[selinux-policy: 1892/3172] trunk: add basic ubuntu support

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:48:34 UTC 2010


commit 12cf805e1c57f1f0b83a4ba75cce345bf2019776
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Feb 5 18:24:43 2008 +0000

    trunk: add basic ubuntu support

 Makefile                             |    4 +++
 policy/modules/services/ssh.if       |    8 ++++--
 policy/modules/system/authlogin.te   |   30 ++++++++++++++++++++++++
 policy/modules/system/getty.te       |    6 +++++
 policy/modules/system/init.te        |   11 +++++----
 policy/modules/system/libraries.te   |    6 +++++
 policy/modules/system/locallogin.te  |    6 +++++
 policy/modules/system/logging.te     |   18 ++++++++++++++
 policy/modules/system/modutils.te    |   18 ++++++++++++++
 policy/modules/system/mount.te       |    6 +++++
 policy/modules/system/selinuxutil.te |   42 ++++++++++++++++++++++++++++++++++
 policy/modules/system/sysnetwork.te  |   12 +++++++++
 12 files changed, 159 insertions(+), 8 deletions(-)
---
diff --git a/Makefile b/Makefile
index 9fc4080..1af6b9b 100644
--- a/Makefile
+++ b/Makefile
@@ -184,6 +184,10 @@ ifeq "$(DISTRO)" "rhel4"
 	M4PARAM += -D distro_redhat
 endif
 
+ifeq "$(DISTRO)" "ubuntu"
+	M4PARAM += -D distro_debian
+endif
+
 ifneq ($(OUTPUT_POLICY),)
 	CHECKPOLICY += -c $(OUTPUT_POLICY)
 endif
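Review bot: The new `ubuntu` branch only adds `-D distro_debian`, while every policy file in this commit gates its Ubuntu-specific rules on `ifdef(`distro_ubuntu', ...)`. Unless the Makefile already defines `distro_$(DISTRO)` generically somewhere outside this hunk, none of those blocks is ever enabled and the build silently produces a policy without the Ubuntu changes. If no such generic definition exists, the branch should also emit the symbol the policy tests for: `M4PARAM += -D distro_ubuntu`. A short comment on the branch, `# Ubuntu is Debian-derived: enable the Debian rules as well as the Ubuntu-only ones`, would make the double definition self-explanatory.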
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 22fa094..e1a478c 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -507,9 +507,6 @@ template(`ssh_server_template', `
 	userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
 	userdom_search_all_users_home_dirs($1_t)
 
-	# Allow checking users mail at login
-	mta_getattr_spool($1_t)
-
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_read_nfs_files($1_t)
 	')
@@ -523,6 +520,11 @@ template(`ssh_server_template', `
 	')
 
 	optional_policy(`
+		# Allow checking users mail at login
+		mta_getattr_spool($1_t)
+	')
+
+	optional_policy(`
 		nscd_socket_use($1_t)
 	')
 
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 773e20f..b7b0f78 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -122,6 +122,12 @@ logging_send_syslog_msg(pam_t)
 
 userdom_use_unpriv_users_fds(pam_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(pam_t)
+	')
+')
+
 optional_policy(`
 	locallogin_use_fds(pam_t)
 ')
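Review bot: `unconfined_domain(pam_t)` under `distro_ubuntu` removes type enforcement for this domain whenever the unconfined module is loaded, and the same pattern is applied without explanation to every other domain touched in this commit (the remaining authlogin.te hunks, getty.te, libraries.te, locallogin.te, logging.te, modutils.te, mount.te, selinuxutil.te and sysnetwork.te). On an Ubuntu build this means the confinement that the surrounding rules in each of these files spell out is effectively not in force for those domains, and AVC-based monitoring for them would presumably go quiet, so a reader needs to know whether this is a deliberate transitional state or a permanent choice. Neither the commit message nor the hunks say; a one-line comment above the first such block stating the reason and the condition for removing it (for example, if that is the intent, `# distro_ubuntu: system domains run unconfined until the policy is validated on Ubuntu; drop these blocks once it is`) would give maintainers something to act on. The diffstat counts twelve files but lists eleven, which is worth checking against the actual commit.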
@@ -223,6 +229,12 @@ seutil_read_file_contexts(pam_console_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(pam_console_t)
+	')
+')
+
 optional_policy(`
 	gpm_getattr_gpmctl(pam_console_t)
 	gpm_setattr_gpmctl(pam_console_t)
@@ -264,6 +276,12 @@ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
 userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
 userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(system_chkpwd_t)
+	')
+')
+
 ########################################
 #
 # updpwd local policy
@@ -292,6 +310,12 @@ logging_send_syslog_msg(updpwd_t)
 
 miscfiles_read_localization(updpwd_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(updpwd_t)
+	')
+')
+
 ########################################
 #
 # Utempter local policy
@@ -324,6 +348,12 @@ logging_search_logs(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_unpriv_users_tmp_files(utempter_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(utempter_t)
+	')
+')
+
 optional_policy(`
 	nscd_socket_use(utempter_t)
 ')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index e85dc48..ae1720e 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -114,6 +114,12 @@ ifdef(`distro_gentoo',`
 	sysnet_dontaudit_read_config(getty_t)
 ')
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(getty_t)
+	')
+')
+
 optional_policy(`
 	mta_send_mail(getty_t)
 ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 266b1f6..e46e0b9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -163,6 +163,12 @@ ifdef(`distro_redhat',`
 	fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
 ')
 
+ifndef(`distro_ubuntu',`
+	# Run the shell in the sysadm role for single-user mode.
+	# causes problems with upstart
+	userdom_shell_domtrans_sysadm(init_t)
+')
+
 optional_policy(`
 	auth_rw_login_records(init_t)
 ')
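Review bot: The added comment `# causes problems with upstart` does not say what the problem is or what the consequence of skipping the rule is, so the next reader cannot tell whether it is still needed. Since the rule that transitioned the single-user shell into the sysadm domain is now omitted on Ubuntu, the shell presumably remains in init_t's domain there, and the comment should say so, e.g. `# Upstart fails when init_t transitions the single-user shell to sysadm; on Ubuntu the shell therefore keeps init_t's domain.` Note also that the moved call is no longer wrapped in `optional_policy(...)` as the removed copy in the following hunk was; that is only safe if the userdomain module is guaranteed to be present in every build, which I cannot confirm from this diff.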
@@ -175,11 +181,6 @@ optional_policy(`
 	unconfined_domain(init_t)
 ')
 
-# Run the shell in the sysadm_t domain for single-user mode.
-optional_policy(`
-	userdom_shell_domtrans_sysadm(init_t)
-')
-
 ########################################
 #
 # Init script local policy
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 0f800e6..a6bc400 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -80,6 +80,12 @@ logging_send_syslog_msg(ldconfig_t)
 
 userdom_use_all_users_fds(ldconfig_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(ldconfig_t)
+	')
+')
+
 ifdef(`hide_broken_symptoms',`
 	optional_policy(`
 		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 9bbd3d4..39ceb8d 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -138,6 +138,12 @@ userdom_use_unpriv_users_fds(local_login_t)
 userdom_sigchld_all_users(local_login_t)
 userdom_create_all_users_keys(local_login_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(local_login_t)
+	')
+')
+
 tunable_policy(`read_default_t',`
 	files_list_default(local_login_t)
 	files_read_default_files(local_login_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 4eb97e9..5a81526 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -164,6 +164,12 @@ seutil_dontaudit_read_config(auditd_t)
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(auditd_t)
+	')
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(auditd_t)
 ')
@@ -220,6 +226,12 @@ mls_file_read_all_levels(klogd_t)
 
 userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(klogd_t)
+	')
+')
+
 optional_policy(`
 	udev_read_db(klogd_t)
 ')
@@ -357,6 +369,12 @@ ifdef(`distro_suse',`
 	files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
 ')
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(syslogd_t)
+	')
+')
+
 optional_policy(`
 	inn_manage_log(syslogd_t)
 ')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 59767a9..53a0afc 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -112,6 +112,12 @@ miscfiles_read_localization(insmod_t)
 
 seutil_read_file_contexts(insmod_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(insmod_t)
+	')
+')
+
 if( ! secure_mode_insmod ) {
 	kernel_domtrans_to(insmod_t,insmod_exec_t)
 }
@@ -205,6 +211,12 @@ files_list_home(depmod_t)
 userdom_read_staff_home_content_files(depmod_t)
 userdom_read_sysadm_home_content_files(depmod_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(depmod_t)
+	')
+')
+
 optional_policy(`
 	# Read System.map from home directories.
 	unconfined_read_home_content_files(depmod_t)
@@ -282,3 +294,9 @@ ifdef(`distro_gentoo',`
 		consoletype_exec(update_modules_t)
 	')
 ')
+
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(update_modules_t)
+	')
+')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 12070a0..de9e9f5 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -128,6 +128,12 @@ ifdef(`distro_redhat',`
 	')
 ')
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(mount_t)
+	')
+')
+
 tunable_policy(`allow_mount_anyfile',`
 	auth_read_all_dirs_except_shadow(mount_t)
 	auth_read_all_files_except_shadow(mount_t)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index fd277bd..b9cbaaf 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -145,6 +145,12 @@ libs_use_shared_libs(checkpolicy_t)
 
 userdom_use_all_users_fds(checkpolicy_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(checkpolicy_t)
+	')
+')
+
 ########################################
 #
 # Load_policy local policy
@@ -183,6 +189,12 @@ seutil_libselinux_linked(load_policy_t)
 
 userdom_use_all_users_fds(load_policy_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(load_policy_t)
+	')
+')
+
 ifdef(`hide_broken_symptoms',`
 	# cjp: cover up stray file descriptors.
 	dontaudit load_policy_t selinux_config_t:file write;
@@ -276,6 +288,12 @@ userdom_use_unpriv_users_fds(newrole_t)
 userdom_dontaudit_search_all_users_home_content(newrole_t)
 userdom_search_all_users_home_dirs(newrole_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(newrole_t)
+	')
+')
+
 # if secure mode is enabled, then newrole
 # can only transition to unprivileged users
 if(secure_mode) {
@@ -329,6 +347,12 @@ miscfiles_read_localization(restorecond_t)
 
 seutil_libselinux_linked(restorecond_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(restorecond_t)
+	')
+')
+
 optional_policy(`
 	rpm_use_script_fds(restorecond_t)
 ')
@@ -396,6 +420,12 @@ ifndef(`direct_sysadm_daemon',`
 	')
 ')
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(run_init_t)
+	')
+')
+
 optional_policy(`
 	daemontools_domtrans_start(run_init_t)
 ')
@@ -471,6 +501,12 @@ ifdef(`distro_debian',`
 	files_read_var_lib_symlinks(semanage_t)
 ')
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(semanage_t)
+	')
+')
+
 # cjp: need a more general way to handle this:
 ifdef(`enable_mls',`
 	# read secadm tmp files
@@ -575,6 +611,12 @@ ifdef(`distro_redhat', `
 	fs_relabel_tmpfs_chr_file(setfiles_t)
 ')
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(setfiles_t)
+	')
+')
+
 ifdef(`hide_broken_symptoms',`
 	optional_policy(`
 		udev_dontaudit_rw_dgram_sockets(setfiles_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3227730..bb35555 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -142,6 +142,12 @@ ifdef(`distro_redhat', `
 	files_exec_etc_files(dhcpc_t)
 ')
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(dhcpc_t)
+	')
+')
+
 optional_policy(`
 	consoletype_domtrans(dhcpc_t)
 ')
@@ -297,6 +303,12 @@ seutil_use_runinit_fds(ifconfig_t)
 
 userdom_use_all_users_fds(ifconfig_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(ifconfig_t)
+	')
+')
+  
 ifdef(`hide_broken_symptoms',`
 	optional_policy(`
 		dev_dontaudit_rw_cardmgr(ifconfig_t)
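Review bot: The blank line added after the `distro_ubuntu` block in this hunk carries trailing whitespace (`+  ` rather than `+`), unlike the equivalent blank lines in the other hunks of this commit. It should be a bare empty line so the file stays consistent and does not trip whitespace checks on later diffs.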

