[selinux-policy: 2839/3172] More fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:12:44 UTC 2010


commit c71f02c02d1c86988c429e213cb7ba943b3b40a4
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Aug 30 11:15:53 2010 -0400

    More fixes

 policy/modules/admin/consoletype.te  |    6 +-----
 policy/modules/admin/tzdata.te       |    2 +-
 policy/modules/apps/gnome.if         |   19 +++++++++++++++++++
 policy/modules/apps/wine.if          |   22 ++++++++++++++++++++--
 policy/modules/kernel/files.if       |   18 ++++++++++++++++++
 policy/modules/kernel/filesystem.te  |    1 +
 policy/modules/services/apm.te       |   14 +++++++++-----
 policy/modules/services/cups.if      |    5 +++++
 policy/modules/services/devicekit.te |    4 ++++
 policy/modules/services/hal.if       |   27 +++++++++++++++++++++++++--
 policy/modules/services/rpcbind.te   |    2 ++
 policy/modules/services/xserver.te   |    4 ++++
 policy/modules/system/libraries.te   |    4 ++++
 policy/modules/system/modutils.te    |    1 +
 policy/modules/system/selinuxutil.if |    4 ++++
 policy/modules/system/udev.te        |    1 +
 16 files changed, 119 insertions(+), 15 deletions(-)
---
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index ce00934..a370656 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -81,11 +81,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	hal_dontaudit_use_fds(consoletype_t)
-	hal_dontaudit_rw_pipes(consoletype_t)
-	hal_dontaudit_rw_dgram_sockets(consoletype_t)
-	hal_dontaudit_write_log(consoletype_t)
-	hal_dontaudit_read_pid_files(consoletype_t)
+	hal_dontaudit_leaks(consoletype_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
index aa9636d..7851643 100644
--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
 # tzdata local policy
 #
 
-files_read_etc_files(tzdata_t)
+files_read_config_files(tzdata_t)
 files_search_spool(tzdata_t)
 
 fs_getattr_xattr_fs(tzdata_t)
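Review bot: Swapping `files_read_etc_files(tzdata_t)` for `files_read_config_files(tzdata_t)` widens tzdata's read access from the single `etc_t` type to every type carrying the `configfile` attribute, which is a least-privilege regression unless tzdata genuinely needs other daemons' configuration. If the denial came from one specific file under /etc that carries a dedicated label, the narrower fix is that type's own read interface; otherwise a comment naming the file would justify the broad grant, e.g. `# reads /etc/localtime and zoneinfo config — TODO confirm which labeled file triggered this`.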
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 92ab0c3..ffd9870 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -200,6 +200,25 @@ interface(`gnome_setattr_cache_home_dir',`
 
 ########################################
 ## <summary>
+##	append to generic cache home files (.cache)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_append_generic_cache_files',`
+	gen_require(`
+		type cache_home_t;
+	')
+
+	append_files_pattern($1, cache_home_t, cache_home_t)
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
 ##	write to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 9cbfded..62e455a 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -48,8 +48,7 @@ template(`wine_role',`
 	allow $2 wine_t:process signal_perms;
 
 	allow $2 wine_t:fd use;
-	allow $2 wine_t:shm { associate getattr };
-	allow $2 wine_t:shm { unix_read unix_write };
+	allow $2 wine_t:shm { associate getattr  unix_read unix_write };
 	allow $2 wine_t:unix_stream_socket connectto;
 
 	# X access, Home files
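Review bot: The merged `shm` permission set has a double space between `getattr` and `unix_read`; write it `allow $2 wine_t:shm { associate getattr unix_read unix_write };` to match the single-space style of the surrounding rules. The rest of `wine_role` lies outside the hunk.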
@@ -165,3 +164,22 @@ interface(`wine_run',`
 	wine_domtrans($1)
 	role $2 types wine_t;
 ')
+
+########################################
+## <summary>
+##	Read and write wine Shared
+##	memory segments.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wine_rw_shm',`
+	gen_require(`
+		type wine_t;
+	')
+
+	allow $1 wine_t:shm rw_shm_perms;
+')
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 73e4119..96a406d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4935,6 +4935,24 @@ interface(`files_read_var_files',`
 
 ########################################
 ## <summary>
+##	Append files in the /var directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_append_var_files',`
+	gen_require(`
+		type var_t;
+	')
+
+	append_files_pattern($1, var_t, var_t)
+')
+
+########################################
+## <summary>
 ##	Read and write files in the /var directory.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 712e644..3561f03 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -72,6 +72,7 @@ type cgroup_t alias cgroupfs_t;
 fs_type(cgroup_t)
 files_type(cgroup_t)
 files_mountpoint(cgroup_t)
+dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;
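Review bot: `dev_associate_sysfs(cgroup_t)` is a cross-filesystem association with no comment saying why cgroup-labeled objects need to live on sysfs, so a later reader may drop it as a stray rule. A one-liner above it would help, e.g. `# cgroup hierarchies are mounted under /sys/fs/cgroup, so cgroup_t must associate with sysfs — TODO confirm mount point`.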
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 1a44ccb..c6832b0 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -144,21 +144,25 @@ ifdef(`distro_redhat',`
 
 	can_exec(apmd_t, apmd_var_run_t)
 
-	# ifconfig_exec_t needs to be run in its own domain for Red Hat
 	optional_policy(`
-		sssd_search_lib(apmd_t)
+		fstools_domtrans(apmd_t)
 	')
 
 	optional_policy(`
-		sysnet_domtrans_ifconfig(apmd_t)
+		iptables_domtrans(apmd_t)
 	')
 
 	optional_policy(`
-		iptables_domtrans(apmd_t)
+		netutils_domtrans(apmd_t)
 	')
 
+	# ifconfig_exec_t needs to be run in its own domain for Red Hat
 	optional_policy(`
-		netutils_domtrans(apmd_t)
+		sssd_search_lib(apmd_t)
+	')
+
+	optional_policy(`
+		sysnet_domtrans_ifconfig(apmd_t)
 	')
 
 ',`
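Review bot: Reordering the optional_policy blocks alphabetically moved the comment `# ifconfig_exec_t needs to be run in its own domain for Red Hat` onto the `sssd_search_lib(apmd_t)` block, where it no longer describes the rule beneath it. It belongs directly above the `optional_policy` block holding `sysnet_domtrans_ifconfig(apmd_t)` at the end of the hunk.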
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 2c2a551..fb3454a 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
 interface(`cups_read_config',`
 	gen_require(`
 		type cupsd_etc_t, cupsd_rw_etc_t;
+		type hplip_etc_t;
 	')
 
 	files_search_etc($1)
 	read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+	read_files_pattern($1, hplip_etc_t, hplip_etc_t)
 	read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
 ')
 
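Review bot: Adding `read_files_pattern($1, hplip_etc_t, hplip_etc_t)` to `cups_read_config` silently widens every existing caller of this interface to read HPLIP's configuration as well, and the interface summary (above this hunk) still describes only cups configuration. If a single caller needs it, a separate `hplip_read_config` interface keeps the grant scoped; otherwise update the summary to state that the interface covers both cups and hplip configuration.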
@@ -319,6 +321,7 @@ interface(`cups_admin',`
 		type cupsd_var_run_t, ptal_etc_t;
 		type ptal_var_run_t, hplip_var_run_t;
 		type cupsd_initrc_exec_t;
+		type hplip_etc_t;
 	')
 
 	allow $1 cupsd_t:process { ptrace signal_perms };
@@ -347,6 +350,8 @@ interface(`cups_admin',`
 	admin_pattern($1, cupsd_var_run_t)
 	files_list_pids($1)
 
+	admin_pattern($1, hplip_etc_t)
+
 	admin_pattern($1, hplip_var_run_t)
 
 	admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 1e554a9..ccacea9 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -205,6 +205,10 @@ allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
 
+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
+
 manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
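Review bot: The new block makes `devicekit_power_t` a full manager of `devicekit_tmp_t` with a `{ file dir }` transition, but nothing says what the power daemon creates in /tmp; if `devicekit_tmp_t` is shared with the other devicekit domains (its declaration is outside this hunk), this also lets the power and disk daemons read and modify each other's temporary files. A one-line comment naming the files, and a dedicated `devicekit_power_tmp_t` if sharing is not intended, would make the intent reviewable.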
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index d01cab6..52ea89b 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -391,8 +391,7 @@ interface(`hal_dontaudit_read_pid_files',`
 		type hald_var_run_t;
 	')
 
-	files_search_pids($1)
-	allow $1 hald_var_run_t:file read_inherited_file_perms;
+	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 ')
 
 ########################################
@@ -451,3 +450,27 @@ interface(`hal_manage_pid_files',`
 	files_search_pids($1)
 	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
 ')
+
+########################################
+## <summary>
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_dontaudit_leaks',`
+	gen_require(`
+		type hald_log_t;
+		type hald_t;
+		type hald_var_run_t;
+	')
+
+	dontaudit $1 hald_t:fd use; 
+	dontaudit $1 hald_log_t:file rw_inherited_files_perms;
+	dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; 
+	dontaudit hald_t $1:socket_class_set { read write };
+	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index af3353c..9cb5e25 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -43,6 +43,8 @@ kernel_read_system_state(rpcbind_t)
 kernel_read_network_state(rpcbind_t)
 kernel_request_load_module(rpcbind_t)
 
+corecmd_exec_shell(rpcbind_t)
+
 corenet_all_recvfrom_unlabeled(rpcbind_t)
 corenet_all_recvfrom_netlabel(rpcbind_t)
 corenet_tcp_sendrecv_generic_if(rpcbind_t)
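Review bot: `corecmd_exec_shell(rpcbind_t)` lets a network-facing daemon execute /bin/sh in its own domain with no comment on what script it runs, which materially widens what a compromised rpcbind can do. Please record the trigger, e.g. `# rpcbind invokes a helper script via the shell — TODO confirm which`, and if it is a single known script consider a dedicated exec type with a domain transition instead of general shell access.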
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 288d513..60da940 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1106,6 +1106,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	wine_rw_shm(xserver_t)
+')
+
+optional_policy(`
 	xfs_stream_connect(xserver_t)
 ')
 
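Review bot: `wine_rw_shm(xserver_t)` gives the X server read and write access to every `wine_t` SysV shared-memory segment without a comment naming the denial it fixes. A short justification would help the next reviewer, e.g. `# wine clients share MIT-SHM image segments with the X server — TODO confirm`, and if only part of `rw_shm_perms` is actually needed the narrower set is preferable.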
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 6f36eca..af2af2d 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -137,6 +137,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gnome_append_generic_cache_files(ldconfig_t)
+')
+
+optional_policy(`
 	puppet_rw_tmp(ldconfig_t)
 ')
 
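Review bot: `gnome_append_generic_cache_files(ldconfig_t)` lets the system-wide ldconfig append to arbitrary files under users' `~/.cache`, which is a surprising privilege for a library-cache tool and reads like a file descriptor leaked from a desktop parent process rather than a genuine need. If that is the case, a `dontaudit` of the inherited descriptor is the usual treatment rather than an `allow`; otherwise a comment naming the file ldconfig writes would justify the grant.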
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index a3b7b0d..f39f39f 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -63,6 +63,7 @@ files_read_etc_runtime_files(depmod_t)
 files_read_etc_files(depmod_t)
 files_read_usr_src_files(depmod_t)
 files_list_usr(depmod_t)
+files_append_var_files(depmod_t)
 files_read_boot_files(depmod_t)
 
 fs_getattr_xattr_fs(depmod_t)
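Review bot: `files_append_var_files(depmod_t)` grants append on every file carrying the generic `var_t` label, which is broad for depmod; if the denial came from one specific file under /var, that file should get its own label and depmod an interface scoped to it. At minimum a comment naming the file would help, e.g. `# depmod appends to /var/… — TODO confirm path`.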
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 3f27d1b..b0ee958 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -535,6 +535,10 @@ interface(`seutil_domtrans_setfiles',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
+
+	ifdef(`hide_broken_symptoms', `
+		dontaudit consoletype_t $1:socket_class_set { read write };
+	')
 ')
 
 ########################################
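Review bot: The added `dontaudit consoletype_t $1:socket_class_set { read write }` references `consoletype_t` inside `seutil_domtrans_setfiles`, but the interface's `gen_require` block lies above this hunk and, as far as visible, does not declare it; without `type consoletype_t;` in a `gen_require` the build will likely fail, and since consoletype is a separate optional module the rule should probably sit in an `optional_policy` block as well. The rule also uses a fixed subject rather than `$1`, which is unusual for a domtrans interface; confirm the intent is to silence consoletype_t using the caller's leaked sockets.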
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6581e4b..8451600 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -233,6 +233,7 @@ optional_policy(`
 
 optional_policy(`
 	cups_domtrans_config(udev_t)
+	cups_read_config(udev_t)
 ')
 
 optional_policy(`

