[selinux-policy: 1759/3172] trunk: 3 patches from dan
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:37:01 UTC 2010
commit 5bf9deb5bb62ce8a0ad2281019a3a4f7d9571148
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jun 20 19:47:10 2007 +0000
trunk: 3 patches from dan
Changelog | 1 +
policy/modules/kernel/corecommands.fc | 2 +
policy/modules/kernel/corecommands.if | 18 ++++++++++
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/kernel/files.fc | 2 +-
policy/modules/kernel/files.if | 46 ++++++++++++++++++++++++---
policy/modules/kernel/files.te | 2 +-
policy/modules/kernel/filesystem.if | 56 +++++++++++++++++++++++++++++++++
policy/modules/kernel/filesystem.te | 29 ++++++++++++++++-
policy/modules/kernel/selinux.if | 37 +++++++++++++++++++++
policy/modules/kernel/selinux.te | 2 +-
11 files changed, 187 insertions(+), 10 deletions(-)
---
diff --git a/Changelog b/Changelog
index 1b2e5a4..dc7b54a 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Filesystem updates from Dan Walsh.
- Large samba update from Dan Walsh.
- Drop snmpd_etc_t.
- Confine sendmail and logrotate on targeted.
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index d422ed8..108106a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -189,6 +189,7 @@ ifdef(`distro_gentoo', `
ifdef(`distro_redhat', `
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -248,6 +249,7 @@ ifdef(`distro_suse', `
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index cb69796..3de0969 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -931,6 +931,24 @@ interface(`corecmd_exec_all_executables',`
########################################
## <summary>
+## Do not audit attempts to execute all executables.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_exec_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ ')
+
+ dontaudit $1 exec_type:file { execute execute_no_trans };
+')
+
+########################################
+## <summary>
## Create, read, write, and all executable files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index bf373cd..4fa3ded 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.6.0)
+policy_module(corecommands,1.6.1)
########################################
#
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index d5aca09..0aa2266 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -45,7 +45,6 @@ ifdef(`distro_suse',`
/etc -d gen_context(system_u:object_r:etc_t,s0)
/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -54,6 +53,7 @@ ifdef(`distro_suse',`
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 386e7ef..cd51464 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -992,7 +992,7 @@ interface(`files_dontaudit_search_all_dirs',`
attribute file_type;
')
- dontaudit $1 file_type:dir search;
+ dontaudit $1 file_type:dir search_dir_perms;
')
########################################
@@ -1320,7 +1320,7 @@ interface(`files_dontaudit_search_boot',`
type boot_t;
')
- dontaudit $1 boot_t:dir search;
+ dontaudit $1 boot_t:dir search_dir_perms;
')
########################################
@@ -3310,6 +3310,24 @@ interface(`files_list_usr',`
########################################
## <summary>
+## Add and remove entries from /usr directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
@@ -3368,6 +3386,24 @@ interface(`files_exec_usr_files',`
########################################
## <summary>
+## Create, read, write, and delete files in the /usr directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ manage_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
## Relabel a file to the type used in /usr.
## </summary>
## <param name="domain">
@@ -3637,7 +3673,7 @@ interface(`files_dontaudit_search_var',`
type var_t;
')
- dontaudit $1 var_t:dir search;
+ dontaudit $1 var_t:dir search_dir_perms;
')
########################################
@@ -3993,7 +4029,7 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
- dontaudit $1 var_lock_t:dir search;
+ dontaudit $1 var_lock_t:dir search_dir_perms;
')
########################################
@@ -4181,7 +4217,7 @@ interface(`files_dontaudit_search_pids',`
type var_run_t;
')
- dontaudit $1 var_run_t:dir search;
+ dontaudit $1 var_run_t:dir search_dir_perms;
')
########################################
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 0339a5d..8147376 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.5.1)
+policy_module(files,1.5.2)
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 172ce14..dc1bd81 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1096,6 +1096,24 @@ interface(`fs_relabelfrom_dos_fs',`
########################################
## <summary>
+## Search dosfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_dos',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Read files on a DOS filesystem.
## </summary>
## <param name="domain">
@@ -1156,6 +1174,24 @@ interface(`fs_read_eventpollfs',`
########################################
## <summary>
+## Mount a FUSE filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Search inotifyfs filesystem.
## </summary>
## <param name="domain">
@@ -1279,6 +1315,26 @@ interface(`fs_getattr_iso9660_fs',`
## </summary>
## </param>
#
+interface(`fs_getattr_iso9660_files',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`fs_read_iso9660_files',`
gen_require(`
type iso9660_t;
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index ca7bf0d..f6a7c5b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.6.0)
+policy_module(filesystem,1.6.1)
########################################
#
@@ -54,17 +54,29 @@ genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
type capifs_t;
fs_type(capifs_t)
+files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
+type cpusetfs_t;
+fs_type(cpusetfs_t)
+allow cpusetfs_t self:filesystem associate;
+genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
+
type eventpollfs_t;
fs_type(eventpollfs_t)
# change to task SID 20060628
#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
+type fusefs_t;
+fs_noxattr_type(fusefs_t)
+allow fusefs_t self:filesystem associate;
+genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
@@ -83,6 +95,11 @@ type inotifyfs_t;
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
+type mvfs_t;
+fs_noxattr_type(mvfs_t)
+allow mvfs_t self:filesystem associate;
+genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+
type nfsd_fs_t;
fs_type(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
@@ -105,6 +122,16 @@ fs_type(rpc_pipefs_t)
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
files_mountpoint(rpc_pipefs_t)
+type spufs_t;
+fs_type(spufs_t)
+genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+files_mountpoint(spufs_t)
+
+type vxfs_t;
+fs_noxattr_type(vxfs_t)
+files_mountpoint(vxfs_t)
+genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
+
#
# tmpfs_t is the type for tmpfs filesystems
#
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index a7d7e7e..ed24ad2 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -32,6 +32,43 @@ interface(`selinux_get_fs_mount',`
########################################
## <summary>
+## Get the attributes of the selinuxfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of the selinuxfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`selinux_dontaudit_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dontaudit $1 security_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the
## attributes of the selinuxfs directory.
## </summary>
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index c1972e8..a0561f0 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,5 +1,5 @@
-policy_module(selinux,1.3.0)
+policy_module(selinux,1.3.1)
########################################
#
More information about the scm-commits
mailing list