From cab9bc9c58cb60c3a98053ab9fc2b781c68f0fed Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Sep 10 2010 17:02:25 +0000 Subject: Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy Conflicts: policy/modules/admin/amanda.if policy/modules/system/init.te policy/modules/system/miscfiles.if policy/modules/system/miscfiles.te policy/modules/system/userdomain.if --- diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc index 734bd71..e3e0701 100644 --- a/policy/modules/admin/amanda.fc +++ b/policy/modules/admin/amanda.fc @@ -1,4 +1,3 @@ - /etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0) /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0) @@ -8,13 +7,12 @@ /root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0) -/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0) - /usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0) /usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0) /usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) /var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0) diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if index 2cb11ea..8498e97 100644 --- a/policy/modules/admin/amanda.if +++ b/policy/modules/admin/amanda.if @@ -2,8 +2,8 @@ ######################################## ## -## Execute a domain transition to -## run Amanda Recover. +## Execute a domain transition to run +## Amanda recover. ## ## ## 
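Review bot: Removing the `/tmp/amanda(/.*)?` file context in the second amanda.fc hunk leaves `amanda_tmp_t` declared with no path mapping to it (amanda.te in this same commit still carries `type amanda_tmp_t;` and `files_tmp_file(amanda_tmp_t)`), so a relabel of an existing /tmp/amanda tree will fall back to the /tmp default label rather than amanda_tmp_t. That is only harmless if amanda_t obtains the tmp label through a file transition rule, which is not visible in this diff; if there is none, either keep the fc line or retire the type together with it.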
@@ -16,16 +16,15 @@ interface(`amanda_domtrans_recover',` type amanda_recover_t, amanda_recover_exec_t; ') - domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t) corecmd_search_bin($1) + domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t) ') ######################################## ## -## Execute a domain transition to -## run Amanda Recover and allow the -## specified role the Amanda Recover -## domain. +## Execute a domain transition to run +## Amanda recover, and allow the specified +## role the Amanda recover domain. ## ## ## @@ -50,7 +49,7 @@ interface(`amanda_run_recover',` ######################################## ## -## Search Amanda lib directories. +## Search Amanda library directories. ## ## ## @@ -63,15 +62,13 @@ interface(`amanda_search_lib',` type amanda_usr_lib_t; ') - allow $1 amanda_usr_lib_t:dir search_dir_perms; files_search_usr($1) - libs_search_lib($1) + allow $1 amanda_usr_lib_t:dir search_dir_perms; ') ######################################## ## -## Do not audit attempts to read -## dumpdates files. +## Do not audit attempts to read /etc/dumpdates. ## ## ## @@ -84,12 +81,12 @@ interface(`amanda_dontaudit_read_dumpdates',` type amanda_dumpdates_t; ') - dontaudit $1 amanda_dumpdates_t:file read_file_perms; + dontaudit $1 amanda_dumpdates_t:file { getattr read }; ') ######################################## ## -## Read and write dumpdates files. +## Read and write /etc/dumpdates. ## ## ## @@ -102,13 +99,13 @@ interface(`amanda_rw_dumpdates_files',` type amanda_dumpdates_t; ') - allow $1 amanda_dumpdates_t:file rw_file_perms; files_search_etc($1) + allow $1 amanda_dumpdates_t:file rw_file_perms; ') ######################################## ## -## Search Amanda lib directories. +## Search Amanda library directories. ## ## ## 
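Review bot: Dropping `libs_search_lib($1)` from amanda_search_lib leaves the interface granting search on /usr but not on /usr/lib, while amanda.fc in this same commit labels `/usr/lib(64)?/amanda` as amanda_usr_lib_t; a caller whose only route to that directory is this interface would be denied search on the /usr/lib directory type. If the intent is that every caller already searches /usr/lib through its shared-library rules, the interface summary should say so, otherwise the line should stay. The same removal is made in the amanda_manage_lib hunk (`@@ -121,14 +118,13 @@`).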
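Review bot: Narrowing amanda_dontaudit_read_dumpdates from `read_file_perms` to `{ getattr read }` drops `open` (and ioctl/lock) from the silenced set, since refpolicy's read_file_perms includes open; a failed open(2) of /etc/dumpdates by a caller will therefore now produce exactly the AVC this interface exists to suppress. If quieting reads is still the goal, `dontaudit $1 amanda_dumpdates_t:file { getattr read open };` keeps that property; if surfacing such attempts is intended, a one-line comment saying so would stop the next maintainer from restoring the wider set.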
@@ -121,14 +118,13 @@ interface(`amanda_manage_lib',` type amanda_usr_lib_t; ') - allow $1 amanda_usr_lib_t:dir manage_dir_perms; files_search_usr($1) - libs_search_lib($1) + allow $1 amanda_usr_lib_t:dir manage_dir_perms; ') ######################################## ## -## Read and write Amanda logs. +## Read and append amanda logs. ## ## ## @@ -141,13 +137,13 @@ interface(`amanda_append_log_files',` type amanda_log_t; ') - allow $1 amanda_log_t:file { read_file_perms append_file_perms }; logging_search_logs($1) + allow $1 amanda_log_t:file { read_file_perms append_file_perms }; ') ####################################### ## -## Search Amanda lib directories. +## Search Amanda var library directories. ## ## ## @@ -160,6 +156,6 @@ interface(`amanda_search_var_lib',` type amanda_var_lib_t; ') - allow $1 amanda_var_lib_t:dir search_dir_perms; files_search_var_lib($1) + allow $1 amanda_var_lib_t:dir search_dir_perms; ') diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index 8b6bef6..a05f32f 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te @@ -1,4 +1,4 @@ -policy_module(amanda, 1.12.0) +policy_module(amanda, 1.12.1) ####################################### # 
@@ -16,44 +16,35 @@ domain_entry_file(amanda_t, amanda_exec_t) type amanda_log_t; logging_log_file(amanda_log_t) -# type for amanda configurations files type amanda_config_t; files_type(amanda_config_t) -# type for files in /usr/lib/amanda type amanda_usr_lib_t; files_type(amanda_usr_lib_t) -# type for all files in /var/lib/amanda type amanda_var_lib_t; files_type(amanda_var_lib_t) -# type for all files in /var/lib/amanda/gnutar-lists/ type amanda_gnutarlists_t; files_type(amanda_gnutarlists_t) type amanda_tmp_t; files_tmp_file(amanda_tmp_t) -# type for /etc/amandates type amanda_amandates_t; files_type(amanda_amandates_t) -# type for /etc/dumpdates type amanda_dumpdates_t; files_type(amanda_dumpdates_t) -# type for amanda data type amanda_data_t; files_type(amanda_data_t) -# type for amrecover type amanda_recover_t; type amanda_recover_exec_t; application_domain(amanda_recover_t, amanda_recover_exec_t) role system_r types amanda_recover_t; -# type for recover files ( restored data ) type amanda_recover_dir_t; files_type(amanda_recover_dir_t) 
@@ -74,24 +65,19 @@ allow amanda_t self:unix_dgram_socket create_socket_perms; allow amanda_t self:tcp_socket create_stream_socket_perms; allow amanda_t self:udp_socket create_socket_perms; -# access to amanda_amandates_t allow amanda_t amanda_amandates_t:file rw_file_perms; -# configuration files -> read only allow amanda_t amanda_config_t:file read_file_perms; -# access to amandas data structure manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) -# access to amanda_dumpdates_t allow amanda_t amanda_dumpdates_t:file rw_file_perms; can_exec(amanda_t, amanda_exec_t) can_exec(amanda_t, amanda_inetd_exec_t) -# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists) allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms; allow amanda_t amanda_gnutarlists_t:file manage_file_perms; allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; @@ -151,19 +137,15 @@ storage_raw_read_fixed_disk(amanda_t) storage_read_tape(amanda_t) storage_write_tape(amanda_t) -# Added for targeted policy -term_use_unallocated_ttys(amanda_t) - auth_use_nsswitch(amanda_t) auth_read_shadow(amanda_t) -optional_policy(` - logging_send_syslog_msg(amanda_t) -') +logging_send_syslog_msg(amanda_t) ######################################## # # Amanda recover local policy +# allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override }; allow amanda_recover_t self:process { sigkill sigstop signal }; 
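Review bot: `term_use_unallocated_ttys(amanda_t)` is removed along with its "Added for targeted policy" comment, and `logging_send_syslog_msg(amanda_t)` is moved out of `optional_policy(` in the same hunk; because this is a merge that lists conflicts in the Fedora tree, it is worth confirming both were deliberate rather than lost in conflict resolution. Dropping the tty access is the tighter choice and is fine if amanda no longer writes to unallocated ttys on targeted systems; if it still does, the result will be an AVC denial on the unallocated tty type rather than a visible functional error, so a quick check of the audit log after this lands is advisable.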
@@ -175,7 +157,6 @@ allow amanda_recover_t self:udp_socket create_socket_perms; manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t) manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t) -# access to amanda_recover_dir_t manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) diff --git a/policy/modules/admin/amtu.if b/policy/modules/admin/amtu.if index 52ea86f..be82315 100644 --- a/policy/modules/admin/amtu.if +++ b/policy/modules/admin/amtu.if @@ -1,8 +1,8 @@ -## Abstract Machine Test Utility +## Abstract Machine Test Utility. ######################################## ## -## Execute amtu in the amtu domain. +## Execute a domain transition to run Amtu. ## ## ## @@ -21,8 +21,9 @@ interface(`amtu_domtrans',` ######################################## ## -## Execute amtu in the amtu domain, and -## allow the specified role the amtu domain. +## Execute a domain transition to run +## Amtu, and allow the specified role +## the Amtu domain. ## ## ## diff --git a/policy/modules/admin/anaconda.fc b/policy/modules/admin/anaconda.fc index 3afd63b..b098089 100644 --- a/policy/modules/admin/anaconda.fc +++ b/policy/modules/admin/anaconda.fc @@ -1,5 +1 @@ -# -# Currently anaconda does not have any file context since it is -# started during install. This is a placeholder to satisfy -# the policy Makefile dependencies. -# +# No file context specifications. diff --git a/policy/modules/admin/anaconda.if b/policy/modules/admin/anaconda.if index 18491c8..14a61b7 100644 --- a/policy/modules/admin/anaconda.if +++ b/policy/modules/admin/anaconda.if @@ -1 +1 @@ -## Policy for the Anaconda installer. +## Anaconda installer. diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te index 6cf5d7a..9a9526a 100644 
--- a/policy/modules/admin/anaconda.te +++ b/policy/modules/admin/anaconda.te @@ -20,7 +20,6 @@ allow anaconda_t self:process execmem; kernel_domtrans_to(anaconda_t, anaconda_exec_t) -# Run other rc scripts in the anaconda_t domain. init_domtrans_script(anaconda_t) libs_domtrans_ldconfig(anaconda_t) diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te index 9cba75f..86644f0 100644 --- a/policy/modules/admin/certwatch.te +++ b/policy/modules/admin/certwatch.te @@ -1,4 +1,4 @@ -policy_module(certwatch, 1.5.0) +policy_module(certwatch, 1.5.1) ######################################## # @@ -31,7 +31,7 @@ auth_var_filetrans_cache(certwatch_t) logging_send_syslog_msg(certwatch_t) -miscfiles_read_certs(certwatch_t) +miscfiles_read_generic_certs(certwatch_t) miscfiles_read_localization(certwatch_t) userdom_use_user_terminals(certwatch_t) diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te index 5d3d45c..e15a20c 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te @@ -1,4 +1,4 @@ -policy_module(evolution, 2.1.1) +policy_module(evolution, 2.1.2) ######################################## # @@ -541,7 +541,7 @@ fs_search_auto_mountpoints(evolution_server_t) miscfiles_read_localization(evolution_server_t) # Look in /etc/pki -miscfiles_read_certs(evolution_server_t) +miscfiles_read_generic_certs(evolution_server_t) # Talk to ldap (address book) sysnet_read_config(evolution_server_t) diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te index 65609e5..2bd70ae 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -147,7 +147,7 @@ sysnet_dns_name_resolve(abrt_t) logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -miscfiles_read_certs(abrt_t) +miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) 
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te index cc216a4..31f4612 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -144,7 +144,7 @@ init_stream_connect_script(amavis_t) logging_send_syslog_msg(amavis_t) -miscfiles_read_certs(amavis_t) +miscfiles_read_generic_certs(amavis_t) miscfiles_read_localization(amavis_t) sysnet_dns_name_resolve(amavis_t) diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index de4388a..7a8df8a 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -484,7 +484,7 @@ logging_send_syslog_msg(httpd_t) miscfiles_read_localization(httpd_t) miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) -miscfiles_read_certs(httpd_t) +miscfiles_read_generic_certs(httpd_t) seutil_dontaudit_search_config(httpd_t) diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index ac13727..6189565 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te @@ -141,7 +141,7 @@ logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) miscfiles_read_localization(automount_t) -miscfiles_read_certs(automount_t) +miscfiles_read_generic_certs(automount_t) # Run mount in the mount_t domain. mount_domtrans(automount_t) diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index 0aa1998..803adbf 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -86,7 +86,7 @@ init_signull_script(avahi_t) logging_send_syslog_msg(avahi_t) miscfiles_read_localization(avahi_t) -miscfiles_read_certs(avahi_t) +miscfiles_read_generic_certs(avahi_t) sysnet_domtrans_ifconfig(avahi_t) sysnet_manage_config(avahi_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 190b0bc..ece1f1f 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te 
@@ -143,7 +143,7 @@ auth_use_nsswitch(named_t) logging_send_syslog_msg(named_t) miscfiles_read_localization(named_t) -miscfiles_read_certs(named_t) +miscfiles_read_generic_certs(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if index 221ea9e..f9335fb 100644 --- a/policy/modules/services/certmaster.if +++ b/policy/modules/services/certmaster.if @@ -129,8 +129,8 @@ interface(`certmaster_admin',` allow $2 system_r; files_list_etc($1) - miscfiles_manage_cert_dirs($1) - miscfiles_manage_cert_files($1) + miscfiles_manage_generic_cert_dirs($1) + miscfiles_manage_generic_cert_files($1) admin_pattern($1, certmaster_etc_rw_t) diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te index 6e32117..da60c93 100644 --- a/policy/modules/services/certmaster.te +++ b/policy/modules/services/certmaster.te @@ -1,4 +1,4 @@ -policy_module(certmaster, 1.1.0) +policy_module(certmaster, 1.1.1) ######################################## # @@ -68,5 +68,5 @@ auth_use_nsswitch(certmaster_t) miscfiles_read_localization(certmaster_t) -miscfiles_manage_cert_dirs(certmaster_t) -miscfiles_manage_cert_files(certmaster_t) +miscfiles_manage_generic_cert_dirs(certmaster_t) +miscfiles_manage_generic_cert_files(certmaster_t) diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te index 52312f5..261a37c 100644 --- a/policy/modules/services/certmonger.te +++ b/policy/modules/services/certmonger.te @@ -54,7 +54,7 @@ files_list_tmp(certmonger_t) logging_send_syslog_msg(certmonger_t) miscfiles_read_localization(certmonger_t) -miscfiles_manage_cert_files(certmonger_t) +miscfiles_manage_generic_cert_files(certmonger_t) sysnet_dns_name_resolve(certmonger_t) diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te index ab82c3c..f80e725 100644 
--- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -104,7 +104,7 @@ libs_exec_lib_files(cyrus_t) logging_send_syslog_msg(cyrus_t) miscfiles_read_localization(cyrus_t) -miscfiles_read_certs(cyrus_t) +miscfiles_read_generic_certs(cyrus_t) sysnet_read_config(cyrus_t) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 4b3d9c4..c725cae 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -130,7 +130,7 @@ logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) miscfiles_read_localization(system_dbusd_t) -miscfiles_read_certs(system_dbusd_t) +miscfiles_read_generic_certs(system_dbusd_t) seutil_read_config(system_dbusd_t) seutil_read_default_contexts(system_dbusd_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index c771d46..b52545a 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -143,7 +143,7 @@ auth_use_nsswitch(dovecot_t) logging_send_syslog_msg(dovecot_t) -miscfiles_read_certs(dovecot_t) +miscfiles_read_generic_certs(dovecot_t) miscfiles_read_localization(dovecot_t) userdom_dontaudit_use_unpriv_user_fds(dovecot_t) diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index b55c438..6c819a3 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -123,7 +123,7 @@ auth_use_nsswitch(exim_t) logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) -miscfiles_read_certs(exim_t) +miscfiles_read_generic_certs(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te index f50e0f1..5f5b57b 100644 --- a/policy/modules/services/fetchmail.te +++ b/policy/modules/services/fetchmail.te 
@@ -80,7 +80,7 @@ domain_use_interactive_fds(fetchmail_t) logging_send_syslog_msg(fetchmail_t) miscfiles_read_localization(fetchmail_t) -miscfiles_read_certs(fetchmail_t) +miscfiles_read_generic_certs(fetchmail_t) sysnet_read_config(fetchmail_t) diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te index a715c65..ee5e345 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -123,7 +123,7 @@ auth_use_nsswitch(slapd_t) logging_send_syslog_msg(slapd_t) -miscfiles_read_certs(slapd_t) +miscfiles_read_generic_certs(slapd_t) miscfiles_read_localization(slapd_t) userdom_dontaudit_use_unpriv_user_fds(slapd_t) diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index 45ecee3..02ae4e0 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -132,7 +132,7 @@ auth_use_nsswitch(NetworkManager_t) logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) -miscfiles_read_certs(NetworkManager_t) +miscfiles_read_generic_certs(NetworkManager_t) modutils_domtrans_insmod(NetworkManager_t) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index 4c61aa5..ba7c06b 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -113,7 +113,7 @@ auth_use_pam(openvpn_t) logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) -miscfiles_read_certs(openvpn_t) +miscfiles_read_all_certs(openvpn_t) sysnet_dns_name_resolve(openvpn_t) sysnet_exec_ifconfig(openvpn_t) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index 18996a5..b6d763d 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if 
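Review bot: openvpn_t is the only domain in this commit that moves to `miscfiles_read_all_certs` instead of `miscfiles_read_generic_certs`, and nothing in the hunk says why it needs every type carrying cert_type rather than cert_t alone. A comment above the line naming the required cert type, such as `# needs a non-generic cert type, not only cert_t`, would keep the broader grant from being narrowed back by the next least-privilege pass; if no such type is actually needed, `miscfiles_read_all_certs(openvpn_t)` should become `miscfiles_read_generic_certs(openvpn_t)` to match the rest of the commit.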
@@ -91,7 +91,7 @@ template(`postfix_domain_template',` logging_send_syslog_msg(postfix_$1_t) miscfiles_read_localization(postfix_$1_t) - miscfiles_read_certs(postfix_$1_t) + miscfiles_read_generic_certs(postfix_$1_t) userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index df6769b..b3f1fd3 100644 --- a/policy/modules/services/radius.te +++ b/policy/modules/services/radius.te @@ -111,7 +111,7 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) miscfiles_read_localization(radiusd_t) -miscfiles_read_certs(radiusd_t) +miscfiles_read_generic_certs(radiusd_t) userdom_dontaudit_use_unpriv_user_fds(radiusd_t) userdom_dontaudit_search_user_home_dirs(radiusd_t) diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index eae7d14..9ae080e 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -94,7 +94,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) selinux_dontaudit_read_fs(rpcd_t) -miscfiles_read_certs(rpcd_t) +miscfiles_read_generic_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -222,7 +222,7 @@ files_dontaudit_write_var_dirs(gssd_t) auth_use_nsswitch(gssd_t) auth_manage_cache(gssd_t) -miscfiles_read_certs(gssd_t) +miscfiles_read_generic_certs(gssd_t) mount_signal(gssd_t) diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te index 8655cb0..87810ec 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -83,7 +83,7 @@ init_dontaudit_stream_connect_script(saslauthd_t) logging_send_syslog_msg(saslauthd_t) miscfiles_read_localization(saslauthd_t) -miscfiles_read_certs(saslauthd_t) +miscfiles_read_generic_certs(saslauthd_t) seutil_dontaudit_read_config(saslauthd_t) diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te index 668ce83..b6781d5 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te 
@@ -104,7 +104,7 @@ libs_read_lib_files(sendmail_t) logging_send_syslog_msg(sendmail_t) logging_dontaudit_write_generic_logs(sendmail_t) -miscfiles_read_certs(sendmail_t) +miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index e219c1f..4b2230e 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -160,7 +160,7 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) -miscfiles_read_certs(squid_t) +miscfiles_read_generic_certs(squid_t) miscfiles_read_localization(squid_t) userdom_use_unpriv_users_fds(squid_t) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 8dad56a..3061e83 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -401,7 +401,7 @@ template(`ssh_role_template',` logging_send_syslog_msg($1_ssh_agent_t) miscfiles_read_localization($1_ssh_agent_t) - miscfiles_read_certs($1_ssh_agent_t) + miscfiles_read_generic_certs($1_ssh_agent_t) seutil_dontaudit_read_config($1_ssh_agent_t) diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 5a77c23..f38e1ce 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -341,7 +341,7 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) miscfiles_read_localization(virtd_t) -miscfiles_read_certs(virtd_t) +miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) modutils_read_module_deps(virtd_t) diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te index c37d690..f4c4c1b 100644 --- a/policy/modules/services/w3c.te +++ b/policy/modules/services/w3c.te 
@@ -26,7 +26,7 @@ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) -miscfiles_read_certs(httpd_w3c_validator_script_t) +miscfiles_read_generic_certs(httpd_w3c_validator_script_t) sysnet_dns_name_resolve(httpd_w3c_validator_script_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 395f8f3..bd3185e 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -401,7 +401,7 @@ interface(`auth_domtrans_chk_passwd',` logging_send_audit_msgs($1) - miscfiles_read_certs($1) + miscfiles_read_generic_certs($1) optional_policy(` kerberos_read_keytab($1) @@ -1574,7 +1574,7 @@ interface(`auth_use_nsswitch',` # read /etc/nsswitch.conf files_read_etc_files($1) - miscfiles_read_certs($1) + miscfiles_read_generic_certs($1) sysnet_dns_name_resolve($1) sysnet_use_ldap($1) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index bd9d529..ee0fe55 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -281,7 +281,7 @@ init_use_script_ptys(pam_console_t) logging_send_syslog_msg(pam_console_t) miscfiles_read_localization(pam_console_t) -miscfiles_read_certs(pam_console_t) +miscfiles_read_generic_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index d96bf27..e0dc975 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 1.15.2) +policy_module(init, 1.15.3) gen_require(` class passwd rootok; diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 4eeb1a5..926ba65 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if 
@@ -46,7 +46,7 @@ interface(`miscfiles_cert_type',` ######################################## ## -## Read system SSL certificates. +## Read all SSL certificates. ## ## ## @@ -55,7 +55,7 @@ interface(`miscfiles_cert_type',` ## ## # -interface(`miscfiles_read_certs',` +interface(`miscfiles_read_all_certs',` gen_require(` attribute cert_type; ') @@ -67,7 +67,7 @@ interface(`miscfiles_read_certs',` ######################################## ## -## manange system SSL certificates. +## Read generic SSL certificates. ## ## ## @@ -76,7 +76,27 @@ interface(`miscfiles_read_certs',` ## ## # -interface(`miscfiles_manage_cert_dirs',` +interface(`miscfiles_read_generic_certs',` + gen_require(` + type cert_t; + ') + + allow $1 cert_t:dir list_dir_perms; + read_files_pattern($1, cert_t, cert_t) + read_lnk_files_pattern($1, cert_t, cert_t) +') + +######################################## +## +## Manage generic SSL certificates. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_manage_generic_cert_dirs',` gen_require(` type cert_t; ') @@ -86,7 +106,7 @@ interface(`miscfiles_manage_cert_dirs',` ######################################## ## -## manange system SSL certificates. +## Manage generic SSL certificates. ## ## ## @@ -95,7 +115,7 @@ interface(`miscfiles_manage_cert_dirs',` ## ## # -interface(`miscfiles_manage_cert_files',` +interface(`miscfiles_manage_generic_cert_files',` gen_require(` type cert_t; ') 
@@ -106,6 +126,51 @@ interface(`miscfiles_manage_cert_files',` ######################################## ## +## Read SSL certificates. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_read_certs',` + miscfiles_read_generic_certs($1) + refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.') +') + +######################################## +## +## Manage SSL certificates. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_manage_cert_dirs',` + miscfiles_manage_generic_cert_dirs($1) + refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.') +') + +######################################## +## +## Manage SSL certificates. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_manage_cert_files',` + miscfiles_manage_generic_cert_files($1) + refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.') +') + +######################################## +## ## Read fonts. ## ## diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index eb75070..59c70bf 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -1,4 +1,4 @@ -policy_module(miscfiles, 1.8.0) +policy_module(miscfiles, 1.8.1) ######################################## # diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index e1da594..c67c8e8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -126,7 +126,10 @@ template(`userdom_base_user_template',` libs_exec_ld_so($1_usertype) - miscfiles_read_certs($1_usertype) + miscfiles_read_localization($1_t) + miscfiles_read_generic_certs($1_t) + + miscfiles_read_all_certs($1_usertype) miscfiles_read_localization($1_usertype) miscfiles_read_man_pages($1_usertype) miscfiles_read_public_files($1_usertype)
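Review bot: The deprecated `miscfiles_read_certs` wrapper is not behaviour-preserving: before this commit the interface granted read on every type carrying the `cert_type` attribute (that body is renamed to `miscfiles_read_all_certs` in the earlier miscfiles.if hunk), while the wrapper now forwards to `miscfiles_read_generic_certs`, which covers only `cert_t`. Any out-of-tree policy still calling the old name silently loses access to the other cert types, with only a deprecation warning to explain the new denials. The wrapper's summary should state the change, e.g. `## Read generic SSL certificates (deprecated; previously granted all cert_type types).`, or the wrapper should forward to `miscfiles_read_all_certs` so callers opt into the narrower interface explicitly.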
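Review bot: The conflict resolution in userdomain.if grants `miscfiles_read_all_certs($1_usertype)` while giving `$1_t` only `miscfiles_read_generic_certs($1_t)`; if `$1_t` is a member of the `$1_usertype` attribute (not visible in this hunk), the two `$1_t` lines are redundant and every user domain ends up reading every cert_type, which is broader than what the rest of this commit hands to system daemons. Unless user domains need a non-generic cert type, `miscfiles_read_generic_certs($1_usertype)` would be consistent with the other hunks, and under the same assumption the added `miscfiles_read_localization($1_t)` duplicates the existing `miscfiles_read_localization($1_usertype)`. The userdom_base_user_template body begins before this hunk.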