From 6f11d6b894d04db67cbf6d252b702a5271b1aba3 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Jan 04 2006 19:31:53 +0000
Subject: add readahead
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 1a9c1e0..530ba5c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -7,6 +7,7 @@
 ddcprobe
 fetchmail
 openct
+ readahead
 smartmon
 sysstat
 vbetool (Dan Walsh)
diff --git a/refpolicy/policy/modules/admin/readahead.fc b/refpolicy/policy/modules/admin/readahead.fc
new file mode 100644
index 0000000..26c1128
--- /dev/null
+++ b/refpolicy/policy/modules/admin/readahead.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/readahead.if b/refpolicy/policy/modules/admin/readahead.if
new file mode 100644
index 0000000..47c4723
--- /dev/null
+++ b/refpolicy/policy/modules/admin/readahead.if
@@ -0,0 +1 @@
+## Readahead, read files into page cache for improved performance
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
new file mode 100644
index 0000000..ac097ea
--- /dev/null
+++ b/refpolicy/policy/modules/admin/readahead.te
@@ -0,0 +1,72 @@
+
+policy_module(readahead,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type readahead_t;
+type readahead_exec_t;
+init_daemon_domain(readahead_t,readahead_exec_t)
+
+type readahead_var_run_t;
+files_pid_file(readahead_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit readahead_t self:capability sys_tty_config;
+allow readahead_t self:process signal_perms;
+
+allow readahead_t readahead_var_run_t:file create_file_perms;
+allow readahead_t readahead_var_run_t:dir rw_dir_perms;
+files_create_pid(readahead_t,readahead_var_run_t)
+
+kernel_read_kernel_sysctl(readahead_t)
+kernel_read_system_state(readahead_t)
+
+dev_read_sysfs(readahead_t)
+dev_getattr_generic_chr_file(readahead_t)
+dev_getattr_generic_blk_file(readahead_t)
+dev_getattr_all_chr_files(readahead_t)
+dev_getattr_all_blk_files(readahead_t)
+dev_dontaudit_read_all_blk_files(readahead_t)
+
+domain_use_wide_inherit_fd(readahead_t)
+
+files_dontaudit_getattr_all_sockets(readahead_t)
+files_list_non_security(readahead_t)
+files_read_non_security_files(readahead_t)
+
+fs_getattr_all_fs(readahead_t)
+fs_search_auto_mountpoints(readahead_t)
+
+term_dontaudit_use_console(readahead_t)
+
+auth_dontaudit_read_shadow(readahead_t)
+
+init_use_fd(readahead_t)
+init_use_script_pty(readahead_t)
+
+libs_use_ld_so(readahead_t)
+libs_use_shared_libs(readahead_t)
+
+logging_send_syslog_msg(readahead_t)
+
+miscfiles_read_localization(readahead_t)
+
+userdom_dontaudit_use_unpriv_user_fd(readahead_t)
+userdom_dontaudit_search_sysadm_home_dir(readahead_t)
+
+ifdef(`targeted_policy',`
+ files_dontaudit_read_root_file(readahead_t)
+ term_dontaudit_use_unallocated_tty(readahead_t)
+ term_dontaudit_use_generic_pty(readahead_t)
+')
+
+optional_policy(`selinuxutil',`
+ seutil_sigchld_newrole(readahead_t)
+')
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 74c154f..91ab7c3 100644
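Review bot: `files_read_non_security_files(readahead_t)` and `files_list_non_security(readahead_t)` reach every file_type that does not carry security_file_type, and the only type this commit moves onto that attribute is shadow_t (the authlogin.te hunk), so the exclusion is exactly as narrow as the attribute's coverage; any other sensitive type still on plain files_type is readable by readahead_t unless it is already marked elsewhere. For a page-cache preloader that breadth is probably intended, but nothing in the .te records it, so a comment above the files_* calls such as `# readahead preloads arbitrary files; everything except security_file_type is deliberately readable` would state the trade-off, with `auth_dontaudit_read_shadow(readahead_t)` below it showing the one denial the policy expects. The same coverage question applies to the authlogin.te hunk.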
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -310,8 +310,24 @@ interface(`files_list_all',`
 ########################################
 ##
+## List all non-security directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_list_non_security',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+')
+
+########################################
+##
 ## Do not audit attempts to list all
-## non security directories.
+## non-security directories.
 ##
 ##
 ## Domain to not audit.
@@ -422,6 +438,24 @@ interface(`files_read_all_files',`
 ########################################
 ##
+## Read all non-security files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_non_security_files',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ allow $1 { file_type -security_file_type }:dir search_dir_perms;
+ allow $1 { file_type -security_file_type }:file r_file_perms;
+ allow $1 { file_type -security_file_type }:lnk_file { getattr read };
+')
+
+########################################
+##
 ## Read all directories on the filesystem, except
 ## the listed exceptions.
 ##
@@ -466,7 +500,7 @@ interface(`files_read_all_files_except',`
 ########################################
 ##
-## Read all symbloic links on the filesystem, except
+## Read all symbolic links on the filesystem, except
 ## the listed exceptions.
 ##
 ##
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index e67be67..0cc1104 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
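Review bot: `files_list_non_security` is documented as "List all non-security directories" with a "Domain allowed access" parameter, yet its only rule is `dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;`, so a caller such as readahead_t has its listing denials silenced rather than granted; the body reads as a copy of the adjacent files_dontaudit_list_non_security interface. The rule should be `allow $1 { file_type -security_file_type }:dir r_dir_perms;` to match the summary and the caller's expectation. With the dontaudit in place, the missing directory reads would never show up in the audit log, which makes the mistake hard to spot once the module is deployed.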
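Review bot: `files_read_non_security_files` grants only `dir search_dir_perms`, so a caller that has to enumerate directories (readahead_t, which preloads whole trees) still needs files_list_non_security as well, and the summary does not say so. A second summary line such as `##	Directory listing is not included; pair with files_list_non_security().` would spare callers a denial hunt. The lnk_file `{ getattr read }` line is fine as written, since the target of a followed link is still governed by its own type.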
@@ -48,7 +48,7 @@ type pam_var_run_t;
 files_pid_file(pam_var_run_t)
 type shadow_t;
-files_type(shadow_t)
+files_security_file(shadow_t)
 neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
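Review bot: `files_security_file(shadow_t)` replaces `files_type(shadow_t)`, but neither files_security_file() nor the security_file_type attribute it presumably assigns is added by the files.if hunks in this patch, so both must already exist in files.if; it is worth confirming that interface still assigns file_type too, because the new `{ file_type -security_file_type }` interfaces and every other file_type-keyed rule depend on shadow_t staying in that set. The neverallow guards below remain the hard backstop regardless of the attribute change. A comment on the changed line, `# security_file_type keeps shadow_t out of the files_*_non_security interfaces`, would tie this relabel to the readahead.te caller that relies on it.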