From 9cca1cd5939489218d1ec0a8c49454af42a18b12 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Dec 13 2005 20:38:19 +0000 Subject: policy-20051208.patch --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 649364a..d43a10c 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -6,6 +6,7 @@ automount fetchmail sysstat + vbetool * Wed Dec 07 2005 Chris PeBenito - 20051207 - Add unlabeled IPSEC association rule to domains with diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te index 80419ce..8fe7768 100644 --- a/refpolicy/policy/modules/admin/updfstab.te +++ b/refpolicy/policy/modules/admin/updfstab.te @@ -1,5 +1,5 @@ -policy_module(updfstab,1.1.1) +policy_module(updfstab,1.1.2) ######################################## # @@ -32,6 +32,7 @@ dev_read_sysfs(updfstab_t) dev_manage_generic_symlinks(updfstab_t) fs_getattr_xattr_fs(updfstab_t) +fs_getattr_tmpfs(updfstab_t) fs_getattr_tmpfs_dir(updfstab_t) fs_search_auto_mountpoints(updfstab_t) diff --git a/refpolicy/policy/modules/admin/vbetool.fc b/refpolicy/policy/modules/admin/vbetool.fc new file mode 100644 index 0000000..d00970f --- /dev/null +++ b/refpolicy/policy/modules/admin/vbetool.fc @@ -0,0 +1 @@ +/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0) diff --git a/refpolicy/policy/modules/admin/vbetool.if b/refpolicy/policy/modules/admin/vbetool.if new file mode 100644 index 0000000..efac87e --- /dev/null +++ b/refpolicy/policy/modules/admin/vbetool.if @@ -0,0 +1,24 @@ +## run real-mode video BIOS code to alter hardware state + +######################################## +## +## Execute vbetool application in the vbetool domain. +## +## +## N/A +## +# +interface(`vbetool_domtrans',` + gen_require(` + type vbetool_t, vbetool_exec_t; + ') + + corecmd_search_sbin($1) + domain_auto_trans($1,vbetool_exec_t,vbetool_t) + + allow $1 vbetool_t:fd use; + allow vbetool_t $1:fd use; + allow vbetool_t $1:fifo_file rw_file_perms; + allow vbetool_t $1:process sigchld; + +') diff --git a/refpolicy/policy/modules/admin/vbetool.te b/refpolicy/policy/modules/admin/vbetool.te new file mode 100644 index 0000000..15936eb --- /dev/null +++ b/refpolicy/policy/modules/admin/vbetool.te @@ -0,0 +1,26 @@ + +policy_module(vbetool,1.0.0) + +######################################## +# +# Declarations +# + +type vbetool_t; +type vbetool_exec_t; +init_system_domain(vbetool_t,vbetool_exec_t) + +######################################## +# +# Local policy +# + +allow vbetool_t self:process execmem; + +dev_wx_raw_memory(vbetool_t) +dev_read_raw_memory(vbetool_t) +dev_rwx_zero_dev(vbetool_t) +dev_read_sysfs(vbetool_t) + +libs_use_ld_so(vbetool_t) +libs_use_shared_libs(vbetool_t) diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te index 27f9ae9..964c52b 100644 --- a/refpolicy/policy/modules/kernel/mls.te +++ b/refpolicy/policy/modules/kernel/mls.te @@ -1,5 +1,5 @@ -policy_module(mls,1.1.0) +policy_module(mls,1.1.1) ######################################## # @@ -52,13 +52,14 @@ attribute mlsrangetrans; # temporarily have to break encapsulation to work around this. # +type crond_exec_t; type cupsd_exec_t; type getty_t; -type login_exec_t; type init_t; type init_exec_t; type initrc_t; type initrc_exec_t; +type login_exec_t; type sshd_exec_t; type su_exec_t; type udev_exec_t; @@ -68,6 +69,7 @@ type xdm_exec_t; ifdef(`enable_mcs',` range_transition getty_t login_exec_t s0 - s0:c0.c255; range_transition init_t xdm_exec_t s0 - s0:c0.c255; +range_transition initrc_t crond_exec_t s0 - s0:c0.c255; range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; range_transition initrc_t udev_exec_t s0 - s0:c0.c255; diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 10c4a28..cdf0192 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -619,6 +619,23 @@ interface(`term_setattr_unallocated_ttys',` ######################################## ## +## Do not audit attempts to ioctl +## unallocated tty device nodes. +## +## +## Domain allowed access. +## +# +interface(`term_dontaudit_ioctl_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dontaudit $1 tty_device_t:chr_file ioctl; +') + +######################################## +## ## Relabel from and to the unallocated ## tty type. ## diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index f68c043..cbab9d0 100644 --- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.0.1) +policy_module(automount,1.0.2) ######################################## # @@ -58,6 +58,7 @@ allow automount_t automount_var_run_t:dir rw_dir_perms; files_create_pid(automount_t,automount_var_run_t) kernel_read_kernel_sysctl(automount_t) +kernel_read_fs_sysctl(automount_t) kernel_read_proc_symlinks(automount_t) kernel_read_system_state(automount_t) kernel_list_proc(automount_t) diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 6339ab3..9b2fddf 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron, 1.1.0) +policy_module(cron, 1.1.1) gen_require(` class passwd rootok; @@ -18,7 +18,11 @@ type cron_spool_t; files_type(cron_spool_t) type crond_t; -type crond_exec_t; +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type