diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te index 98aa2f8..41b4027 100644 --- a/refpolicy/policy/modules/admin/bootloader.te +++ b/refpolicy/policy/modules/admin/bootloader.te @@ -1,5 +1,5 @@ -policy_module(bootloader,1.2.3) +policy_module(bootloader,1.2.4) ######################################## # @@ -49,7 +49,7 @@ logging_log_file(var_log_ksyms_t) # allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown }; -allow bootloader_t self:process { sigkill sigstop signull signal }; +allow bootloader_t self:process { sigkill sigstop signull signal execmem }; allow bootloader_t self:fifo_file rw_file_perms; allow bootloader_t bootloader_etc_t:file r_file_perms; @@ -111,6 +111,7 @@ files_dontaudit_search_pids(bootloader_t) # for blkid.tab files_manage_etc_runtime_files(bootloader_t) files_etc_filetrans_etc_runtime(bootloader_t,file) +files_dontaudit_search_home(bootloader_t) init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) @@ -127,6 +128,8 @@ logging_rw_generic_logs(bootloader_t) miscfiles_read_localization(bootloader_t) +modutils_domtrans_insmod_uncond(bootloader_t) + seutil_read_bin_policy(bootloader_t) seutil_read_loadpolicy(bootloader_t) seutil_dontaudit_search_config(bootloader_t) @@ -180,6 +183,10 @@ optional_policy(` ') optional_policy(` + kudzu_domtrans(bootloader_t) +') + +optional_policy(` dev_rw_lvm_control(bootloader_t) lvm_domtrans(bootloader_t) diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te index 28ea0a2..d879781 100644 --- a/refpolicy/policy/modules/admin/logwatch.te +++ b/refpolicy/policy/modules/admin/logwatch.te @@ -1,5 +1,5 @@ -policy_module(logwatch,1.1.1) +policy_module(logwatch,1.1.2) ################################# # @@ -23,7 +23,7 @@ files_tmp_file(logwatch_tmp_t) # Local policy # -allow logwatch_t self:capability setgid; +allow logwatch_t self:capability { dac_override dac_read_search setgid }; allow logwatch_t self:fifo_file rw_file_perms; allow logwatch_t self:unix_stream_socket create_stream_socket_perms; diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 2cc4c9f..d5766aa 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -1,5 +1,5 @@ -policy_module(netutils,1.1.3) +policy_module(netutils,1.1.4) ######################################## # @@ -54,6 +54,7 @@ corenet_tcp_sendrecv_all_ports(netutils_t) corenet_udp_sendrecv_all_ports(netutils_t) corenet_tcp_connect_all_ports(netutils_t) corenet_sendrecv_all_client_packets(netutils_t) +corenet_udp_bind_generic_node(netutils_t) fs_getattr_xattr_fs(netutils_t) diff --git a/refpolicy/policy/modules/admin/prelink.fc b/refpolicy/policy/modules/admin/prelink.fc index 729f75a..7d2b81b 100644 --- a/refpolicy/policy/modules/admin/prelink.fc +++ b/refpolicy/policy/modules/admin/prelink.fc @@ -3,6 +3,5 @@ /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) -/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_cache_t,s0) - /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) +/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te index 3f18fca..506215a 100644 --- a/refpolicy/policy/modules/admin/prelink.te +++ b/refpolicy/policy/modules/admin/prelink.te @@ -1,5 +1,5 @@ -policy_module(prelink,1.1.3) +policy_module(prelink,1.1.4) ######################################## # diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index dd76116..4ee35d7 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if @@ -353,6 +353,26 @@ interface(`files_dontaudit_list_non_security',` ######################################## ## +## Mount a filesystem on all non-security +## directories and files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_non_security',` + gen_require(` + attribute file_type, security_file_type; + ') + + allow $1 { file_type -security_file_type }:dir mounton; + allow $1 { file_type -security_file_type }:file mounton; +') + +######################################## +## ## Allow attempts to modify any directory ## ## diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te index ccf74ba..e3f7b8f 100644 --- a/refpolicy/policy/modules/kernel/files.te +++ b/refpolicy/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.2.11) +policy_module(files,1.2.12) ######################################## # diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index 867de41..ebcabc4 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.3.10) +policy_module(filesystem,1.3.11) ######################################## # @@ -69,6 +69,11 @@ fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0) +type ibmasmfs_t; +fs_type(ibmasmfs_t) +allow ibmasmfs_t self:filesystem associate; +genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0) + type