From 9fd4b818fce48975c950bf19ed0e5b57221465fc Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Nov 29 2005 21:27:15 +0000 Subject: fix several modular build problems --- diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index f800cd1..31eb7b2 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -1,5 +1,5 @@ -policy_module(logrotate,1.0) +policy_module(logrotate,1.0.1) ######################################## # @@ -148,6 +148,10 @@ optional_policy(`consoletype',` ') +optional_policy(`cups',` + cups_domtrans(logrotate_t) +') + optional_policy(`hostname',` hostname_exec(logrotate_t) ') diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index 75d2511..e8550e0 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -151,6 +151,7 @@ interface(`rpm_read_db',` type rpm_var_lib_t; ') + files_search_var_lib($1) allow $1 rpm_var_lib_t:dir r_dir_perms; allow $1 rpm_var_lib_t:file { getattr read }; allow $1 rpm_var_lib_t:lnk_file r_file_perms; @@ -169,8 +170,8 @@ interface(`rpm_manage_db',` type rpm_var_lib_t; ') + files_search_var_lib($1) allow $1 rpm_var_lib_t:dir rw_dir_perms; allow $1 rpm_var_lib_t:file { getattr create read write append unlink }; allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink }; ') - diff --git a/refpolicy/policy/modules/admin/updfstab.if b/refpolicy/policy/modules/admin/updfstab.if index 753454f..5474833 100644 --- a/refpolicy/policy/modules/admin/updfstab.if +++ b/refpolicy/policy/modules/admin/updfstab.if @@ -22,3 +22,22 @@ interface(`updfstab_domtrans',` allow updfstab_t $1:fifo_file rw_file_perms; allow updfstab_t $1:process sigchld; ') + +######################################## +## +## Send and receive messages from +## updfstab over dbus. +## +## +## Domain allowed access. +## +# +interface(`updfstab_dbus_chat',` + gen_require(` + type updfstab_t; + class dbus send_msg; + ') + + allow $1 updfstab_t:dbus send_msg; + allow updfstab_t $1:dbus send_msg; +') diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te index bf83e25..60a1468 100644 --- a/refpolicy/policy/modules/admin/updfstab.te +++ b/refpolicy/policy/modules/admin/updfstab.te @@ -1,5 +1,5 @@ -policy_module(updfstab,1.0.1) +policy_module(updfstab,1.0.2) ######################################## # @@ -100,6 +100,7 @@ optional_policy(`dbus',` optional_policy(`hal',` hal_stream_connect(updfstab_t) + hal_dbus_chat(updfstab_t) ') optional_policy(`modutils',` @@ -123,8 +124,3 @@ optional_policy(`udev',` ifdef(`TODO',` allow updfstab_t tmpfs_t:dir getattr; ') - -optional_policy(`dbus',` - allow initrc_t updfstab_t:dbus send_msg; - allow updfstab_t initrc_t:dbus send_msg; -') diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 4a7ce1b..0ae1165 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -826,6 +826,44 @@ interface(`dev_dontaudit_rw_cardmgr',` ######################################## ## +## Create, read, write, and delete +## the PCMCIA card manager device. +## +## +## Domain allowed access. +## +# +interface(`dev_manage_cardmgr',` + gen_require(` + type device_t, cardmgr_dev_t; + ') + + allow $1 device_t:dir rw_dir_perms; + allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## the PCMCIA card manager device +## with the correct type. +## +## +## Domain allowed access. +## +# +interface(`dev_create_cardmgr',` + gen_require(` + type device_t, cardmgr_dev_t; + ') + + allow $1 device_t:dir rw_dir_perms; + allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms; + type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t; +') + +######################################## +## ## Get the attributes of the CPU ## microcode and id interfaces. ## diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 0725f40..c067a6e 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -1681,6 +1681,22 @@ interface(`fs_write_ramfs_pipe',` ######################################## ## +## Read and write a named pipe on a ramfs filesystem. +## +## +## Domain