[selinux-policy: 1390/3172] more of patch from dan Thu, 20 Apr 2006 14:06:03 -0400

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:05:35 UTC 2010


commit 0e1c461e0552e2ffa9670dbcccabd988a609ab61
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Apr 26 15:22:33 2006 +0000

    more of patch from dan Thu, 20 Apr 2006 14:06:03 -0400

 refpolicy/policy/modules/admin/netutils.te      |    3 ++-
 refpolicy/policy/modules/admin/usermanage.te    |    3 ++-
 refpolicy/policy/modules/kernel/corecommands.fc |    5 +++--
 refpolicy/policy/modules/kernel/corecommands.te |    2 +-
 refpolicy/policy/modules/kernel/files.if        |   20 ++++++++++++++++++++
 refpolicy/policy/modules/kernel/files.te        |    2 +-
 refpolicy/policy/modules/kernel/terminal.if     |    2 +-
 refpolicy/policy/modules/kernel/terminal.te     |    2 +-
 refpolicy/policy/modules/services/pegasus.te    |   10 +++++++++-
 refpolicy/policy/modules/services/samba.te      |    4 ++--
 refpolicy/policy/modules/system/libraries.fc    |   18 ++++--------------
 refpolicy/policy/modules/system/libraries.te    |    2 +-
 refpolicy/policy/modules/system/logging.te      |    6 +++---
 refpolicy/policy/modules/system/sysnetwork.te   |    4 +++-
 refpolicy/policy/modules/system/unconfined.if   |   18 ++++++++++++++++++
 refpolicy/policy/modules/system/unconfined.te   |    2 +-
 refpolicy/policy/modules/system/xen.if          |   19 +++++++++++++++++++
 refpolicy/policy/modules/system/xen.te          |    3 ++-
 18 files changed, 93 insertions(+), 32 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 1437bac..2e72dc4 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
 
-policy_module(netutils,1.1.1)
+policy_module(netutils,1.1.2)
 
 ########################################
 #
@@ -98,6 +98,7 @@ dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:udp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 
 corenet_tcp_sendrecv_all_if(ping_t)
 corenet_udp_sendrecv_all_if(ping_t)
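Review bot: The new packet_socket rule on ping_t grants link-layer (raw frame) access, which is considerably broader than the rawip_socket line above it, and the hunk gives no hint which program in the ping_t domain needs it. Presumably it is for an ARP-level utility labeled ping_exec_t rather than ping itself — confirm against netutils.fc — and a comment should say so, e.g. `# packet_socket: link-layer access for the ARP-level tool(s) in ping_t, not needed by ping itself`. With both raw IP and packet sockets allowed, any binary entering ping_t can read and emit arbitrary frames, so the set of files labeled ping_exec_t should stay small and the rule should be revisited if that tool moves to its own domain.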
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 2d22241..2742509 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.3.3)
+policy_module(usermanage,1.3.4)
 
 ########################################
 #
@@ -514,6 +514,7 @@ userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
 # Add/remove user home directories
 userdom_home_filetrans_generic_user_home_dir(useradd_t)
 userdom_manage_generic_user_home_content_dirs(useradd_t)
+userdom_manage_generic_user_home_content_files(useradd_t)
 userdom_manage_staff_home_dirs(useradd_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
 
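Review bot: The comment `# Add/remove user home directories` above this hunk no longer describes the block once the new userdom_manage_generic_user_home_content_files line is added; useradd_t now also creates, modifies and deletes files inside generic user home directories (presumably for the /etc/skel copy on useradd and for userdel -r — confirm). Suggest widening it to `# Add/remove user home directories and their contents (skel copy, userdel -r)`. Since this is full manage on existing user home content files rather than a create-only rule, it is worth confirming that modification of existing user files is actually required and not only creation.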
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index f2e7687..3871bbb 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -145,7 +145,7 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 
@@ -177,8 +177,9 @@ ifdef(`distro_gentoo', `
 ifdef(`distro_redhat', `
 /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te
index 43d0a2e..39b6588 100644
--- a/refpolicy/policy/modules/kernel/corecommands.te
+++ b/refpolicy/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.3.9)
+policy_module(corecommands,1.3.10)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index f3f0a04..c990af7 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -1268,6 +1268,26 @@ interface(`files_manage_boot_symlinks',`
 
 ########################################
 ## <summary>
+##     Read kernel files in the /boot directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_read_kernel_img',`
+       gen_require(`
+               type boot_t;
+       ')
+
+       allow $1 boot_t:dir list_dir_perms;
+       allow $1 boot_t:file { getattr read };
+       allow $1 boot_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Install a kernel into the /boot directory.
 ## </summary>
 ## <param name="domain">
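Review bot: The summary on the new `files_read_kernel_img` interface undersells what it grants: `allow $1 boot_t:file { getattr read }` covers every boot_t file, not only the kernel image (initrd, System.map and anything else carrying that label), so a caller such as xend_t in the xen.te hunk gets read access to all of /boot. Suggest `##	Read all files in /boot (boot_t), including the kernel image and initrd.` so the name does not mislead future callers. The new interface body is also indented with spaces while the rest of this file uses tabs (compare the `##	Install a kernel` line just below); the same mix appears in the xen.if hunk.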
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index dacfc72..3f0a33c 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.7)
+policy_module(files,1.2.8)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 6b7acd8..f21191a 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -174,7 +174,7 @@ interface(`term_write_console',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 console_device_t:chr_file write;
+	allow $1 console_device_t:chr_file { getattr write append };
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index d96c9fd..dde69ea 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.1.0)
+policy_module(terminal,1.1.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index b22f413..8445027 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
 
-policy_module(pegasus,1.1.1)
+policy_module(pegasus,1.1.2)
 
 ########################################
 #
@@ -79,11 +79,16 @@ corenet_tcp_connect_pegasus_http_port(pegasus_t)
 corenet_tcp_connect_pegasus_https_port(pegasus_t)
 corenet_tcp_connect_generic_port(pegasus_t)
 
+corecmd_exec_sbin(pegasus_t)
+corecmd_exec_bin(pegasus_t)
+corecmd_exec_shell(pegasus_t)
+
 dev_read_sysfs(pegasus_t)
 dev_read_urand(pegasus_t)
 
 fs_getattr_all_fs(pegasus_t)
 fs_search_auto_mountpoints(pegasus_t)
+files_getattr_all_dirs(pegasus_t)
 
 term_dontaudit_use_console(pegasus_t)
 
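Review bot: The three new corecmd_exec_* lines let pegasus_t, a network daemon that accepts connections on the pegasus http/https ports (context lines above), execute any bin_t/sbin_t program and a shell in its own domain, with no domain transition and no comment saying which provider or script needs it. That materially widens what a compromised cimserver process can do, so a why-comment is needed, e.g. `# CIM providers run helper scripts; they stay in pegasus_t, no transition` — replace with the real reason, which is not visible here. If only a few helpers are needed (the next hunk already adds hostname_exec), the specific interfaces are preferable to exec_bin/exec_sbin/exec_shell. files_getattr_all_dirs on the last added line is comparatively harmless and needs no comment.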
@@ -98,6 +103,8 @@ files_list_var_lib(pegasus_t)
 files_read_var_lib_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
+hostname_exec(pegasus_t)
+
 init_use_fds(pegasus_t)
 init_use_script_ptys(pegasus_t)
 init_rw_utmp(pegasus_t)
@@ -116,6 +123,7 @@ ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_ttys(pegasus_t)
 	term_dontaudit_use_generic_ptys(pegasus_t)
 	files_dontaudit_read_root_files(pegasus_t)
+	unconfined_signull(pegasus_t)
 ')
 
 optional_policy(`
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 0339015..bddf574 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
 
-policy_module(samba,1.2.4)
+policy_module(samba,1.2.5)
 
 #################################
 #
@@ -107,7 +107,7 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 
 allow samba_net_t samba_var_t:dir rw_dir_perms;
 allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
-allow samba_net_t samba_var_t:file create_lnk_perms;
+allow samba_net_t samba_var_t:file create_file_perms;
 
 kernel_read_proc_symlinks(samba_net_t)
 
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 8e74cfe..e459ef7 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -71,13 +71,8 @@ ifdef(`distro_gentoo',`
 
 /usr/(.*/)?nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/lib(64)?/pgsql/test/regress/.*\.so	--	gen_context(system_u:object_r:shlib_t,s0)
-
 /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
 
-/usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
-/usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
-
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -104,7 +99,6 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_redhat',`
-/usr/lib(64)?/.*/program/.*\.so.*		gen_context(system_u:object_r:shlib_t,s0)
 /usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0)
 
 # The following are libraries with text relocations in need of execmod permissions
@@ -118,7 +112,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libglide-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -203,16 +197,12 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textre
 /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/(.*/)?intellinux/nppdf\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?intellinux/lib/\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?intellinux/plug_ins/.*\.api	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ') dnl end distro_redhat
 
-ifdef(`distro_suse',`
-/usr/lib(64)?/samba/classic/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-')
-
 #
 # /var
 #
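Review bot: The three new Adobe patterns are anchored under /usr/(local/)?Adobe/ while the surviving `/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl` line two lines below keeps the old location-independent prefix, so an Acrobat install rooted elsewhere would have its ADMPlugin labeled textrel_shlib_t but its nppdf.so and .api files not — the two styles should agree. `/usr/(local/)?Adobe/.*\.api` also labels every .api file anywhere under the Adobe tree textrel_shlib_t, which unlocks execmod for whatever maps it; if only the plug-in directory needs it, keep the old `plug_ins/` component in the pattern. Replacing the removed `/usr/(.*/)?intellinux/lib/\.so` (presumably a typo, matching a literal `.so` file) is right; a short comment naming the Acrobat version these paths were checked against would help the next update.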
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 8fe2fc8..ba068be 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.3.4)
+policy_module(libraries,1.3.5)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 8a75634..367a4bd 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.3.3)
+policy_module(logging,1.3.4)
 
 ########################################
 #
@@ -140,7 +140,7 @@ files_list_usr(auditd_t)
 init_use_fds(auditd_t)
 init_exec(auditd_t)
 init_write_initctl(auditd_t)
-init_use_script_ptys(auditd_t)
+init_dontaudit_use_script_ptys(auditd_t)
 
 logging_send_syslog_msg(auditd_t)
 
@@ -293,7 +293,7 @@ dev_read_sysfs(syslogd_t)
 
 fs_search_auto_mountpoints(syslogd_t)
 
-term_dontaudit_use_console(syslogd_t)
+term_write_console(syslogd_t)
 # Allow syslog to a terminal
 term_write_unallocated_ttys(syslogd_t)
 
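Review bot: The switch from term_dontaudit_use_console to term_write_console for syslogd_t turns a suppressed denial into a real grant (getattr/write/append on console_device_t after the terminal.if hunk), and the existing `# Allow syslog to a terminal` comment now sits below the new line, so it reads as belonging only to the unallocated-ttys rule. Move it above the new line, e.g. `# Allow syslog to log to the console and to terminals`, so both grants are explained together. The earlier hunk in this file goes the other way for auditd_t (init_use_script_ptys → init_dontaudit_use_script_ptys), which is a tightening, but a one-line comment on why auditd no longer needs the script pty would save the next reader from re-deriving it.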
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 34c1841..65e8c5d 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.1.1)
+policy_module(sysnetwork,1.1.2)
 
 ########################################
 #
@@ -248,6 +248,7 @@ optional_policy(`
 
 optional_policy(`
 	xen_append_log(dhcpc_t)
+	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
 ')
 
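Review bot: The new xen_dontaudit_rw_unix_stream_sockets calls for dhcpc_t (here) and ifconfig_t (the next hunk) silence read/write denials on xend_t's unix stream sockets; this is sound only if the denials come from descriptors inherited across exec from xend, not from a genuine need to talk to xend, in which case dontaudit would hide a real failure. A comment such as `# xend leaks its unix stream socket fds to the network helpers it execs` would record the assumption so it can be revisited. The enclosing optional_policy block starts before the hunk in both cases.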
 ########################################
@@ -346,4 +347,5 @@ optional_policy(`
 
 optional_policy(`
 	xen_append_log(ifconfig_t)
+	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 74a904f..236e7ff 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -224,6 +224,24 @@ interface(`unconfined_sigchld',`
 
 ########################################
 ## <summary>
+##	Send a SIGNULL signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_signull',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process signull;
+')
+
+########################################
+## <summary>
 ##	Send generic signals to the unconfined domain.
 ## </summary>
 ## <param name="domain">
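Review bot: The new interface's summary `Send a SIGNULL signal to the unconfined domain.` would be clearer if it said what signull is for, since unlike the sibling signal interfaces it delivers nothing: it is the signal-0 existence check. Suggest `##	Check whether processes in the unconfined domain exist (signull, signal 0).`. The rule itself, `allow $1 unconfined_t:process signull;`, is appropriately narrow; its only caller in this commit is pegasus_t under targeted_policy.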
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index a28a26c..2f947d5 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.3.6)
+policy_module(unconfined,1.3.7)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/xen.if b/refpolicy/policy/modules/system/xen.if
index 9a414a0..89f2d22 100644
--- a/refpolicy/policy/modules/system/xen.if
+++ b/refpolicy/policy/modules/system/xen.if
@@ -47,6 +47,25 @@ interface(`xen_append_log',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read and write
+##	Xen unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to don't audit.
+##	</summary>
+## </param>
+#
+interface(`xen_dontaudit_rw_unix_stream_sockets',`
+       gen_require(`
+               type xend_t;
+       ')
+
+       dontaudit $1 xend_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
 ##	Connect to xenstored over an unix stream socket.
 ## </summary>
 ## <param name="domain">
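Review bot: The body of the new `xen_dontaudit_rw_unix_stream_sockets` is indented with spaces while its XML comment and the rest of this file use tabs (compare the `##	Connect to xenstored` line below); the same mix appears in the files.if hunk. The param summary `Domain to don't audit.` should read `##	Domain to not audit.`, the wording used elsewhere in refpolicy. The rule itself is appropriately narrow (read/write only on xend_t's unix_stream_socket).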
diff --git a/refpolicy/policy/modules/system/xen.te b/refpolicy/policy/modules/system/xen.te
index 08fb1b5..c25adeb 100644
--- a/refpolicy/policy/modules/system/xen.te
+++ b/refpolicy/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
 
-policy_module(xen,1.0.1)
+policy_module(xen,1.0.2)
 
 ########################################
 #
@@ -125,6 +125,7 @@ domain_dontaudit_read_all_domains_state(xend_t)
 
 files_read_etc_files(xend_t)
 files_read_kernel_symbol_table(xend_t)
+files_read_kernel_img(xend_t)
 
 storage_raw_read_fixed_disk(xend_t)
 

