From 85a0f967984ffd785549d6d2bda215a403c06c38 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Apr 19 2006 15:25:22 +0000 Subject: patch from dan Tue, 18 Apr 2006 23:16:15 -0400 --- diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular index 4ca258f..92df08d 100644 --- a/refpolicy/Rules.modular +++ b/refpolicy/Rules.modular @@ -208,7 +208,7 @@ enableaudit: $(BASE_CONF) # $(APPDIR)/customizable_types: $(BASE_CONF) @mkdir -p $(APPDIR) - $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types + $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types $(verbose) install -m 644 $(TMPDIR)/customizable_types $@ ######################################## diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic index c6df7b6..89b2d1d 100644 --- a/refpolicy/Rules.monolithic +++ b/refpolicy/Rules.monolithic @@ -230,7 +230,7 @@ $(BUILDDIR)longcheck.res: $(POLICY_CONF) $(FC) # $(APPDIR)/customizable_types: $(POLICY_CONF) @mkdir -p $(APPDIR) - $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types + $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types $(verbose) install -m 644 $(TMPDIR)/customizable_types $@ ######################################## diff --git a/refpolicy/policy/modules/services/cups.fc b/refpolicy/policy/modules/services/cups.fc index 4fcfb99..c744fe9 100644 --- a/refpolicy/policy/modules/services/cups.fc +++ b/refpolicy/policy/modules/services/cups.fc @@ -35,7 +35,8 @@ /usr/share/hplip/hpssd.py -- gen_context(system_u:object_r:hplip_exec_t,s0) /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/cache/foomatic(/.*)? -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index cc87327..eb8bdee 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te @@ -126,6 +126,7 @@ miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) sysnet_read_config(ftpd_t) +sysnet_use_ldap(ftpd_t) userdom_dontaudit_search_sysadm_home_dirs(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te index bb7a992..a81220b 100644 --- a/refpolicy/policy/modules/services/postfix.te +++ b/refpolicy/policy/modules/services/postfix.te @@ -315,6 +315,7 @@ files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir }) kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) +kernel_dontaudit_read_system_state(postfix_map_t) corenet_tcp_sendrecv_all_if(postfix_map_t) corenet_udp_sendrecv_all_if(postfix_map_t) @@ -358,8 +359,7 @@ seutil_read_config(postfix_map_t) sysnet_read_config(postfix_map_t) ifdef(`targeted_policy',` - # FIXME: would be better to use a run interface - role system_r types postfix_map_t; + term_dontaudit_use_generic_ptys(postfix_map_t) ') tunable_policy(`read_default_t',` diff --git a/refpolicy/policy/modules/services/postgresql.if b/refpolicy/policy/modules/services/postgresql.if index e030d16..818ba7c 100644 --- a/refpolicy/policy/modules/services/postgresql.if +++ b/refpolicy/policy/modules/services/postgresql.if @@ -113,10 +113,12 @@ interface(`postgresql_tcp_connect',` # interface(`postgresql_stream_connect',` gen_require(` - type postgresql_t, postgresql_var_run_t; + type postgresql_t, postgresql_var_run_t, postgresql_tmp_t; ') files_search_pids($1) allow $1 postgresql_t:unix_stream_socket connectto; allow $1 postgresql_var_run_t:sock_file write; + # Some versions of postgresql put the sock file in /tmp + allow $1 postgresql_tmp_t:sock_file write; ') diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te index 0be0cd7..efff376 100644 --- a/refpolicy/policy/modules/services/privoxy.te +++ b/refpolicy/policy/modules/services/privoxy.te @@ -50,6 +50,7 @@ corenet_tcp_sendrecv_all_ports(privoxy_t) corenet_non_ipsec_sendrecv(privoxy_t) corenet_tcp_bind_http_cache_port(privoxy_t) corenet_tcp_connect_http_port(privoxy_t) +corenet_tcp_connect_http_cache_port(privoxy_t) corenet_tcp_connect_ftp_port(privoxy_t) corenet_tcp_connect_tor_port(privoxy_t) diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te index 306e2ae..0339015 100644 --- a/refpolicy/policy/modules/services/samba.te +++ b/refpolicy/policy/modules/services/samba.te @@ -160,6 +160,7 @@ optional_policy(` corenet_non_ipsec_sendrecv(samba_net_t) corenet_tcp_bind_all_nodes(samba_net_t) sysnet_read_config(samba_net_t) + corenet_tcp_connect_ldap_port(samba_net_t) ') optional_policy(` @@ -269,6 +270,7 @@ files_list_mnt(smbd_t) init_use_fds(smbd_t) init_use_script_ptys(smbd_t) +init_rw_utmp(smbd_t) libs_use_ld_so(smbd_t) libs_use_shared_libs(smbd_t) diff --git a/refpolicy/policy/modules/services/spamassassin.fc b/refpolicy/policy/modules/services/spamassassin.fc index 37093c0..260950c 100644 --- a/refpolicy/policy/modules/services/spamassassin.fc +++ b/refpolicy/policy/modules/services/spamassassin.fc @@ -1,5 +1,5 @@ -/usr/bin/sa-learn -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index ecbf208..9a72969 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -173,9 +173,13 @@ dev_getattr_video_dev(pam_console_t) dev_setattr_video_dev(pam_console_t) dev_getattr_xserver_misc_dev(pam_console_t) dev_setattr_xserver_misc_dev(pam_console_t) +dev_read_urand(pam_console_t) fs_search_auto_mountpoints(pam_console_t) +mls_file_read_up(pam_console_t) +mls_file_write_down(pam_console_t) + storage_getattr_fixed_disk_dev(pam_console_t) storage_setattr_fixed_disk_dev(pam_console_t) storage_getattr_removable_dev(pam_console_t) @@ -206,8 +210,8 @@ libs_use_shared_libs(pam_console_t) logging_send_syslog_msg(pam_console_t) -mls_file_read_up(pam_console_t) -mls_file_write_down(pam_console_t) +miscfiles_read_localization(pam_console_t) +miscfiles_read_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc index 02370c7..b65ef96 100644 --- a/refpolicy/policy/modules/system/libraries.fc +++ b/refpolicy/policy/modules/system/libraries.fc @@ -83,12 +83,14 @@ ifdef(`distro_redhat',` /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/vmware(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?lib(64)?/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) +/usr/NX/lib/libXcomp.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/NX/lib/libjpeg.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -189,6 +191,8 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre # vmware /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vmware/lib(/.*)?/HConfig.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index ce71126..99cc380 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if @@ -113,3 +113,29 @@ interface(`mount_send_nfs_client_request',` allow $1 mount_t:udp_socket rw_socket_perms; ') +######################################## +## +## Execute mount in the unconfined mount domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_domtrans_unconfined',` + ifdef(`targeted_policy',` + gen_require(` + type unconfined_mount_t, mount_exec_t; + ') + + domain_auto_trans($1,mount_exec_t,unconfined_mount_t) + + allow $1 unconfined_mount_t:fd use; + allow unconfined_mount_t $1:fd use; + allow unconfined_mount_t $1:fifo_file rw_file_perms; + allow unconfined_mount_t $1:process sigchld; + ',` + errprint(`Warning: $0($1) has no effect in strict policy.'__endline__) + ') +') diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index ba89ae1..acf6d73 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -14,6 +14,12 @@ role system_r types mount_t; type mount_tmp_t; files_tmp_file(mount_tmp_t) +ifdef(`targeted_policy',` + type unconfined_mount_t; + domain_type(unconfined_mount_t) + domain_entry_file(unconfined_mount_t,mount_exec_t) +') + ######################################## # # mount local policy @@ -151,3 +157,13 @@ optional_policy(` optional_policy(` samba_domtrans_smbmount(mount_t) ') + +######################################## +# +# Unconfined mount local policy +# + +ifdef(`targeted_policy',` + files_manage_etc_runtime_files(unconfined_mount_t) + unconfined_domain(unconfined_mount_t) +') diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 17e2fdb..a28a26c 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -36,7 +36,10 @@ ifdef(`targeted_policy',` logging_domtrans_auditctl(unconfined_t) + mount_domtrans_unconfined(unconfined_t) + seutil_domtrans_restorecon(unconfined_t) + seutil_domtrans_semanage(unconfined_t) userdom_unconfined(unconfined_t) userdom_priveleged_home_dir_manager(unconfined_t) @@ -140,10 +143,6 @@ ifdef(`targeted_policy',` ') optional_policy(` - seutil_domtrans_semanage(unconfined_t) - ') - - optional_policy(` sysnet_domtrans_dhcpc(unconfined_t) ')