[selinux-policy: 1802/3172] trunk: six patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:40:50 UTC 2010 

commit 72f82c47c215725a2edfca35f1b845bf9dc15a06
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Sep 6 18:34:40 2007 +0000

    trunk: six patches from dan.

 policy/modules/services/apcupsd.fc        |    6 +++
 policy/modules/services/apcupsd.if        |   18 ++++++++
 policy/modules/services/apcupsd.te        |   58 +++++++++++++++++++++++-
 policy/modules/services/networkmanager.fc |    3 +-
 policy/modules/services/networkmanager.te |    9 +++-
 policy/modules/services/openvpn.if        |   68 +++++++++++++++++++++++++++++
 policy/modules/services/openvpn.te        |   31 +++++++++++--
 policy/modules/services/rwho.fc           |    2 +
 policy/modules/services/rwho.if           |   40 +++++++++++++++++
 policy/modules/services/rwho.te           |   11 +++-
 policy/modules/services/spamassassin.fc   |    4 ++
 policy/modules/services/spamassassin.te   |    7 ++-
 policy/modules/system/raid.te             |    3 +-
 13 files changed, 245 insertions(+), 15 deletions(-)
---
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
index 85c1e26..a3b8833 100644
--- a/policy/modules/services/apcupsd.fc
+++ b/policy/modules/services/apcupsd.fc
@@ -5,5 +5,11 @@ ifdef(`distro_debian',`
 /usr/sbin/apcupsd		--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 
 /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
+/var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 
 /var/run/apcupsd\.pid		--	gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+/var/www/apcupsd/multimon.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index 26e6137..de8b91b 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -79,3 +79,21 @@ interface(`apcupsd_append_log',`
 	allow $1 apcupsd_log_t:dir list_dir_perms;
 	allow $1 apcupsd_log_t:file { getattr append };
 ')
+
+########################################
+## <summary>
+##	Execute a domain transition to run httpd_apcupsd_cgi_script.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`httpd_apcupsd_cgi_script_domtrans',`
+	gen_require(`
+		type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+	')
+
+	domtrans_pattern($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t)
+')
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index d9c0d9b..63181f8 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -1,5 +1,5 @@
 
-policy_module(apcupsd,1.1.1)
+policy_module(apcupsd,1.1.2)
 
 ########################################
 #
@@ -16,6 +16,9 @@ files_lock_file(apcupsd_lock_t)
 type apcupsd_log_t;
 logging_log_file(apcupsd_log_t)
 
+type apcupsd_tmp_t;
+files_tmp_file(apcupsd_tmp_t)
+
 type apcupsd_var_run_t;
 files_pid_file(apcupsd_var_run_t)
 
@@ -24,6 +27,7 @@ files_pid_file(apcupsd_var_run_t)
 # apcupsd local policy
 #
 
+allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
 allow apcupsd_t self:process signal;
 allow apcupsd_t self:fifo_file rw_file_perms;
 allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
@@ -36,9 +40,17 @@ allow apcupsd_t apcupsd_log_t:dir setattr;
 manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t)
 logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
 
+manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
+files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
+
 manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
 files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
 
+kernel_read_system_state(apcupsd_t)
+
+corecmd_exec_bin(apcupsd_t)
+corecmd_exec_shell(apcupsd_t)
+
 corenet_all_recvfrom_unlabeled(apcupsd_t)
 corenet_all_recvfrom_netlabel(apcupsd_t)
 corenet_tcp_sendrecv_generic_if(apcupsd_t)
@@ -47,6 +59,7 @@ corenet_tcp_sendrecv_all_ports(apcupsd_t)
 corenet_tcp_bind_all_nodes(apcupsd_t)
 corenet_tcp_bind_apcupsd_port(apcupsd_t)
 corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+corenet_tcp_connect_apcupsd_port(apcupsd_t)
 
 dev_rw_generic_usb_dev(apcupsd_t)
 
@@ -55,6 +68,16 @@ domain_use_interactive_fds(apcupsd_t)
 
 files_read_etc_files(apcupsd_t)
 files_search_locks(apcupsd_t)
+# Creates /etc/nologin
+files_manage_etc_runtime_files(apcupsd_t)
+files_etc_filetrans_etc_runtime(apcupsd_t,file)
+
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
+term_use_unallocated_ttys(apcupsd_t)
+
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
 
 libs_use_ld_so(apcupsd_t)
 libs_use_shared_libs(apcupsd_t)
@@ -64,6 +87,37 @@ logging_send_syslog_msg(apcupsd_t)
 miscfiles_read_localization(apcupsd_t)
 
 ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(apcupsd_t)
 	term_dontaudit_use_generic_ptys(apcupsd_t)
 ')
+
+optional_policy(`
+	hostname_exec(apcupsd_t)
+')
+
+optional_policy(`
+	mta_send_mail(apcupsd_t)
+')
+
+########################################
+#
+# apcupsd_cgi Declarations
+#
+
+optional_policy(`
+	apache_content_template(apcupsd_cgi)
+	
+	allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+	
+	corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+	corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+	
+	sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+')
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
index 12e9bf2..dd7e085 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
@@ -1,5 +1,6 @@
+/usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
-/usr/(s)?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 3d7fb68..045aa31 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
 
-policy_module(networkmanager,1.7.0)
+policy_module(networkmanager,1.7.1)
 
 ########################################
 #
@@ -31,6 +31,8 @@ allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
 allow NetworkManager_t self:udp_socket create_socket_perms;
 allow NetworkManager_t self:packet_socket create_socket_perms;
 
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+
 manage_dirs_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
 manage_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
 manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
@@ -162,6 +164,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	openvpn_domtrans(NetworkManager_t)
+	openvpn_signal(NetworkManager_t)
+')
+
+optional_policy(`
 	ppp_domtrans(NetworkManager_t)
 	ppp_read_pid_files(NetworkManager_t)
 	ppp_signal(NetworkManager_t)
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index ea6ec75..f806906 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -2,6 +2,74 @@
 
 ########################################
 ## <summary>
+##	Execute OPENVPN clients in the openvpn domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvpn_domtrans',`
+	gen_require(`
+		type openvpn_t, openvpn_exec_t;
+	')
+
+	domtrans_pattern($1, openvpn_exec_t, openvpn_t)
+')
+
+########################################
+## <summary>
+##	Execute OPENVPN clients in the openvpn domain, and
+##	allow the specified role the openvpn domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the openvpn domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the openvpn domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_run',`
+	gen_require(`
+		type openvpn_t;
+	')
+
+	openvpn_domtrans($1)
+	role $2 types openvpn_t;
+	allow openvpn_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Send generic signals to OPENVPN clients.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvpn_signal',`
+	gen_require(`
+		type openvpn_t;
+	')
+
+	allow $1 openvpn_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to read
 ##	OpenVPN configuration files.
 ## </summary>
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 3e0ebf0..40a0271 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,11 +1,18 @@
 
-policy_module(openvpn,1.3.0)
+policy_module(openvpn,1.3.1)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow openvpn to read home directories
+## </p>
+## </desc>
+gen_tunable(openvpn_enable_homedirs,false)
+
 # main openvpn domain
 type openvpn_t;
 type openvpn_exec_t;
@@ -28,7 +35,9 @@ files_pid_file(openvpn_var_run_t)
 # openvpn local policy
 #
 
-allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:process { signal getsched };
+
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow openvpn_t self:udp_socket create_socket_perms;
@@ -42,8 +51,8 @@ read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
 allow openvpn_t openvpn_var_log_t:file manage_file_perms;
 logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
 
-allow openvpn_t openvpn_var_run_t:file manage_file_perms;
-files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
+manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(openvpn_t)
 kernel_read_net_sysctls(openvpn_t)
@@ -67,6 +76,7 @@ corenet_tcp_bind_openvpn_port(openvpn_t)
 corenet_udp_bind_openvpn_port(openvpn_t)
 corenet_sendrecv_openvpn_server_packets(openvpn_t)
 corenet_rw_tun_tap_dev(openvpn_t)
+corenet_tcp_connect_openvpn_port(openvpn_t)
 
 dev_search_sysfs(openvpn_t)
 dev_read_rand(openvpn_t)
@@ -81,6 +91,7 @@ libs_use_shared_libs(openvpn_t)
 logging_send_syslog_msg(openvpn_t)
 
 miscfiles_read_localization(openvpn_t)
+miscfiles_read_certs(openvpn_t)
 
 sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
@@ -90,6 +101,18 @@ ifdef(`targeted_policy',`
 	term_use_generic_ptys(openvpn_t)
 ')
 
