[selinux-policy: 2104/3172] trunk: 3 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:06:41 UTC 2010


commit d6605bc48b1e4c0116912d1d5fd08a9f0a81b2dc
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Apr 3 14:14:43 2009 +0000

    trunk: 3 patches from dan.

 policy/modules/system/fstools.te  |    6 ++++++
 policy/modules/system/ipsec.fc    |    3 +++
 policy/modules/system/ipsec.te    |   37 +++++++++++++++++++++++--------------
 policy/modules/system/iptables.fc |    3 ++-
 policy/modules/system/iptables.te |    4 ++--
 5 files changed, 36 insertions(+), 17 deletions(-)
---
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 8b843ff..ecb8978 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -153,6 +153,12 @@ seutil_read_config(fsadm_t)
 userdom_use_user_terminals(fsadm_t)
 userdom_use_unpriv_users_fds(fsadm_t)
 
+ifdef(`distro_redhat',`
+	optional_policy(`
+		unconfined_domain(fsadm_t)
+	')
+')
+
 tunable_policy(`read_default_t',`
 	files_list_default(fsadm_t)
 	files_read_default_files(fsadm_t)
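Review bot: `unconfined_domain(fsadm_t)` removes all confinement from the filesystem-tools domain on distro_redhat builds, and neither the commit message nor the hunk says why; it is the largest privilege change in this commit and needs an inline rationale. Suggest a comment above the ifdef such as `# fsadm_t runs unconfined on Red Hat: <reason / bug reference>` with the real justification filled in, so a later reviewer can judge whether the exemption can be narrowed back to specific interfaces. The optional_policy wrapper means the rule only applies when the unconfined module is loaded; that dependency is worth stating in the same comment.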
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index bb3b6a1..d65ef1e 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -16,6 +16,8 @@
 /usr/lib(64)?/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/lib(64)?/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 
+/usr/libexec/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/libexec/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
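Review bot: The new `_plutoload` entry has a stray space before the tab separator (`-- ` then tab), unlike the surrounding lines, and the `/usr/sbin/ipsec` entry in the next hunk has the same mix. It is harmless to the compiler but shows up as whitespace noise in every later diff, so align both with the rest of the table: `/usr/libexec/ipsec/_plutoload	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)`.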
@@ -26,6 +28,7 @@
 /usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 
+/usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
 
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index bc981b7..fc874de 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -55,11 +55,12 @@ role system_r types setkey_t;
 
 allow ipsec_t self:capability { net_admin dac_override dac_read_search };
 dontaudit ipsec_t self:capability sys_tty_config;
-allow ipsec_t self:process signal;
-allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
+allow ipsec_t self:process { signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
-allow ipsec_t self:key_socket { create write read setopt };
-allow ipsec_t self:fifo_file read_file_perms;
+allow ipsec_t self:udp_socket create_socket_perms;
+allow ipsec_t self:key_socket create_socket_perms;
+allow ipsec_t self:fifo_file read_fifo_file_perms;
+allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
 
 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
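Review bot: The deletion of `allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;` is unrelated to the new udp/xfrm/setsched grants and is not explained; if the daemon still reads the routing table this will come back as a fresh denial rather than being a cleanup. Either keep the line or note in the hunk why it is no longer needed. The new `allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };` is what lets ipsec_t modify kernel SA/SPD state directly, so a one-line comment above it, `# pluto installs SAs and policies via xfrm netlink`, would make the intent clear given that racoon_t and setkey_t use key_socket for the same job.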
@@ -102,8 +103,11 @@ corenet_tcp_sendrecv_all_nodes(ipsec_t)
 corenet_raw_sendrecv_all_nodes(ipsec_t)
 corenet_tcp_sendrecv_all_ports(ipsec_t)
 corenet_tcp_bind_all_nodes(ipsec_t)
+corenet_udp_bind_all_nodes(ipsec_t)
 corenet_tcp_bind_reserved_port(ipsec_t)
 corenet_tcp_bind_isakmp_port(ipsec_t)
+corenet_udp_bind_isakmp_port(ipsec_t)
+corenet_udp_bind_ipsecnat_port(ipsec_t)
 corenet_sendrecv_generic_server_packets(ipsec_t)
 corenet_sendrecv_isakmp_server_packets(ipsec_t)
 
@@ -127,20 +131,16 @@ files_read_etc_files(ipsec_t)
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
 
+auth_use_nsswitch(ipsec_t)
+
 logging_send_syslog_msg(ipsec_t)
 
 miscfiles_read_localization(ipsec_t)
 
-sysnet_read_config(ipsec_t)
-
 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
 userdom_dontaudit_search_user_home_dirs(ipsec_t)
 
 optional_policy(`
-	nis_use_ypbind(ipsec_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(ipsec_t)
 ')
 
@@ -156,9 +156,9 @@ optional_policy(`
 allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
 allow ipsec_mgmt_t self:process { signal setrlimit };
 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
-allow ipsec_mgmt_t self:tcp_socket create_socket_perms;
+allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-allow ipsec_mgmt_t self:key_socket { create setopt };
+allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_file_perms;
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
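Review bot: `allow ipsec_mgmt_t self:key_socket create_socket_perms;` replaces an explicit `{ create setopt }` with the full macro, which also brings in read/write/bind/connect/ioctl and the other rw socket permissions; the same widening is done for ipsec_t in the first ipsec.te hunk and for racoon_t and setkey_t in the later ones. If specific denials motivated the change, listing the missing permissions (for example `{ create read write setopt }`, which racoon_t and setkey_t already had) keeps least privilege; if the macro is intended, a short comment on why these PF_KEY sockets need the full set would help. The tcp_socket change to `create_stream_socket_perms` on the line above likewise adds listen/accept to a management tool and deserves the same justification.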
@@ -222,6 +222,7 @@ term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
 # the ipsec wrapper wants to run /usr/bin/logger (should we put
 # it in its own domain?)
 corecmd_exec_bin(ipsec_mgmt_t)
+corecmd_exec_shell(ipsec_mgmt_t)
 
 domain_use_interactive_fds(ipsec_mgmt_t)
 # denials when ps tries to search /proc. Do not audit these denials.
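Review bot: The existing comment above `corecmd_exec_bin(ipsec_mgmt_t)` only explains the logger call, but the new `corecmd_exec_shell(ipsec_mgmt_t)` together with the `_plutoload`/`_plutorun` labels added in ipsec.fc means the wrapper script set now runs in ipsec_mgmt_t and needs a shell; the comment should say so. Suggested replacement for the two comment lines: `# the ipsec wrapper and its _plutoload/_plutorun helpers are shell scripts that also run /usr/bin/logger (should they get their own domain?)`. The open question about a separate domain in the old comment still applies and is worth keeping.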
@@ -241,6 +242,8 @@ init_use_script_ptys(ipsec_mgmt_t)
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 
+logging_send_syslog_msg(ipsec_mgmt_t)
+
 miscfiles_read_localization(ipsec_mgmt_t)
 
 modutils_domtrans_insmod(ipsec_mgmt_t)
@@ -276,7 +279,7 @@ allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
-allow racoon_t self:key_socket { create read setopt write };
+allow racoon_t self:key_socket create_socket_perms;
 
 # manage pid file
 manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
@@ -295,6 +298,10 @@ kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 
 corenet_all_recvfrom_unlabeled(racoon_t)
+corenet_tcp_sendrecv_all_if(racoon_t)
+corenet_udp_sendrecv_all_if(racoon_t)
+corenet_tcp_sendrecv_all_nodes(racoon_t)
+corenet_udp_sendrecv_all_nodes(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
 corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
@@ -312,6 +319,8 @@ selinux_compute_access_vector(racoon_t)
 
 ipsec_setcontext_default_spd(racoon_t)
 
+auth_use_nsswitch(racoon_t)
+
 locallogin_use_fds(racoon_t)
 
 logging_send_syslog_msg(racoon_t)
@@ -325,7 +334,7 @@ miscfiles_read_localization(racoon_t)
 #
 
 allow setkey_t self:capability net_admin;
-allow setkey_t self:key_socket { create read setopt write };
+allow setkey_t self:key_socket create_socket_perms;
 allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
 
 allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index f715d71..cc04d8d 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,4 +1,3 @@
-
 /sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -6,3 +5,5 @@
 /usr/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/var/lib/shorewall(/.*)? --	gen_context(system_u:object_r:iptables_var_run_t,s0)
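Review bot: `/var/lib/shorewall(/.*)?` is labeled `iptables_var_run_t`, a type declared with `files_pid_file` (visible in the iptables.te hunk header), but /var/lib holds persistent state rather than runtime pid data; the name will mislead anyone auditing the policy, and interfaces that act on every pidfile type will now reach shorewall's state as well. A dedicated `iptables_var_lib_t` declared with `files_type` and given its own manage rules would be cleaner; if reusing the pid type is a deliberate shortcut, say so in a comment on the fc line.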
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 180fb0a..f44ef6a 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -22,12 +22,12 @@ files_pid_file(iptables_var_run_t)
 # Iptables local policy
 #
 
-allow iptables_t self:capability { net_admin net_raw };
+allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
 dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t self:rawip_socket create_socket_perms;
 
-allow iptables_t iptables_var_run_t:dir rw_dir_perms;
+manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
 files_pid_filetrans(iptables_t,iptables_var_run_t,file)
 
 can_exec(iptables_t,iptables_exec_t)
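Review bot: `dac_override` is added to iptables_t alongside `dac_read_search`; if the new need is only to traverse and read root-owned restricted directories such as the newly labeled /var/lib/shorewall, `dac_read_search` is sufficient and `dac_override`, which also bypasses DAC for writes, should be left out. The commit does not say which denial prompted each capability, so either drop `dac_override` or add a comment naming the operation that needs it. The switch from `allow iptables_t iptables_var_run_t:dir rw_dir_perms;` to `manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)` keeps the directory permissions and adds full file management, which matches the new shorewall fc entry.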