inotifyfs_t; fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc index 82e5153..f6277c5 100644 --- a/refpolicy/policy/modules/services/apache.fc +++ b/refpolicy/policy/modules/services/apache.fc @@ -7,7 +7,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0) /etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0) /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) @@ -29,19 +29,22 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) +/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) + ifdef(`distro_suse', ` /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') -/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) @@ -65,11 +68,11 @@ ifdef(`distro_debian', ` /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -ifdef(`targeted_policy', `', ` +ifdef(`strict_policy',` /var/spool/cron/apache -- gen_context(system_u:object_r:user_cron_spool_t,s0) ') @@ -77,4 +80,3 @@ ifdef(`targeted_policy', `', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if index 69a605f..98cbfb0 100644 --- a/refpolicy/policy/modules/services/apache.if +++ b/refpolicy/policy/modules/services/apache.if @@ -15,6 +15,7 @@ template(`apache_content_template',` gen_require(` attribute httpdcontent; attribute httpd_exec_scripts; + attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; ') # allow write access to public file transfer @@ -35,7 +36,7 @@ template(`apache_content_template',` role system_r types httpd_$1_script_t; # This type is used for executable scripts files - type httpd_$1_script_exec_t; # customizable; + type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t) @@ -338,6 +339,58 @@ template(`apache_per_userdomain_template', ` ######################################## ## +## Read httpd user scripts executables. +## +## +## +## Prefix of the domain. Example, user would be +## the prefix for the uder_t domain. +## +## +## +## +## Domain allowed access. +## +## +# +template(`apache_read_user_scripts',` + gen_require(` + type httpd_$1_script_exec_t; + ') + + allow $2 httpd_$1_script_exec_t:dir r_dir_perms; + allow $2 httpd_$1_script_exec_t:file r_file_perms; + allow $2 httpd_$1_script_exec_t:lnk_file { getattr read }; +') + +######################################## +## +## Read user web content. +## +## +## +## Prefix of the domain. Example, user would be +## the prefix for the uder_t domain. +## +## +## +## +## Domain allowed access. +## +## +# +template(`apache_read_user_content',` + gen_require(` + type httpd_$1_content_t; + ') + + allow $2 httpd_$1_content_t:dir r_dir_perms; + allow $2 httpd_$1_content_t:file r_file_perms; + allow $2 httpd_$1_content_t:lnk_file { getattr read }; +') + +######################################## +## ## Transition to apache. ## ## @@ -464,12 +517,17 @@ interface(`apache_dontaudit_rw_tcp_sockets',` # interface(`apache_manage_all_content',` gen_require(` - attribute httpdcontent; + attribute httpdcontent, httpd_script_exec_type; ') allow $1 httpdcontent:dir manage_dir_perms; allow $1 httpdcontent:file manage_file_perms; allow $1 httpdcontent:lnk_file create_lnk_perms; + + allow $1 httpd_script_exec_type:dir manage_dir_perms; + allow $1 httpd_script_exec_type:file manage_file_perms; + allow $1 httpd_script_exec_type:lnk_file create_lnk_perms; + ') ######################################## @@ -515,6 +573,28 @@ interface(`apache_read_config',` ######################################## ## +## Allow the specified domain to manage +## apache configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_manage_config',` + gen_require(` + type httpd_config_t; + ') + + files_search_etc($1) + allow $1 httpd_config_t:dir manage_dir_perms; + allow $1 httpd_config_t:file manage_file_perms; + allow $1 httpd_config_t:lnk_file { getattr read }; +') + +######################################## +## ## Execute the Apache helper program with ## a domain transition. ## @@ -634,6 +714,28 @@ interface(`apache_dontaudit_append_log',` ######################################## ## +## Allow the specified domain to manage +## to apache log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_manage_log',` + gen_require(` + type httpd_log_t; + ') + + logging_search_logs($1) + allow $1 httpd_log_t:dir manage_dir_perms; + allow $1 httpd_log_t:file manage_file_perms; + allow $1 httpd_log_t:lnk_file { getattr read }; +') + +######################################## +## ## Do not audit attempts to search Apache ## module directories. ## @@ -694,6 +796,28 @@ interface(`apache_exec_modules',` ######################################## ## +## Execute a domain transition to run httpd_rotatelogs. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_domtrans_rotatelogs',` + gen_require(` + type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + ') + + domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t) + + allow httpd_rotatelogs_t $1:fd use; + allow httpd_rotatelogs_t $1:fifo_file rw_file_perms; + allow httpd_rotatelogs_t $1:process sigchld; +') + +######################################## +## ## Allow the specified domain to manage ## apache system content files. ## @@ -903,55 +1027,3 @@ interface(`apache_search_sys_script_state',` allow $1 httpd_sys_script_t:dir search; ') - -######################################## -## -## Read httpd user scripts executables. -## -## -## -## Prefix of the domain. Example, user would be -## the prefix for the uder_t domain. -## -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_user_scripts',` - gen_require(` - type httpd_$1_script_exec_t; - ') - - allow $2 httpd_$1_script_exec_t:dir r_dir_perms; - allow $2 httpd_$1_script_exec_t:file r_file_perms; - allow $2 httpd_$1_script_exec_t:lnk_file { getattr read }; -') - -######################################## -## -## Read user web content. -## -## -## -## Prefix of the domain. Example, user would be -## the prefix for the uder_t domain. -## -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_user_content',` - gen_require(` - type httpd_$1_content_t; - ') - - allow $2 httpd_$1_content_t:dir r_dir_perms; - allow $2 httpd_$1_content_t:file r_file_perms; - allow $2 httpd_$1_content_t:lnk_file { getattr read }; -') diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index fb1c90f..6951300 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.3.13) +policy_module(apache,1.3.14) # # NOTES: @@ -25,6 +25,8 @@ attribute httpdcontent; # domains that can exec all users scripts attribute httpd_exec_scripts; +attribute httpd_script_exec_type; + # user script domains attribute httpd_script_domains; @@ -68,6 +70,10 @@ role system_r types httpd_php_t; type httpd_php_tmp_t; files_tmp_file(httpd_php_tmp_t) +type httpd_rotatelogs_t; +type httpd_rotatelogs_exec_t; +init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) + type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) @@ -109,14 +115,6 @@ files_pid_file(httpd_var_run_t) type squirrelmail_spool_t; files_tmp_file(squirrelmail_spool_t) -# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat -# This is a bug but it still exists in FC2 -# cjp: probably can remove this -ifdef(`distro_redhat',` - typealias httpd_log_t alias httpd_runtime_t; - dontaudit httpd_t httpd_runtime_t:file ioctl; -') - ifdef(`targeted_policy',` typealias httpd_sys_content_t alias httpd_user_content_t; typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; @@ -293,6 +291,15 @@ tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') +ifdef(`TODO', ` +# +# We need optionals to be able to be within booleans to make this work +# +tunable_policy(`allow_httpd_mod_auth_pam',` + auth_domtrans_chk_passwd(httpd_t) +') +') + tunable_policy(`httpd_can_network_connect',` corenet_tcp_connect_all_ports(httpd_t) ') @@ -655,6 +662,9 @@ kernel_read_kernel_sysctls(httpd_sys_script_t) files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) +# Should we add a boolean? +apache_domtrans_rotatelogs(httpd_sys_script_t) + ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file { getattr append }; ') @@ -688,3 +698,26 @@ optional_policy(` optional_policy(` nscd_socket_use(httpd_unconfined_script_t) ') + +######################################## +# +# httpd_rotatelogs local policy +# + +allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms; +allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms; + +kernel_read_kernel_sysctls(httpd_rotatelogs_t) +kernel_dontaudit_list_proc(httpd_rotatelogs_t) +kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) + +files_read_etc_files(httpd_rotatelogs_t) + +libs_use_ld_so(httpd_rotatelogs_t) +libs_use_shared_libs(httpd_rotatelogs_t) + +miscfiles_read_localization(httpd_rotatelogs_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_generic_ptys(httpd_rotatelogs_t) +') diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index 9d364af..67020c0 100644 --- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.2.6) +policy_module(automount,1.2.7) ######################################## # @@ -28,7 +28,7 @@ files_mountpoint(automount_tmp_t) # Local policy # -allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override }; +allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin }; dontaudit automount_t self:capability sys_tty_config; allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; allow automount_t self:fifo_file rw_file_perms; @@ -64,8 +64,17 @@ kernel_read_proc_symlinks(automount_t) kernel_read_system_state(automount_t) kernel_read_network_state(automount_t) kernel_list_proc(automount_t) +kernel_dontaudit_search_xen_state(automount_t) files_search_boot(automount_t) +# Automount is slowly adding all mount functionality internally +files_search_all(automount_t) +files_mounton_all_mountpoints(automount_t) +files_mount_all_file_type_fs(automount_t) +files_unmount_all_file_type_fs(automount_t) + +fs_mount_all_fs(automount_t) +fs_unmount_all_fs(automount_t) corecmd_exec_sbin(automount_t) corecmd_exec_bin(automount_t) diff --git a/refpolicy/policy/modules/services/clamav.if b/refpolicy/policy/modules/services/clamav.if index dfb0dd0..3263dbb 100644 --- a/refpolicy/policy/modules/services/clamav.if +++ b/refpolicy/policy/modules/services/clamav.if @@ -64,6 +64,25 @@ interface(`clamav_read_config',` ######################################## ## +## Search clamav libraries directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_search_lib',` + gen_require(` + type clamd_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 clamd_var_lib_t:dir search_dir_perms; +') + +######################################## +## ## Execute a domain transition to run clamscan. ## ## @@ -83,4 +102,3 @@ interface(`clamav_domtrans_clamscan',` allow clamscan_t $1:fifo_file rw_file_perms; allow clamscan_t $1:process sigchld; ') - diff --git a/refpolicy/policy/modules/services/clamav.te b/refpolicy/policy/modules/services/clamav.te index 76a543a..14f06d6 100644 --- a/refpolicy/policy/modules/services/clamav.te +++ b/refpolicy/policy/modules/services/clamav.te @@ -1,5 +1,5 @@ -policy_module(clamav,1.0.3) +policy_module(clamav,1.0.4) ######################################## # diff --git a/refpolicy/policy/modules/services/cups.fc b/refpolicy/policy/modules/services/cups.fc index c744fe9..44831b1 100644 --- a/refpolicy/policy/modules/services/cups.fc +++ b/refpolicy/policy/modules/services/cups.fc @@ -21,6 +21,7 @@ /usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if index 5fa55b1..5f3a5cb 100644 --- a/refpolicy/policy/modules/services/cups.if +++ b/refpolicy/policy/modules/services/cups.if @@ -40,7 +40,7 @@ interface(`cups_stream_connect',` files_search_pids($1) allow $1 cupsd_var_run_t:dir search; - allow $1 cupsd_var_run_t:sock_file write; + allow $1 cupsd_var_run_t:sock_file { getattr write }; allow $1 cupsd_t:unix_stream_socket connectto; ') diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index 0c24a94..48ed810 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.3.9) +policy_module(cups,1.3.10) ######################################## # @@ -313,6 +313,7 @@ allow cupsd_config_t self:fifo_file rw_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; allow cupsd_config_t self:tcp_socket create_stream_socket_perms; +allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms; allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom }; allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom }; @@ -342,6 +343,9 @@ allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms; allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms; files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file) +allow cupsd_config_t cupsd_tmp_t:file create_file_perms; +files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir }) + allow cupsd_config_t cupsd_var_run_t:file { getattr read }; kernel_read_system_state(cupsd_config_t) @@ -357,6 +361,7 @@ corenet_sendrecv_all_client_packets(cupsd_config_t) dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) +dev_read_rand(cupsd_config_t) fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) @@ -397,6 +402,8 @@ userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t) lpd_read_config(cupsd_config_t) +cups_stream_connect(cupsd_config_t) + ifdef(`distro_redhat',` init_getattr_script_files(cupsd_config_t) @@ -430,6 +437,7 @@ optional_policy(` optional_policy(` hal_domtrans(cupsd_config_t) + hal_read_tmp_files(cupsd_config_t) ') optional_policy(` @@ -593,6 +601,7 @@ corenet_receive_hplip_server_packets(hplip_t) dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) dev_read_urand(hplip_t) +dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) fs_getattr_all_fs(hplip_t) diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if index 7bc69b2..97e7830 100644 --- a/refpolicy/policy/modules/services/hal.if +++ b/refpolicy/policy/modules/services/hal.if @@ -101,10 +101,27 @@ interface(`hal_dbus_chat',` allow hald_t $1:dbus send_msg; ') +######################################## +## +## Read hald tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`hal_read_tmp_files',` + gen_require(` + type hald_tmp_t; + ') + + allow $1 hald_tmp_t:file