allowed access. +## +# +interface(`fs_rw_ramfs_pipe',` + gen_require(` + type ramfs_t; + ') + + allow $1 ramfs_t:fifo_file rw_file_perms; +') + +######################################## +## ## Write to named socket on a ramfs filesystem. ## ## @@ -2051,6 +2067,23 @@ interface(`fs_create_tmpfs_data',` ######################################## ## +## Read and write generic tmpfs files. +## +## +## The type of the process performing this action. +## +# +interface(`fs_rw_tmpfs_file',` + gen_require(` + type tmpfs_t; + ') + + fs_search_tmpfs($1) + allow $1 tmpfs_t:file rw_file_perms; +') + +######################################## +## ## Read and write character nodes on tmpfs filesystems. ## ## diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 5edbef5..9d670f4 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -21,6 +21,15 @@ attribute proc_type; # sysctls attribute sysctl_type; +role system_r; +role sysadm_r; +role staff_r; +role user_r; + +ifdef(`enable_mls',` + role secadm_r; +') + # # kernel_t is the domain of kernel threads. # It is also the target type when checking permissions in the system class. diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if index 00a97c6..8c7f04e 100644 --- a/refpolicy/policy/modules/services/apache.if +++ b/refpolicy/policy/modules/services/apache.if @@ -703,3 +703,19 @@ interface(`apache_append_squirrelmail_data',` allow $1 httpd_squirrelmail_t:file { getattr append }; ') + +######################################## +## +## Search system script state directory. +## +## +## Domain to not audit. +## +# +interface(`apache_search_sys_script_state',` + gen_require(` + type httpd_sys_script_t; + ') + + allow $1 httpd_sys_script_t:dir search; +') diff --git a/refpolicy/policy/modules/services/apm.if b/refpolicy/policy/modules/services/apm.if index 4cac734..a051c34 100644 --- a/refpolicy/policy/modules/services/apm.if +++ b/refpolicy/policy/modules/services/apm.if @@ -97,7 +97,7 @@ interface(`apm_append_log',` # interface(`apm_stream_connect',` gen_require(` - type apmd_t; + type apmd_t, apmd_var_run_t; ') files_search_pids($1) diff --git a/refpolicy/policy/modules/services/avahi.if b/refpolicy/policy/modules/services/avahi.if index 8bc232b..15b762f 100644 --- a/refpolicy/policy/modules/services/avahi.if +++ b/refpolicy/policy/modules/services/avahi.if @@ -1 +1,20 @@ ## mDNS/DNS-SD daemon implementing Apple ZeroConf architecture + +######################################## +## +## Send and receive messages from +## avahi over dbus. +## +## +## Domain allowed access. +## +# +interface(`avahi_dbus_chat',` + gen_require(` + type avahi_t; + class dbus send_msg; + ') + + allow $1 avahi_t:dbus send_msg; + allow avahi_t $1:dbus send_msg; +') diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te index c26bede..fe04bba 100644 --- a/refpolicy/policy/modules/services/avahi.te +++ b/refpolicy/policy/modules/services/avahi.te @@ -1,5 +1,5 @@ -policy_module(avahi,1.0.1) +policy_module(avahi,1.0.2) ######################################## # @@ -90,10 +90,6 @@ optional_policy(`dbus',` dbus_system_bus_client_template(avahi,avahi_t) dbus_connect_system_bus(avahi_t) dbus_send_system_bus_msg(avahi_t) - - # FIXME: - allow avahi_t unconfined_t:dbus send_msg; - allow unconfined_t avahi_t:dbus send_msg; ') optional_policy(`nis',` @@ -107,4 +103,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(avahi_t) ') - diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te index f5e2d15..a5869ea 100644 --- a/refpolicy/policy/modules/services/bind.te +++ b/refpolicy/policy/modules/services/bind.te @@ -289,9 +289,9 @@ optional_policy(`networkmanager',` ') # optional_policy(`dbus',` -# gen_require(` -# class dbus send_msg; -# ') + gen_require(` + class dbus send_msg; + ') allow NetworkManager_t named_t:dbus send_msg; allow named_t NetworkManager_t:dbus send_msg; diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if index 