From 9fe1b540b8661909154727a795ca529d375349b9 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: May 20 2010 12:54:51 +0000
Subject: Prelink patch from Dan Walsh.
---
diff --git a/policy/modules/admin/prelink.fc b/policy/modules/admin/prelink.fc
index 0c1055d..cfb874a 100644
--- a/policy/modules/admin/prelink.fc
+++ b/policy/modules/admin/prelink.fc
@@ -1,3 +1,4 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index bb9b962..6c151d4 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -21,6 +21,25 @@ interface(`prelink_domtrans',`
########################################
##
+## Execute the prelink program in the current domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_exec',`
+ gen_require(`
+ type prelink_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, prelink_exec_t)
+')
+
+########################################
+##
## Execute the prelink program in the prelink domain.
##
##
@@ -159,3 +178,22 @@ interface(`prelink_relabelfrom_lib',`
files_search_var_lib($1)
relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
+
+########################################
+##
+## Relabel from files in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_relabel_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index 15621d8..516e538 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
-policy_module(prelink, 1.8.0)
+policy_module(prelink, 1.8.1)
########################################
#
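Review bot: The summary on the new `prelink_relabel_lib` interface reads "Relabel from files in the /boot directory", but the body calls files_search_var_lib($1) and relabel_files_pattern on prelink_var_lib_t, so it grants relabelfrom and relabelto on prelink files under /var/lib, not a from-only relabel of anything in /boot. The doc line should match what is granted, e.g. `## Relabel to and from prelink files in /var/lib.` (the surrounding summary markup appears to have been stripped in this rendering). Since relabelto lets the caller assign prelink_var_lib_t to files it can already relabelfrom, the wider permission set is worth stating explicitly rather than hiding behind the shorter name; the sibling prelink_relabelfrom_lib just above is the from-only variant and the two are easy to confuse.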
@@ -15,14 +15,22 @@ domain_obj_id_change_exemption(prelink_t)
type prelink_cache_t;
files_type(prelink_cache_t)
+type prelink_cron_system_t;
+type prelink_cron_system_exec_t;
+domain_type(prelink_cron_system_t)
+domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
+
type prelink_log_t;
logging_log_file(prelink_log_t)
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
+type prelink_tmpfs_t;
+files_tmpfs_file(prelink_tmpfs_t)
+
type prelink_var_lib_t;
-files_tmp_file(prelink_var_lib_t)
+files_type(prelink_var_lib_t)
########################################
#
@@ -35,7 +43,6 @@ allow prelink_t self:fifo_file rw_fifo_file_perms;
allow prelink_t prelink_cache_t:file manage_file_perms;
files_etc_filetrans(prelink_t, prelink_cache_t, file)
-files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
allow prelink_t prelink_log_t:dir setattr;
create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
@@ -45,11 +52,14 @@ logging_log_filetrans(prelink_t, prelink_log_t, file)
allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
-fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
+
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
+fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
-files_search_var_lib(prelink_t)
+relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
# prelink misc objects that are not system
# libraries or entrypoints
@@ -80,6 +90,7 @@ fs_getattr_xattr_fs(prelink_t)
selinux_get_enforce_mode(prelink_t)
libs_exec_ld_so(prelink_t)
+libs_legacy_use_shared_libs(prelink_t)
libs_manage_ld_so(prelink_t)
libs_relabel_ld_so(prelink_t)
libs_manage_shared_libs(prelink_t)
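Review bot: `allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };` hands prelink_t write, execute and execmod on the same scratch type, which is the write-plus-execute exception that policy normally documents in place; the identical set already exists for prelink_tmp_t, so carving tmpfs out into its own type does not widen anything, but the new rule still lands with no explanation. A one-line comment above the pair, e.g. `# prelink needs to map its rewritten scratch copies executable (execmod) before relabeling them into place`, would spare the next reader the AVC archaeology, assuming that is in fact why execmod is needed — please confirm against prelink's behaviour. If prelink never relabels its tmpfs scratch files, relabelfrom could also be dropped from this rule; the hunk alone does not show whether it does.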
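Review bot: `libs_legacy_use_shared_libs(prelink_t)` does more than its name suggests: as far as I recall the refpolicy interface, it also grants execmod on textrel_shlib_t, i.e. mapping text-relocating libraries writable and executable, on top of the manage and relabel shared-library rules prelink_t already has in this block. If prelink only reads and rewrites those libraries, libs_manage_shared_libs already covers the file access and the legacy interface may be unnecessary; if prelink actually loads them (for example when verifying its output), a comment such as `# prelink maps textrel libraries when checking rewritten objects` should say so. Worth checking which denial prompted this line before it ships, since an execmod grant is the kind of exception that tends to outlive its reason.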
@@ -99,5 +110,54 @@ optional_policy(`
')
optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+')
+
+optional_policy(`
unconfined_domain(prelink_t)
')
+
+########################################
+#
+# Prelink Cron system Policy
+#
+
+optional_policy(`
+ allow prelink_cron_system_t self:capability setuid;
+ allow prelink_cron_system_t self:process { setsched setfscreate };
+ allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
+ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
+
+ read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
+ allow prelink_cron_system_t prelink_cache_t:file unlink;
+
+ domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
+ allow prelink_cron_system_t prelink_t:process noatsecure;
+
+ manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
+
+ manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
+ files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
+ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
+
+ kernel_read_system_state(prelink_cron_system_t)
+
+ corecmd_exec_bin(prelink_cron_system_t)
+ corecmd_exec_shell(prelink_cron_system_t)
+
+ files_read_etc_files(prelink_cron_system_t)
+
+ init_exec(prelink_cron_system_t)
+
+ libs_exec_ld_so(prelink_cron_system_t)
+
+ logging_search_logs(prelink_cron_system_t)
+
+ miscfiles_read_localization(prelink_cron_system_t)
+
+ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+
+ optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+ ')
+')
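Review bot: `allow prelink_cron_system_t prelink_t:process noatsecure;` switches off secure-execution handling across the domain transition into prelink_t, so the dynamic loader in the new domain honors inherited LD_* and similar environment variables instead of scrubbing them as it does after a normal domtrans. The caller here is a system cron job rather than an unprivileged user, which limits the exposure, but the rule is unusual next to domtrans_pattern and should either carry a comment naming what prelink needs from the script's environment, e.g. `# cron script passes options to prelink via the environment; keep AT_SECURE off`, or be dropped if it only came from a permissive-mode denial. `self:process setfscreate` deserves the same scrutiny: nothing in the hunk shows the script choosing a file-creation context, and it lets the domain bypass the type_transitions declared here for any type it can otherwise create. Both points stand independently of the fact that the whole domain is wrapped in one optional_policy block; that block only makes the rules disappear when cron is absent and does not narrow them.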