(cupsd_t)
 
 # Write to /var/spool/cups.
 lpd_manage_spool(cupsd_t)
@@ -198,17 +199,30 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(cupsd_t)
 ')
 
+optional_policy(`cron',`
+	cron_use_fd(cupsd_t)
+	cron_read_pipe(cupsd_t)
+')
+
 optional_policy(`dbus',`
 	dbus_system_bus_client_template(cupsd,cupsd_t)
 	dbus_send_system_bus_msg(cupsd_t)
 
-	allow cupsd_t userdomain:dbus send_msg;
+	userdom_dbus_send_all_users(cupsd_t)
+
+	optional_policy(`hal',`
+		hal_dbus_chat(cupsd_t)
+	')
 ')
 
 optional_policy(`hostname',`
 	hostname_exec(cupsd_t)
 ')
 
+optional_policy(`inetd',`
+	inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
+')
+
 optional_policy(`mount',`
 	mount_send_nfs_client_request(cupsd_t)
 ')
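Review bot: `inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)` passes three arguments, which looks like a mechanical rewrite of the old `domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)` removed later in this file. The interface definition is not in this diff; if it takes (domain, entry point) as it does elsewhere in refpolicy, m4 silently discards the third argument and the call should be `inetd_core_service_domain(cupsd_t,cupsd_exec_t)`. It is also worth confirming that the interface grants inetd no more than the single transition it replaces.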
@@ -217,6 +231,15 @@ optional_policy(`nscd',`
 	nscd_use_socket(cupsd_t)
 ')
 
+optional_policy(`portmap',`
+	portmap_udp_sendrecv(cupsd_t)
+')
+
+optional_policy(`samba',`
+	samba_rw_var_files(cupsd_t)
+	# cjp: rw_dir_perms was here, but doesnt make sense
+')
+
 optional_policy(`selinuxutil',`
 	seutil_sigchld_newrole(cupsd_t)
 ')
@@ -241,56 +264,18 @@ allow cupsd_t devpts_t:dir search;
 dontaudit cupsd_t random_device_t:chr_file ioctl;
 
 # temporary solution, we need something better
-allow cupsd_t serial_device:chr_file rw_file_perms;
-
-optional_policy(`logrotate',`
-	domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
-')
-
-optional_policy(`inetd',`
-domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
-')
+#allow cupsd_t serial_device:chr_file rw_file_perms;
 
 # for /etc/printcap
 dontaudit cupsd_t etc_t:file write;
 
-
-
-
-
-# Send to portmap.
-optional_policy(`portmap', `
-allow cupsd_t portmap_t:udp_socket sendto;
-allow portmap_t cupsd_t:udp_socket recvfrom;
-allow portmap_t cupsd_t:udp_socket sendto;
-allow cupsd_t portmap_t:udp_socket recvfrom;
-')
-
-
-
-
-
 #
 # Satisfy readahead
 #
-allow initrc_t cupsd_log_t:file { getattr read };
 allow cupsd_t var_t:dir { getattr read search };
 allow cupsd_t var_t:file r_file_perms;
 allow cupsd_t var_t:lnk_file { getattr read };
 
-optional_policy(`samba',`
-# cjp: rw_dir_perms here doesnt make sense
-allow cupsd_t samba_var_t:dir rw_dir_perms;
-allow cupsd_t samba_var_t:file rw_file_perms;
-allow cupsd_t samba_var_t:lnk_file { getattr read };
-allow smbd_t cupsd_etc_t:dir search;
-')
-
-optional_policy(`authlogin',`
-dontaudit cupsd_t pam_var_run_t:file { getattr read };
-')
-dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
 ########################################
 #
 # PTAL local policy
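Review bot: The serial-device rule is disabled by commenting it out (`#allow cupsd_t serial_device:chr_file rw_file_perms;`), which leaves dead code under the old "temporary solution" comment and silently removes cupsd_t's access to serial printers. Either delete the line and say why in the comment, or replace it with an interface call from the module that owns `serial_device`. The same hunk drops `allow smbd_t cupsd_etc_t:dir search;`, and samba.te is not in this commit's diffstat, so smbd_t may now be denied that search with no replacement.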
@@ -358,7 +343,7 @@ miscfiles_read_localization(ptal_t)
 sysnet_read_config(ptal_t)
 
 userdom_dontaudit_use_unpriv_user_fd(ptal_t)
-userdom_dontaudit_search_sysadm_home_dir(ptal_t)
+userdom_dontaudit_search_all_users_home(ptal_t)
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(ptal_t)
@@ -374,14 +359,8 @@ optional_policy(`udev',`
 	udev_read_db(ptal_t)
 ')
 
-allow userdomain ptal_t:unix_stream_socket connectto;
-allow userdomain ptal_var_run_t:sock_file write;
-allow userdomain ptal_var_run_t:dir search;
-
 allow initrc_t printer_device_t:chr_file getattr;
 
-dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
 allow initrc_t ptal_var_run_t:dir rmdir;
 allow initrc_t ptal_var_run_t:fifo_file unlink;
 
@@ -555,6 +534,8 @@ corecmd_exec_sbin(cupsd_config_t)
 corecmd_exec_shell(cupsd_config_t)
 
 domain_use_wide_inherit_fd(cupsd_config_t)
+# killall causes the following
+domain_dontaudit_search_all_domains_state(cupsd_config_t)
 
 files_read_usr_files(cupsd_config_t)
 files_read_etc_files(cupsd_config_t)
@@ -577,12 +558,35 @@ sysnet_read_config(cupsd_config_t)
 userdom_dontaudit_use_unpriv_user_fd(cupsd_config_t)
 userdom_dontaudit_search_sysadm_home_dir(cupsd_config_t)
 
+ifdef(`distro_redhat',`
+	init_getattr_script_entry_file(cupsd_config_t)
+
+	optional_policy(`rpm',`
+		rpm_read_db(cupsd_config_t)
+	')
+')
+
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(cupsd_config_t)
 	term_dontaudit_use_generic_pty(cupsd_config_t)
 	files_dontaudit_read_root_file(cupsd_config_t)
 ')
 
+optional_policy(`cron',`
+	cron_use_system_job_fd(cupsd_config_t)
+	cron_read_pipe(cupsd_config_t)
+')
+
+optional_policy(`dbus',`
+	dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
+	dbus_connect_system_bus(cupsd_config_t)
+	dbus_send_system_bus_msg(cupsd_config_t)
+
+	optional_policy(`hal',`
+		hal_dbus_chat(cupsd_config_t)
+	')
+')
+
 optional_policy(`hal',`
 	hal_domtrans(cupsd_config_t)
 ')
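Review bot: Both calls added inside the `distro_redhat` block are repeated unconditionally elsewhere in the new file, so the ifdef no longer restricts anything. `rpm_read_db(cupsd_config_t)` is added again in a plain optional block for rpm in the next hunk, and the raw rule `allow cupsd_config_t initrc_exec_t:file getattr;` survives under "Alternatives asks for this" as context in the hunk at -611. Keep one copy of each, the conditional one if the access is Red Hat specific. Note also that `rpm_read_db`, as it reads in rpm.if in this commit, grants `r_dir_perms` on the database directory and read of symlinks, which is more than the `{ getattr search }` and `{ getattr read }` rules removed from this file.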
@@ -603,6 +607,10 @@ optional_policy(`nscd',`
 	nscd_use_socket(cupsd_config_t)
 ')
 
+optional_policy(`rpm',`
+	rpm_read_db(cupsd_config_t)
+')
+
 optional_policy(`selinuxutil',`
 	seutil_sigchld_newrole(cupsd_config_t)
 ')
@@ -611,49 +619,10 @@ optional_policy(`udev',`
 	udev_read_db(cupsd_config_t)
 ')
 
-allow cupsd_config_t devpts_t:dir search;
-allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
-
-ifdef(`distro_redhat', `
-	optional_policy(`rpm',`
-		allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
-		allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-	')
-	allow cupsd_config_t initrc_exec_t:file getattr;
-')
-
 allow cupsd_config_t var_t:lnk_file read;
 
-optional_policy(`dbus',`
-	dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
-	dbus_connect_system_bus(cupsd_config_t)
-	dbus_send_system_bus_msg(cupsd_config_t)
-
-	allow cupsd_config_t userdomain:dbus send_msg;
-	allow userdomain cupsd_config_t:dbus send_msg;
-')
-
-optional_policy(`hal', `
-	optional_policy(`dbus',`
-		allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
-		allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
-	')
-
-	allow hald_t cupsd_config_t:process signal;
-')
-
-# killall causes the following
-dontaudit cupsd_config_t domain:dir { getattr search };
-
-allow cupsd_config_t var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
 allow cupsd_config_t printconf_t:file { getattr read };
 
-allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file r_file_perms;
-allow cupsd_t crond_t:fifo_file read;
-allow cupsd_t crond_t:fd use;
-
 # Alternatives asks for this
 allow cupsd_config_t initrc_exec_t:file getattr;
 
@@ -664,6 +633,7 @@ ifdef(`targeted_policy', `
 	allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
 	allow unconfined_t cupsd_config_t:dbus send_msg;
 	allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
+	term_use_generic_pty(cupsd_config_t)
 ')
 
 ########################################
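Review bot: `term_use_generic_pty(cupsd_config_t)` is added to this targeted_policy block while `term_dontaudit_use_generic_pty(cupsd_config_t)` remains in the earlier targeted_policy block (context in the hunk at -577), so the same access is both allowed and marked not-to-audit. One of the two calls should go, and the two targeted blocks for cupsd_config_t could be merged to keep this visible. The three context lines above the addition still name `unconfined_t` directly, which is the cross-module reference pattern this commit removes elsewhere. The block opens outside the hunk.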
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index 6af68c3..50b6769 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -100,6 +100,9 @@ miscfiles_read_localization(fingerd_t)
 userdom_read_unpriv_user_home_files(fingerd_t)
 userdom_dontaudit_use_unpriv_user_fd(fingerd_t)
 userdom_dontaudit_search_sysadm_home_dir(fingerd_t)
+# stop it accessing sub-directories, prevents checking a Maildir for new mail,
+# have to change this when we create a type for Maildir
+userdom_dontaudit_search_user_home_dirs(fingerd_t)
 
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(fingerd_t)
@@ -130,7 +133,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(fingerd_t)
 ')
-
-# stop it accessing sub-directories, prevents checking a Maildir for new mail,
-# have to change this when we create a type for Maildir
-dontaudit fingerd_t user_home_t:dir search;
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index d0c1694..236dcee 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.0.1)
+policy_module(hal,1.0.2)
 
 ########################################
 #
@@ -134,6 +134,7 @@ optional_policy(`apm',`
 
 optional_policy(`cups',`
 	cups_domtrans_config(hald_t)
+	cups_signal_config(hald_t)
 ')
 
 optional_policy(`dbus',`
@@ -187,21 +188,4 @@ optional_policy(`updfstab',`
 
 ifdef(`TODO',`
 allow hald_t device_t:dir create_dir_perms;
-
-optional_policy(`hald',`
-allow udev_t hald_t:unix_dgram_socket sendto;
-')
 ') dnl end TODO
-
-ifdef(`targeted_policy', `
-allow unconfined_t hald_t:dbus send_msg;
-allow hald_t unconfined_t:dbus send_msg;
-')
-
-optional_policy(`updfstab',`
-	allow updfstab_t hald_t:dbus send_msg;
-	allow hald_t updfstab_t:dbus send_msg;
-')
-
-allow hald_t initrc_t:dbus send_msg;
-allow initrc_t hald_t:dbus send_msg;
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index 163c297..e834aca 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -51,9 +51,7 @@ optional_policy(`apache',`
 	apache_sigchld(mailman_cgi_t)
 	apache_use_fd(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
-
-	# FIXME:
-	allow mailman_cgi_t httpd_sys_script_t:dir search;
+	apache_search_sys_script_state(mailman_cgi_t)
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 3b89e10..8abdaba 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -36,6 +36,11 @@ interface(`mta_stub',`
 #
 template(`mta_base_mail_template',`
 
+	gen_require(`
+		attribute user_mail_domain;
+		type sendmail_exec_t;
+	')
+
 	##############################
 	#
 	# $1_mail_t declarations
@@ -45,12 +50,8 @@ template(`mta_base_mail_template',`
 	domain_type($1_mail_t)
 	domain_entry_file($1_mail_t,sendmail_exec_t)
 
-	optional_policy(`sendmail',`
-		type $1_mail_tmp_t;
-		files_tmp_file($1_mail_tmp_t)
-
-		sendmail_stub($1_mail_t)
-	')
+	type $1_mail_tmp_t;
+	files_tmp_file($1_mail_tmp_t)
 
 	##############################
 	#
@@ -107,6 +108,10 @@ template(`mta_base_mail_template',`
 	')
 
 	optional_policy(`sendmail',`
+		gen_require(`
+			type etc_mail_t, mail_spool_t, mqueue_spool_t;
+		')
+
 		allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
 		allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
 		files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir })
@@ -166,7 +171,8 @@ template(`mta_base_mail_template',`
 #
 template(`mta_per_userdomain_template',`
 	gen_require(`
-		attribute mailserver_domain, mta_user_agent, user_mail_domain;
+		attribute mailserver_domain, mta_user_agent;
+		attribute mailserver_delivery, user_mail_domain;
 		type sendmail_exec_t;
 	')
 
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index e0e321a..bc9e604 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -6,8 +6,7 @@ policy_module(procmail,1.0.0)
 # Declarations
 #
 
-# privhome only works until we define a different type for maildir
-type procmail_t, privhome;
+type procmail_t;
 type procmail_exec_t;
 domain_type(procmail_t)
 domain_entry_file(procmail_t,procmail_exec_t)
@@ -61,6 +60,7 @@ libs_use_shared_libs(procmail_t)
 
 miscfiles_read_localization(procmail_t)
 
+# only works until we define a different type for maildir
 userdom_priveleged_home_dir_manager(procmail_t)
 # Do not audit attempts to access /root.
 userdom_dontaudit_search_sysadm_home_dir(procmail_t)
diff --git a/refpolicy/policy/modules/services/radius.if b/refpolicy/policy/modules/services/radius.if
index c3b31d7..33cd1ed 100644
--- a/refpolicy/policy/modules/services/radius.if
+++ b/refpolicy/policy/modules/services/radius.if
@@ -10,7 +10,7 @@
 #
 interface(`radius_use',`
 	gen_require(`
-		type radius_t;
+		type radiusd_t;
 	')
 
 	allow $1 radiusd_t:udp_socket sendto;
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index 3e9a0a5..34b6d48 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -215,6 +215,25 @@ interface(`samba_search_var',`
 
 ########################################
 ## <summary>
+##	Allow the specified domain to
+##	read and write samba /var files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`samba_rw_var_files',`
+	gen_require(`
+		type samba_var_t;
+	')
+
+	files_search_var($1)
+	allow $1 samba_var_t:dir search_dir_perms;
+	allow $1 samba_var_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to write to smbmount tcp sockets.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index d64453f..0afd82a 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -559,8 +559,6 @@ interface(`auth_exec_pam',`
 interface(`auth_read_pam_pid',`
 	gen_require(`
 		type pam_var_run_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
 	')
 
 	files_search_var($1)
@@ -569,6 +567,22 @@ interface(`auth_read_pam_pid',`
 	allow $1 pam_var_run_t:file r_file_perms;
 ')
 
+#######################################
+## <summary>
+##	Do not audit attemps to read PAM pid files.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`auth_dontaudit_read_pam_pid',`
+	gen_require(`
+		type pam_var_run_t;
+	')
+
+	dontaudit $1 pam_var_run_t:file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Delete pam PID files.
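Review bot: The summary of `auth_dontaudit_read_pam_pid` has a typo, `attemps` should be `attempts`, and the separator line above it appears to be one `#` shorter than the others in the file. Because a dontaudit rule hides denials from the audit log, the summary should name exactly what is suppressed: `getattr` and `read` on `pam_var_run_t` files only. Denied searches of the directory are still logged, unlike the allow-side `auth_read_pam_pid`, which covers the directory as well.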
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index d2546fa..78f2d87 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -471,6 +471,7 @@ interface(`domain_kill_all_domains',`
 	allow $1 domain:process sigkill;
 	allow $1 self:capability kill;
 ')
+
 ########################################
 ## <summary>
 ##	Search the process state directory (/proc/pid) of all domains.
@@ -491,6 +492,23 @@ interface(`domain_search_all_domains_state',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to search the process
+##	state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`domain_dontaudit_search_all_domains_state',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Read the process state (/proc/pid) of all domains.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 75d6223..4659db9 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.0)
+policy_module(fstools,1.0.1)
 
 ########################################
 #
@@ -72,6 +72,8 @@ dev_getattr_usbfs_dir(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
+fs_rw_ramfs_pipe(fsadm_t)
+fs_rw_tmpfs_file(fsadm_t)
 # remount file system to apply changes
 fs_remount_xattr_fs(fsadm_t)
 # for /dev/shm
@@ -155,10 +157,3 @@ optional_policy(`cron',`
 optional_policy(`nis',`
 	nis_use_ypbind(fsadm_t)
 ')
-
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
-') dnl end TODO
-
-allow fsadm_t tmpfs_t:file { read write };
-allow fsadm_t ramfs_t:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 54749bd..d12b7f2 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -477,6 +477,23 @@ interface(`init_dontaudit_unix_connect_script',`
 
 ########################################
 ## <summary>
+##	Get the attribute of init script entrypoint files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`init_getattr_script_entry_file',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	allow $1 initrc_exec_t:file getattr;
+')
+
+########################################
+## <summary>
 ##	Read init scripts.
 ## </summary>
 ## <param name="domain">
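Review bot: `init_getattr_script_entry_file` calls `files_list_etc($1)`, which lets the caller read directory listings under /etc, although reaching a file to getattr it needs only search; `files_search_etc($1)` would be the narrower choice. The rule this interface replaces in cups.te, `allow cupsd_config_t initrc_exec_t:file getattr;`, carried no directory access at all. The summary should read `Get the attributes of init script entrypoint files.`.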
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index c1ca9bd..28fda4c 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.0.1)
+policy_module(init,1.0.2)
 
 gen_require(`
 	class passwd rootok;
@@ -494,6 +494,10 @@ optional_policy(`cpucontrol',`
 	dev_getattr_cpu(initrc_t)
 ')
 
+optional_policy(`cups',`
+	cups_read_log(initrc_t)
+')
+
 optional_policy(`dbus',`
 	dbus_connect_system_bus(initrc_t)
 	dbus_send_system_bus_msg(initrc_t)
@@ -502,6 +506,10 @@ optional_policy(`dbus',`
 	optional_policy(`networkmanager',`
 		networkmanager_dbus_chat(initrc_t)
 	')
+
+	optional_policy(`updfstab',`
+		updfstab_dbus_chat(initrc_t)
+	')
 ')
 
 optional_policy(`ftp',`
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 247e9de..13801fb 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -1,6 +1,10 @@
 
 policy_module(modutils,1.0)
 
+gen_require(`
+	bool secure_mode_insmod;
+')
+
 ########################################
 #
 # Declarations
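Review bot: The context line `policy_module(modutils,1.0)` is left unchanged although this hunk adds a new external requirement, while the fstools, init, udev and unconfined modules each bump their version in this commit. If the version is meant to track policy changes, this should become `policy_module(modutils,1.0.1)`. The new `gen_require` also gives no hint of where `secure_mode_insmod` is declared. A one-line comment such as `# secure_mode_insmod is declared outside this module` above it would tell the next reader why a boolean that gates module loading is required rather than defined here.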
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index a189206..0bad501 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -55,6 +55,8 @@ kernel_dontaudit_getattr_message_if(cardmgr_t)
 bootloader_search_kernel_modules(cardmgr_t)
 
 dev_read_sysfs(cardmgr_t)
+dev_manage_cardmgr(cardmgr_t)
+dev_create_cardmgr(cardmgr_t)
 dev_getattr_all_chr_files(cardmgr_t)
 dev_getattr_all_blk_files(cardmgr_t)
 # for SSP
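Review bot: `dev_manage_cardmgr(cardmgr_t)` and `dev_create_cardmgr(cardmgr_t)` are added without a comment, and the last hunk of this file drops `device_t` from both the `rw_dir_perms` rule and the `type_transition` to `cardmgr_dev_t`. Both interfaces live in devices.if, outside this view. It should be confirmed that `dev_create_cardmgr` carries the `device_t` directory access and the type transition, otherwise nodes cardmgr creates under /dev would keep the parent directory's label instead of `cardmgr_dev_t`. The remaining comment `# Create device files in /tmp.` in that last hunk now sits above rules that also cover `var_run_t` and `cardmgr_var_run_t`, so it no longer describes them accurately. I would add `# create and manage cardmgr device nodes in /dev` above the two new calls.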
@@ -149,6 +151,5 @@ optional_policy(`udev',`
 
 # Create device files in /tmp.
 # cjp: why is this created all over the place?
-allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
-allow cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:dir rw_dir_perms;
-type_transition cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
+allow cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:dir rw_dir_perms;
+type_transition cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 06433bf..9b649fd 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -13,6 +13,18 @@ gen_require(`
 attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;
 
+#
+# selinux_config_t is the type applied to
+# /etc/selinux/config
+#
+# cjp: this is out of order due to rules
+# in the domain_type interface
+# (fix dup decl)
+type selinux_config_t;
+files_type(selinux_config_t)
+kernel_list_from(selinux_config_t)
+kernel_read_file_from(selinux_config_t)
+
 type checkpolicy_t, can_write_binary_policy;
 domain_type(checkpolicy_t)
 role system_r types checkpolicy_t;
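Review bot: The added comment `# cjp: this is out of order due to rules in the domain_type interface (fix dup decl)` does not say whether "fix dup decl" describes what this move fixes or is a task still to be done. It also does not name the rule in `domain_type` that needs `selinux_config_t` declared first. Since the declaration now sits ahead of every `domain_type()` call in the file, the ordering constraint should be stated explicitly so nobody moves the block back. Something like `# must precede the domain_type() calls below, which reference selinux_config_t; TODO: remove the duplicate declaration` would do, if that reading of the intent is right.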
@@ -81,15 +93,6 @@ domain_type(run_init_t)
 type run_init_exec_t;
 domain_entry_file(run_init_t,run_init_exec_t)
 
-#
-# selinux_config_t is the type applied to
-# /etc/selinux/config
-#
-type selinux_config_t;
-files_type(selinux_config_t)
-kernel_list_from(selinux_config_t)
-kernel_read_file_from(selinux_config_t)
-
 type setfiles_t, can_relabelto_binary_policy;
 domain_obj_id_change_exempt(setfiles_t)
 domain_type(setfiles_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 8347a59..c1a479f 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -173,8 +173,12 @@ optional_policy(`dbus',`
 
 	domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
 
-	allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-	allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
+	allow initrc_t dhcpc_t:dbus send_msg;
+	allow dhcpc_t initrc_t:dbus send_msg;
+
+	optional_policy(`networkmanager',`
+		networkmanager_dbus_chat(dhcpc_t)
+	')
 
 	ifdef(`unconfined.te', `
 		allow unconfined_t dhcpc_t:dbus send_msg;
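Review bot: The rewritten rules `allow initrc_t dhcpc_t:dbus send_msg;` and `allow dhcpc_t initrc_t:dbus send_msg;` still name `initrc_t` directly. That is the same kind of cross-module type reference the commit removes for `NetworkManager_t` by calling `networkmanager_dbus_chat(dhcpc_t)`. Unless `initrc_t` is covered by a `gen_require` elsewhere in sysnetwork.te (not visible here), a modular build would still depend on the init module's type. The same applies to the `unconfined_t` rule in the `ifdef` that follows, whose block continues past the end of this hunk. Routing both through an interface exported by the owning module, inside an `optional_policy`, would match the NetworkManager change.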
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 2a7a1ad..efe4fa8 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
 
-policy_module(udev,1.0)
+policy_module(udev,1.0.1)
 
 ########################################
 #
@@ -176,6 +176,10 @@ optional_policy(`dbus',`
 	dbus_system_bus_client_template(udev,udev_t)
 ')
 
+optional_policy(`hal',`
+	hal_dgram_sendto(udev_t)
+')
+
 optional_policy(`hotplug',`
 	hotplug_read_config(udev_t)
 ')
@@ -192,8 +196,8 @@ optional_policy(`sysnetwork',`
 	sysnet_domtrans_dhcpc(udev_t)
 ')
 
-#optional_policy(`xserver',`
-#	xserver_read_xdm_pid(udev_t)
+#optional_policy(`xdm',`
+#	xdm_read_pid(udev_t)
 #')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 7348834..8160f15 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.0.2)
+policy_module(unconfined,1.0.3)
 
 ########################################
 #
@@ -60,6 +60,14 @@ ifdef(`targeted_policy',`
 	optional_policy(`dbus',`
 		dbus_stub(unconfined_t)
 
+		optional_policy(`avahi',`
+			avahi_dbus_chat(unconfined_t)
+		')
+
+		optional_policy(`hal',`
+			hal_dbus_chat(unconfined_t)
+		')
+
 		optional_policy(`networkmanager',`
 			networkmanager_dbus_chat(unconfined_t)
 		')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index fdd932b..6d775a8 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -322,9 +322,17 @@ template(`base_user_template',`
 		canna_stream_connect($1_t)
 	')
 
+	optional_policy(`cups',`
+		cups_stream_connect_ptal($1_t)
+	')
+
 	optional_policy(`dbus',`
 		dbus_system_bus_client_template($1,$1_t)
 
+		optional_policy(`cups',`
+			cups_dbus_chat_config($1_t)
+		')
+
 		optional_policy(`hal',`
 			hal_dbus_chat($1_t)
 		')
@@ -2569,7 +2577,7 @@ interface(`userdom_signal_all_users',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_sigcld_all_users',`
+interface(`userdom_sigchld_all_users',`
 	gen_require(`
 		attribute userdomain;
 	')
@@ -2579,6 +2587,23 @@ interface(`userdom_sigcld_all_users',`
 
 ########################################
 ## <summary>
+##	Send a dbus message to all user domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_dbus_send_all_users',`
+	gen_require(`
+		attribute userdomain;
+		class dbus send_msg;
+	')
+
+	allow $1 userdomain:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Unconfined access to user domains.
 ## </summary>
 ## <param name="domain">

