[selinux-policy: 1802/3172] trunk: six patches from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:40:50 UTC 2010
commit 72f82c47c215725a2edfca35f1b845bf9dc15a06
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Sep 6 18:34:40 2007 +0000
trunk: six patches from dan.
policy/modules/services/apcupsd.fc | 6 +++
policy/modules/services/apcupsd.if | 18 ++++++++
policy/modules/services/apcupsd.te | 58 +++++++++++++++++++++++-
policy/modules/services/networkmanager.fc | 3 +-
policy/modules/services/networkmanager.te | 9 +++-
policy/modules/services/openvpn.if | 68 +++++++++++++++++++++++++++++
policy/modules/services/openvpn.te | 31 +++++++++++--
policy/modules/services/rwho.fc | 2 +
policy/modules/services/rwho.if | 40 +++++++++++++++++
policy/modules/services/rwho.te | 11 +++-
policy/modules/services/spamassassin.fc | 4 ++
policy/modules/services/spamassassin.te | 7 ++-
policy/modules/system/raid.te | 3 +-
13 files changed, 245 insertions(+), 15 deletions(-)
---
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
index 85c1e26..a3b8833 100644
--- a/policy/modules/services/apcupsd.fc
+++ b/policy/modules/services/apcupsd.fc
@@ -5,5 +5,11 @@ ifdef(`distro_debian',`
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+/var/www/apcupsd/multimon.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index 26e6137..de8b91b 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -79,3 +79,21 @@ interface(`apcupsd_append_log',`
allow $1 apcupsd_log_t:dir list_dir_perms;
allow $1 apcupsd_log_t:file { getattr append };
')
+
+########################################
+## <summary>
+## Execute a domain transition to run httpd_apcupsd_cgi_script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`httpd_apcupsd_cgi_script_domtrans',`
+ gen_require(`
+ type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+ ')
+
+ domtrans_pattern($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t)
+')
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index d9c0d9b..63181f8 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -1,5 +1,5 @@
-policy_module(apcupsd,1.1.1)
+policy_module(apcupsd,1.1.2)
########################################
#
@@ -16,6 +16,9 @@ files_lock_file(apcupsd_lock_t)
type apcupsd_log_t;
logging_log_file(apcupsd_log_t)
+type apcupsd_tmp_t;
+files_tmp_file(apcupsd_tmp_t)
+
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
@@ -24,6 +27,7 @@ files_pid_file(apcupsd_var_run_t)
# apcupsd local policy
#
+allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
allow apcupsd_t self:process signal;
allow apcupsd_t self:fifo_file rw_file_perms;
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
@@ -36,9 +40,17 @@ allow apcupsd_t apcupsd_log_t:dir setattr;
manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t)
logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
+manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
+files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
+
manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
+kernel_read_system_state(apcupsd_t)
+
+corecmd_exec_bin(apcupsd_t)
+corecmd_exec_shell(apcupsd_t)
+
corenet_all_recvfrom_unlabeled(apcupsd_t)
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
@@ -47,6 +59,7 @@ corenet_tcp_sendrecv_all_ports(apcupsd_t)
corenet_tcp_bind_all_nodes(apcupsd_t)
corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+corenet_tcp_connect_apcupsd_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
@@ -55,6 +68,16 @@ domain_use_interactive_fds(apcupsd_t)
files_read_etc_files(apcupsd_t)
files_search_locks(apcupsd_t)
+# Creates /etc/nologin
+files_manage_etc_runtime_files(apcupsd_t)
+files_etc_filetrans_etc_runtime(apcupsd_t,file)
+
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
+term_use_unallocated_ttys(apcupsd_t)
+
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
libs_use_ld_so(apcupsd_t)
libs_use_shared_libs(apcupsd_t)
@@ -64,6 +87,37 @@ logging_send_syslog_msg(apcupsd_t)
miscfiles_read_localization(apcupsd_t)
ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(apcupsd_t)
term_dontaudit_use_generic_ptys(apcupsd_t)
')
+
+optional_policy(`
+ hostname_exec(apcupsd_t)
+')
+
+optional_policy(`
+ mta_send_mail(apcupsd_t)
+')
+
+########################################
+#
+# apcupsd_cgi Declarations
+#
+
+optional_policy(`
+ apache_content_template(apcupsd_cgi)
+
+ allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+')
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
index 12e9bf2..dd7e085 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
@@ -1,5 +1,6 @@
+/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 3d7fb68..045aa31 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.7.0)
+policy_module(networkmanager,1.7.1)
########################################
#
@@ -31,6 +31,8 @@ allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+
manage_dirs_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
@@ -162,6 +164,11 @@ optional_policy(`
')
optional_policy(`
+ openvpn_domtrans(NetworkManager_t)
+ openvpn_signal(NetworkManager_t)
+')
+
+optional_policy(`
ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)
ppp_signal(NetworkManager_t)
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index ea6ec75..f806906 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -2,6 +2,74 @@
########################################
## <summary>
+## Execute OPENVPN clients in the openvpn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_domtrans',`
+ gen_require(`
+ type openvpn_t, openvpn_exec_t;
+ ')
+
+ domtrans_pattern($1, openvpn_exec_t, openvpn_t)
+')
+
+########################################
+## <summary>
+## Execute OPENVPN clients in the openvpn domain, and
+## allow the specified role the openvpn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the openvpn domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the openvpn domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_run',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ openvpn_domtrans($1)
+ role $2 types openvpn_t;
+ allow openvpn_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Send generic signals to OPENVPN clients.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_signal',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process signal;
+')
