From c71f02c02d1c86988c429e213cb7ba943b3b40a4 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Aug 30 2010 15:15:53 +0000 Subject: More fixes --- diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index ce00934..a370656 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -81,11 +81,7 @@ optional_policy(` ') optional_policy(` - hal_dontaudit_use_fds(consoletype_t) - hal_dontaudit_rw_pipes(consoletype_t) - hal_dontaudit_rw_dgram_sockets(consoletype_t) - hal_dontaudit_write_log(consoletype_t) - hal_dontaudit_read_pid_files(consoletype_t) + hal_dontaudit_leaks(consoletype_t) ') optional_policy(` diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te index aa9636d..7851643 100644 --- a/policy/modules/admin/tzdata.te +++ b/policy/modules/admin/tzdata.te @@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t) # tzdata local policy # -files_read_etc_files(tzdata_t) +files_read_config_files(tzdata_t) files_search_spool(tzdata_t) fs_getattr_xattr_fs(tzdata_t) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if index 92ab0c3..ffd9870 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -200,6 +200,25 @@ interface(`gnome_setattr_cache_home_dir',` ######################################## ## +## append to generic cache home files (.cache) +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_append_generic_cache_files',` + gen_require(` + type cache_home_t; + ') + + append_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## ## write to generic cache home files (.cache) ## ## diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if index 9cbfded..62e455a 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -48,8 +48,7 @@ template(`wine_role',` allow $2 wine_t:process signal_perms; allow $2 wine_t:fd use; - allow $2 wine_t:shm { associate getattr }; - allow $2 wine_t:shm { unix_read unix_write }; + allow $2 wine_t:shm { associate getattr unix_read unix_write }; allow $2 wine_t:unix_stream_socket connectto; # X access, Home files @@ -165,3 +164,22 @@ interface(`wine_run',` wine_domtrans($1) role $2 types wine_t; ') + +######################################## +## +## Read and write wine Shared +## memory segments. +## +## +## +## Domain allowed access. +## +## +# +interface(`wine_rw_shm',` + gen_require(` + type wine_t; + ') + + allow $1 wine_t:shm rw_shm_perms; +') diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 73e4119..96a406d 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -4935,6 +4935,24 @@ interface(`files_read_var_files',` ######################################## ## +## Append files in the /var directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_append_var_files',` + gen_require(` + type var_t; + ') + + append_files_pattern($1, var_t, var_t) +') + +######################################## +## ## Read and write files in the /var directory. ## ## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 712e644..3561f03 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -72,6 +72,7 @@ type cgroup_t alias cgroupfs_t; fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) +dev_associate_sysfs(cgroup_t) genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) type configfs_t; diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te index 1a44ccb..c6832b0 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -144,21 +144,25 @@ ifdef(`distro_redhat',` can_exec(apmd_t, apmd_var_run_t) - # ifconfig_exec_t needs to be run in its own domain for Red Hat optional_policy(` - sssd_search_lib(apmd_t) + fstools_domtrans(apmd_t) ') optional_policy(` - sysnet_domtrans_ifconfig(apmd_t) + iptables_domtrans(apmd_t) ') optional_policy(` - iptables_domtrans(apmd_t) + netutils_domtrans(apmd_t) ') + # ifconfig_exec_t needs to be run in its own domain for Red Hat optional_policy(` - netutils_domtrans(apmd_t) + sssd_search_lib(apmd_t) + ') + + optional_policy(` + sysnet_domtrans_ifconfig(apmd_t) ') ',` diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if index 2c2a551..fb3454a 100644 --- a/policy/modules/services/cups.if +++ b/policy/modules/services/cups.if @@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',` interface(`cups_read_config',` gen_require(` type cupsd_etc_t, cupsd_rw_etc_t; + type hplip_etc_t; ') files_search_etc($1) read_files_pattern($1, cupsd_etc_t, cupsd_etc_t) + read_files_pattern($1, hplip_etc_t, hplip_etc_t) read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) ') @@ -319,6 +321,7 @@ interface(`cups_admin',` type cupsd_var_run_t, ptal_etc_t; type ptal_var_run_t, hplip_var_run_t; type cupsd_initrc_exec_t; + type hplip_etc_t; ') allow $1 cupsd_t:process { ptrace signal_perms }; @@ -347,6 +350,8 @@ interface(`cups_admin',` admin_pattern($1, cupsd_var_run_t) files_list_pids($1) + admin_pattern($1, hplip_etc_t) + admin_pattern($1, hplip_var_run_t) admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index 1e554a9..ccacea9 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -205,6 +205,10 @@ allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; +manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) +manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) +files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) + manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if index d01cab6..52ea89b 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if @@ -391,8 +391,7 @@ interface(`hal_dontaudit_read_pid_files',` type hald_var_run_t; ') - files_search_pids($1) - allow $1 hald_var_run_t:file read_inherited_file_perms; + dontaudit $1 hald_var_run_t:file read_inherited_file_perms; ') ######################################## @@ -451,3 +450,27 @@ interface(`hal_manage_pid_files',` files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) ') + +######################################## +## +## dontaudit read and write an leaked file descriptors +## +## +## +## Domain allowed access. +## +## +# +interface(`hal_dontaudit_leaks',` + gen_require(` + type hald_log_t; + type hald_t; + type hald_var_run_t; + ') + + dontaudit $1 hald_t:fd use; + dontaudit $1 hald_log_t:file rw_inherited_files_perms; + dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; + dontaudit hald_t $1:socket_class_set { read write }; + dontaudit $1 hald_var_run_t:file read_inherited_file_perms; +') diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te index af3353c..9cb5e25 100644 --- a/policy/modules/services/rpcbind.te +++ b/policy/modules/services/rpcbind.te @@ -43,6 +43,8 @@ kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) kernel_request_load_module(rpcbind_t) +corecmd_exec_shell(rpcbind_t) + corenet_all_recvfrom_unlabeled(rpcbind_t) corenet_all_recvfrom_netlabel(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 288d513..60da940 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1106,6 +1106,10 @@ optional_policy(` ') optional_policy(` + wine_rw_shm(xserver_t) +') + +optional_policy(` xfs_stream_connect(xserver_t) ') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 6f36eca..af2af2d 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -137,6 +137,10 @@ optional_policy(` ') optional_policy(` + gnome_append_generic_cache_files(ldconfig_t) +') + +optional_policy(` puppet_rw_tmp(ldconfig_t) ') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index a3b7b0d..f39f39f 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -63,6 +63,7 @@ files_read_etc_runtime_files(depmod_t) files_read_etc_files(depmod_t) files_read_usr_src_files(depmod_t) files_list_usr(depmod_t) +files_append_var_files(depmod_t) files_read_boot_files(depmod_t) fs_getattr_xattr_fs(depmod_t) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index 3f27d1b..b0ee958 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -535,6 +535,10 @@ interface(`seutil_domtrans_setfiles',` files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, setfiles_exec_t, setfiles_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit consoletype_t $1:socket_class_set { read write }; + ') ') ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 6581e4b..8451600 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -233,6 +233,7 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) + cups_read_config(udev_t) ') optional_policy(`