From 36095d11ce3522964912cc05f8e23ea29c55443f Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Sep 12 2008 14:18:20 +0000
Subject: trunk: kudzu and mta patches from dan.
---
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index ec78261..61bd502 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
-policy_module(kudzu, 1.6.1)
+policy_module(kudzu, 1.6.2)
 ########################################
 #
@@ -21,8 +21,8 @@ files_pid_file(kudzu_var_run_t)
 # Local policy
 #
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
+allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
 allow kudzu_t self:process { signal_perms execmem };
 allow kudzu_t self:fifo_file rw_fifo_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -68,6 +68,7 @@ mls_file_write_all_levels(kudzu_t)
 modutils_read_module_deps(kudzu_t)
 modutils_read_module_config(kudzu_t)
 modutils_rename_module_config(kudzu_t)
+modutils_delete_module_config(kudzu_t)
 storage_read_scsi_generic(kudzu_t)
 storage_read_tape(kudzu_t)
@@ -103,6 +104,8 @@ files_dontaudit_search_isid_type_dirs(kudzu_t)
 init_use_fds(kudzu_t)
 init_use_script_ptys(kudzu_t)
 init_stream_connect_script(kudzu_t)
+init_read_state(kudzu_t)
+init_ptrace(kudzu_t)
 # kudzu will telinit to make init re-read
 # the inittab after configuring serial consoles
 init_telinit(kudzu_t)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 213bebf..9a70378 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
-policy_module(courier, 1.5.1)
+policy_module(courier, 1.5.2)
 ########################################
 #
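Review bot: In kudzu.te the capability line now allows `sys_ptrace` where the old policy dontaudited it, and the last hunk of the same file adds `init_ptrace(kudzu_t)`, so a hardware-probing tool is allowed to ptrace PID 1 with no comment saying which kudzu operation needs it. If the denials came only from kudzu reading entries under /proc/1 (an inference from the `init_read_state(kudzu_t)` call added beside it), keeping `init_read_state` and dontauditing the ptrace access would be the narrower grant. If ptrace really is required, put a why-comment above the call in the style of the existing telinit comment, e.g. `# kudzu needs ptrace on init because <reason>`.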
@@ -27,7 +27,7 @@ type courier_var_run_t;
 files_pid_file(courier_var_run_t)
 type courier_exec_t;
-files_type(courier_exec_t)
+mta_agent_executable(courier_exec_t)
 courier_domain_template(sqwebmail)
 typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 3bd68bb..16ec200 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -1,3 +1,4 @@
+/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
 /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 7399a58..a47a55d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -311,6 +311,44 @@ interface(`mta_mailserver',`
 ########################################
 ##
+## Make the specified type a MTA executable file.
+##
+##
+##
+## Type to be used as a mail client.
+##
+##
+#
+interface(`mta_agent_executable',`
+ gen_require(`
+ attribute mta_exec_type;
+ ')
+
+ typeattribute $1 mta_exec_type;
+
+ application_executable_file($1)
+')
+
+########################################
+##
+## Make the specified type by a system MTA.
+##
+##
+##
+## Type to be used as a mail client.
+##
+##
+#
+interface(`mta_system_content',`
+ gen_require(`
+ attribute mailcontent_type;
+ ')
+
+ typeattribute $1 mailcontent_type;
+')
+
+########################################
+##
 ## Modified mailserver interface for
 ## sendmail daemon use.
 ##
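Review bot: In mta.if the summary of `mta_system_content` reads `Make the specified type by a system MTA.`, which does not parse, and both new interfaces reuse the parameter text `Type to be used as a mail client.` although neither parameter is a mail client type. Suggested wording is `Make the specified type readable for a system MTA.` with parameter text `Type of the content files.`, and `Type to be used as an MTA executable.` for `mta_agent_executable`. The `mta_agent_executable` summary should also say that the type becomes an entry point into system_mail_t, because mta.te in this commit grants `entrypoint` on the whole mta_exec_type attribute; the courier.te hunk above is its first user outside mta.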
@@ -440,16 +478,12 @@ interface(`mta_mailserver_user_agent',`
 interface(`mta_send_mail',`
 gen_require(`
 attribute mta_user_agent;
- type system_mail_t, sendmail_exec_t;
+ type system_mail_t;
+ attribute mta_exec_type;
 ')
- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
- domain_auto_trans($1, sendmail_exec_t, system_mail_t)
-
- allow $1 system_mail_t:fd use;
- allow system_mail_t $1:fd use;
- allow system_mail_t $1:fifo_file rw_file_perms;
- allow system_mail_t $1:process sigchld;
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ domtrans_pattern($1, mta_exec_type, system_mail_t)
 allow mta_user_agent $1:fd use;
 allow mta_user_agent $1:process sigchld;
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index f31347d..a0f10f8 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,11 +1,13 @@
-policy_module(mta, 1.10.0)
+policy_module(mta, 1.10.1)
 ########################################
 #
 # Declarations
 #
+attribute mailcontent_type;
+attribute mta_exec_type;
 attribute mta_user_agent;
 attribute mailserver_delivery;
 attribute mailserver_domain;
@@ -20,13 +22,13 @@ type etc_mail_t;
 files_config_file(etc_mail_t)
 type mqueue_spool_t;
-files_type(mqueue_spool_t)
+files_mountpoint(mqueue_spool_t)
 type mail_spool_t;
-files_type(mail_spool_t)
+files_mountpoint(mail_spool_t)
 type sendmail_exec_t;
-application_executable_file(sendmail_exec_t)
+mta_agent_executable(sendmail_exec_t)
 mta_base_mail_template(system)
 role system_r types system_mail_t;
@@ -41,6 +43,10 @@ allow system_mail_t self:capability { dac_override };
 read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+allow system_mail_t mta_exec_type:file entrypoint;
+
+allow system_mail_t mailcontent_type:file read_file_perms;
+
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3cdd56a..e6e831c 100644
--- a/policy/modules/system/init.if
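Review bot: In `mta_send_mail` the transition is now keyed to the attribute, `domtrans_pattern($1, mta_exec_type, system_mail_t)`, so every caller gains execute and transition rights on every type that any module passes to `mta_agent_executable`, not only on sendmail_exec_t. Together with `allow system_mail_t mta_exec_type:file entrypoint;` in mta.te, this makes the attribute a trust boundary for system_mail_t. That deserves a comment at the attribute declaration in mta.te, e.g. `# mta_exec_type: entry points into system_mail_t; assign only to mail agent binaries`. Separately, the removed `allow $1 system_mail_t:fd use;` does not look like a rule that domtrans_pattern grants again (its definition is not in this diff), so confirm that callers using descriptors owned by system_mail_t still work. The body of `mta_send_mail` continues past the end of the hunk.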
+++ b/policy/modules/system/init.if
@@ -731,6 +731,46 @@ interface(`init_run_daemon',`
 dontaudit direct_init $3:chr_file rw_file_perms;
 ')
+
+########################################
+##
+## Read the process state (/proc/pid) of init.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_state',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ allow $1 init_t:dir search_dir_perms;
+ allow $1 init_t:file read_file_perms;
+ allow $1 init_t:lnk_file read_file_perms;
+')
+
+########################################
+##
+## Ptrace init
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`init_ptrace',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ allow $1 init_t:process ptrace;
+')
+
 ########################################
 ##
 ## Write an init script unnamed pipe.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ebc586d..751a0f7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init, 1.11.2)
+policy_module(init, 1.11.3)
 gen_require(`
 class passwd rootok;
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 095bd1e..73b4e08 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -66,6 +66,25 @@ interface(`modutils_rename_module_config',`
 ########################################
 ##
+## Unlink a file with the configuration options used when
+## loading modules.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`modutils_delete_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ allow $1 modules_conf_t:file unlink;
+')
+
+########################################
+##
 ## Unconditionally execute insmod in the insmod domain.
 ##
 ##
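Review bot: In init.if both new interfaces declare `attribute init_t;` inside gen_require, but init_t is a type in init.te (its declaration is not in this diff), so the require should read `type init_t;`. In `init_read_state` the symlink rule uses the plain-file permission set, `allow $1 init_t:lnk_file read_file_perms;`; mta.if in this same commit uses `read_lnk_file_perms` for lnk_file, and that is the set to use here. The `init_ptrace` summary is only `Ptrace init`; because ptrace on PID 1 gives the caller control over the most privileged process on the system, the description should say so, so that new callers get reviewed accordingly.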
@@ -275,6 +294,8 @@ interface(`modutils_run_update_mods',`
 modutils_domtrans_update_mods($1)
 role $2 types update_modules_t;
 allow update_modules_t $3:chr_file rw_term_perms;
+
+ modutils_run_insmod(update_modules_t, $2, $3)
 ')
 ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 34279f5..9fd705d 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils, 1.7.0)
+policy_module(modutils, 1.7.1)
 gen_require(`
 bool secure_mode_insmod;
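Review bot: The added `modutils_run_insmod(update_modules_t, $2, $3)` changes what callers of `modutils_run_update_mods` receive: the caller's role `$2` is passed through, so that role presumably becomes authorised for the insmod domain as well (the body of modutils_run_insmod is not in this diff). The interface's doc comment starts outside the hunk and should mention this, along the lines of `## Also allows update-modules to run insmod in the insmod domain with the given role.` It is also worth checking that this path stays subject to the `secure_mode_insmod` boolean that modutils.te requires.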