[selinux-policy: 2947/3172] Add the ability to send audit messages to confined admin policies Remove permissive domain from cmir

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:22:27 UTC 2010


commit 9461b606575dc43ac1b3d634b96ae22504e130a8
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Wed Sep 15 11:31:20 2010 -0400

    Add the ability to send audit messages to confined admin policies
    Remove permissive domain from cmirrord and dontaudit sys_tty_config
    Split out unconfined_domain() calls from other unconfined_ calls so we can disable unconfined.pp and leave unconfineduser
    virt needs to be able to read processes to clearance for MLS

 policy/modules/roles/dbadm.te       |    1 +
 policy/modules/roles/webadm.te      |    1 +
 policy/modules/services/cmirrord.te |    3 +--
 policy/modules/services/cron.te     |    7 +++++--
 policy/modules/services/tgtd.te     |    2 ++
 policy/modules/services/virt.te     |    1 +
 policy/modules/system/userdomain.fc |    1 +
 policy/modules/system/userdomain.if |    6 +++---
 8 files changed, 15 insertions(+), 7 deletions(-)
---
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 20d9333..e9c9277 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
 selinux_get_enforce_mode(dbadm_t)
 
 logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)
 
 userdom_dontaudit_search_user_home_dirs(dbadm_t)
 
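Review bot: The added `logging_send_audit_msgs(dbadm_t)` carries no comment saying which program run in the database admin role needs to write audit records, and the same applies to the identical `logging_send_audit_msgs(webadm_t)` line in webadm.te. As far as I recall from refpolicy's logging.if, this interface grants the audit_write capability plus nlmsg_relay on the netlink audit socket, so a confined admin domain gains the ability to submit user-space audit messages; that deserves a stated reason in the policy. I would put a line such as `# <tool> run from dbadm_t logs its events to the audit subsystem` above the call, with the real tool name in place of the placeholder.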
diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
index 0ecc786..dbf2710 100644
--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
 seutil_domtrans_setfiles(webadm_t)
 
 logging_send_syslog_msg(webadm_t)
+logging_send_audit_msgs(webadm_t)
 
 userdom_dontaudit_search_user_home_dirs(webadm_t)
 
diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
index 1e4adfa..bb7d429 100644
--- a/policy/modules/services/cmirrord.te
+++ b/policy/modules/services/cmirrord.te
@@ -9,8 +9,6 @@ type cmirrord_t;
 type cmirrord_exec_t;
 init_daemon_domain(cmirrord_t, cmirrord_exec_t)
 
-permissive cmirrord_t;
-
 type cmirrord_initrc_exec_t;
 init_script_file(cmirrord_initrc_exec_t)
 
@@ -26,6 +24,7 @@ files_pid_file(cmirrord_var_run_t)
 #
 
 allow cmirrord_t self:capability { net_admin kill };
+dontaudit cmirrord_t self:capability sys_tty_config;
 allow cmirrord_t self:process signal;
 
 allow cmirrord_t self:fifo_file rw_fifo_file_perms;
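Review bot: The new `dontaudit cmirrord_t self:capability sys_tty_config;` silences the denial without saying why cmirrord requests the capability, and it lands in the same commit that drops `permissive cmirrord_t;`, so the domain goes enforcing with one denial already hidden. A comment such as `# tty reconfiguration attempt at start-up is not needed; hide the denial` (wording to be confirmed against the actual AVC) would show the next maintainer that this was deliberate. When triaging cmirrord failures after this change, rebuild the policy with dontaudit rules disabled (`semodule -DB`) so the denial becomes visible again. The local policy section continues outside this hunk.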
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index c72dd92..ff1a1c9 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -579,10 +579,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_dbus_send(crond_t)
-	unconfined_shell_domtrans(crond_t)
 	unconfined_domain(crond_t)
 	unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+	unconfined_shell_domtrans(crond_t)
+	unconfined_dbus_send(crond_t)
 	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 ')
 
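Review bot: `userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, ...)` stays inside the second `optional_policy` block next to `unconfined_shell_domtrans(crond_t)` and `unconfined_dbus_send(crond_t)`, so the file-transition rule is still dropped whenever those unconfined interfaces cannot be resolved. An optional block is enabled or disabled as a whole, and the userdom call does not look like it depends on either unconfined module, so it may belong in a block of its own; please confirm against how the modules are actually split. A short comment above each block naming the module it is gated on (unconfined vs. unconfineduser, per the commit message) would also make the reason for the split visible in the file.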
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
index 108631e..678ab90 100644
--- a/policy/modules/services/tgtd.te
+++ b/policy/modules/services/tgtd.te
@@ -57,6 +57,8 @@ corenet_tcp_bind_generic_node(tgtd_t)
 corenet_tcp_bind_iscsi_port(tgtd_t)
 corenet_sendrecv_iscsi_server_packets(tgtd_t)
 
+dev_search_sysfs(tgtd_t)
+
 files_read_etc_files(tgtd_t)
 
 fs_read_anon_inodefs_files(tgtd_t)
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index f38e1ce..91a1d0a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -321,6 +321,7 @@ fs_rw_hugetlbfs_files(virtd_t)
 mls_fd_share_all_levels(virtd_t)
 mls_file_read_to_clearance(virtd_t)
 mls_file_write_to_clearance(virtd_t)
+mls_process_read_to_clearance(virtd_t)
 mls_process_write_to_clearance(virtd_t)
 mls_net_write_within_range(virtd_t)
 mls_socket_write_to_clearance(virtd_t)
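Review bot: `mls_process_read_to_clearance(virtd_t)` joins a run of MLS overrides with no comment on what virtd_t needs to read from processes at other levels. The commit message gives the reason ("virt needs to be able to read processes to clearance for MLS"), but the policy file does not, and MLS exemptions are the lines an auditor will want justified in place. A one-line comment above the call, for example `# virtd reads state of guest processes running at levels up to its clearance` (to be confirmed by the author), would cover it.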
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 4d34e8e..392d1ee 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -14,3 +14,4 @@ HOME_DIR/Music(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 HOME_DIR/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
 HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)
 HOME_DIR/\.gvfs(/.*)?	<<none>>
+HOME_DIR/\.debug(/.*)?	<<none>>
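Review bot: The new `HOME_DIR/\.debug(/.*)?	<<none>>` entry has no explanation, and `<<none>>` means restorecon and full relabels skip everything under ~/.debug, so files there keep whatever label they were created with. A one-line comment naming what writes to ~/.debug and why it must not be relabelled would help, e.g. `# <producer> cache: labels are set at creation and must survive a relabel`, with the placeholder filled in. Anyone auditing home-directory labels should also be aware that a mislabeled file under this path will not be corrected by a relabel.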
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c67c8e8..45882b2 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -123,6 +123,9 @@ template(`userdom_base_user_template',`
 	auth_use_nsswitch($1_usertype)
 
 	init_stream_connect($1_usertype)
+	# The library functions always try to open read-write first,
+	# then fall back to read-only if it fails. 
+	init_dontaudit_rw_utmp($1_usertype)
 
 	libs_exec_ld_so($1_usertype)
 
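Review bot: Moving `init_dontaudit_rw_utmp($1_usertype)` into `userdom_base_user_template` presumably widens the suppression from login users to every domain built on the base template, so read-write utmp attempts by those domains stop appearing in the audit log. The moved comment explains the open-read-write-then-fall-back behaviour but not why the wider set of user types needs it; adding that reason would make the broader scope reviewable. The second comment line also keeps its trailing space after `fails.`, which could be dropped while the lines are being moved. The template body starts and ends outside this hunk.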
@@ -886,9 +889,6 @@ template(`userdom_login_user_template', `
 	auth_dontaudit_write_login_records($1_t)
 	auth_rw_cache($1_t)
 
-	# The library functions always try to open read-write first,
-	# then fall back to read-only if it fails. 
-	init_dontaudit_rw_utmp($1_usertype)
 	# Stop warnings about access to /dev/console
 	init_dontaudit_use_fds($1_usertype)
 	init_dontaudit_use_script_fds($1_usertype)