+
+########################################
+## <summary>
## Allow the specified domain to read
## OpenVPN configuration files.
## </summary>
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 3e0ebf0..40a0271 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,11 +1,18 @@
-policy_module(openvpn,1.3.0)
+policy_module(openvpn,1.3.1)
########################################
#
# Declarations
#
+## <desc>
+## <p>
+## Allow openvpn to read home directories
+## </p>
+## </desc>
+gen_tunable(openvpn_enable_homedirs,false)
+
# main openvpn domain
type openvpn_t;
type openvpn_exec_t;
@@ -28,7 +35,9 @@ files_pid_file(openvpn_var_run_t)
# openvpn local policy
#
-allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:process { signal getsched };
+
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
@@ -42,8 +51,8 @@ read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
-allow openvpn_t openvpn_var_run_t:file manage_file_perms;
-files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
+manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
@@ -67,6 +76,7 @@ corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
+corenet_tcp_connect_openvpn_port(openvpn_t)
dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
@@ -81,6 +91,7 @@ libs_use_shared_libs(openvpn_t)
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
+miscfiles_read_certs(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
@@ -90,6 +101,18 @@ ifdef(`targeted_policy',`
term_use_generic_ptys(openvpn_t)
')
+tunable_policy(`openvpn_enable_homedirs',`
+ userdom_read_unpriv_users_home_content_files(openvpn_t)
+')
+
optional_policy(`
daemontools_service_domain(openvpn_t,openvpn_exec_t)
')
+
+optional_policy(`
+ dbus_system_bus_client_template(openvpn,openvpn_t)
+ dbus_connect_system_bus(openvpn_t)
+ dbus_send_system_bus(openvpn_t)
+
+ networkmanager_dbus_chat(openvpn_t)
+')
diff --git a/policy/modules/services/rwho.fc b/policy/modules/services/rwho.fc
index 2d1f8ed..7aa6ae0 100644
--- a/policy/modules/services/rwho.fc
+++ b/policy/modules/services/rwho.fc
@@ -1,3 +1,5 @@
/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
+
+/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0)
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
index 2de6247..fa303f7 100644
--- a/policy/modules/services/rwho.if
+++ b/policy/modules/services/rwho.if
@@ -20,6 +20,46 @@ interface(`rwho_domtrans',`
########################################
## <summary>
+## Search rwho log directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_search_log',`
+ gen_require(`
+ type rwho_log_t;
+ ')
+
+ allow $1 rwho_log_t:dir search_dir_perms;
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Read rwho log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_read_log_files',`
+ gen_require(`
+ type rwho_log_t;
+ ')
+
+ allow $1 rwho_log_t:file read_file_perms;
+ allow $1 rwho_log_t:dir list_dir_perms;
+ logging_search_logs($1)
+')
+
+
+########################################
+## <summary>
## Search rwho spool directories.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index 9e9d8ff..60baaeb 100644
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -1,5 +1,5 @@
-policy_module(rwho,1.1.0)
+policy_module(rwho,1.1.1)
########################################
#
@@ -10,7 +10,9 @@ type rwho_t;
type rwho_exec_t;
init_daemon_domain(rwho_t, rwho_exec_t)
-# var/spool files
+type rwho_log_t;
+files_type(rwho_log_t)
+
type rwho_spool_t;
files_type(rwho_spool_t)
@@ -25,7 +27,10 @@ allow rwho_t self:fifo_file rw_file_perms;
allow rwho_t self:unix_stream_socket create_stream_socket_perms;
allow rwho_t self:udp_socket create_socket_perms;
-# var/spool files for rwho
+allow rwho_t rwho_log_t:dir manage_dir_perms;
+allow rwho_t rwho_log_t:file manage_file_perms;
+logging_log_filetrans(rwho_t, rwho_log_t, { file dir })
+
allow rwho_t rwho_spool_t:dir manage_dir_perms;
allow rwho_t rwho_spool_t:file manage_file_perms;
files_spool_filetrans(rwho_t,rwho_spool_t, { file dir })
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index 471cf9f..870dc7d 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -8,7 +8,11 @@
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
ifdef(`strict_policy',`
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 78e3b8e..26f5e2c 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.7.1)
+policy_module(spamassassin,1.7.2)
########################################
#
@@ -87,8 +87,9 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
-manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
-files_pid_filetrans(spamd_t,spamd_var_run_t,file)
+manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 59a7d69..d204e09 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -1,5 +1,5 @@
-policy_module(raid,1.3.0)
+policy_module(raid,1.3.1)
########################################
#
@@ -70,6 +70,7 @@ miscfiles_read_localization(mdadm_t)
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_use_sysadm_ttys(mdadm_t)
+userdom_dontaudit_search_all_users_home_content(mdadm_t)
mta_send_mail(mdadm_t)
More information about the scm-commits
mailing list