5ef539b..d918292 100644 --- a/refpolicy/policy/modules/services/cups.if +++ b/refpolicy/policy/modules/services/cups.if @@ -2,6 +2,27 @@ ######################################## ## +## Execute cups in the cups domain. +## +## +## The type of the process performing this action. +## +# +interface(`cups_domtrans',` + gen_require(` + type cupsd_t, cupsd_exec_t; + ') + + domain_auto_trans($1,cupsd_exec_t,cupsd_t) + + allow $1 cupsd_t:fd use; + allow cupsd_t $1:fd use; + allow cupsd_t $1:fifo_file rw_file_perms; + allow cupsd_t $1:process sigchld; +') + +######################################## +## ## Execute cups_config in the cups_config domain. ## ## @@ -23,6 +44,42 @@ interface(`cups_domtrans_config',` ######################################## ## +## Send generic signals to the cups +## configuration daemon. +## +## +## Domain allowed access. +## +# +interface(`cups_signal_config',` + gen_require(` + type cupsd_config_t; + ') + + allow $1 cupsd_config_t:process signal; +') + +######################################## +## +## Send and receive messages from +## cupsd_config over dbus. +## +## +## Domain allowed access. +## +# +interface(`cups_dbus_chat_config',` + gen_require(` + type cupsd_config_t; + class dbus send_msg; + ') + + allow $1 cupsd_config_t:dbus send_msg; + allow cupsd_config_t $1:dbus send_msg; +') + +######################################## +## ## Read cups-writable configuration files. ## ## @@ -38,3 +95,39 @@ interface(`cups_read_rw_config',` allow $1 cupsd_etc_t:dir search_dir_perms; allow $1 cupsd_rw_etc_t:file { getattr read }; ') + +######################################## +## +## Read cups log files. +## +## +## Domain allowed access. +## +# +interface(`cups_read_log',` + gen_require(` + type cupsd_log_t; + ') + + logging_search_logs($1) + allow $1 cupsd_log_t:file { getattr read }; +') + +######################################## +## +## Connect to ptal over an unix domain stream socket. +## +## +## Domain allowed access. +## +# +interface(`cups_stream_connect_ptal',` + gen_require(` + type ptal_t, ptal_var_run_t; + ') + + files_search_pids($1) + allow $1 ptal_var_run_t:dir search; + allow $1 ptal_var_run_t:sock_file write; + allow $1 ptal_t:unix_stream_socket connectto; +') diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index b1a3cf3..041da68 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.0) +policy_module(cups,1.0.1) ######################################## # @@ -149,6 +149,7 @@ fs_search_auto_mountpoints(cupsd_t) term_dontaudit_use_console(cupsd_t) auth_domtrans_chk_passwd(cupsd_t) +auth_dontaudit_read_pam_pid(cupsd_t) # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) @@ -187,7 +188,7 @@ seutil_dontaudit_read_config(cupsd_t) sysnet_read_config(cupsd_t) userdom_dontaudit_use_unpriv_user_fd(cupsd_t) -userdom_dontaudit_search_sysadm_home_dir(cupsd_t) +userdom_dontaudit_search_all_users_home(cupsd_t) # Write to /var/spool/cups. lpd_manage_spool(cupsd_t) @@ -198,17 +199,30 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_file(cupsd_t) ') +optional_policy(`cron',` + cron_use_fd(cupsd_t) + cron_read_pipe(cupsd_t) +') + optional_policy(`dbus',` dbus_system_bus_client_template(cupsd,cupsd_t) dbus_send_system_bus_msg(cupsd_t) - allow cupsd_t userdomain:dbus send_msg; + userdom_dbus_send_all_users(cupsd_t) + + optional_policy(`hal',` + hal_dbus_chat(cupsd_t) + ') ') optional_policy(`hostname',` hostname_exec(cupsd_t) ') +optional_policy(`inetd',` + inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t) +') + optional_policy(`mount',` mount_send_nfs_client_request(cupsd_t) ') @@ -217,6 +231,15 @@ optional_policy(`nscd',` nscd_use_socket(cupsd_t) ') +optional_policy(`portmap',` + portmap_udp_sendrecv(cupsd_t) +') + +optional_policy(`samba',` + samba_rw_var_files(cupsd_t) + # cjp: rw_dir_perms was here, but doesnt make sense +') + optional_policy(`selinuxutil',` seutil_sigchld_newrole(cupsd_t) ') @@ -241,56 +264,18 @@ allow cupsd_t devpts_t:dir search; dontaudit cupsd_t random_device_t:chr_file ioctl; # temporary solution, we need something better -allow cupsd_t serial_device:chr_file rw_file_perms; - -optional_policy(`logrotate',` - domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t) -') - -optional_policy(`inetd',` -domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t) -') +#allow cupsd_t serial_device:chr_file rw_file_perms; # for /etc/printcap dontaudit cupsd_t etc_t:file write; - - - - -# Send to portmap. -optional_policy(`portmap', ` -allow cupsd_t portmap_t:udp_socket sendto; -allow portmap_t cupsd_t:udp_socket recvfrom; -allow portmap_t cupsd_t:udp_socket sendto; -allow cupsd_t portmap_t:udp_socket recvfrom; -') - - - - - # # Satisfy readahead # -allow initrc_t cupsd_log_t:file { getattr read }; allow cupsd_t var_t:dir { getattr read search }; allow cupsd_t var_t:file r_file_perms; allow cupsd_t var_t:lnk_file { getattr read }; -optional_policy(`samba',` -# cjp: rw_dir_perms here doesnt make sense -allow cupsd_t samba_var_t:dir rw_dir_perms; -allow cupsd_t samba_var_t:file rw_file_perms; -allow cupsd_t samba_var_t:lnk_file { getattr read }; -allow smbd_t cupsd_etc_t:dir search; -') - -optional_policy(`authlogin',` -dontaudit cupsd_t pam_var_run_t:file { getattr read }; -') -dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; - ######################################## # # PTAL local policy @@ -358,7 +343,7 @@ miscfiles_read_localization(ptal_t) sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fd(ptal_t) -userdom_dontaudit_search_sysadm_home_dir(ptal_t) +userdom_dontaudit_search_all_users_home(ptal_t) ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(ptal_t) @@ -374,14 +359,8 @@ optional_policy(`udev',` udev_read_db(ptal_t) ') -allow userdomain ptal_t:unix_stream_socket connectto; -allow userdomain ptal_var_run_t:sock_file write; -allow userdomain ptal_var_run_t:dir search; - allow initrc_t printer_device_t:chr_file getattr; -dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; - allow initrc_t ptal_var_run_t:dir rmdir; allow initrc_t ptal_var_run_t:fifo_file unlink; @@ -555,6 +534,8 @@ corecmd_exec_sbin(cupsd_config_t) corecmd_exec_shell(cupsd_config_t) domain_use_wide_inherit_fd(cupsd_config_t) +# killall causes the following +domain_dontaudit_search_all_domains_state(cupsd_config_t) files_read_usr_files(cupsd_config_t) files_read_etc_files(cupsd_config_t) @@ -577,12 +558,35 @@ sysnet_read_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fd(cupsd_config_t) userdom_dontaudit_search_sysadm_home_dir(cupsd_config_t) +ifdef(`distro_redhat',` + init_getattr_script_entry_file(cupsd_config_t) + + optional_policy(`rpm',` + rpm_read_db(cupsd_config_t) + ') +') + ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(cupsd_config_t) term_dontaudit_use_generic_pty(cupsd_config_t) files_dontaudit_read_root_file(cupsd_config_t) ') +optional_policy(`cron',` + cron_use_system_job_fd(cupsd_config_t) + cron_read_pipe(cupsd_config_t) +') + +optional_policy(`dbus',` + dbus_system_bus_client_template(cupsd_config,cupsd_config_t) + dbus_connect_system_bus(cupsd_config_t) + dbus_send_system_bus_msg(cupsd_config_t) + + optional_policy(`hal',` + hal_dbus_chat(cupsd_config_t) + ') +') + optional_policy(`hal',` hal_domtrans(cupsd_config_t) ') @@ -603,6 +607,10 @@ optional_policy(`nscd',` nscd_use_socket(cupsd_config_t) ') +optional_policy(`rpm',` + rpm_read_db(cupsd_config_t) +') + optional_policy(`selinuxutil',` seutil_sigchld_newrole(cupsd_config_t) ') @@ -611,49 +619,10 @@ optional_policy(`udev',` udev_read_db(cupsd_config_t) ') -allow cupsd_config_t devpts_t:dir search; -allow cupsd_config_t devpts_t:chr_file { getattr ioctl }; - -ifdef(`distro_redhat', ` - optional_policy(`rpm',` - allow cupsd_config_t rpm_var_lib_t:dir { getattr search }; - allow cupsd_config_t rpm_var_lib_t:file { getattr read }; - ') - allow