[selinux-policy: 2124/3172] trunk: 6 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:08:28 UTC 2010


commit a65fd90a504474c392bdc3cb391bde57f94498b1
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jun 11 15:00:48 2009 +0000

    trunk: 6 patches from dan.

 policy/modules/admin/netutils.te        |    8 ++-
 policy/modules/kernel/corecommands.fc   |   13 +++++
 policy/modules/kernel/corecommands.te   |    2 +-
 policy/modules/kernel/corenetwork.if.in |   36 +++++++++++++
 policy/modules/kernel/corenetwork.te.in |    2 +-
 policy/modules/kernel/domain.if         |    3 +-
 policy/modules/kernel/domain.te         |    4 +-
 policy/modules/kernel/files.fc          |    1 +
 policy/modules/kernel/files.if          |   86 ++++++++++++++++++++++++++++++-
 policy/modules/kernel/files.te          |    4 +-
 policy/modules/kernel/kernel.if         |   47 ++++++++++++++++-
 policy/modules/kernel/kernel.te         |    9 +++-
 policy/modules/services/nagios.if       |   20 +++++++
 policy/modules/services/nagios.te       |    2 +-
 14 files changed, 221 insertions(+), 16 deletions(-)
---
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 1c753fa..7cd5112 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
 
-policy_module(netutils, 1.8.3)
+policy_module(netutils, 1.8.4)
 
 ########################################
 #
@@ -50,7 +50,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 
 kernel_search_proc(netutils_t)
-kernel_read_sysctl(netutils_t)
+kernel_read_all_sysctls(netutils_t)
 
 corenet_all_recvfrom_unlabeled(netutils_t)
 corenet_all_recvfrom_netlabel(netutils_t)
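Review bot: Replacing `kernel_read_sysctl(netutils_t)` with `kernel_read_all_sysctls(netutils_t)` widens netutils_t from the generic sysctl tree to every sysctl type, and neither the commit message nor a comment says which sysctl the tools actually needed. This same commit also makes `kernel_read_sysctl` grant `read_files_pattern` on sysctl_t (it previously only listed directories), so the original call may now suffice if the denial was on a generic /proc/sys file. If a specific subtree is required, the narrower `kernel_read_*_sysctls` interface for that subtree, with a one-line comment naming the tool that needs it, would keep the grant least-privilege; otherwise keep `kernel_read_sysctl(netutils_t)`.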
@@ -140,6 +140,10 @@ userdom_use_user_terminals(ping_t)
 
 ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
+
+	optional_policy(`
+		nagios_dontaudit_rw_pipes(ping_t)
+	')
 ')
 
 tunable_policy(`user_ping',`
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 7e551dc..07d0a84 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -7,6 +7,7 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -32,6 +33,8 @@ ifdef(`distro_redhat',`
 #
 # /etc
 #
+/etc/acpi/actions(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
 /etc/apcupsd/apccontrol		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/apcupsd/changeme		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/apcupsd/commfailure	--	gen_context(system_u:object_r:bin_t,s0)
@@ -67,6 +70,8 @@ ifdef(`distro_redhat',`
 /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
 
+/etc/racoon/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
@@ -140,6 +145,7 @@ ifdef(`distro_gentoo',`
 /usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -209,7 +215,14 @@ ifdef(`distro_gentoo',`
 /usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/Modules/init(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath	--      gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)?	        gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-shell(/.*)?        gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)?        gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
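Review bot: The new shorewall entries pad the context column with spaces (and L108 mixes a trailing space with a tab, L102 has a space before the tab after `--`), while the surrounding lines in this file separate fields with tabs only. The fields are whitespace-separated so labeling is unaffected, but the column alignment the file relies on for readability is broken. Re-indent the five shorewall lines and the PackageKit line with tabs to match `/usr/share/turboprint/lib(/.*)?	--	gen_context(...)` directly below.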
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index e6feeb6..0fcd718 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
 
-policy_module(corecommands, 1.11.1)
+policy_module(corecommands, 1.11.2)
 
 ########################################
 #
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index bb46175..c87c9ec 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1612,6 +1612,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
 
 ########################################
 ## <summary>
+##	Connect TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_unreserved_ports',`
+	gen_require(`
+		attribute port_type, reserved_port_type;
+	')
+
+	allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to connect TCP sockets
 ##	all reserved ports.
 ## </summary>
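Review bot: The summary of `corenet_tcp_connect_all_unreserved_ports` says "all ports > 1024", but the rule is `{ port_type -reserved_port_type }`, so the set is every declared port type that does not carry reserved_port_type — which includes each named service port type above the reserved range, not just unreserved_port_t, and the boundary is wherever reserved_port_type stops (1024 if the usual convention is followed, in which case ">= 1024" would be the accurate figure). Callers reading "unreserved" may expect the generic type only. Suggest `##	Connect TCP sockets to all port types that are not reserved ports (every port_type except reserved_port_type).` so the breadth of the grant is visible from the documentation.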
@@ -1687,6 +1705,24 @@ interface(`corenet_rw_tun_tap_dev',`
 
 ########################################
 ## <summary>
+##	Getattr the point-to-point device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_getattr_ppp_dev',`
+	gen_require(`
+		type ppp_device_t;
+	')
+
+	allow $1 ppp_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
 ##	Read and write the point-to-point device.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 78e96ba..7e624f8 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.11.7)
+policy_module(corenetwork, 1.11.8)
 
 ########################################
 #
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 7316b09..5667bcc 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -525,7 +525,7 @@ interface(`domain_search_all_domains_state',`
 	')
 
 	kernel_search_proc($1)
-	allow $1 domain:dir search;
+	allow $1 domain:dir search_dir_perms;
 ')
 
 ########################################
@@ -629,6 +629,7 @@ interface(`domain_read_confined_domains_state',`
 
 	dontaudit $1 unconfined_domain_type:dir search_dir_perms;
 	dontaudit $1 unconfined_domain_type:file read_file_perms;
+	dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 2546240..ecd8e56 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
 
-policy_module(domain, 1.6.0)
+policy_module(domain, 1.6.1)
 
 ########################################
 #
@@ -145,7 +145,7 @@ allow unconfined_domain_type domain:msg { send receive };
 
 # For /proc/pid
 allow unconfined_domain_type domain:dir list_dir_perms;
-allow unconfined_domain_type domain:file read_file_perms;
+allow unconfined_domain_type domain:file rw_file_perms;
 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 
 # act on all domains keys
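Review bot: Changing `allow unconfined_domain_type domain:file read_file_perms;` to `rw_file_perms` lets every unconfined domain write to the per-process /proc/pid files of every domain, and the only explanation left is the pre-existing `# For /proc/pid` comment, which no longer says why write is needed. Since these files carry the target's domain type, write access covers whatever writable entries the kernel exposes under /proc/pid (presumably things like oom or comm settings — confirm which one motivated this). Replace the comment with one that records the reason, e.g. `# For /proc/pid; write is needed for <ENTRY> (see <BUG-ID>)` with the placeholders filled in, so a later audit can tell an intentional grant from an accidental one.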
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 61aa432..30cfa49 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -5,6 +5,7 @@
 /.*				gen_context(system_u:object_r:default_t,s0)
 /			-d	gen_context(system_u:object_r:root_t,s0)
 /\.journal			<<none>>
+/afs			-d	gen_context(system_u:object_r:mnt_t,s0)
 /initrd\.img.*		-l	gen_context(system_u:object_r:boot_t,s0)
 /vmlinuz.*		-l	gen_context(system_u:object_r:boot_t,s0)
 
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 282a1cf..d76b28b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -928,6 +928,8 @@ interface(`files_relabel_all_files',`
 	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+	# this is only relabelfrom since there should be no
+	# device nodes with file types.
 	relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
 
@@ -1096,6 +1098,24 @@ interface(`files_relabelto_all_file_type_fs',`
 
 ########################################
 ## <summary>
+##	Relabel a filesystem to the type of a file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_file_type_fs',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:filesystem { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##	Mount all filesystems with the type of a file.
 ## </summary>
 ## <param name="domain">
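Review bot: The summary "Relabel a filesystem to the type of a file" describes only half of what `files_relabel_all_file_type_fs` grants, since the rule is `allow $1 file_type:filesystem { relabelfrom relabelto };` — both directions. The existing `files_relabelto_all_file_type_fs` above it covers the one-way case, so the summary should make the difference between the two interfaces obvious. Suggest `##	Relabel filesystems to and from all file types.`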
@@ -2307,6 +2327,25 @@ interface(`files_rw_isid_type_dirs',`
 
 ########################################
 ## <summary>
+##	Delete directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_isid_type_dirs',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_dirs_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete directories
 ##	on new filesystems that have not yet been labeled.
 ## </summary>
@@ -2364,6 +2403,25 @@ interface(`files_read_isid_type_files',`
 
 ########################################
 ## <summary>
+##	Delete files on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_isid_type_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete files
 ##	on new filesystems that have not yet been labeled.
 ## </summary>
@@ -2820,6 +2878,7 @@ interface(`files_search_kernel_modules',`
 	')
 
 	allow $1 modules_object_t:dir search_dir_perms;
+	read_lnk_files_pattern($1, modules_object_t, modules_object_t)
 ')
 
 ########################################
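Review bot: `files_search_kernel_modules` now also grants `read_lnk_files_pattern($1, modules_object_t, modules_object_t)`, so it reads symlinks in the modules tree in addition to searching directories, which is more than its name and (presumably) its summary describe; the interface header is outside this hunk. Either the summary should be extended to mention following symlinks, or the symlink read belongs in a separate read-oriented interface so that callers wanting only directory search do not pick up file content access. At minimum add `# follow symlinks in the modules tree (e.g. /lib/modules/<ver>/build)` above the new line so the extra grant is intentional rather than incidental.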
@@ -3546,7 +3605,7 @@ interface(`files_delete_usr_dirs',`
 		type usr_t;
 	')
 
-	allow $1 usr_t:file delete_dir_perms;
+	delete_dirs_pattern($1, usr_t, usr_t)
 ')
 
 ########################################
@@ -4413,6 +4472,28 @@ interface(`files_read_all_locks',`
 
 ########################################
 ## <summary>
+##	manage all lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_all_locks',`
+	gen_require(`
+		attribute lockfile;
+		type var_t, var_lock_t;
+	')
+
+	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+	manage_dirs_pattern($1, lockfile, lockfile)
+	manage_files_pattern($1, lockfile, lockfile)
+	manage_lnk_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
 ##	Create an object in the locks directory, with a private
 ##	type using a type transition.
 ## </summary>
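Review bot: The summary of `files_manage_all_locks` is lowercase and terse ("manage all lock files.") while every neighbouring interface in this file starts with a capitalised verb phrase; suggest `##	Create, read, write, and delete all lock files and directories.` to match `files_read_all_locks` above it and to mention the dir and lnk_file grants the body also makes. The body also hand-writes `allow $1 { var_t var_lock_t }:dir search_dir_perms;` where the rest of the file expresses directory traversal through the `*_pattern` helpers; if the file has a search-dirs pattern available, using it here would keep the style uniform.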
@@ -4532,7 +4613,8 @@ interface(`files_read_generic_pids',`
 		type var_t, var_run_t;
 	')
 
-	read_files_pattern($1, { var_t var_run_t }, var_run_t)
+	list_dirs_pattern($1, var_t, var_run_t)
+	read_files_pattern($1, var_run_t, var_run_t)
 ')
 
 ########################################
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 13f52cf..498e39a 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
 
-policy_module(files, 1.11.0)
+policy_module(files, 1.11.1)
 
 ########################################
 #
@@ -199,7 +199,7 @@ fs_associate_ramfs(file_type)
 # Rules for all tmp file types
 #
 
-allow tmpfile tmp_t:filesystem associate;
+allow file_type tmp_t:filesystem associate;
 
 fs_associate_tmpfs(tmpfile)
 
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 1879be0..d6ec546 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -157,7 +157,7 @@ interface(`kernel_signal',`
 		type kernel_t;
 	')
 
-	allow kernel_t $1:process signal;
+	allow $1 kernel_t:process signal;
 ')
 
 ########################################
@@ -817,7 +817,7 @@ interface(`kernel_dontaudit_read_system_state',`
 		type proc_t;
 	')
 
-	dontaudit $1 proc_t:file { getattr read };
+	dontaudit $1 proc_t:file read_file_perms;
 ')
 
 ########################################
@@ -1183,6 +1183,25 @@ interface(`kernel_write_xen_state',`
 
 ########################################
 ## <summary>
+##	Allow attempts to list all proc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_list_all_proc',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	allow $1 proc_type:dir list_dir_perms;
+	allow $1 proc_type:file getattr;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to list all proc directories.
 ## </summary>
 ## <param name="domain">
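Review bot: The param description of `kernel_list_all_proc` reads "Domain to not audit." although the interface issues `allow` rules, not `dontaudit` — this looks copied from `kernel_dontaudit_list_all_proc` below it. Change it to `##	Domain allowed access.` and the summary to `##	List all proc directories.` so the documentation matches the allow semantics and the wording of the other allow interfaces in this file.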
@@ -1197,6 +1216,7 @@ interface(`kernel_dontaudit_list_all_proc',`
 	')
 
 	dontaudit $1 proc_type:dir list_dir_perms;
+	dontaudit $1 proc_type:file getattr;
 ')
 
 ########################################
@@ -1232,10 +1252,11 @@ interface(`kernel_dontaudit_search_sysctl',`
 #
 interface(`kernel_read_sysctl',`
 	gen_require(`
-		type sysctl_t;
+		type sysctl_t, proc_t;
 	')
 
 	list_dirs_pattern($1, proc_t, sysctl_t)
+	read_files_pattern($1, sysctl_t, sysctl_t)
 ')
 
 ########################################
@@ -1568,6 +1589,25 @@ interface(`kernel_dontaudit_search_kernel_sysctl',`
 
 ########################################
 ## <summary>
+##	Read generic crypto sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_crypto_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_crypto_t;
+	')
+
+	read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
+	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
+')
+
+########################################
+## <summary>
 ##	Read generic kernel sysctls.
 ## </summary>
 ## <param name="domain">
@@ -1767,6 +1807,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 	')
 
 	dontaudit $1 sysctl_type:dir list_dir_perms;
+	dontaudit $1 sysctl_type:file getattr;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d3d685a..4fa91a3 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel, 1.10.3)
+policy_module(kernel, 1.10.4)
 
 ########################################
 #
@@ -100,6 +100,7 @@ type proc_net_t, proc_type;
 genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
 
 type proc_xen_t, proc_type;
+files_mountpoint(proc_xen_t)
 genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
 
 #
@@ -120,6 +121,10 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
 type sysctl_rpc_t, sysctl_type;
 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
 
+# /proc/sys/crypto directory and files
+type sysctl_crypto_t, sysctl_type;
+genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
+
 # /proc/sys/fs directory and files
 type sysctl_fs_t, sysctl_type;
 files_mountpoint(sysctl_fs_t)
@@ -198,6 +203,8 @@ allow kernel_t self:fifo_file rw_fifo_file_perms;
 allow kernel_t self:sock_file read_sock_file_perms;
 allow kernel_t self:fd use;
 
+allow kernel_t debugfs_t:dir search_dir_perms;
+
 allow kernel_t proc_t:dir list_dir_perms;
 allow kernel_t proc_t:file read_file_perms;
 allow kernel_t proc_t:lnk_file read_lnk_file_perms;
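Review bot: `allow kernel_t debugfs_t:dir search_dir_perms;` references debugfs_t directly; if that type is declared in the filesystem module rather than here, the rest of this file reaches other modules' types through their interfaces, and a raw reference bypasses that convention and hides the dependency. If the filesystem module provides a debugfs search interface, call it in the `fs_*` block instead; if not, at least add `# searched by the kernel when debugfs is mounted` above the rule so the reason is recorded.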
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index c76ba8b..82691c0 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@@ -2,6 +2,26 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read or write nagios
+##	unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_dontaudit_rw_pipes',`
+	gen_require(`
+		type nagios_t;
+	')
+
+	dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to read
 ##	nagios configuration files.
 ## </summary>
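Review bot: `nagios_dontaudit_rw_pipes` carries a `<rolecap/>` tag, which marks an interface as a capability to be exposed to user roles; a dontaudit interface grants nothing, so the tag looks copied from a neighbouring interface and would put this interface in the wrong place in generated documentation. Drop the `## <rolecap/>` line.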
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index e872fe5..0828a9c 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -1,5 +1,5 @@
 
-policy_module(nagios, 1.7.1)
+policy_module(nagios, 1.7.2)
 
 ########################################
 #