r_file_perms; +') ######################################## ## -## Read hald state files. +## Read hald PID files. ## ## ## @@ -124,7 +141,7 @@ interface(`hal_read_pid_files',` ######################################## ## -## Read/Write hald state files. +## Read/Write hald PID files. ## ## ## diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 74c9809..47786ad 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.3.9) +policy_module(hal,1.3.10) ######################################## # diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 71aa898..fc62d0b 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -194,9 +194,3 @@ optional_policy(` cron_read_system_job_tmp_files(mta_user_agent) ') ') - -ifdef(`TODO',` -# for the start script to run make -C /etc/mail -allow initrc_t etc_mail_t:dir rw_dir_perms; -allow initrc_t etc_mail_t:file create_file_perms; -') diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index c5228b6..c6eda32 100644 --- a/refpolicy/policy/modules/services/networkmanager.te +++ b/refpolicy/policy/modules/services/networkmanager.te @@ -1,5 +1,5 @@ -policy_module(networkmanager,1.3.4) +policy_module(networkmanager,1.3.5) ######################################## # @@ -92,6 +92,7 @@ libs_use_shared_libs(NetworkManager_t) logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) +miscfiles_read_certs(NetworkManager_t) modutils_domtrans_insmod(NetworkManager_t) diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te index af22a7e..a679b2f 100644 --- a/refpolicy/policy/modules/services/ntp.te +++ b/refpolicy/policy/modules/services/ntp.te @@ -1,5 +1,5 @@ -policy_module(ntp,1.1.2) +policy_module(ntp,1.1.3) ######################################## # @@ -62,6 +62,7 @@ files_pid_filetrans(ntpd_t,ntpd_var_run_t,file) kernel_read_kernel_sysctls(ntpd_t) kernel_read_system_state(ntpd_t) +kernel_read_network_state(ntpd_t) corenet_non_ipsec_sendrecv(ntpd_t) corenet_tcp_sendrecv_all_if(ntpd_t) diff --git a/refpolicy/policy/modules/services/openvpn.te b/refpolicy/policy/modules/services/openvpn.te index 8967f0c..8277b36 100644 --- a/refpolicy/policy/modules/services/openvpn.te +++ b/refpolicy/policy/modules/services/openvpn.te @@ -1,5 +1,5 @@ -policy_module(openvpn,1.0.1) +policy_module(openvpn,1.0.2) ######################################## # @@ -44,6 +44,7 @@ logging_log_filetrans(openvpn_t,openvpn_var_log_t,file) allow openvpn_t openvpn_var_run_t:file create_file_perms; files_pid_filetrans(openvpn_t, openvpn_var_run_t, file) +kernel_read_kernel_sysctls(openvpn_t) kernel_read_net_sysctls(openvpn_t) kernel_read_network_state(openvpn_t) kernel_read_system_state(openvpn_t) @@ -81,6 +82,10 @@ miscfiles_read_localization(openvpn_t) sysnet_exec_ifconfig(openvpn_t) +ifdef(`targeted_policy',` + term_dontaudit_use_generic_ptys(openvpn_t) +') + optional_policy(` daemontools_service_domain(openvpn_t,openvpn_exec_t) ') diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if index 1618a94..b6c9bb1 100644 --- a/refpolicy/policy/modules/services/postfix.if +++ b/refpolicy/policy/modules/services/postfix.if @@ -405,6 +405,29 @@ interface(`postfix_exec_master',` ######################################## ## +## Execute the master postfix program in the +## postfix_master domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_domtrans_smtp',` + gen_require(` + type postfix_smtp_t, postfix_smtp_exec_t; + ') + + domain_auto_trans($1,postfix_smtp_exec_t,postfix_smtp_t) + + allow postfix_smtp_t $1:fd use; + allow postfix_smtp_t $1:fifo_file rw_file_perms; + allow postfix_smtp_t $1:process sigchld; +') + +######################################## +## ## Search postfix mail spool directories. ## ## diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te index 612ba91..d2f7515 100644 --- a/refpolicy/policy/modules/services/postfix.te +++ b/refpolicy/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix,1.2.7) +policy_module(postfix,1.2.8) ######################################## # @@ -456,10 +456,7 @@ ifdef(`targeted_policy', ` ') optional_policy(` - cron_use_fds(postfix_postdrop_t) - cron_rw_pipes(postfix_postdrop_t) - cron_use_system_job_fds(postfix_postdrop_t) - cron_rw_system_job_pipes(postfix_postdrop_t) + cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') optional_policy(` diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te index 5ba43fd..4f48f9b 100644 --- a/refpolicy/policy/modules/services/ppp.te +++ b/refpolicy/policy/modules/services/ppp.te @@ -1,5 +1,5 @@ -policy_module(ppp,1.2.3) +policy_module(ppp,1.2.4) ######################################## # @@ -59,8 +59,8 @@ files_pid_file(pptp_var_run_t) allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override }; dontaudit pppd_t self:capability sys_tty_config; +allow pppd_t self:process signal; allow pppd_t self:fifo_file rw_file_perms; -allow pppd_t self:file { read getattr }; allow pppd_t self:socket create_socket_perms; allow pppd_t self:unix_dgram_socket create_socket_perms; allow pppd_t self:unix_stream_socket create_socket_perms; diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te index 15f8dea..29eefae 100644 --- a/refpolicy/policy/modules/services/procmail.te +++ b/refpolicy/policy/modules/services/procmail.te @@ -1,5 +1,5 @@ -policy_module(procmail,1.2.3) +policy_module(procmail,1.2.4) ######################################## # @@ -78,6 +78,7 @@ ifdef(`targeted_policy', ` optional_policy(` clamav_domtrans_clamscan(procmail_t) + clamav_search_lib(procmail_t) ') optional_policy(` diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index baeccb0..a6bdb4e 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -1290,6 +1290,8 @@ interface(`auth_use_nsswitch',` allow $1 var_auth_t:file create_file_perms; files_list_var_lib($1) + miscfiles_read_certs($1) + sysnet_dns_name_resolve($1) sysnet_use_ldap($1) diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 3cc57bd..6a21bb7 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.3.5) +policy_module(authlogin,1.3.6) ######################################## # diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc index ec49bbf..9126380 100644 --- a/refpolicy/policy/modules/system/libraries.fc +++ b/refpolicy/policy/modules/system/libraries.fc @@ -121,7 +121,7 @@ ifdef(`distro_gentoo',` /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/xorg/modules/drivers/fglx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ifdef(`distro_redhat',` diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 2251bf6..03ce1fa 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.3.8) +policy_module(libraries,1.3.9) ######################################## # diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 9caa6f8..d257374 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -1,5 +1,5 @@ -policy_module(mount,1.3.6) +policy_module(mount,1.3.7) ######################################## # @@ -111,6 +111,7 @@ ifdef(`targeted_policy',` tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) + files_mounton_non_security(mount_t) ') ') diff --git a/refpolicy/policy/modules/system/unconfined.fc b/refpolicy/policy/modules/system/unconfined.fc index a505b37..08643f9 100644 --- a/refpolicy/policy/modules/system/unconfined.fc +++ b/refpolicy/policy/modules/system/unconfined.fc @@ -7,4 +7,6 @@ ifdef(`targeted_policy',` /usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/local/RealPlay/realplay.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ') diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index d8509df..acd16f2 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.3.10) +policy_module(unconfined,1.3.11) ######################################## # diff --git a/refpolicy/policy/modules/system/xen.te b/refpolicy/policy/modules/system/xen.te index 8d15a08..4f80cc0 100644 --- a/refpolicy/policy/modules/system/xen.te +++ b/refpolicy/policy/modules/system/xen.te @@ -1,5 +1,5 @@ -policy_module(xen,1.0.6) +policy_module(xen,1.0.7) ######################################## # @@ -68,7 +68,7 @@ init_daemon_domain(xm_t, xm_exec_t) # xend local policy # -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config }; +allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw }; allow xend_t self:process { signal sigkill }; # internal communication is often done using fifo and unix sockets. allow xend_t self:fifo_file rw_file_perms; @@ -168,6 +168,8 @@ sysnet_read_dhcpc_pid(xend_t) xen_stream_connect_xenstore(xend_t) +netutils_domtrans(xend_t) + optional_policy(` consoletype_domtrans(xend_t) ') @@ -255,7 +257,8 @@ xen_append_log(xenstored_t) # xm local policy # -allow xm_t self:capability { dac_override ipc_lock }; +allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; + # internal communication is often done using fifo and unix sockets. allow xm_t self:fifo_file { read write }; allow xm_t self:unix_stream_socket create_stream_socket_perms; @@ -265,6 +268,9 @@ allow xm_t xend_var_lib_t:fifo_file create_file_perms; allow xm_t xend_var_lib_t:file create_file_perms; files_search_var_lib(xm_t) +allow xm_t xen_image_t:dir rw_dir_perms; +allow xm_t xen_image_t:file r_file_perms; + kernel_read_system_state(xm_t) kernel_read_kernel_sysctls(xm_t) kernel_read_xen_state(xm_t) @@ -284,6 +290,7 @@ files_read_etc_files(xm_t) term_use_all_terms(xm_t) init_rw_script_stream_sockets(xm_t) +init_use_fds(xm_t) libs_use_ld_so(xm_t) libs_use_shared_libs(xm_t)