From a3cf80d85ba09527e88139b89db11b5b93595908 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mar 23 2006 19:19:38 +0000 Subject: patch from dan Fri, 17 Mar 2006 15:22:53 -0500 --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 4c4530d..4971b87 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,4 @@ +- Numerous fixes from Dan Walsh. - Change build order to preserve m4 line number information so policy compile errors are useful again. - Additional MLS interfaces from Chad Hanson. @@ -23,6 +24,7 @@ rhgb thunderbird tor (Erich Schubert) + xen (Dan Walsh) * Tue Mar 07 2006 Chris PeBenito - 20060307 - Make all interface parameters required. diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular index dc44893..4ca258f 100644 --- a/refpolicy/Rules.modular +++ b/refpolicy/Rules.modular @@ -208,7 +208,7 @@ enableaudit: $(BASE_CONF) # $(APPDIR)/customizable_types: $(BASE_CONF) @mkdir -p $(APPDIR) - $(verbose) $(GREP) "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > $(TMPDIR)/customizable_types + $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types $(verbose) install -m 644 $(TMPDIR)/customizable_types $@ ######################################## diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic index 9503485..0a84109 100644 --- a/refpolicy/Rules.monolithic +++ b/refpolicy/Rules.monolithic @@ -213,7 +213,7 @@ $(BUILDDIR)longcheck.res: $(POLICY_CONF) $(FC) # $(APPDIR)/customizable_types: $(POLICY_CONF) @mkdir -p $(APPDIR) - $(verbose) $(GREP) "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > $(TMPDIR)/customizable_types + $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types $(verbose) install -m 644 $(TMPDIR)/customizable_types $@ ######################################## 
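Review bot: The widened pattern `'^[[:blank:]]*type .*customizable'` in the `$(APPDIR)/customizable_types` recipe now matches declarations indented with spaces, but the following `cut -d' ' -f2` still treats `type` as the first space-separated field, so a space-indented match yields `type` (or an empty field) instead of the type name. Strip the indentation before the field extraction, e.g. `$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | sed 's/^[[:blank:]]*//' | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types`. The Rules.monolithic hunk has the same pipeline and needs the same change. This diff does not show `$(SORT)` being defined; if the including Makefile does not set it, the variable expands empty and the pipeline ends in a bare `-u`, so confirm it is defined (or fall back to `sort`).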
diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs index 9a39f46..69f172a 100644 --- a/refpolicy/policy/mcs +++ b/refpolicy/policy/mcs @@ -141,9 +141,7 @@ mlsconstrain file { write setattr append unlink link rename mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2)); -mlsconstrain file { read } ((h1 dom h2) or - ( t1 == mlsfileread )); - +mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread )); # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te index 165da65..b13756c 100644 --- a/refpolicy/policy/modules/admin/bootloader.te +++ b/refpolicy/policy/modules/admin/bootloader.te @@ -1,5 +1,5 @@ -policy_module(bootloader,1.2.0) +policy_module(bootloader,1.2.1) ######################################## # @@ -103,13 +103,14 @@ files_manage_boot_files(bootloader_t) files_manage_boot_symlinks(bootloader_t) files_read_etc_files(bootloader_t) files_exec_etc_files(bootloader_t) -files_read_etc_runtime_files(bootloader_t) files_read_usr_src_files(bootloader_t) files_read_usr_files(bootloader_t) files_read_var_files(bootloader_t) files_read_kernel_modules(bootloader_t) # for nscd files_dontaudit_search_pids(bootloader_t) +# for blkid.tab +files_manage_etc_runtime_files(bootloader_t) init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) diff --git a/refpolicy/policy/modules/admin/dmidecode.te b/refpolicy/policy/modules/admin/dmidecode.te index 839896f..ae975cd 100644 --- a/refpolicy/policy/modules/admin/dmidecode.te +++ b/refpolicy/policy/modules/admin/dmidecode.te @@ -1,5 +1,5 @@ -policy_module(dmidecode,1.0.0) +policy_module(dmidecode,1.0.1) ######################################## # 
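Review bot: The rewritten `mlsconstrain file { read }` rule adds `( t2 == domain )` without a comment, which exempts every file whose type carries the `domain` attribute from the category-dominance check on read; presumably this is for the /proc/<pid> entries that are labelled with the process's own type, but the rule does not say so. Add a one-line comment above it, e.g. `# /proc/<pid> entries carry the process domain type; allow reading them across categories`. The new exemption is keyed on the object type rather than on a trusted subject type like the existing `mlsfileread` clause, so it is worth stating explicitly that this is intended.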
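Review bot: Replacing `files_read_etc_runtime_files(bootloader_t)` with `files_manage_etc_runtime_files(bootloader_t)` gives bootloader_t create, write and unlink access to every etc_runtime_t file and directory, not only the blkid cache the comment names. If the only need is the blkid cache, scope the grant down where a narrower interface is available, or at least expand the comment so the breadth is deliberate, e.g. `# for blkid.tab: blkid rewrites its cache, so full manage access to etc_runtime_t is needed`. The same etc_runtime_t label is widened to a directory in the files.fc hunk of this patch, which is presumably why the directory permissions are needed here.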
@@ -23,6 +23,8 @@ allow dmidecode_t self:capability sys_rawio; # Allow dmidecode to read /dev/mem dev_read_raw_memory(dmidecode_t) +mls_file_read_up(dmidecode_t) + term_list_ptys(dmidecode_t) files_list_usr(dmidecode_t) diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te index 0bf9f33..1bbcff8 100644 --- a/refpolicy/policy/modules/admin/readahead.te +++ b/refpolicy/policy/modules/admin/readahead.te @@ -1,5 +1,5 @@ -policy_module(readahead,1.2.0) +policy_module(readahead,1.2.1) ######################################## # @@ -18,7 +18,7 @@ files_pid_file(readahead_var_run_t) # Local policy # -dontaudit readahead_t self:capability sys_tty_config; +dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config }; allow readahead_t self:process signal_perms; allow readahead_t readahead_var_run_t:file create_file_perms; diff --git a/refpolicy/policy/modules/admin/rpm.fc b/refpolicy/policy/modules/admin/rpm.fc index 186995b..e7ee7d7 100644 --- a/refpolicy/policy/modules/admin/rpm.fc +++ b/refpolicy/policy/modules/admin/rpm.fc @@ -22,7 +22,7 @@ ifdef(`distro_redhat', ` /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) -/var/log/yum\.log -- gen_context(system_u:object_r:rpm_log_t,s0) +/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) # SuSE ifdef(`distro_suse', ` diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index a6fc3ff..2010151 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -78,6 +78,9 @@ interface(`rpm_run',` role $2 types rpm_t; role $2 types rpm_script_t; seutil_run_loadpolicy(rpm_script_t,$2,$3) + seutil_run_semanage(rpm_script_t,$2,$3) + seutil_run_setfiles(rpm_script_t,$2,$3) + seutil_run_restorecon(rpm_script_t,$2,$3) allow rpm_t $3:chr_file rw_term_perms; ') 
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index f9bd40d..c83a0a9 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.3.1) +policy_module(rpm,1.3.2) ######################################## # @@ -326,6 +326,7 @@ modutils_domtrans_insmod(rpm_script_t) seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_restorecon(rpm_script_t) +seutil_domtrans_semanage(rpm_script_t) userdom_use_all_users_fds(rpm_script_t) diff --git a/refpolicy/policy/modules/admin/su.fc b/refpolicy/policy/modules/admin/su.fc index 5d385e6..5c15aa6 100644 --- a/refpolicy/policy/modules/admin/su.fc +++ b/refpolicy/policy/modules/admin/su.fc @@ -2,3 +2,4 @@ /bin/su -- gen_context(system_u:object_r:su_exec_t,s0) /usr(/local)?/bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index 6cce4e9..80f4d81 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -134,7 +134,6 @@ template(`su_per_userdomain_template',` # Transition from the user domain to this domain. domain_auto_trans($2, su_exec_t, $1_su_t) - allow $2 $1_su_t:fd use; allow $1_su_t $2:fd use; allow $1_su_t $2:fifo_file rw_file_perms; allow $1_su_t $2:process sigchld; @@ -142,9 +141,8 @@ template(`su_per_userdomain_template',` # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_su_t,$2) allow $2 $1_su_t:fd use; - allow $1_su_t $2:fd use; - allow $1_su_t $2:fifo_file rw_file_perms; - allow $1_su_t $2:process sigchld; + allow $2 $1_su_t:fifo_file rw_file_perms; + allow $2 $1_su_t:process sigchld; kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te index 59a5b12..b31c42e 100644 
--- a/refpolicy/policy/modules/admin/su.te +++ b/refpolicy/policy/modules/admin/su.te @@ -1,5 +1,5 @@ -policy_module(su,1.3.0) +policy_module(su,1.3.1) ######################################## # diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te index b76f18a..7a9fdc7 100644 --- a/refpolicy/policy/modules/admin/updfstab.te +++ b/refpolicy/policy/modules/admin/updfstab.te @@ -1,5 +1,5 @@ -policy_module(updfstab,1.2.0) +policy_module(updfstab,1.2.1) ######################################## # @@ -102,6 +102,10 @@ optional_policy(`dbus',` dbus_send_system_bus(updfstab_t) ') +optional_policy(`fstools',` + fstools_getattr_swap_files(updfstab_t) +') + optional_policy(`hal',` hal_stream_connect(updfstab_t) hal_dbus_chat(updfstab_t) @@ -124,7 +128,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(updfstab_t) ') - -ifdef(`TODO',` -allow updfstab_t tmpfs_t:dir getattr; -') diff --git a/refpolicy/policy/modules/admin/vbetool.te b/refpolicy/policy/modules/admin/vbetool.te index d4b9eea..88456a7 100644 --- a/refpolicy/policy/modules/admin/vbetool.te +++ b/refpolicy/policy/modules/admin/vbetool.te @@ -1,5 +1,5 @@ -policy_module(vbetool,1.0.0) +policy_module(vbetool,1.0.1) ######################################## # @@ -15,6 +15,7 @@ init_system_domain(vbetool_t,vbetool_exec_t) # Local policy # +allow vbetool_t self:capability { sys_tty_config sys_admin }; allow vbetool_t self:process execmem; dev_wx_raw_memory(vbetool_t) @@ -22,5 +23,13 @@ dev_read_raw_memory(vbetool_t) dev_rwx_zero(vbetool_t) dev_read_sysfs(vbetool_t) +term_use_unallocated_ttys(vbetool_t) + libs_use_ld_so(vbetool_t) libs_use_shared_libs(vbetool_t) + +miscfiles_read_localization(vbetool_t) + +optional_policy(`hal',` + hal_rw_pid_files(vbetool_t) +') diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc index f0abdba..fb37388 100644 --- a/refpolicy/policy/modules/kernel/corecommands.fc 
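Review bot: The new `allow vbetool_t self:capability { sys_tty_config sys_admin };` grants sys_admin, one of the broadest capabilities, with no comment saying which operation needs it; the domain already has raw memory write access via `dev_wx_raw_memory(vbetool_t)`, so the combination deserves an explicit justification. Add a comment naming the triggering operation above the rule, e.g. `# sys_admin: needed for <OPERATION FROM THE AVC DENIAL — placeholder, confirm>`, and if it turns out not to be required, make it a dontaudit instead of an allow.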
+++ b/refpolicy/policy/modules/kernel/corecommands.fc @@ -32,11 +32,14 @@ ifdef(`distro_redhat',` # # /etc # + /etc/hotplug/.*agent -- gen_context(system_u:object_r:sbin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:sbin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:sbin_t,s0) /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:sbin_t,s0) +/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + /etc/netplug\.d(/.*)? gen_context(system_u:object_r:sbin_t,s0) /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) @@ -44,6 +47,8 @@ ifdef(`distro_redhat',` /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0) +/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0) @@ -52,6 +57,8 @@ ifdef(`distro_redhat',` /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + ifdef(`distro_debian',` /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) ') @@ -132,6 +139,8 @@ ifdef(`distro_gentoo',` /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te index 42953f9..1185d89 100644 --- a/refpolicy/policy/modules/kernel/corecommands.te 
+++ b/refpolicy/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.3.3) +policy_module(corecommands,1.3.4) ######################################## # diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index ea9a43a..16fa9ac 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.1.2) +policy_module(corenetwork,1.1.3) ######################################## # @@ -126,6 +126,7 @@ network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) +network_port(xen, tcp,8002,s0) network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0) network_port(zebra, tcp,2601,s0) network_port(zope, tcp,8021,s0) diff --git a/refpolicy/policy/modules/kernel/devices.fc b/refpolicy/policy/modules/kernel/devices.fc index 2b9802e..ee2e73e 100644 --- a/refpolicy/policy/modules/kernel/devices.fc +++ b/refpolicy/policy/modules/kernel/devices.fc @@ -15,6 +15,7 @@ /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) +/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) 
@@ -47,6 +48,7 @@ /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) /dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/smu -c gen_context(system_u:object_r:power_device_t,s0) /dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -86,6 +88,8 @@ ifdef(`distro_suse', ` /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) + ifdef(`distro_redhat',` # originally from named.fc /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 85a3c37..0bef90d 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -2382,7 +2382,7 @@ interface(`dev_rw_generic_usb_dev',` ') allow $1 device_t:dir r_dir_perms; - allow $1 usb_device_t:chr_file { read write }; + allow $1 usb_device_t:chr_file rw_file_perms; ') ######################################## 
@@ -2634,6 +2634,64 @@ interface(`dev_read_video_dev',` ######################################## ## +## Read and write Xen devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_xen',` + gen_require(` + type device_t, xen_device_t; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 xen_device_t:chr_file r_file_perms; +') + +######################################## +## +## Create, read, write, and delete Xen devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_xen',` + gen_require(` + type device_t, xen_device_t; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 xen_device_t:chr_file r_file_perms; +') + +######################################## +## +## Automatic type transition to the type +## for xen device nodes when created in /dev. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_filetrans_xen',` + gen_require(` + type device_t, xen_device_t; + ') + + allow $1 device_t:dir rw_dir_perms; + type_transition $1 device_t:chr_file xen_device_t; +') + +######################################## +## ## Get the attributes of X server miscellaneous devices. ## ## @@ -2768,4 +2826,3 @@ interface(`dev_unconfined',` allow $1 self:capability sys_rawio; typeattribute $1 memory_raw_write, memory_raw_read; ') - diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index 1e38097..3c72579 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.1.1) +policy_module(devices,1.1.2) ######################################## # @@ -168,6 +168,9 @@ dev_node(usb_device_t) type v4l_device_t; dev_node(v4l_device_t) +type xen_device_t; +dev_node(xen_device_t) + type xserver_misc_device_t; dev_node(xserver_misc_device_t) diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc index fcc484f..467c259 100644 
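Review bot: The bodies of the new `dev_rw_xen` and `dev_manage_xen` interfaces do not match their summaries: both grant only `allow $1 xen_device_t:chr_file r_file_perms;`, so a caller of the "Read and write" interface cannot write and a caller of the "Create, read, write, and delete" interface can neither create nor delete. `dev_rw_xen` should use `allow $1 xen_device_t:chr_file rw_file_perms;`, and `dev_manage_xen` should use `allow $1 device_t:dir rw_dir_perms;` together with `allow $1 xen_device_t:chr_file create_file_perms;`, matching the manage-style rules elsewhere in this patch (for example the `create_file_perms` rule on cupsd_var_run_t in cups.te). As written the defect produces denials rather than excess access, but callers written against the summaries will not work.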
--- a/refpolicy/policy/modules/kernel/files.fc +++ b/refpolicy/policy/modules/kernel/files.fc @@ -45,7 +45,7 @@ ifdef(`distro_redhat',` /etc(/.*)? gen_context(system_u:object_r:etc_t,s0) /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/blkid\.tab.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0) /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -60,7 +60,6 @@ ifdef(`distro_redhat',` /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) -/etc/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0) /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -68,8 +67,6 @@ ifdef(`distro_redhat',` /etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0) - /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -93,7 +90,7 @@ ifdef(`distro_suse',` # HOME_ROOT # expanded by genhomedircon # -HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s15:c0.c255) +HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-s15:c0.c255) HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) HOME_ROOT/lost\+found/.* <> diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index 4bec122..eb63505 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if 
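Review bot: The files.fc change replaces `/etc/blkid\.tab.*` with `/etc/blkid(/.*)?`, and the new regex does not match the old path because `(/.*)?` requires a slash after `blkid`; on a system that still writes `/etc/blkid.tab` (the bootloader.te hunk in this same patch still cites `blkid.tab`) the cache would fall back to etc_t and bootloader_t's writes to it would be denied. Keep both entries rather than swapping them: `/etc/blkid\.tab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)` alongside the new directory line, unless every blkid version on the supported distributions has moved to the directory form.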
@@ -1726,6 +1726,7 @@ interface(`files_manage_etc_runtime_files',` ') allow $1 etc_t:dir rw_dir_perms; + allow $1 etc_runtime_t:dir rw_dir_perms; allow $1 etc_runtime_t:file create_file_perms; type_transition $1 etc_t:file etc_runtime_t; ') @@ -3808,12 +3809,13 @@ interface(`files_polyinstantiate_all',` # Need to give permission to create directories where applicable allow $1 self:process setfscreate; - allow $1 polymember: dir { create setattr }; + allow $1 polymember: dir { create setattr relabelto }; allow $1 polydir: dir { write add_name }; - allow $1 polyparent:dir { write add_name }; + allow $1 polyparent:dir { write add_name relabelfrom relabelto }; # Default type for mountpoints allow $1 poly_t:dir { create mounton }; + fs_unmount_xattr_fs($1) ') ######################################## diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te index 0b49aa7..1f69128 100644 --- a/refpolicy/policy/modules/kernel/files.te +++ b/refpolicy/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.2.1) +policy_module(files,1.2.2) ######################################## # diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index 6e70892..12b652f 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.3.0) +policy_module(filesystem,1.3.1) ######################################## # @@ -167,3 +167,5 @@ files_mountpoint(nfs_t) genfscon nfs / gen_context(system_u:object_r:nfs_t,s0) genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0) genfscon afs / gen_context(system_u:object_r:nfs_t,s0) +genfscon hfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0) diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 3ffe0cd..ac84330 100644 
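Review bot: `fs_unmount_xattr_fs($1)` is added to `files_polyinstantiate_all` with no comment, and unmounting any xattr-labelled filesystem is a considerably larger grant than the relabel permissions added next to it; every domain that sets up polyinstantiated directories inherits it. If the unmount is needed to tear down per-session polyinstantiated mounts, say so above the call, e.g. `# tear down polyinstantiated mounts on session end — confirm against the denial that motivated this`. The `relabelfrom relabelto` additions on `polyparent` and `relabelto` on `polymember` would likewise benefit from a one-line reason.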
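Review bot: `genfscon hfs` and `genfscon hfsplus` are labelled `nfs_t` in the filesystem.te hunk, which places local HFS/HFS+ volumes in the type the file otherwise uses for remote filesystems, so every domain allowed to use NFS content also reaches these volumes. If the intent is simply "filesystem without xattr labels, treat like NFS", add a comment above the two lines saying so, e.g. `# hfs/hfsplus do not carry xattr labels; handled like the other label-less filesystems`, so a later reader does not take the grant for an oversight.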
--- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if 
@@ -909,6 +909,110 @@ interface(`kernel_read_network_state_symlinks',` ######################################## ## +## Allow searching of xen state directory. +## +## +## +## The process type reading the state. +## +## +## +# +interface(`kernel_search_xen_state',` + gen_require(` + type proc_t, proc_xen_t; + ') + + allow $1 proc_t:dir search_dir_perms; + allow $1 proc_xen_t:dir search_dir_perms; +') + +######################################## +## +## Do not audit attempts to search the xen +## state directory. +## +## +## +## The process type reading the state. +## +## +## +# +interface(`kernel_dontaudit_search_xen_state',` + gen_require(` + type proc_xen_t; + ') + + dontaudit $1 proc_xen_t:dir search; +') + +######################################## +## +## Allow caller to read the xen state information. +## +## +## +## The process type reading the state. +## +## +## +# +interface(`kernel_read_xen_state',` + gen_require(` + type proc_t, proc_xen_t; + ') + + allow $1 proc_t:dir search_dir_perms; + allow $1 proc_xen_t:dir r_dir_perms; + allow $1 proc_xen_t:file r_file_perms; + allow $1 proc_xen_t:lnk_file { getattr read }; +') + +######################################## +## +## Allow caller to read the xen state symbolic links. +## +## +## +## The process type reading the state. +## +## +## +# +interface(`kernel_read_xen_state_symlinks',` + gen_require(` + type proc_t, proc_xen_t; + ') + + allow $1 proc_t:dir search; + allow $1 proc_xen_t:dir r_dir_perms; + allow $1 proc_xen_t:lnk_file r_file_perms; +') + +######################################## +## +## Allow caller to write xen state information. +## +## +## +## The process type writing the state. 
+## +## +## +# +interface(`kernel_write_xen_state',` + gen_require(` + type proc_t, proc_xen_t; + ') + + allow $1 proc_t:dir search; + allow $1 proc_xen_t:dir r_dir_perms; + allow $1 proc_xen_t:file write; +') + +######################################## +## ## Do not audit attempts by caller to search ## the base directory of sysctls. ## @@ -1044,6 +1148,7 @@ interface(`kernel_rw_vm_sysctls',` allow $1 proc_t:dir search; allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_vm_t:dir list_dir_perms; allow $1 sysctl_vm_t:file rw_file_perms; ') diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index c45b321..58780de 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -1,5 +1,5 @@ -policy_module(kernel,1.3.0) +policy_module(kernel,1.3.1) ######################################## # @@ -75,6 +75,9 @@ genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) type proc_net_t, proc_type; genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) +type proc_xen_t, proc_type; +genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) + # # Sysctl types # diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc index 737fcf6..7cdaf0b 100644 --- a/refpolicy/policy/modules/services/apache.fc +++ b/refpolicy/policy/modules/services/apache.fc @@ -15,6 +15,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) 
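Review bot: The new xen-state interfaces in kernel.if are inconsistent with each other: `kernel_search_xen_state` and `kernel_read_xen_state` use `allow $1 proc_t:dir search_dir_perms;` while `kernel_read_xen_state_symlinks` and `kernel_write_xen_state` use `allow $1 proc_t:dir search;`, and `kernel_read_xen_state` grants `proc_xen_t:lnk_file { getattr read }` where `kernel_read_xen_state_symlinks` grants `r_file_perms` on the same class. Pick one form per purpose so callers get predictable rights; this hunk starts on an earlier line. `kernel_write_xen_state` also grants write on every file under /proc/xen, which on Xen kernels presumably includes the privileged control nodes, so its summary should say it is meant for the Xen control domain rather than the generic "Allow caller to write xen state information."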
@@ -75,3 +76,4 @@ ifdef(`targeted_policy', `', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if index cbd528e..8d07704 100644 --- a/refpolicy/policy/modules/services/apache.if +++ b/refpolicy/policy/modules/services/apache.if @@ -12,6 +12,11 @@ ## # template(`apache_content_template',` + gen_require(` + attribute httpdcontent; + attribute httpd_exec_scripts; + type httpd_t, httpd_suexec_t, httpd_log_t; + ') # allow write access to public file transfer # services files. gen_tunable(allow_httpd_$1_script_anon_write,false) diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index 5d1f593..1309042 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.3.3) +policy_module(apache,1.3.4) # # NOTES: diff --git a/refpolicy/policy/modules/services/apm.fc b/refpolicy/policy/modules/services/apm.fc index cbe282e..0123777 100644 --- a/refpolicy/policy/modules/services/apm.fc +++ b/refpolicy/policy/modules/services/apm.fc @@ -11,7 +11,7 @@ # # /var # -/var/log/acpid -- gen_context(system_u:object_r:apmd_log_t,s0) +/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0) /var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) /var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te index 19ec27c..48761d2 100644 --- a/refpolicy/policy/modules/services/apm.te +++ b/refpolicy/policy/modules/services/apm.te 
@@ -1,5 +1,5 @@ -policy_module(apm,1.2.0) +policy_module(apm,1.2.1) ######################################## # diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index 44e7941..225b82a 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -1,5 +1,5 @@ -policy_module(bluetooth,1.2.0) +policy_module(bluetooth,1.2.1) ######################################## # @@ -115,6 +115,7 @@ corecmd_exec_bin(bluetooth_t) corecmd_exec_shell(bluetooth_t) domain_use_interactive_fds(bluetooth_t) +domain_dontaudit_search_all_domains_state(bluetooth_t) files_read_etc_files(bluetooth_t) files_read_etc_runtime_files(bluetooth_t) @@ -145,6 +146,7 @@ ifdef(`targeted_policy',` optional_policy(`dbus',` dbus_system_bus_client_template(bluetooth,bluetooth_t) + dbus_connect_system_bus(bluetooth_t) dbus_send_system_bus(bluetooth_t) ') @@ -170,6 +172,7 @@ allow bluetooth_helper_t self:process getsched; allow bluetooth_helper_t self:fifo_file rw_file_perms; allow bluetooth_helper_t self:shm create_shm_perms; allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow bluetooth_helper_t self:tcp_socket create_socket_perms; allow bluetooth_helper_t bluetooth_t:socket { read write }; 
@@ -202,20 +205,23 @@ logging_send_syslog_msg(bluetooth_helper_t) miscfiles_read_localization(bluetooth_helper_t) miscfiles_read_fonts(bluetooth_helper_t) -userdom_search_all_users_home_content(bluetooth_helper_t) +optional_policy(`dbus',` + dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t) + dbus_connect_system_bus(bluetooth_helper_t) + dbus_send_system_bus(bluetooth_helper_t) +') optional_policy(`nscd',` nscd_socket_use(bluetooth_helper_t) ') +optional_policy(`xserver',` + xserver_stream_connect_xdm(bluetooth_helper_t) +') + ifdef(`TODO',` allow bluetooth_helper_t tmp_t:dir search; -ifdef(`xserver.te', ` - allow bluetooth_helper_t xserver_log_t:dir search; - allow bluetooth_helper_t xserver_log_t:file { getattr read }; -') - ifdef(`strict_policy',` ifdef(`xdm.te',` allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write }; @@ -227,4 +233,9 @@ ifdef(`targeted_policy',` files_rw_generic_tmp_sockets(bluetooth_helper_t) allow bluetooth_helper_t tmpfs_t:file { read write }; allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto; + userdom_read_all_users_home_content_files(bluetooth_helper_t) + + optional_policy(`xserver',` + xserver_stream_connect_xdm(bluetooth_helper_t) + ') ') diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 42f4006..f5d0c40 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.3.1) +policy_module(cron,1.3.2) gen_require(` class passwd rootok; @@ -166,6 +166,10 @@ ifdef(`targeted_policy',` allow crond_t unconfined_t:dbus send_msg; allow crond_t initrc_t:dbus send_msg; + + optional_policy(`mono',` + mono_domtrans(crond_t) + ') ',` allow crond_t crond_tmp_t:dir create_dir_perms; allow crond_t crond_tmp_t:file create_file_perms; diff --git a/refpolicy/policy/modules/services/cups.fc b/refpolicy/policy/modules/services/cups.fc index 8cd7cc5..4fcfb99 100644 
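Review bot: The `optional_policy(`xserver',` block calling `xserver_stream_connect_xdm(bluetooth_helper_t)` is added twice: once after the nscd block, which appears to be at top level, and again inside the `ifdef(`targeted_policy',` block in the following hunk. The unconditional one already covers the targeted build, so the copy inside the ifdef is redundant and can be dropped. `userdom_read_all_users_home_content_files(bluetooth_helper_t)` in the targeted block also replaces the removed `userdom_search_all_users_home_content` with read access to every user's home files; a one-line comment naming the helper that needs it would make that expansion reviewable.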
--- a/refpolicy/policy/modules/services/cups.fc +++ b/refpolicy/policy/modules/services/cups.fc @@ -43,7 +43,7 @@ /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) /var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0) -/var/run/cups/printcap -- gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if index 1c8220f..5fa55b1 100644 --- a/refpolicy/policy/modules/services/cups.if +++ b/refpolicy/policy/modules/services/cups.if @@ -25,6 +25,47 @@ interface(`cups_domtrans',` ######################################## ## +## Connect to cupsd over an unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_stream_connect',` + gen_require(` + type cupsd_t, cupsd_var_run_t; + ') + + files_search_pids($1) + allow $1 cupsd_var_run_t:dir search; + allow $1 cupsd_var_run_t:sock_file write; + allow $1 cupsd_t:unix_stream_socket connectto; +') + +######################################## +## +## Connect to cups over TCP. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_tcp_connect',` + gen_require(` + type cupsd_t; + ') + + allow $1 cupsd_t:tcp_socket { connectto recvfrom }; + allow cupsd_t $1:tcp_socket { acceptfrom recvfrom }; + kernel_tcp_recvfrom($1) +') + +######################################## +## ## Send and receive messages from ## cups over dbus. ## 
@@ -206,23 +247,3 @@ interface(`cups_stream_connect_ptal',` allow $1 ptal_var_run_t:sock_file write; allow $1 ptal_t:unix_stream_socket connectto; ') - -######################################## -## -## Connect to cups over TCP. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_tcp_connect',` - gen_require(` - type cupsd_t; - ') - - allow $1 cupsd_t:tcp_socket { connectto recvfrom }; - allow cupsd_t $1:tcp_socket { acceptfrom recvfrom }; - kernel_tcp_recvfrom($1) -') diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index 7a96c57..3b130c9 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.3.0) +policy_module(cups,1.3.1) ######################################## # @@ -77,7 +77,7 @@ allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fse dontaudit cupsd_t self:capability { sys_tty_config net_admin }; allow cupsd_t self:process { setsched signal_perms }; allow cupsd_t self:fifo_file rw_file_perms; -allow cupsd_t self:unix_stream_socket create_socket_perms; +allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow cupsd_t self:unix_dgram_socket create_socket_perms; allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms }; @@ -110,6 +110,7 @@ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) allow cupsd_t cupsd_var_run_t:file create_file_perms; allow cupsd_t cupsd_var_run_t:dir rw_dir_perms; +allow cupsd_t cupsd_var_run_t:sock_file create_file_perms; files_pid_filetrans(cupsd_t,cupsd_var_run_t,file) allow cupsd_t hplip_var_run_t:file { read getattr }; 
@@ -119,6 +120,7 @@ allow cupsd_t ptal_var_run_t:sock_file { write setattr };
 allow cupsd_t ptal_t:unix_stream_socket connectto;
 kernel_read_system_state(cupsd_t)
+kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
 kernel_tcp_recvfrom(cupsd_t)
@@ -383,6 +385,8 @@ allow hplip_t self:rawip_socket create_socket_perms;
 allow hplip_t cupsd_etc_t:dir search;
+cups_stream_connect(hplip_t)
+
 allow hplip_t hplip_etc_t:file r_file_perms;
 allow hplip_t hplip_etc_t:dir r_dir_perms;
 allow hplip_t hplip_etc_t:lnk_file { getattr read };
@@ -649,7 +653,7 @@ ifdef(`targeted_policy', `
 ifdef(`targeted_policy',`
 term_use_generic_ptys(cupsd_config_t)
- unconfined_read_pipes(cupsd_config_t)
+ unconfined_rw_pipes(cupsd_config_t)
 ')
 ########################################
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
index f4f54f9..7bc69b2 100644
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@@ -100,3 +100,43 @@ interface(`hal_dbus_chat',`
 allow $1 hald_t:dbus send_msg;
 allow hald_t $1:dbus send_msg;
 ')
+
+
+########################################
+##
+## Read hald state files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_read_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file r_file_perms;
+')
+
+
+########################################
+##
+## Read/Write hald state files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_rw_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file rw_file_perms;
+')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 2ebe6d6..8ef18ef 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
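Review bot: Neither `hal_read_pid_files` nor `hal_rw_pid_files` grants `search` on `hald_var_run_t:dir`; `files_search_pids($1)` only covers the generic pid directory, so if hald's state files sit in a directory labelled hald_var_run_t the caller is denied before it reaches the file (compare `cups_stream_connect` in this same patch, which adds `allow $1 cupsd_var_run_t:dir search;`). Adding `allow $1 hald_var_run_t:dir search;` to both interfaces would make them self-contained. The summaries `Read hald state files.` and `Read/Write hald state files.` do not match the interface names, which say pid files; align one with the other. Each header is preceded by two blank lines where the surrounding file uses one.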
@@ -1,5 +1,5 @@
-policy_module(hal,1.3.0)
+policy_module(hal,1.3.1)
 ########################################
 #
@@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
 #
 # execute openvt which needs setuid
-allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
+allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;
@@ -48,6 +48,7 @@ kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
 kernel_read_kernel_sysctls(hald_t)
 kernel_read_fs_sysctls(hald_t)
+kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
 files_search_boot(hald_t)
@@ -75,6 +76,8 @@ dev_rw_printer(hald_t)
 dev_read_lvm_control(hald_t)
 dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_files(hald_t)
+dev_rw_generic_usb_dev(hald_t)
+
 # hal is now execing pm-suspend
 dev_rw_sysfs(hald_t)
@@ -110,9 +113,8 @@ storage_raw_read_fixed_disk(hald_t)
 storage_raw_write_fixed_disk(hald_t)
 term_dontaudit_use_console(hald_t)
-term_dontaudit_ioctl_unallocated_ttys(hald_t)
-term_dontaudit_use_unallocated_ttys(hald_t)
 term_dontaudit_use_generic_ptys(hald_t)
+term_use_unallocated_ttys(hald_t)
 init_use_fds(hald_t)
 init_use_script_ptys(hald_t)
@@ -144,6 +146,7 @@ userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_sysadm_home_dirs(hald_t)
 ifdef(`targeted_policy', `
+ term_setattr_unallocated_ttys(hald_t)
 term_dontaudit_use_unallocated_ttys(hald_t)
 term_dontaudit_use_generic_ptys(hald_t)
 files_dontaudit_read_root_files(hald_t)
@@ -195,6 +198,10 @@ optional_policy(`hotplug',`
 hotplug_read_config(hald_t)
 ')
+optional_policy(`lvm', `
+ lvm_domtrans(hald_t)
+')
+
 optional_policy(`mount',`
 mount_domtrans(hald_t)
 ')
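Review bot: In the `@@ -22,7 +22,7 @@` hunk `sys_tty_config` is added to the allowed capability set while the next line, `dontaudit hald_t self:capability sys_tty_config;`, is kept; once the capability is allowed that dontaudit is dead and should be removed so a later reader does not assume the capability is still denied. The later hunks grant `kernel_rw_vm_sysctls(hald_t)`, `term_use_unallocated_ttys(hald_t)` and `lvm_domtrans(hald_t)` without saying which hald operation needs them; a one-line why-comment per addition, in the style of the existing `# hal is now execing pm-suspend`, would help the next least-privilege review. Each of these hunks is a fragment of the hald local policy, which continues outside the visible lines.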
diff --git a/refpolicy/policy/modules/services/ktalk.fc b/refpolicy/policy/modules/services/ktalk.fc
index 720bca5..6b30e26 100644
--- a/refpolicy/policy/modules/services/ktalk.fc
+++ b/refpolicy/policy/modules/services/ktalk.fc
@@ -1,3 +1,4 @@
-/usr/bin/in.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/in.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
 /usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0)
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index 5980730..d00edae 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -1,5 +1,5 @@
-policy_module(ktalk,1.2.0)
+policy_module(ktalk,1.2.1)
 ########################################
 #
@@ -11,6 +11,9 @@ type ktalkd_exec_t;
 inetd_udp_service_domain(ktalkd_t,ktalkd_exec_t)
 role system_r types ktalkd_t;
+type ktalkd_log_t;
+logging_log_file(ktalkd_log_t)
+
 type ktalkd_tmp_t;
 files_tmp_file(ktalkd_tmp_t)
@@ -38,6 +41,9 @@ optional_policy(`kerberos',`
 ')
 #end for identd
+allow ktalkd_t ktalkd_log_t:file manage_file_perms;
+logging_log_filetrans(ktalkd_t,ktalkd_log_t,file)
+
 allow ktalkd_t ktalkd_tmp_t:dir create_dir_perms;
 allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
 files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
@@ -68,6 +74,8 @@ fs_getattr_xattr_fs(ktalkd_t)
 files_read_etc_files(ktalkd_t)
+init_read_utmp(ktalkd_t)
+
 libs_use_ld_so(ktalkd_t)
 libs_use_shared_libs(ktalkd_t)
 logging_send_syslog_msg(ktalkd_t)
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index 750ff55..b398141 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
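Review bot: `allow ktalkd_t ktalkd_log_t:file manage_file_perms;` in the `@@ -38,6 +41,9 @@` hunk gives a network-facing inetd service unlink, rename and write on its own log; a log only needs to be created, stat'ed and appended, so `allow ktalkd_t ktalkd_log_t:file { create getattr append };` (plus `setattr` if the daemon adjusts the file's mode) keeps the service from truncating or removing its own audit trail. The matching `logging_log_filetrans(ktalkd_t,ktalkd_log_t,file)` and the ktalk.fc entry `/var/log/talkd.*` are consistent with each other. The rest of the ktalkd local policy lies outside the hunk.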
@@ -275,3 +275,28 @@ interface(`mailman_read_archive',`
 allow $1 mailman_archive_t:file r_file_perms;
 allow $1 mailman_archive_t:lnk_file { getattr read };
 ')
+
+
#######################################
+##
+## Execute mailman_queue in the mailman_queue domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_domtrans_queue',`
+ gen_require(`
+ type mailman_queue_exec_t, mailman_queue_t;
+ ')
+
+ domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)
+
+ allow $1 mailman_queue_t:fd use;
+ allow mailman_queue_t $1:fd use;
+ allow mailman_queue_t $1:fifo_file rw_file_perms;
+ allow mailman_queue_t $1:process sigchld;
+')
+
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index b81fb4d..03228c9 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
-policy_module(mailman,1.1.0)
+policy_module(mailman,1.1.1)
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/nis.fc b/refpolicy/policy/modules/services/nis.fc
index a2e760d..0128ee0 100644
--- a/refpolicy/policy/modules/services/nis.fc
+++ b/refpolicy/policy/modules/services/nis.fc
@@ -4,6 +4,7 @@
 /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
 /usr/sbin/rpc.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc.ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
 /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
 /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 162d5db..f5b10e8 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
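Review bot: `mailman_domtrans_queue` calls `domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)` with no preceding search permission on the directory holding the executable, whereas the otherwise identical `nis_domtrans_ypxfr` added later in this patch begins with `corecmd_search_bin($1)`; unless mailman_queue_exec_t lives somewhere the caller already searches, add the equivalent search call here. The header rule above the interface is 39 `#` characters while the other interface headers in this patch use 40, and the hunk leaves a trailing blank line after the closing `')`. The summary could name the program rather than the type, e.g. `Execute the mailman queue runner in the mailman_queue domain.`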
@@ -277,3 +277,27 @@ interface(`nis_read_ypserv_config',`
 files_search_etc($1)
 allow $1 ypserv_conf_t:file { getattr read };
 ')
+
+########################################
+##
+## Execute ypxfr in the ypxfr domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nis_domtrans_ypxfr',`
+ gen_require(`
+ type ypxfr_t, ypxfr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1,ypxfr_exec_t,ypxfr_t)
+
+ allow $1 ypxfr_t:fd use;
+ allow ypxfr_t $1:fd use;
+ allow ypxfr_t $1:fifo_file rw_file_perms;
+ allow ypxfr_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index b5d97a9..b11a6cb 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -1,5 +1,5 @@
-policy_module(nis,1.1.0)
+policy_module(nis,1.1.1)
 ########################################
 #
@@ -40,6 +40,10 @@ files_tmp_file(ypserv_tmp_t)
 type ypserv_var_run_t;
 files_pid_file(ypserv_var_run_t)
+type ypxfr_t;
+type ypxfr_exec_t;
+init_daemon_domain(ypxfr_t,ypxfr_exec_t)
+
 ########################################
 #
 # ypbind local policy
@@ -245,6 +249,7 @@ dontaudit ypserv_t self:capability sys_tty_config;
 allow ypserv_t self:fifo_file rw_file_perms;
 allow ypserv_t self:process signal_perms;
 allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
 allow ypserv_t self:tcp_socket connected_stream_socket_perms;
 allow ypserv_t self:udp_socket create_socket_perms;
@@ -306,6 +311,8 @@ logging_send_syslog_msg(ypserv_t)
 miscfiles_read_localization(ypserv_t)
+nis_domtrans_ypxfr(ypserv_t)
+
 sysnet_read_config(ypserv_t)
 userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
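Review bot: `init_daemon_domain(ypxfr_t,ypxfr_exec_t)` in the nis.te `@@ -40,6 +40,10 @@` hunk declares ypxfr as an init-script-started daemon, yet the only caller this patch adds is `nis_domtrans_ypxfr(ypserv_t)`, i.e. ypserv_t spawns it; if ypxfr is never started from an init script, declaring it with `domain_type`/`domain_entry_file` plus `role system_r types ypxfr_t;` (as xen.te in this patch does for xenstored_t) presumably avoids handing the init-script domain a transition it does not need. The `nis_domtrans_ypxfr` interface itself is the more complete of the two domtrans interfaces in this patch, since it includes `corecmd_search_bin($1)`.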
@@ -326,3 +333,29 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 udev_read_db(ypserv_t)
 ')
+
+########################################
+#
+# ypxfr local policy
+#
+
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+
+corenet_tcp_sendrecv_all_if(ypxfr_t)
+corenet_udp_sendrecv_all_if(ypxfr_t)
+corenet_raw_sendrecv_all_if(ypxfr_t)
+corenet_tcp_sendrecv_all_nodes(ypxfr_t)
+corenet_udp_sendrecv_all_nodes(ypxfr_t)
+corenet_raw_sendrecv_all_nodes(ypxfr_t)
+corenet_tcp_sendrecv_all_ports(ypxfr_t)
+corenet_udp_sendrecv_all_ports(ypxfr_t)
+corenet_non_ipsec_sendrecv(ypxfr_t)
+corenet_tcp_bind_all_nodes(ypxfr_t)
+corenet_udp_bind_all_nodes(ypxfr_t)
+corenet_tcp_bind_reserved_port(ypxfr_t)
+corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
+corenet_tcp_connect_all_ports(ypxfr_t)
+
+files_read_etc_files(ypxfr_t)
diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if
index df190b2..dd13368 100644
--- a/refpolicy/policy/modules/services/nscd.if
+++ b/refpolicy/policy/modules/services/nscd.if
@@ -49,8 +49,8 @@ interface(`nscd_socket_use',`
 dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
 files_search_pids($1)
+ allow $1 nscd_var_run_t:dir r_dir_perms;
 allow $1 nscd_var_run_t:sock_file rw_file_perms;
- dontaudit $1 nscd_var_run_t:dir { search getattr };
 dontaudit $1 nscd_var_run_t:file { getattr read };
 ')
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 1f1230d..e4ae3dc 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd,1.2.0)
+policy_module(nscd,1.2.1)
 gen_require(`
 class nscd all_nscd_perms;
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 6bed2c4..37e7cf7 100644
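Review bot: The new ypxfr local policy grants every `corenet_*` rule for tcp, udp and raw traffic but never allows ypxfr_t to create those sockets — only `self:unix_stream_socket` is allowed — so the network rules are unreachable until something like `allow ypxfr_t self:tcp_socket create_stream_socket_perms;` and `allow ypxfr_t self:udp_socket create_socket_perms;` are added (the raw-socket rules likewise need a `self:rawip_socket` allow). `corenet_tcp_connect_all_ports(ypxfr_t)` is broad for a map-transfer helper that talks to the portmapper and ypserv; if the peer port really is unpredictable, a comment saying so would justify the rule. The section also lacks the `sysnet_read_config` and logging calls that ypserv_t has in the hunk above, which suggests the domain has not yet been exercised.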
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.2.0)
+policy_module(postfix,1.2.1)
 ########################################
 #
@@ -406,6 +406,10 @@ optional_policy(`procmail',`
 procmail_domtrans(postfix_pipe_t)
 ')
+optional_policy(`mailman',`
+ mailman_domtrans_queue(postfix_pipe_t)
+')
+
 ########################################
 #
 # Postfix postdrop local policy
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index ee4dc11..b04994e 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba,1.2.0)
+policy_module(samba,1.2.1)
 #################################
 #
@@ -32,7 +32,7 @@ files_tmp_file(samba_net_tmp_t)
 type samba_secrets_t;
 files_type(samba_secrets_t)
-type samba_share_t;
+type samba_share_t; # customizable
 files_config_file(samba_share_t)
 type samba_var_t;
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index f6a15db..3ce5d74 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -1,5 +1,5 @@
-policy_module(sendmail,1.2.0)
+policy_module(sendmail,1.2.1)
 ########################################
 #
@@ -125,6 +125,7 @@ optional_policy(`nscd',`
 ')
 optional_policy(`postfix',`
+ postfix_exec_master(sendmail_t)
 postfix_read_config(sendmail_t)
 postfix_search_spool(sendmail_t)
 ')
diff --git a/refpolicy/policy/modules/system/fstools.if b/refpolicy/policy/modules/system/fstools.if
index 1fb801b..29ec471 100644
--- a/refpolicy/policy/modules/system/fstools.if
+++ b/refpolicy/policy/modules/system/fstools.if
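Review bot: `postfix_exec_master(sendmail_t)` in the sendmail.te hunk — if, as the name suggests, this is an execute-without-transition interface, the postfix master started this way keeps running in sendmail_t and inherits sendmail_t's permissions instead of postfix's own confinement; if the intent is to let the sendmail wrapper start postfix, a domain-transition interface would preserve that confinement. A comment on the line naming the sendmail invocation that needs to exec the master would let a later reviewer confirm which was intended. The postfix optional_policy block is complete within the hunk.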
@@ -110,3 +110,21 @@ interface(`fstools_manage_entry_files',`
 allow $1 fsadm_exec_t:file create_file_perms;
 ')
+
+########################################
+##
+## Getattr swapfile
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`fstools_getattr_swap_files',`
+ gen_require(`
+ type swapfile_t;
+ ')
+
+ allow $1 swapfile_t:file getattr;
+')
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index f6d0610..cb4a266 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
-policy_module(fstools,1.3.0)
+policy_module(fstools,1.3.1)
 ########################################
 #
@@ -53,6 +53,7 @@ kernel_read_kernel_sysctls(fsadm_t)
 kernel_change_ring_buffer_level(fsadm_t)
 # mkreiserfs needs this
 kernel_getattr_proc(fsadm_t)
+kernel_getattr_core_if(fsadm_t)
 # Access to /initrd devices
 kernel_rw_unlabeled_dirs(fsadm_t)
 kernel_rw_unlabeled_blk_files(fsadm_t)
@@ -60,6 +61,7 @@ kernel_rw_unlabeled_blk_files(fsadm_t)
 files_getattr_boot_dirs(fsadm_t)
 dev_getattr_all_chr_files(fsadm_t)
+dev_dontaudit_getattr_all_blk_files(fsadm_t)
 # mkreiserfs and other programs need this for UUID
 dev_read_rand(fsadm_t)
 dev_read_urand(fsadm_t)
@@ -127,6 +129,7 @@ files_search_all(fsadm_t)
 init_use_fds(fsadm_t)
 init_use_script_ptys(fsadm_t)
+init_dontaudit_getattr_initctl(fsadm_t)
 libs_use_ld_so(fsadm_t)
 libs_use_shared_libs(fsadm_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 0b559a8..ab16f6b 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.1)
+policy_module(init,1.3.2)
 gen_require(`
 class passwd rootok;
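Review bot: The summary `Getattr swapfile` is terser than every other interface summary in this patch; `Get the attributes of swap files.` reads as documentation and matches the interface name `fstools_getattr_swap_files`. The body, a single `allow $1 swapfile_t:file getattr;`, is as narrow as the name promises, which is the right shape for an interface that other modules will call.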
@@ -482,6 +482,10 @@ ifdef(`distro_suse',`
 ifdef(`targeted_policy',`
 domain_subj_id_change_exemption(initrc_t)
 unconfined_domain(initrc_t)
+
+ optional_policy(`mono',`
+ mono_domtrans(initrc_t)
+ ')
 ',`
 # cjp: require doesnt work in optionals :\
 # this also would result in a type transition
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 677bfdc..c897505 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -65,6 +65,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -74,6 +75,7 @@ ifdef(`distro_redhat',`
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ifdef(`distro_redhat',`
 /usr/lib(64)?/.*/program/.*\.so.* gen_context(system_u:object_r:shlib_t,s0)
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 77501df..8a2b5e0 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.3.0)
+policy_module(libraries,1.3.1)
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 3e4dfd6..f9be092 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -1,5 +1,5 @@
-policy_module(locallogin,1.2.0)
+policy_module(locallogin,1.2.1)
 ########################################
 #
@@ -20,6 +20,7 @@ files_lock_file(local_login_lock_t)
 type local_login_tmp_t;
 files_tmp_file(local_login_tmp_t)
+files_poly_parent(local_login_tmp_t)
 type sulogin_t;
 type sulogin_exec_t;
diff --git a/refpolicy/policy/modules/system/lvm.fc b/refpolicy/policy/modules/system/lvm.fc
index c71690e..0339693 100644
--- a/refpolicy/policy/modules/system/lvm.fc
+++ b/refpolicy/policy/modules/system/lvm.fc
@@ -25,6 +25,7 @@
 # /sbin
 #
 /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index ed40088..1f9d055 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm,1.3.0)
+policy_module(lvm,1.3.1)
 ########################################
 #
@@ -128,7 +128,8 @@ optional_policy(`udev',`
 #
 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
-allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource };
+# rawio needed for dmraid
+allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal };
 # LVM will complain a lot if it cannot set its priority.
@@ -199,6 +200,7 @@ dev_dontaudit_read_all_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_chr_files(lvm_t)
 dev_dontaudit_getattr_generic_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_pipes(lvm_t)
+dev_create_generic_dirs(lvm_t)
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 190f3bd..9161405 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.3.0)
+policy_module(mount,1.3.1)
 ########################################
 #
@@ -26,6 +26,7 @@ allow mount_t mount_tmp_t:dir create_dir_perms;
 files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
 kernel_read_system_state(mount_t)
+kernel_dontaudit_getattr_core_if(mount_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
@@ -33,6 +34,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
 dev_rw_lvm_control(mount_t)
+dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
@@ -73,6 +75,7 @@ files_read_isid_type_files(mount_t)
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
+init_dontaudit_getattr_initctl(mount_t)
 libs_use_ld_so(mount_t)
 libs_use_shared_libs(mount_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc
index 58c4f9e..d66bfe6 100644
--- a/refpolicy/policy/modules/system/selinuxutil.fc
+++ b/refpolicy/policy/modules/system/selinuxutil.fc
@@ -8,9 +8,9 @@
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
 /etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
 /etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
-/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)? -- gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux([^/]*/)?modules/semanage.read.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/etc/selinux([^/]*/)?modules/semanage.trans.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage.read.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage.trans.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
 /etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
 #
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index d6a3b65..7dfe562 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -606,6 +606,28 @@ interface(`seutil_read_config',`
 allow $1 selinux_config_t:lnk_file { getattr read };
 ')
+#######################################
+##
+## Create, read, write, and delete
+## the general selinux configuration files.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`seutil_manage_selinux_config',`
+ gen_require(`
+ type selinux_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir rw_dir_perms;
+ allow $1 selinux_config_t:file manage_file_perms;
+ allow $1 selinux_config_t:lnk_file { getattr read };
+')
+
 ########################################
 ##
 ## Search the policy directory with default_context files.
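Review bot: The rewritten lock-file entries still use unescaped dots in `semanage.read.LOCK` and `semanage.trans.LOCK`, so `.` matches any character; since the neighbouring entries escape literal dots, write `/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK` and `/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK`. The added `/` after `selinux` is the real fix here — the old patterns could not match the `/etc/selinux/<store>/modules` layout at all — and dropping `--` from the `(active|tmp|previous)(/.*)?` entry is what lets the directories themselves be labelled semanage_store_t.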
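Review bot: `seutil_manage_selinux_config` grants `manage_file_perms` and `rw_dir_perms` on all of `selinux_config_t`, a type that, per the fc hunk above, also covers `seusers` and `users` at `s15:c0.c255`; any caller therefore gets full write access to every file of that type, not only the ones it maintains. If the intended caller (semanage_t, in the selinuxutil.te hunks) only needs to rewrite `seusers`/`users`, a dedicated type for those files would keep the rest of the SELinux configuration read-only to it; otherwise the summary should state that this includes the main configuration so future callers are warned. The header rule is 39 `#` characters while the neighbouring `seutil_read_config` header uses 40.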
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 2f274b8..9b7f564 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.2.0)
+policy_module(selinuxutil,1.2.1)
 gen_require(`
 bool secure_mode;
@@ -267,6 +267,7 @@ term_use_all_user_ttys(newrole_t)
 term_use_all_user_ptys(newrole_t)
 term_relabel_all_user_ttys(newrole_t)
 term_relabel_all_user_ptys(newrole_t)
+term_getattr_unallocated_ttys(newrole_t)
 term_dontaudit_use_unallocated_ttys(newrole_t)
 auth_domtrans_chk_passwd(newrole_t)
@@ -476,6 +477,11 @@ ifdef(`targeted_policy',`',`
 optional_policy(`daemontools',`
 daemontools_domtrans_start(run_init_t)
 ')
+
+ optional_policy(`nscd',`
+ nscd_socket_use(run_init_t)
+ ')
+
 ') dnl end ifdef targeted policy
 ########################################
@@ -499,6 +505,7 @@ files_list_pids(semanage_t)
 mls_file_write_down(semanage_t)
 mls_rangetrans_target(semanage_t)
+mls_file_read_up(semanage_t)
 selinux_get_enforce_mode(semanage_t)
@@ -510,6 +517,7 @@ libs_use_lib_files(semanage_t)
 seutil_search_default_contexts(semanage_t)
 seutil_rw_file_contexts(semanage_t)
+seutil_manage_selinux_config(semanage_t)
 seutil_domtrans_setfiles(semanage_t)
 seutil_domtrans_loadpolicy(semanage_t)
 seutil_read_config(semanage_t)
@@ -519,6 +527,10 @@ seutil_manage_module_store(semanage_t)
 seutil_get_semanage_trans_lock(semanage_t)
 seutil_get_semanage_read_lock(semanage_t)
+optional_policy(`nscd',`
+ nscd_socket_use(semanage_t)
+')
+
 ########################################
 #
 # Setfiles local policy
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 2401646..50e4d0f 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
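Review bot: `mls_file_read_up(semanage_t)` in the `@@ -499,6 +505,7 @@` hunk sits two lines below the existing `mls_file_write_down(semanage_t)`, so semanage_t now holds both MLS file overrides and can move file data across levels in either direction; that is a deliberate administrative exemption, but it deserves a comment such as `# semanage reads and rewrites configuration at every level` so the pairing is not mistaken for an accident. Together with `seutil_manage_selinux_config(semanage_t)` in the next hunk this makes semanage_t a full owner of the SELinux configuration, which is worth stating once at the top of its local policy section. The semanage local policy continues outside these hunks.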
@@ -1,5 +1,5 @@
-policy_module(sysnetwork,1.1.0)
+policy_module(sysnetwork,1.1.1)
 ########################################
 #
@@ -246,6 +246,10 @@ optional_policy(`userdomain',`
 userdom_use_all_users_fds(dhcpc_t)
 ')
+optional_policy(`xen',`
+ xen_append_log(dhcpc_t)
+')
+
 ########################################
 #
 # Ifconfig local policy
@@ -339,3 +343,7 @@ optional_policy(`nis',`
 optional_policy(`ppp',`
 ppp_use_fds(ifconfig_t)
 ')
+
+optional_policy(`xen',`
+ xen_append_log(ifconfig_t)
+')
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index cc1bc57..b5c67a4 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.3.0)
+policy_module(udev,1.3.1)
 ########################################
 #
@@ -39,7 +39,7 @@ files_pid_file(udev_var_run_t)
 # Local policy
 #
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource sys_nice };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
 dontaudit udev_t self:capability sys_tty_config;
 allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 2e2c2b5..1d76b1c 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.0)
+policy_module(unconfined,1.3.1)
 ########################################
 #
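Review bot: The rewritten capability line for udev_t in the `@@ -39,7 +39,7 @@` hunk adds `setuid setgid` without a comment saying which udev helper needs to change identity, and it carries forward the duplicated `sys_nice` at the end of the set; drop the second `sys_nice` and precede the line with a why-comment such as `# setuid/setgid: needed by <helper — fill in>` once the need is confirmed. Capability additions to a root daemon that executes helper programs are exactly the rules a least-privilege audit revisits, so the comment pays for itself. The udev local policy continues outside the hunk.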
@@ -89,10 +89,6 @@ ifdef(`targeted_policy',`
 firstboot_domtrans(unconfined_t)
 ')
- optional_policy(`fstools',`
- fstools_domtrans(unconfined_t)
- ')
-
 optional_policy(`java',`
 java_domtrans(unconfined_t)
 ')
@@ -109,10 +105,6 @@ ifdef(`targeted_policy',`
 mono_domtrans(unconfined_t)
 ')
- optional_policy(`mount',`
- mount_domtrans(unconfined_t)
- ')
-
 optional_policy(`netutils',`
 netutils_domtrans_ping(unconfined_t)
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 28a3474..d43a2a4 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.4)
+policy_module(userdomain,1.3.5)
 gen_require(`
 role sysadm_r, staff_r, user_r;
@@ -177,6 +177,7 @@ ifdef(`targeted_policy',`
 mls_file_write_down(secadm_t)
 mls_file_upgrade(secadm_t)
 mls_file_downgrade(secadm_t)
+ init_exec(secadm_t)
 logging_read_audit_log(secadm_t)
 logging_domtrans_auditctl(secadm_t)
 userdom_dontaudit_append_staff_home_content_files(secadm_t)
diff --git a/refpolicy/policy/modules/system/xen.fc b/refpolicy/policy/modules/system/xen.fc
new file mode 100644
index 0000000..0f4f3d7
--- /dev/null
+++ b/refpolicy/policy/modules/system/xen.fc
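Review bot: Removing the `fstools_domtrans` and `mount_domtrans` blocks means that under targeted_policy unconfined_t now runs the fs tools and mount without entering fsadm_t/mount_t, so those programs inherit unconfined_t instead of their confined domains; no comment explains why the transitions were dropped, while the fstools.te and mount.te hunks in this same patch still extend those domains' rules. If the transitions broke something in the targeted policy, a comment naming the failure would stop the blocks from being reinstated by the next contributor. Both hunks are fragments of the targeted_policy ifdef, which continues outside the visible lines.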
@@ -0,0 +1,16 @@
+/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+
+/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+
+/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+
+/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
+/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/xen.if b/refpolicy/policy/modules/system/xen.if
new file mode 100644
index 0000000..9a414a0
--- /dev/null
+++ b/refpolicy/policy/modules/system/xen.if
@@ -0,0 +1,67 @@
+## Xen hypervisor
+
+########################################
+##
+## Execute a domain transition to run xend.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`xen_domtrans',`
+ gen_requires(`
+ type xend_t, xend_exec_t;
+ ')
+
+ domain_auto_trans($1,xend_exec_t,xend_t)
+
+ allow $1 xend_t:fd use;
+ allow xend_t $1:fd use;
+ allow xend_t $1:fifo_file rw_file_perms;
+ allow xend_t $1:process sigchld;
+')
+
+
+########################################
+##
+## Allow the specified domain to append
+## xend log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`xen_append_log',`
+ gen_require(`
+ type var_log_t, xend_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 xend_var_log_t:file { getattr append };
+ dontaudit $1 xend_var_log_t:file write;
+')
+
+########################################
+##
+## Connect to xenstored over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xen_stream_connect_xenstore',`
+ gen_require(`
+ type xenstored_t, xenstored_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 xenstored_var_run_t:dir search;
+ allow $1 xenstored_var_run_t:sock_file { getattr write };
+ allow $1 xenstored_t:unix_stream_socket connectto;
+')
diff --git a/refpolicy/policy/modules/system/xen.te b/refpolicy/policy/modules/system/xen.te
new file mode 100644
index 0000000..8787fcf
--- /dev/null
+++ b/refpolicy/policy/modules/system/xen.te
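Review bot: `xen_domtrans` calls `gen_requires(` where the other two interfaces in this file and every interface elsewhere in the patch call `gen_require(`; the misspelled macro is not defined, so the first module that calls xen_domtrans will fail to build — change it to `gen_require`. In `xen_append_log` the require lists `var_log_t`, which the body never uses (`logging_search_logs($1)` already supplies the log-directory search), so `var_log_t` can be dropped from the require; its parameter description `Domain allowed to transition.` is copy-pasted from xen_domtrans and should read `Domain allowed access.` as in `xen_stream_connect_xenstore`. That last interface's summary, `Connect to xenstored over an unix stream socket.`, should say `a unix`.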
@@ -0,0 +1,221 @@
+
+policy_module(xen,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# console ptys
+type xen_devpts_t;
+term_pty(xen_devpts_t);
+files_type(xen_devpts_t);
+
+type xend_t;
+type xend_exec_t;
+domain_type(xend_t)
+init_daemon_domain(xend_t, xend_exec_t)
+
+# var/lib files
+type xend_var_lib_t;
+files_type(xend_var_lib_t)
+
+# log files
+type xend_var_log_t;
+logging_log_file(xend_var_log_t)
+
+# pid files
+type xend_var_run_t;
+files_pid_file(xend_var_run_t)
+
+type xenstored_t;
+type xenstored_exec_t;
+domain_type(xenstored_t)
+domain_entry_file(xenstored_t,xenstored_exec_t)
+role system_r types xenstored_t;
+
+# var/lib files
+type xenstored_var_lib_t;
+files_type(xenstored_var_lib_t)
+
+# pid files
+type xenstored_var_run_t;
+files_pid_file(xenstored_var_run_t)
+
+type xenconsoled_t;
+type xenconsoled_exec_t;
+domain_type(xenconsoled_t)
+domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
+role system_r types xenconsoled_t;
+
+# pid files
+type xenconsoled_var_run_t;
+files_pid_file(xenconsoled_var_run_t)
+
+########################################
+#
+# xend local policy
+#
+
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
+allow xend_t self:process { signal sigkill };
+# internal communication is often done using fifo and unix sockets.
+allow xend_t self:fifo_file rw_file_perms;
+allow xend_t self:unix_stream_socket create_stream_socket_perms;
+allow xend_t self:unix_dgram_socket create_socket_perms;
+allow xend_t self:netlink_route_socket r_netlink_socket_perms;
+allow xend_t self:tcp_socket create_stream_socket_perms;
+allow xend_t self:packet_socket create_socket_perms;
+
+# pid file
+allow xend_t xend_var_run_t:file manage_file_perms;
+allow xend_t xend_var_run_t:sock_file manage_file_perms;
+allow xend_t xend_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
+
+# log files
+allow xend_t xend_var_log_t:file create_file_perms;
+allow xend_t xend_var_log_t:sock_file create_file_perms;
+allow xend_t xend_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
+
+# var/lib files for xend
+allow xend_t xend_var_lib_t:file create_file_perms;
+allow xend_t xend_var_lib_t:sock_file create_file_perms;
+allow xend_t xend_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
+
+# transition to store
+domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
+allow xenstored_t xend_t:fd use;
+allow xenstored_t xend_t:process sigchld;
+allow xenstored_t xend_t:fifo_file write;
+
+# transition to console
+domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
+allow xenconsoled_t xend_t:fd use;
+
+kernel_read_kernel_sysctls(xend_t)
+kernel_read_system_state(xend_t)
+kernel_write_xen_state(xend_t)
+kernel_read_xen_state(xend_t)
+kernel_rw_net_sysctls(xend_t)
+kernel_read_network_state(xend_t)
+
+corecmd_exec_sbin(xend_t)
+corecmd_exec_bin(xend_t)
+corecmd_exec_shell(xend_t)
+
+corenet_tcp_sendrecv_all_if(xend_t)
+corenet_tcp_sendrecv_all_nodes(xend_t)
+corenet_tcp_sendrecv_all_ports(xend_t)
+corenet_non_ipsec_sendrecv(xend_t)
+corenet_tcp_bind_xen_port(xend_t)
+corenet_tcp_bind_soundd_port(xend_t)
+
+dev_read_urand(xend_t)
+dev_manage_xen(xend_t)
+dev_filetrans_xen(xend_t)
+dev_rw_sysfs(xend_t)
+
+domain_read_all_domains_state(xend_t)
+domain_dontaudit_read_all_domains_state(xend_t)
+
+files_read_etc_files(xend_t)
+
+storage_raw_read_fixed_disk(xend_t)
+
+term_dontaudit_getattr_all_user_ptys(xend_t)
+term_dontaudit_use_generic_ptys(xend_t)
+
+init_use_fds(xend_t)
+
+libs_use_ld_so(xend_t)
+libs_use_shared_libs(xend_t)
+
+logging_send_syslog_msg(xend_t)
+
+miscfiles_read_localization(xend_t)
+
+sysnet_domtrans_dhcpc(xend_t)
+sysnet_signal_dhcpc(xend_t)
+sysnet_domtrans_ifconfig(xend_t)
+sysnet_dns_name_resolve(xend_t)
+sysnet_delete_dhcpc_pid(xend_t)
+sysnet_read_dhcpc_pid(xend_t)
+
+consoletype_exec(xend_t)
+
+xen_stream_connect_xenstore(xend_t)
+
+########################################
+#
+# Xen console local policy
+#
+
+allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+allow xenconsoled_t self:fifo_file { read write };
+
+allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+
+# pid file
+allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms;
+allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
+allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(xenconsoled_t)
+kernel_write_xen_state(xenconsoled_t)
+kernel_read_xen_state(xenconsoled_t)
+
+term_create_pty(xenconsoled_t,xen_devpts_t);
+term_dontaudit_use_generic_ptys(xenconsoled_t)
+
+init_use_fds(xenconsoled_t)
+
+libs_use_ld_so(xenconsoled_t)
+libs_use_shared_libs(xenconsoled_t)
+
+miscfiles_read_localization(xenconsoled_t)
+
+xen_append_log(xenconsoled_t)
+xen_stream_connect_xenstore(xenconsoled_t)
+
+########################################
+#
+# Xen store local policy
+#
+
+allow xenstored_t self:capability { dac_override mknod ipc_lock };
+allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+
+# pid file
+allow xenstored_t xenstored_var_run_t:file manage_file_perms;
+allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms;
+allow xenstored_t xenstored_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
+
+# var/lib files for xenstored
+allow xenstored_t xenstored_var_lib_t:file create_file_perms;
+allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
+allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
+
+kernel_write_xen_state(xenstored_t)
+kernel_read_xen_state(xenstored_t)
+
+dev_create_generic_dirs(xenstored_t)
+dev_manage_xen(xenconsoled_t)
+dev_filetrans_xen(xenstored_t)
+
+term_dontaudit_use_generic_ptys(xenstored_t)
+
+init_use_fds(xenstored_t)
+
+libs_use_ld_so(xenstored_t)
+libs_use_shared_libs(xenstored_t)
+
+miscfiles_read_localization(xenstored_t)
+
+xen_append_log(xenstored_t)
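Review bot: `dev_manage_xen(xenconsoled_t)` sits in the "Xen store local policy" section between `dev_create_generic_dirs(xenstored_t)` and `dev_filetrans_xen(xenstored_t)`; every neighbouring call names `xenstored_t` and the xenconsoled section grants no dev_ access at all, so this looks like a copy error that hands the console daemon management of the xen device nodes while leaving xenstored without the permissions its `dev_filetrans_xen` depends on — it should read `dev_manage_xen(xenstored_t)`. Three interface calls carry a trailing semicolon (`term_pty(xen_devpts_t);`, `files_type(xen_devpts_t);`, `term_create_pty(xenconsoled_t,xen_devpts_t);`) while every other call in the file has none; the stray `;` survives macro expansion into the policy text, so drop them for consistency. `corenet_tcp_bind_soundd_port(xend_t)` is the kind of grant that needs a why-comment, since a hypervisor management daemon binding a sound-daemon port reads as a mistake; presumably xend's HTTP listener shares that port number, in which case `# xend's HTTP interface shares the soundd port number` above the line would settle it for the next reader. `storage_raw_read_fixed_disk(xend_t)` likewise grants raw read of every fixed disk with no note on what xend needs it for; a one-line comment naming the use case would make later least-privilege reviews easier.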