cupsd_config_t initrc_exec_t:file getattr; -') - allow cupsd_config_t var_t:lnk_file read; -optional_policy(`dbus',` - dbus_system_bus_client_template(cupsd_config,cupsd_config_t) - dbus_connect_system_bus(cupsd_config_t) - dbus_send_system_bus_msg(cupsd_config_t) - - allow cupsd_config_t userdomain:dbus send_msg; - allow userdomain cupsd_config_t:dbus send_msg; -') - -optional_policy(`hal', ` - optional_policy(`dbus',` - allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg; - allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg; - ') - - allow hald_t cupsd_config_t:process signal; -') - -# killall causes the following -dontaudit cupsd_config_t domain:dir { getattr search }; - -allow cupsd_config_t var_lib_t:dir { getattr search }; -allow cupsd_config_t rpm_var_lib_t:file { getattr read }; allow cupsd_config_t printconf_t:file { getattr read }; -allow cupsd_config_t system_crond_t:fd use; -allow cupsd_config_t crond_t:fifo_file r_file_perms; -allow cupsd_t crond_t:fifo_file read; -allow cupsd_t crond_t:fd use; - # Alternatives asks for this allow cupsd_config_t initrc_exec_t:file getattr; @@ -664,6 +633,7 @@ ifdef(`targeted_policy', ` allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg; allow unconfined_t cupsd_config_t:dbus send_msg; allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read; + term_use_generic_pty(cupsd_config_t) ') ######################################## diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te index 6af68c3..50b6769 100644 --- a/refpolicy/policy/modules/services/finger.te +++ b/refpolicy/policy/modules/services/finger.te @@ -100,6 +100,9 @@ miscfiles_read_localization(fingerd_t) userdom_read_unpriv_user_home_files(fingerd_t) userdom_dontaudit_use_unpriv_user_fd(fingerd_t) userdom_dontaudit_search_sysadm_home_dir(fingerd_t) +# stop it accessing sub-directories, prevents checking a Maildir for new mail, +# have to change this when we create a type for Maildir +userdom_dontaudit_search_user_home_dirs(fingerd_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(fingerd_t) @@ -130,7 +133,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(fingerd_t) ') - -# stop it accessing sub-directories, prevents checking a Maildir for new mail, -# have to change this when we create a type for Maildir -dontaudit fingerd_t user_home_t:dir search; diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index d0c1694..236dcee 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.0.1) +policy_module(hal,1.0.2) ######################################## # @@ -134,6 +134,7 @@ optional_policy(`apm',` optional_policy(`cups',` cups_domtrans_config(hald_t) + cups_signal_config(hald_t) ') optional_policy(`dbus',` @@ -187,21 +188,4 @@ optional_policy(`updfstab',` ifdef(`TODO',` allow hald_t device_t:dir create_dir_perms; - -optional_policy(`hald',` -allow udev_t hald_t:unix_dgram_socket sendto; -') ') dnl end TODO - -ifdef(`targeted_policy', ` -allow unconfined_t hald_t:dbus send_msg; -allow hald_t unconfined_t:dbus send_msg; -') - -optional_policy(`updfstab',` - allow updfstab_t hald_t:dbus send_msg; - allow hald_t updfstab_t:dbus send_msg; -') - -allow hald_t initrc_t:dbus send_msg; -allow initrc_t hald_t:dbus send_msg; diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te index 163c297..e834aca 100644 --- a/refpolicy/policy/modules/services/mailman.te +++ b/refpolicy/policy/modules/services/mailman.te @@ -51,9 +51,7 @@ optional_policy(`apache',` apache_sigchld(mailman_cgi_t) apache_use_fd(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) - - # FIXME: - allow mailman_cgi_t httpd_sys_script_t:dir search; + apache_search_sys_script_state(mailman_cgi_t) ') ######################################## diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 3b89e10..8abdaba 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -36,6 +36,11 @@ interface(`mta_stub',` # template(`mta_base_mail_template',` + gen_require(` + attribute