[selinux-policy: 1852/3172] trunk: 9 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:45:11 UTC 2010


commit 226c06969c51853066b2d80201255e797f162459
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Nov 15 20:10:26 2007 +0000

    trunk: 9 patches from dan.

 policy/modules/services/lpd.fc      |    1 +
 policy/modules/services/lpd.if      |   19 +++++++++++++++++++
 policy/modules/services/lpd.te      |    2 +-
 policy/modules/services/ppp.if      |   19 +++++++++++++++++++
 policy/modules/services/ppp.te      |    2 +-
 policy/modules/services/procmail.te |   11 +++++------
 policy/modules/services/radius.fc   |    2 ++
 policy/modules/services/radius.te   |    8 +++++++-
 policy/modules/services/rhgb.te     |    6 +++++-
 policy/modules/services/ricci.te    |    8 +++-----
 policy/modules/services/rsync.te    |   23 ++++++++++++++---------
 policy/modules/services/tftp.te     |   21 ++++++++++++++++++++-
 policy/modules/system/miscfiles.if  |   22 ++++++++++++++++++++++
 policy/modules/system/miscfiles.te  |    2 +-
 14 files changed, 120 insertions(+), 26 deletions(-)
---
diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc
index 59e51aa..fafcfb0 100644
--- a/policy/modules/services/lpd.fc
+++ b/policy/modules/services/lpd.fc
@@ -27,5 +27,6 @@
 #
 # /var
 #
+/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 /var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
 /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
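Review bot: The new `/var/spool/cups(/.*)?` spec labels the cups spool `mls_systemhigh` while the neighbouring `/var/spool/lpd(/.*)?` entry for the same type stays at `s0`; if the difference is intentional a comment recording why would help, e.g. `# cups spool receives jobs from every level, hence systemhigh`. The cups module is not part of this diff, so I cannot tell whether cups.fc already carries a spec for this path; if it does, the two specs should be reconciled rather than duplicated, since overlapping file contexts are a common source of relabel surprises.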
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index b7eb9ad..9517dd6 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -303,6 +303,25 @@ interface(`lpd_list_spool',`
 
 ########################################
 ## <summary>
+##	Read the printer spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lpd_read_spool',`
+	gen_require(`
+		type print_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1,print_spool_t,print_spool_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete printer spool files.
 ## </summary>
 ## <param name="domain">
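Review bot: `lpd_read_spool` grants only `read_files_pattern`, which includes searching the spool directory but not listing it, so a caller that enumerates spool files still needs `lpd_list_spool`; the summary could state that explicitly: `##	Read the printer spool files (does not allow listing the spool directory; see lpd_list_spool).`. The `files_search_spool($1)` call is correctly placed before the pattern so the path lookup is covered.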
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 1562aa8..943b896 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
 
-policy_module(lpd,1.7.1)
+policy_module(lpd,1.7.2)
 
 ########################################
 #
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 9a2883c..1eca6bd 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -159,6 +159,25 @@ interface(`ppp_exec',`
 
 ########################################
 ## <summary>
+##	Read ppp configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_read_config',`
+	gen_require(`
+		type pppd_etc_t;
+	')
+
+	read_files_pattern($1, pppd_etc_t, pppd_etc_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
 ##	Read PPP-writable configuration files.
 ## </summary>
 ## <param name="domain">
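Review bot: In `ppp_read_config` the `files_search_etc($1)` call comes after `read_files_pattern`, whereas the other interface added in this commit (`lpd_read_spool`) puts the parent-directory search first; ordering the search before the reads mirrors the path lookup a process performs and is easier to check by eye. Purely a style point, as the rules are order-independent.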
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index f45e044..559e81d 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
 
-policy_module(ppp,1.5.1)
+policy_module(ppp,1.5.2)
 
 ########################################
 #
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 12ae74c..7a95ff1 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
 
-policy_module(procmail,1.7.0)
+policy_module(procmail,1.7.1)
 
 ########################################
 #
@@ -52,6 +52,7 @@ dev_read_urand(procmail_t)
 
 fs_getattr_xattr_fs(procmail_t)
 fs_search_auto_mountpoints(procmail_t)
+fs_rw_anon_inodefs_files(procmail_t)
 
 auth_use_nsswitch(procmail_t)
 
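Review bot: `fs_rw_anon_inodefs_files(procmail_t)` is added without a why-comment, and nothing in the hunk shows which anon-inode object procmail needs (presumably an epoll or eventfd descriptor, but that is a guess); a one-line comment such as `# rw on anon inodes — TODO record the object/denial that motivated this` keeps the grant reviewable later. The `nis_use_ypbind` block removed in the last hunk of this file appears to be covered by the `auth_use_nsswitch(procmail_t)` call visible here — worth confirming.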
@@ -67,6 +68,8 @@ files_read_usr_files(procmail_t)
 libs_use_ld_so(procmail_t)
 libs_use_shared_libs(procmail_t)
 
+logging_send_syslog_msg(procmail_t)
+
 miscfiles_read_localization(procmail_t)
 
 # only works until we define a different type for maildir
@@ -99,11 +102,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	logging_send_syslog_msg(procmail_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(procmail_t)
+	munin_dontaudit_search_lib(procmail_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc
index 50b60a6..6f48bb0 100644
--- a/policy/modules/services/radius.fc
+++ b/policy/modules/services/radius.fc
@@ -8,6 +8,8 @@
 /usr/sbin/radiusd	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
 /usr/sbin/freeradius	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
 
+/var/lib/radiousd(/.*)?		gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+
 /var/log/freeradius(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
 /var/log/radacct(/.*)?		gen_context(system_u:object_r:radiusd_log_t,s0)
 /var/log/radius(/.*)?		gen_context(system_u:object_r:radiusd_log_t,s0)
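Review bot: The new path `/var/lib/radiousd(/.*)?` looks misspelled — every other radius spec in this file and the type name itself use `radiusd`, so as written no file under `/var/lib/radiusd` would receive `radiusd_var_lib_t`, and the `manage_files_pattern` on that type added in radius.te would never apply. Suggested line: `/var/lib/radiusd(/.*)?		gen_context(system_u:object_r:radiusd_var_lib_t,s0)`.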
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index 6668fca..7e37903 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
 
-policy_module(radius,1.5.2)
+policy_module(radius,1.5.3)
 
 ########################################
 #
@@ -19,6 +19,9 @@ files_type(radiusd_etc_rw_t)
 type radiusd_log_t;
 logging_log_file(radiusd_log_t)
 
+type radiusd_var_lib_t;
+files_type(radiusd_var_lib_t)
+
 type radiusd_var_run_t;
 files_pid_file(radiusd_var_run_t)
 
@@ -52,6 +55,8 @@ manage_dirs_pattern(radiusd_t,radiusd_log_t,radiusd_log_t)
 manage_files_pattern(radiusd_t,radiusd_log_t,radiusd_log_t)
 logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
 
+manage_files_pattern(radiusd_t,radiusd_var_lib_t,radiusd_var_lib_t)
+
 manage_files_pattern(radiusd_t,radiusd_var_run_t,radiusd_var_run_t)
 files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
 
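Review bot: Only `manage_files_pattern(radiusd_t,radiusd_var_lib_t,radiusd_var_lib_t)` is granted, so radiusd can search but not create or remove directories inside its var_lib tree, and there is no `files_var_lib_filetrans`, so anything the daemon creates directly in `/var/lib` would get the default type rather than `radiusd_var_lib_t`. If the daemon creates subdirectories, add `manage_dirs_pattern(radiusd_t,radiusd_var_lib_t,radiusd_var_lib_t)` alongside the files rule. A short comment on what radiusd stores there would also help.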
@@ -73,6 +78,7 @@ corenet_sendrecv_radius_server_packets(radiusd_t)
 corenet_sendrecv_radacct_server_packets(radiusd_t)
 # for RADIUS proxy port
 corenet_udp_bind_generic_port(radiusd_t)
+corenet_dontaudit_udp_bind_all_ports(radiusd_t)
 corenet_sendrecv_generic_server_packets(radiusd_t)
 
 dev_read_sysfs(radiusd_t)
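Review bot: `corenet_dontaudit_udp_bind_all_ports(radiusd_t)` silences every UDP bind denial for the daemon, which will also hide a genuinely misconfigured listen port in the audit log; the existing `# for RADIUS proxy port` comment covers only the preceding generic-port rule. A comment stating the reason, e.g. `# TODO confirm: radiusd tries several ports when choosing a proxy port; silence the failed attempts`, would make the trade-off explicit.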
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index c9ed994..3739d8b 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -1,5 +1,5 @@
 
-policy_module(rhgb,1.5.1)
+policy_module(rhgb,1.5.2)
 
 ########################################
 #
@@ -59,6 +59,7 @@ corenet_tcp_connect_all_ports(rhgb_t)
 corenet_sendrecv_all_client_packets(rhgb_t)
 
 dev_read_sysfs(rhgb_t)
+dev_read_urand(rhgb_t)
 
 domain_use_interactive_fds(rhgb_t)
 
@@ -68,6 +69,7 @@ files_read_etc_runtime_files(rhgb_t)
 files_search_tmp(rhgb_t)
 files_read_usr_files(rhgb_t)
 files_mounton_mnt(rhgb_t)
+files_dontaudit_rw_root_dir(rhgb_t)
 files_dontaudit_read_default_files(rhgb_t)
 files_dontaudit_search_pids(rhgb_t)
 # for nscd
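Review bot: `files_dontaudit_rw_root_dir(rhgb_t)` is added with no why-comment; a dontaudit on the root directory will hide any future genuine attempt by rhgb to write `/`, so the cause should be recorded, e.g. `# rhgb attempts to write / at startup; harmless, so silence it (TODO confirm cause)`. The same applies to `miscfiles_dontaudit_write_fonts(rhgb_t)` in the next hunk of this file.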
@@ -100,6 +102,7 @@ logging_send_syslog_msg(rhgb_t)
 
 miscfiles_read_localization(rhgb_t)
 miscfiles_read_fonts(rhgb_t)
+miscfiles_dontaudit_write_fonts(rhgb_t)
 
 seutil_search_default_contexts(rhgb_t)
 seutil_read_config(rhgb_t)
@@ -118,6 +121,7 @@ xserver_read_xkb_libs(rhgb_t)
 xserver_domtrans_xdm_xserver(rhgb_t)
 xserver_signal_xdm_xserver(rhgb_t)
 xserver_read_xdm_tmp_files(rhgb_t)
+xserver_stream_connect_xdm_xserver(rhgb_t)
 
 optional_policy(`
 	consoletype_exec(rhgb_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index da4fde8..baff761 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -1,5 +1,5 @@
 
-policy_module(ricci,1.2.2)
+policy_module(ricci,1.2.3)
 
 ########################################
 #
@@ -260,7 +260,7 @@ optional_policy(`
 # ricci_modclusterd local policy
 #
 
-allow ricci_modclusterd_t self:capability sys_nice;
+allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
 allow ricci_modclusterd_t self:process { signal sigkill setsched };
 allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
 allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
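Review bot: The capability set for `ricci_modclusterd_t` grows to include `sys_tty_config` without a comment; that capability covers vhangup and tty configuration ioctls, which is unexpected for a cluster daemon, so the triggering denial or reason should be noted, e.g. `# sys_tty_config: TODO record why modclusterd needs tty configuration`. If the access is only being requested incidentally and never needed, a `dontaudit` would be the narrower choice.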
@@ -468,9 +468,6 @@ libs_use_shared_libs(ricci_modstorage_t)
 
 logging_send_syslog_msg(ricci_modstorage_t)
 
-lvm_domtrans(ricci_modstorage_t)
-lvm_manage_config(ricci_modstorage_t)
-
 miscfiles_read_localization(ricci_modstorage_t)
 
 modutils_read_module_deps(ricci_modstorage_t)
@@ -482,6 +479,7 @@ optional_policy(`
 
 optional_policy(`
 	lvm_domtrans(ricci_modstorage_t)
+	lvm_manage_config(ricci_modstorage_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 25c0238..68e05a1 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
 
-policy_module(rsync,1.5.1)
+policy_module(rsync,1.5.2)
 
 ########################################
 #
@@ -8,6 +8,13 @@ policy_module(rsync,1.5.1)
 
 ## <desc>
 ## <p>
+## Allow rsync export files read only
+## </p>
+## </desc>
+gen_tunable(rsync_export_all_ro,false)
+
+## <desc>
+## <p>
 ## Allow rsync to modify public files
 ## used for public file transfer services.
 ## </p>
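Review bot: The description for `rsync_export_all_ro` is hard to parse (`## Allow rsync export files read only`) and understates what the tunable does: the `tunable_policy` block at the end of this file grants `dac_override` plus `auth_read_all_files_except_shadow`, i.e. read access to essentially every file on the system. A clearer description is `## Allow the rsync daemon to export (read) all files on the system except shadow, bypassing DAC`, so an administrator enabling the boolean understands its reach.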
@@ -58,6 +65,8 @@ files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
 manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
 files_pid_filetrans(rsync_t,rsync_var_run_t,file)
 
+auth_use_nsswitch(rsync_t)
+
 kernel_read_kernel_sysctls(rsync_t)
 kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
@@ -90,8 +99,6 @@ logging_dontaudit_search_logs(rsync_t)
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
 
-sysnet_read_config(rsync_t)
-
 tunable_policy(`allow_rsync_anon_write',`
 	miscfiles_manage_public_files(rsync_t)
 ')
@@ -108,10 +115,8 @@ optional_policy(`
 	inetd_service_domain(rsync_t,rsync_exec_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(rsync_t)
-')
-
-optional_policy(`
-	nscd_socket_use(rsync_t)
+tunable_policy(`rsync_export_all_ro',`
+	allow rsync_t self:capability dac_override;
+	fs_read_noxattr_fs_files(rsync_t) 
+	auth_read_all_files_except_shadow(rsync_t)
 ')
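Review bot: `allow rsync_t self:capability dac_override;` is broader than a read-only export needs; `dac_read_search` is the capability that bypasses DAC for reads and directory search only, so `allow rsync_t self:capability dac_read_search;` matches the tunable's stated read-only intent (confirm nothing on the export path needs write). There is also trailing whitespace after `fs_read_noxattr_fs_files(rsync_t)`. The removed `nis_use_ypbind`/`nscd_socket_use` blocks and the earlier `sysnet_read_config` removal are presumably covered by the `auth_use_nsswitch(rsync_t)` added above — worth confirming.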
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 4edddfb..0a781f8 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,11 +1,19 @@
 
-policy_module(tftp,1.5.2)
+policy_module(tftp,1.5.3)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow tftp to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(tftp_anon_write,false)
+
 type tftpd_t;
 type tftpd_exec_t;
 init_daemon_domain(tftpd_t,tftpd_exec_t)
@@ -16,6 +24,9 @@ files_pid_file(tftpd_var_run_t)
 type tftpdir_t;
 files_type(tftpdir_t)
 
+type tftpdir_rw_t;
+files_type(tftpdir_rw_t)
+
 ########################################
 #
 # Local policy
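Review bot: `tftpdir_rw_t` is declared but nothing in this commit assigns it — the diffstat lists no tftp.fc change and no tftp.if interface exposes the type — so unless labelling is added elsewhere, no path on disk receives it and the `manage_*_pattern` rules in the next hunk are inert until an administrator relabels a directory by hand. A comment on the declaration saying how it is meant to be applied would help: `# tftpdir_rw_t: writable tftp directory; no default path as of this commit, label via file context customization`.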
@@ -33,6 +44,10 @@ allow tftpd_t tftpdir_t:dir { getattr read search };
 allow tftpd_t tftpdir_t:file { read getattr };
 allow tftpd_t tftpdir_t:lnk_file { getattr read };
 
+manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+
 manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
 files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
 
@@ -80,6 +95,10 @@ userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
 userdom_dontaudit_use_sysadm_ttys(tftpd_t)
 userdom_dontaudit_search_sysadm_home_dirs(tftpd_t)
 
+tunable_policy(`tftp_anon_write',`
+	miscfiles_manage_public_files(tftpd_t)
+') 
+
 optional_policy(`
 	inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
 ')
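Review bot: There is trailing whitespace after the `')` that closes the `tftp_anon_write` block. With this commit tftpd has two write paths — unconditional write to `tftpdir_rw_t` and, behind the boolean, `miscfiles_manage_public_files`; the tunable's description in the first hunk of this file could mention that the boolean is not needed for directories labelled `tftpdir_rw_t`, so administrators pick the narrower option.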
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index cf640b6..bebb25f 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -48,6 +48,26 @@ interface(`miscfiles_read_fonts',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to write fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_dontaudit_write_fonts',`
+	gen_require(`
+		type fonts_t;
+	')
+
+	dontaudit $1 fonts_t:dir write;
+	dontaudit $1 fonts_t:file write;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete fonts.
 ## </summary>
 ## <param name="domain">
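Review bot: `miscfiles_dontaudit_write_fonts` carries a `## <rolecap/>` tag, which marks interfaces whose access is suitable for role capabilities; a pure dontaudit grants nothing, so the tag looks copied from the neighbouring manage interface and should be dropped. The two `dontaudit` rules themselves match the summary.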
@@ -253,6 +273,8 @@ interface(`miscfiles_delete_man_pages',`
 	files_search_usr($1)
 
 	allow $1 man_t:dir setattr;
+	# RH bug #309351
+	allow $1 man_t:dir list_dir_perms;
 	delete_dirs_pattern($1,man_t,man_t)
 	delete_files_pattern($1,man_t,man_t)
 	delete_lnk_files_pattern($1,man_t,man_t)
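Review bot: The new `allow $1 man_t:dir list_dir_perms;` is justified only by `# RH bug #309351`, so a reader without access to that tracker cannot tell why deleting man pages needs directory listing. Suggest expanding the comment to carry the reason, e.g. `# RH bug #309351: removing man page trees requires listing the directories being deleted` (confirm the wording against the bug).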
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 48c25c3..2b51b6e 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,5 +1,5 @@
 
-policy_module(miscfiles,1.4.0)
+policy_module(miscfiles,1.4.1)
 
 ########################################
 #