crond_exec_t; +') init_daemon_domain(crond_t,crond_exec_t) domain_wide_inherit_fd(crond_t) domain_cron_exemption_source(crond_t) diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te index f058625..4287366 100644 --- a/refpolicy/policy/modules/services/dovecot.te +++ b/refpolicy/policy/modules/services/dovecot.te @@ -1,5 +1,5 @@ -policy_module(dovecot,1.1.0) +policy_module(dovecot,1.1.1) ######################################## # @@ -154,6 +154,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write io allow dovecot_auth_t dovecot_passwd_t:file { getattr read }; +allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms; + kernel_read_all_sysctl(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) @@ -165,6 +167,8 @@ auth_use_nsswitch(dovecot_auth_t) files_read_etc_files(dovecot_auth_t) files_read_etc_runtime_files(dovecot_auth_t) files_search_pids(dovecot_auth_t) +files_read_usr_symlinks(dovecot_auth_t) +files_search_tmp(dovecot_auth_t) libs_use_ld_so(dovecot_auth_t) libs_use_shared_libs(dovecot_auth_t) diff --git a/refpolicy/policy/modules/services/ftp.fc b/refpolicy/policy/modules/services/ftp.fc index 40cd7ae..2967dd7 100644 --- a/refpolicy/policy/modules/services/ftp.fc +++ b/refpolicy/policy/modules/services/ftp.fc @@ -21,6 +21,7 @@ /var/run/proftpd(/.*)? gen_context(system_u:object_r:ftpd_var_run_t,s0) /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) +/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te index be83a0e..beb05f1 100644 --- a/refpolicy/policy/modules/services/gpm.te +++ b/refpolicy/policy/modules/services/gpm.te @@ -1,5 +1,5 @@ -policy_module(gpm,1.0.1) +policy_module(gpm,1.0.2) ######################################## # @@ -28,6 +28,7 @@ files_type(gpmctl_t) # allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config }; +allow gpm_t self:unix_stream_socket create_stream_socket_perms; allow gpm_t gpm_conf_t:dir r_dir_perms; allow gpm_t gpm_conf_t:file r_file_perms; @@ -94,5 +95,5 @@ optional_policy(`udev',` ifdef(`TODO',` # Access the mouse. # cjp: why write? -allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms; +allow gpm_t event_device_t:chr_file rw_file_perms; ') diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 9bb932a..455e384 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.1.1) +policy_module(hal,1.1.2) ######################################## # @@ -21,10 +21,10 @@ files_pid_file(hald_var_run_t) # Local policy # -allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio }; +# execute openvt which needs setuid +allow hald_t self:capability { setuid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio }; dontaudit hald_t self:capability sys_tty_config; -# vbetool requires execmem -allow hald_t self:process { execmem signal_perms }; +allow hald_t self:process signal_perms; allow hald_t self:fifo_file rw_file_perms; allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow hald_t self:unix_dgram_socket create_socket_perms; @@ -104,9 +104,11 @@ storage_raw_read_fixed_disk(hald_t) storage_raw_write_fixed_disk(hald_t) term_dontaudit_use_console(hald_t) +term_dontaudit_ioctl_unallocated_ttys(hald_t) init_use_fd(hald_t) init_use_script_pty(hald_t) +init_domtrans_script(hald_t) libs_use_ld_so(hald_t) libs_use_shared_libs(hald_t) @@ -138,6 +140,10 @@ optional_policy(`apm',` apm_stream_connect(hald_t) ') +optional_policy(`clock',` + clock_domtrans(hald_t) +') + optional_policy(`cups',` cups_domtrans_config(hald_t) cups_signal_config(hald_t) @@ -198,6 +204,10 @@ optional_policy(`updfstab',` updfstab_domtrans(hald_t) ') +optional_policy(`vbetool',` + vbetool_domtrans(hald_t) +') + ifdef(`TODO',` allow hald_t device_t:dir create_dir_perms; ') dnl end TODO diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te index d3621ed..7a04b59 100644 --- a/refpolicy/policy/modules/services/spamassassin.te +++ b/refpolicy/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin,1.1.0) +policy_module(spamassassin,1.1.1) ######################################## # @@ -120,6 +120,8 @@ ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(spamd_t) term_dontaudit_use_generic_pty(spamd_t) files_dontaudit_read_root_file(spamd_t) + userdom_manage_generic_user_home_dirs(spamd_t) + userdom_manage_generic_user_home_files(spamd_t) ') tunable_policy(`use_nfs_home_dirs',` diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 6ec83de..57c3f6a 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -32,16 +32,18 @@ template(`unconfined_domain_template',` kernel_unconfined($1) corenet_unconfined($1) dev_unconfined($1) + domain_unconfined($1) + files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) - domain_unconfined($1) - files_unconfined($1) + libs_use_shared_libs($1) tunable_policy(`allow_execmem',` # Allow making anonymous memory executable, e.g. # for runtime-code generation or executable stack. allow $1 self:process execmem; + auditallow $1 self:process execmem; ') tunable_policy(`allow_execmem && allow_execstack',` diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index b05843f..c4c2a89 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.1.0) +policy_module(unconfined,1.1.1) ######################################## #