user_mail_domain; + type sendmail_exec_t; + ') + ############################## # # $1_mail_t declarations @@ -45,12 +50,8 @@ template(`mta_base_mail_template',` domain_type($1_mail_t) domain_entry_file($1_mail_t,sendmail_exec_t) - optional_policy(`sendmail',` - type $1_mail_tmp_t; - files_tmp_file($1_mail_tmp_t) - - sendmail_stub($1_mail_t) - ') + type $1_mail_tmp_t; + files_tmp_file($1_mail_tmp_t) ############################## # @@ -107,6 +108,10 @@ template(`mta_base_mail_template',` ') optional_policy(`sendmail',` + gen_require(` + type etc_mail_t, mail_spool_t, mqueue_spool_t; + ') + allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms; allow $1_mail_t $1_mail_tmp_t:file create_file_perms; files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir }) @@ -166,7 +171,8 @@ template(`mta_base_mail_template',` # template(`mta_per_userdomain_template',` gen_require(` - attribute mailserver_domain, mta_user_agent, user_mail_domain; + attribute mailserver_domain, mta_user_agent; + attribute mailserver_delivery, user_mail_domain; type sendmail_exec_t; ') diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te index e0e321a..bc9e604 100644 --- a/refpolicy/policy/modules/services/procmail.te +++ b/refpolicy/policy/modules/services/procmail.te @@ -6,8 +6,7 @@ policy_module(procmail,1.0.0) # Declarations # -# privhome only works until we define a different type for maildir -type procmail_t, privhome; +type procmail_t; type procmail_exec_t; domain_type(procmail_t) domain_entry_file(procmail_t,procmail_exec_t) @@ -61,6 +60,7 @@ libs_use_shared_libs(procmail_t) miscfiles_read_localization(procmail_t) +# only works until we define a different type for maildir userdom_priveleged_home_dir_manager(procmail_t) # Do not audit attempts to access /root. userdom_dontaudit_search_sysadm_home_dir(procmail_t) diff --git a/refpolicy/policy/modules/services/radius.if b/refpolicy/policy/modules/services/radius.if index c3b31d7..33cd1ed 100644 --- a/refpolicy/policy/modules/services/radius.if +++ b/refpolicy/policy/modules/services/radius.if @@ -10,7 +10,7 @@ # interface(`radius_use',` gen_require(` - type radius_t; + type radiusd_t; ') allow $1 radiusd_t:udp_socket sendto; diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if index 3e9a0a5..34b6d48 100644 --- a/refpolicy/policy/modules/services/samba.if +++ b/refpolicy/policy/modules/services/samba.if @@ -215,6 +215,25 @@ interface(`samba_search_var',` ######################################## ## +## Allow the specified domain to +## read and write samba /var files. +## +## +## Domain allowed access. +## +# +interface(`samba_rw_var_files',` + gen_require(` + type samba_var_t; + ') + + files_search_var($1) + allow $1 samba_var_t:dir search_dir_perms; + allow $1 samba_var_t:file rw_file_perms; +') + +######################################## +## ## Allow the specified domain to write to smbmount tcp sockets. ## ## diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index d64453f..0afd82a 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -559,8 +559,6 @@ interface(`auth_exec_pam',` interface(`auth_read_pam_pid',` gen_require(` type pam_var_run_t; - class dir r_dir_perms; - class file r_file_perms; ') files_search_var($1) @@ -569,6 +567,22 @@ interface(`auth_read_pam_pid',` allow $1 pam_var_run_t:file r_file_perms; ') +####################################### +## +## Do not audit attemps to read PAM pid files. +## +## +## Domain to not audit. +## +# +interface(`auth_dontaudit_read_pam_pid',` + gen_require(` + type pam_var_run_t; + ') + + dontaudit $1 pam_var_run_t:file { getattr read }; +') + ######################################## ## ## Delete pam PID files. diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index d2546fa..78f2d87 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -471,6 +471,7 @@ interface(`domain_kill_all_domains',` allow $1 domain:process