+tunable_policy(`openvpn_enable_homedirs',`
+	userdom_read_unpriv_users_home_content_files(openvpn_t)
+')
+
 optional_policy(`
 	daemontools_service_domain(openvpn_t,openvpn_exec_t)
 ')
+
+optional_policy(`
+	dbus_system_bus_client_template(openvpn,openvpn_t)
+	dbus_connect_system_bus(openvpn_t)
+	dbus_send_system_bus(openvpn_t)
+
+	networkmanager_dbus_chat(openvpn_t)
+')
diff --git a/policy/modules/services/rwho.fc b/policy/modules/services/rwho.fc
index 2d1f8ed..7aa6ae0 100644
--- a/policy/modules/services/rwho.fc
+++ b/policy/modules/services/rwho.fc
@@ -1,3 +1,5 @@
 /usr/sbin/rwhod		--	gen_context(system_u:object_r:rwho_exec_t,s0)
 
 /var/spool/rwho(/.*)?		gen_context(system_u:object_r:rwho_spool_t,s0)
+
+/var/log/rwhod(/.*)?		gen_context(system_u:object_r:rwho_log_t,s0)
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
index 2de6247..fa303f7 100644
--- a/policy/modules/services/rwho.if
+++ b/policy/modules/services/rwho.if
@@ -20,6 +20,46 @@ interface(`rwho_domtrans',`
 
 ########################################
 ## <summary>
+##	Search rwho log directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rwho_search_log',`
+	gen_require(`
+		type rwho_log_t;
+	')
+
+	allow $1 rwho_log_t:dir search_dir_perms;
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	Read rwho log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rwho_read_log_files',`
+	gen_require(`
+		type rwho_log_t;
+	')
+
+	allow $1 rwho_log_t:file read_file_perms;
+	allow $1 rwho_log_t:dir list_dir_perms;
+	logging_search_logs($1)
+')
+
+
+########################################
+## <summary>
 ##	Search rwho spool directories.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index 9e9d8ff..60baaeb 100644
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -1,5 +1,5 @@
 
-policy_module(rwho,1.1.0)
+policy_module(rwho,1.1.1)
 
 ########################################
 #
@@ -10,7 +10,9 @@ type rwho_t;
 type rwho_exec_t;
 init_daemon_domain(rwho_t, rwho_exec_t)
 
-# var/spool files
+type rwho_log_t;
+files_type(rwho_log_t)
+
 type rwho_spool_t;
 files_type(rwho_spool_t)
 
@@ -25,7 +27,10 @@ allow rwho_t self:fifo_file rw_file_perms;
 allow rwho_t self:unix_stream_socket create_stream_socket_perms;
 allow rwho_t self:udp_socket create_socket_perms;
 
-# var/spool files for rwho
+allow rwho_t rwho_log_t:dir manage_dir_perms;
+allow rwho_t rwho_log_t:file manage_file_perms;
+logging_log_filetrans(rwho_t, rwho_log_t, { file dir })
+
 allow rwho_t rwho_spool_t:dir manage_dir_perms;
 allow rwho_t rwho_spool_t:file manage_file_perms;
 files_spool_filetrans(rwho_t,rwho_spool_t, { file dir })
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index 471cf9f..870dc7d 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -8,7 +8,11 @@
 
 /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
 
+/var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/run/spamass-milter(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
+
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
 
 ifdef(`strict_policy',`
 HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 78e3b8e..26f5e2c 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.7.1)
+policy_module(spamassassin,1.7.2)
 
 ########################################
 #
@@ -87,8 +87,9 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
 read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
 
-manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
-files_pid_filetrans(spamd_t,spamd_var_run_t,file)
+manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
 
 kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 59a7d69..d204e09 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -1,5 +1,5 @@
 
-policy_module(raid,1.3.0)
+policy_module(raid,1.3.1)
 
 ########################################
 #
@@ -70,6 +70,7 @@ miscfiles_read_localization(mdadm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
 userdom_dontaudit_use_sysadm_ttys(mdadm_t)
+userdom_dontaudit_search_all_users_home_content(mdadm_t)
 
 mta_send_mail(mdadm_t)

More information about the scm-commits mailing list