From 12cf805e1c57f1f0b83a4ba75cce345bf2019776 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Feb 05 2008 18:24:43 +0000
Subject: trunk: add basic ubuntu support
---
diff --git a/Makefile b/Makefile
index 9fc4080..1af6b9b 100644
--- a/Makefile
+++ b/Makefile
@@ -184,6 +184,10 @@ ifeq "$(DISTRO)" "rhel4"
 M4PARAM += -D distro_redhat
 endif
+ifeq "$(DISTRO)" "ubuntu"
+ M4PARAM += -D distro_debian
+endif
+
 ifneq ($(OUTPUT_POLICY),)
 CHECKPOLICY += -c $(OUTPUT_POLICY)
 endif
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 22fa094..e1a478c 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -507,9 +507,6 @@ template(`ssh_server_template', `
 userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
 userdom_search_all_users_home_dirs($1_t)
- # Allow checking users mail at login
- mta_getattr_spool($1_t)
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_read_nfs_files($1_t)
 ')
@@ -523,6 +520,11 @@ template(`ssh_server_template', `
 ')
 optional_policy(`
+ # Allow checking users mail at login
+ mta_getattr_spool($1_t)
+ ')
+
+ optional_policy(`
 nscd_socket_use($1_t)
 ')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 773e20f..b7b0f78 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -122,6 +128,12 @@ logging_send_syslog_msg(pam_t)
 userdom_use_unpriv_users_fds(pam_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(pam_t)
+ ')
+')
+
 optional_policy(`
 locallogin_use_fds(pam_t)
 ')
@@ -223,6 +229,12 @@ seutil_read_file_contexts(pam_console_t)
 userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(pam_console_t)
+ ')
+')
+
 optional_policy(`
 gpm_getattr_gpmctl(pam_console_t)
 gpm_setattr_gpmctl(pam_console_t)
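Review bot: The new `ubuntu` case only defines `distro_debian`, while every policy hunk in this commit keys on `ifdef(`distro_ubuntu',`; those blocks are live only if something outside this hunk (for instance a generic `M4PARAM += -D distro_$(DISTRO)` rule earlier in the Makefile) also defines `distro_ubuntu`. If that generic rule exists, the two-macro contract deserves a comment here, e.g. `# ubuntu also gets distro_ubuntu from the generic -D distro_$(DISTRO) above; it is a debian derivative, so define distro_debian too`. If it does not exist, this hunk needs `M4PARAM += -D distro_ubuntu` as well, otherwise every `ifdef(`distro_ubuntu'` in the rest of the commit is dead and the `ifndef` in init.te silently keeps the non-Ubuntu behaviour.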
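Review bot: `unconfined_domain(pam_t)` removes all confinement from the domain on Ubuntu, and the same five-line block is added to roughly two dozen system domains in this commit with no comment saying why it is needed or when it can go; if `unconfined_domain()` in this tree carries the usual `files_unconfined` and `selinux_unconfined` grants, each of those domains can read shadow, rewrite any file and load or disable policy on Ubuntu. The `optional_policy()` wrapper is right (the unconfined module is optional), but each block should at least carry `# Ubuntu: runs unconfined for bring-up; TODO document why and confine once the ubuntu-specific rules exist`, or the Ubuntu cases should be gathered behind one explained macro instead of an unexplained copy per domain. The pam_t policy this hunk sits in starts before the hunk.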
@@ -264,6 +276,12 @@ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
 userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
 userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(system_chkpwd_t)
+ ')
+')
+
 ########################################
 #
 # updpwd local policy
@@ -292,6 +310,12 @@ logging_send_syslog_msg(updpwd_t)
 miscfiles_read_localization(updpwd_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(updpwd_t)
+ ')
+')
+
 ########################################
 #
 # Utempter local policy
@@ -324,6 +348,12 @@ logging_search_logs(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_unpriv_users_tmp_files(utempter_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(utempter_t)
+ ')
+')
+
 optional_policy(`
 nscd_socket_use(utempter_t)
 ')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index e85dc48..ae1720e 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -114,6 +114,12 @@ ifdef(`distro_gentoo',`
 sysnet_dontaudit_read_config(getty_t)
 ')
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(getty_t)
+ ')
+')
+
 optional_policy(`
 mta_send_mail(getty_t)
 ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 266b1f6..e46e0b9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -163,6 +163,12 @@ ifdef(`distro_redhat',`
 fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
 ')
+ifndef(`distro_ubuntu',`
+ # Run the shell in the sysadm role for single-user mode.
+ # causes problems with upstart
+ userdom_shell_domtrans_sysadm(init_t)
+')
+
 optional_policy(`
 auth_rw_login_records(init_t)
 ')
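Review bot: utempter_t is the helper domain that ordinary user programs presumably enter to update utmp (the surrounding rules only let it write unprivileged users' tmp files and talk to nscd), so `unconfined_domain(utempter_t)` turns any bug in that helper into an unconfined process reachable from every user domain on Ubuntu, which is a privilege boundary the other unconfined daemons in this commit do not cross. Of the domains in this file, this is the one to keep confined and fix with specific rules instead. If it has to stay for bring-up, mark it: `# Ubuntu: unconfined -- utempter is entered from user domains, so this is a privilege boundary; TODO confine`.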
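Review bot: `userdom_shell_domtrans_sysadm(init_t)` is now called unconditionally inside the `ifndef`, whereas the version removed in the next hunk was wrapped in `optional_policy(``; that is only safe if the userdomain module is always part of the base policy for every build this file targets, otherwise the wrapper should be kept inside the `ifndef`. The comment also explains the non-Ubuntu branch but not what Ubuntu does instead: with the transition skipped, the single-user shell keeps init_t (which the following hunk's context shows can itself be `unconfined_domain(init_t)` when the unconfined module is present). Suggest `# on Ubuntu the single-user shell stays in init_t (upstart breaks on the sysadm transition)` so the effect is visible at the ifndef.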
@@ -175,11 +181,6 @@ optional_policy(`
 unconfined_domain(init_t)
 ')
-# Run the shell in the sysadm_t domain for single-user mode.
-optional_policy(`
- userdom_shell_domtrans_sysadm(init_t)
-')
-
 ########################################
 #
 # Init script local policy
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 0f800e6..a6bc400 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -80,6 +80,12 @@ logging_send_syslog_msg(ldconfig_t)
 userdom_use_all_users_fds(ldconfig_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(ldconfig_t)
+ ')
+')
+
 ifdef(`hide_broken_symptoms',`
 optional_policy(`
 unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 9bbd3d4..39ceb8d 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -138,6 +138,12 @@ userdom_use_unpriv_users_fds(local_login_t)
 userdom_sigchld_all_users(local_login_t)
 userdom_create_all_users_keys(local_login_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(local_login_t)
+ ')
+')
+
 tunable_policy(`read_default_t',`
 files_list_default(local_login_t)
 files_read_default_files(local_login_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 4eb97e9..5a81526 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -164,6 +164,12 @@ seutil_dontaudit_read_config(auditd_t)
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(auditd_t)
+ ')
+')
+
 optional_policy(`
 seutil_sigchld_newrole(auditd_t)
 ')
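Review bot: `unconfined_domain(auditd_t)` is the one grant in this file I would not accept even for bring-up: auditd is the domain that has to keep its log intact precisely when some other domain has been compromised, and if `unconfined_domain()` carries the usual `files_unconfined` grant then every other domain this commit unconfines on Ubuntu can also truncate or rewrite the audit log, so the audit trail stops being evidence. Prefer leaving auditd_t confined and adding the specific Ubuntu rules it needs; if it must stay, say what is lost: `# Ubuntu: auditd unconfined -- the audit log is no longer protected from the other unconfined domains; TODO confine`.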
@@ -220,6 +226,12 @@ mls_file_read_all_levels(klogd_t)
 userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(klogd_t)
+ ')
+')
+
 optional_policy(`
 udev_read_db(klogd_t)
 ')
@@ -357,6 +369,12 @@ ifdef(`distro_suse',`
 files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
 ')
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(syslogd_t)
+ ')
+')
+
 optional_policy(`
 inn_manage_log(syslogd_t)
 ')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 59767a9..53a0afc 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -112,6 +112,12 @@ miscfiles_read_localization(insmod_t)
 seutil_read_file_contexts(insmod_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(insmod_t)
+ ')
+')
+
 if( ! secure_mode_insmod ) {
 kernel_domtrans_to(insmod_t,insmod_exec_t)
 }
@@ -205,6 +211,12 @@ files_list_home(depmod_t)
 userdom_read_staff_home_content_files(depmod_t)
 userdom_read_sysadm_home_content_files(depmod_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(depmod_t)
+ ')
+')
+
 optional_policy(`
 # Read System.map from home directories.
 unconfined_read_home_content_files(depmod_t)
@@ -282,3 +294,9 @@ ifdef(`distro_gentoo',`
 consoletype_exec(update_modules_t)
 ')
 ')
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(update_modules_t)
+ ')
+')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 12070a0..de9e9f5 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -128,6 +128,12 @@ ifdef(`distro_redhat',`
 ')
 ')
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(mount_t)
+ ')
+')
+
 tunable_policy(`allow_mount_anyfile',`
 auth_read_all_dirs_except_shadow(mount_t)
 auth_read_all_files_except_shadow(mount_t)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index fd277bd..b9cbaaf 100644
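Review bot: The `allow_mount_anyfile` tunable directly below this insertion is deliberately limited to `auth_read_all_files_except_shadow`, and the unconditional `unconfined_domain(mount_t)` placed above it makes that carve-out moot on Ubuntu — if `unconfined_domain()` includes `files_unconfined`, mount_t reads shadow whether the boolean is on or off. Anyone later tuning the boolean on an Ubuntu build will assume it still matters, so note it at the ifdef: `# Ubuntu: mount_t is unconfined, so allow_mount_anyfile below has no effect here`. The mount_t policy this hunk belongs to starts before the hunk.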
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -145,6 +145,12 @@ libs_use_shared_libs(checkpolicy_t)
 userdom_use_all_users_fds(checkpolicy_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(checkpolicy_t)
+ ')
+')
+
 ########################################
 #
 # Load_policy local policy
@@ -183,6 +189,12 @@ seutil_libselinux_linked(load_policy_t)
 userdom_use_all_users_fds(load_policy_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(load_policy_t)
+ ')
+')
+
 ifdef(`hide_broken_symptoms',`
 # cjp: cover up stray file descriptors.
 dontaudit load_policy_t selinux_config_t:file write;
@@ -276,6 +288,12 @@ userdom_use_unpriv_users_fds(newrole_t)
 userdom_dontaudit_search_all_users_home_content(newrole_t)
 userdom_search_all_users_home_dirs(newrole_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(newrole_t)
+ ')
+')
+
 # if secure mode is enabled, then newrole
 # can only transition to unprivileged users
 if(secure_mode) {
@@ -329,6 +347,12 @@ miscfiles_read_localization(restorecond_t)
 seutil_libselinux_linked(restorecond_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(restorecond_t)
+ ')
+')
+
 optional_policy(`
 rpm_use_script_fds(restorecond_t)
 ')
@@ -396,6 +420,12 @@ ifndef(`direct_sysadm_daemon',`
 ')
 ')
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(run_init_t)
+ ')
+')
+
 optional_policy(`
 daemontools_domtrans_start(run_init_t)
 ')
@@ -471,6 +501,12 @@ ifdef(`distro_debian',`
 files_read_var_lib_symlinks(semanage_t)
 ')
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(semanage_t)
+ ')
+')
+
 # cjp: need a more general way to handle this:
 ifdef(`enable_mls',`
 # read secadm tmp files
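Review bot: The `secure_mode` block right under the new `unconfined_domain(newrole_t)` documents that newrole "can only transition to unprivileged users" in secure mode; whether that still holds on Ubuntu depends on whether this tree's `unconfined_domain()` grants `process transition` to all domains (recent refpolicy excludes transition from the unconfined process grant, but that should be checked here rather than assumed). Please verify and record the answer next to the ifdef, e.g. `# Ubuntu: unconfined_domain does not grant transition, so the secure_mode restriction below still applies` or, if it does grant it, move the ifdef inside the `else` branch so secure mode is not silently bypassed.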
@@ -575,6 +611,12 @@ ifdef(`distro_redhat', `
 fs_relabel_tmpfs_chr_file(setfiles_t)
 ')
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(setfiles_t)
+ ')
+')
+
 ifdef(`hide_broken_symptoms',`
 optional_policy(`
 udev_dontaudit_rw_dgram_sockets(setfiles_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3227730..bb35555 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -142,6 +142,12 @@ ifdef(`distro_redhat', `
 files_exec_etc_files(dhcpc_t)
 ')
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(dhcpc_t)
+ ')
+')
+
 optional_policy(`
 consoletype_domtrans(dhcpc_t)
 ')
@@ -297,6 +303,12 @@ seutil_use_runinit_fds(ifconfig_t)
 userdom_use_all_users_fds(ifconfig_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(ifconfig_t)
+ ')
+')
+
 ifdef(`hide_broken_symptoms',`
 optional_policy(`
 dev_dontaudit_rw_cardmgr(ifconfig_t)
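Review bot: dhcpc_t is the DHCP client domain, which by its nature parses responses from whatever answers on the local network, so `unconfined_domain(dhcpc_t)` turns a parsing bug in the client into an unconfined root process on Ubuntu; of all the domains this commit unconfines, this is the one with an attacker on the far end of the socket. It should be the first to get a real confined policy rather than the blanket grant; until then, flag it at the ifdef: `# Ubuntu: unconfined -- dhcpc handles untrusted network input; confine this one first`. The dhcpc_t policy this hunk sits in starts before the hunk.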