sigkill; allow $1 self:capability kill; ') + ######################################## ## ## Search the process state directory (/proc/pid) of all domains. @@ -491,6 +492,23 @@ interface(`domain_search_all_domains_state',` ######################################## ## +## Do not audit attempts to search the process +## state directory (/proc/pid) of all domains. +## +## +## Domain to not audit. +## +# +interface(`domain_dontaudit_search_all_domains_state',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:dir search_dir_perms; +') + +######################################## +## ## Read the process state (/proc/pid) of all domains. ## ## diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te index 75d6223..4659db9 100644 --- a/refpolicy/policy/modules/system/fstools.te +++ b/refpolicy/policy/modules/system/fstools.te @@ -1,5 +1,5 @@ -policy_module(fstools,1.0) +policy_module(fstools,1.0.1) ######################################## # @@ -72,6 +72,8 @@ dev_getattr_usbfs_dir(fsadm_t) fs_search_auto_mountpoints(fsadm_t) fs_getattr_xattr_fs(fsadm_t) +fs_rw_ramfs_pipe(fsadm_t) +fs_rw_tmpfs_file(fsadm_t) # remount file system to apply changes fs_remount_xattr_fs(fsadm_t) # for /dev/shm @@ -155,10 +157,3 @@ optional_policy(`cron',` optional_policy(`nis',` nis_use_ypbind(fsadm_t) ') - -ifdef(`TODO',` -ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;') -') dnl end TODO - -allow fsadm_t tmpfs_t:file { read write }; -allow fsadm_t ramfs_t:fifo_file rw_file_perms; diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 54749bd..d12b7f2 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -477,6 +477,23 @@ interface(`init_dontaudit_unix_connect_script',` ######################################## ## +## Get the attribute of init script entrypoint files. +## +## +## Domain allowed access. +## +# +interface(`init_getattr_script_entry_file',` + gen_require(` + type initrc_exec_t; + ') + + files_list_etc($1) + allow $1 initrc_exec_t:file getattr; +') + +######################################## +## ## Read init scripts. ## ## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index c1ca9bd..28fda4c 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.0.1) +policy_module(init,1.0.2) gen_require(` class passwd rootok; @@ -494,6 +494,10 @@ optional_policy(`cpucontrol',` dev_getattr_cpu(initrc_t) ') +optional_policy(`cups',` + cups_read_log(initrc_t) +') + optional_policy(`dbus',` dbus_connect_system_bus(initrc_t) dbus_send_system_bus_msg(initrc_t) @@ -502,6 +506,10 @@ optional_policy(`dbus',` optional_policy(`networkmanager',` networkmanager_dbus_chat(initrc_t) ') + + optional_policy(`updfstab',` + updfstab_dbus_chat(initrc_t) + ') ') optional_policy(`ftp',` diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 247e9de..13801fb 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -1,6 +1,10 @@ policy_module(modutils,1.0) +gen_require(` + bool secure_mode_insmod; +') + ######################################## # # Declarations diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te index a189206..0bad501 100644 --- a/refpolicy/policy/modules/system/pcmcia.te +++ b/refpolicy/policy/modules/system/pcmcia.te @@ -55,6 +55,8 @@ kernel_dontaudit_getattr_message_if(cardmgr_t) bootloader_search_kernel_modules(cardmgr_t) dev_read_sysfs(cardmgr_t) +dev_manage_cardmgr(cardmgr_t) +dev_create_cardmgr(cardmgr_t) dev_getattr_all_chr_files(cardmgr_t) dev_getattr_all_blk_files(cardmgr_t) # for SSP @@ -149,6 +151,5 @@ optional_policy(`udev',` # Create device files in /tmp. # cjp: why is this created all over the place? -allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms; -allow cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:dir rw_dir_perms; -type_transition cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t; +allow cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:dir rw_dir_perms; +type_transition cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t; diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 06433bf..9b649fd 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -13,6 +13,18 @@ gen_require(` attribute can_write_binary_policy; attribute can_relabelto_binary_policy; +# +# selinux_config_t is the type applied to +# /etc/selinux/config +# +# cjp: this is out of order due to rules +# in the domain_type interface +# (fix dup decl) +type selinux_config_t; +files_type(selinux_config_t) +kernel_list_from(selinux_config_t) +kernel_read_file_from(selinux_config_t) + type checkpolicy_t, can_write_binary_policy; domain_type(checkpolicy_t) role system_r types checkpolicy_t; @@ -81,15 +93,6 @@ domain_type(run_init_t) type run_init_exec_t; domain_entry_file(run_init_t,run_init_exec_t) -# -# selinux_config_t is the type applied to -# /etc/selinux/config -# -type selinux_config_t; -files_type(selinux_config_t) -kernel_list_from(selinux_config_t) -kernel_read_file_from(selinux_config_t) - type setfiles_t, can_relabelto_binary_policy; domain_obj_id_change_exempt(setfiles_t) domain_type(setfiles_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 8347a59..c1a479f 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -173,8 +173,12 @@ optional_policy(`dbus',` domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t) - allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg; - allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg; + allow initrc_t dhcpc_t:dbus send_msg; + allow dhcpc_t initrc_t:dbus send_msg; + + optional_policy(`networkmanager',` + networkmanager_dbus_chat(dhcpc_t) + ') ifdef(`unconfined.te', ` allow unconfined_t dhcpc_t:dbus send_msg; diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 2a7a1ad..efe4fa8 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -1,5 +1,5 @@ -policy_module(udev,1.0) +policy_module(udev,1.0.1) ######################################## # @@ -176,6 +176,10 @@ optional_policy(`dbus',` dbus_system_bus_client_template(udev,udev_t) ') +optional_policy(`hal',` + hal_dgram_sendto(udev_t) +') + optional_policy(`hotplug',` hotplug_read_config(udev_t) ') @@ -192,8 +196,8 @@ optional_policy(`sysnetwork',` sysnet_domtrans_dhcpc(udev_t) ') -#optional_policy(`xserver',` -# xserver_read_xdm_pid(udev_t) +#optional_policy(`xdm',` +# xdm_read_pid(udev_t) #') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 7348834..8160f15 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.0.2) +policy_module(unconfined,1.0.3) ######################################## # @@ -60,6 +60,14 @@ ifdef(`targeted_policy',` optional_policy(`dbus',` dbus_stub(unconfined_t) + optional_policy(`avahi',` + avahi_dbus_chat(unconfined_t) + ') + + optional_policy(`hal',` + hal_dbus_chat(unconfined_t) + ') + optional_policy(`networkmanager',` networkmanager_dbus_chat(unconfined_t) ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index fdd932b..6d775a8 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -322,9 +322,17 @@ template(`base_user_template',` canna_stream_connect($1_t) ') + optional_policy(`cups',` + cups_stream_connect_ptal($1_t) + ') + optional_policy(`dbus',` dbus_system_bus_client_template($1,$1_t) + optional_policy(`cups',` + cups_dbus_chat_config($1_t) + ') + optional_policy(`hal',` hal_dbus_chat($1_t) ') @@ -2569,7 +2577,7 @@ interface(`userdom_signal_all_users',` ## Domain allowed access. ## # -interface(`userdom_sigcld_all_users',` +interface(`userdom_sigchld_all_users',` gen_require(` attribute userdomain; ') @@ -2579,6 +2587,23 @@ interface(`userdom_sigcld_all_users',` ######################################## ## +## Send a dbus message to all user domains. +## +## +## Domain allowed access. +## +# +interface(`userdom_dbus_send_all_users',` + gen_require(` + attribute userdomain; + class dbus send_msg; + ') + + allow $1 userdomain:dbus send_msg; +') + +######################################## +## ## Unconfined access to user domains. ## ##