diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 208e193..6e3cfa1 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -302,3 +302,17 @@ define(`terminal_ignore_use_general_pseudoterminal_depend',`
 type devpts_t;
 class chr_file { read write };
 ')
+
+########################################
+#
+# terminal_ignore_use_pseudoterminal_multiplexer(domain)
+#
+define(`terminal_ignore_use_pseudoterminal_multiplexer',`
+requires_block_template(`$0'_depend)
+dontaudit $1 ptmx_t:chr_file { getattr read write };
+')
+
+define(`terminal_ignore_use_pseudoterminal_multiplexer_depend',`
+type ptmx_t;
+class chr_file { getattr read write };
+')
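Review bot: The new interface silences only `{ getattr read write }` on ptmx_t, whereas the raw rule it replaces in authlogin.te (`dontaudit utempter_t ptmx_t:chr_file rw_file_perms;`, removed in the hunk ending at line 181) used rw_file_perms, which in this policy's permission sets presumably also covers ioctl, lock and append. If that narrowing is intentional it is a reasonable least-noise choice, but utempter may now produce ioctl/append denials on /dev/ptmx that were previously hidden; if not intended, extend the set in both the body and the `_depend` block. The header block also names the interface without saying what it does; a one-liner such as `# Do not audit attempts to use the pty multiplexer (/dev/ptmx).` would match the purpose of the `ignore_` family.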
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 8b09787..02d31b0 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -116,8 +116,7 @@ class process transition;
 #
 define(`authlogin_modify_login_records',`
 requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-# FIXME: search var_log_t
+logging_search_system_log_directory($1)
 allow $1 wtmp_t:file { getattr read write setattr };
 ')
 
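Review bot: Replacing `files_search_system_state_data_directory($1)` with `logging_search_system_log_directory($1)` removes the search right on the /var directory itself, and nothing in the hunk restores it. Unless logging_search_system_log_directory internally calls the files_ search interface for the state-data directory (not visible here), a caller walking to /var/log/wtmp will be denied at /var before it reaches the log directory. If the logging interface does not cover that, keep both calls: `files_search_system_state_data_directory($1)` followed by `logging_search_system_log_directory($1)`.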
@@ -192,6 +191,38 @@ class file { getattr read write setattr };
 
 #######################################
 #
+# authlogin_pam_transition(domain)
+#
+define(`authlogin_pam_transition',`
+requires_block_template(`$0'_depend)
+allow $1 pam_exec_t:file { getattr read execute };
+allow $1 pam_t:process transition;
+type_transition $1 pam_exec_t:file pam_t;
+dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`authlogin_pam_transition_depend',`
+type pam_t, pam_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+#######################################
+#
+# authlogin_pam_execute(domain)
+#
+define(`authlogin_pam_execute',`
+requires_block_template(`$0'_depend)
+allow $1 pam_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`authlogin_pam_execute_depend',`
+type pam_exec_t;
+class file { getattr read execute execute_no_trans };
+')
+
+#######################################
+#
 # authlogin_pam_read_runtime_data(domain)
 #
 define(`authlogin_pam_read_runtime_data',`
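Review bot: `authlogin_pam_execute` grants `execute_no_trans`, so the PAM helper runs in the caller's own domain with the caller's privileges; that is the opposite of the containment `authlogin_pam_transition` just above provides, and the header comment does not say so. A line such as `# Execute PAM helpers in the caller's domain (no domain transition); prefer authlogin_pam_transition where the pam_t domain exists.` under the `authlogin_pam_execute(domain)` header would keep callers from picking it by accident. The same bare `# name(domain)` header style applies to `authlogin_pam_transition` here and to `sysnetwork_dhcpc_transition` in sysnetwork.if (hunk ending at line 847); a one-sentence purpose on each would make the interfaces self-describing.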
@@ -225,3 +256,59 @@ type pam_var_run_t;
 class dir { getattr search read write remove_name };
 class file { getattr unlink };
 ')
+
+#######################################
+#
+# authlogin_pam_console_transition(domain)
+#
+define(`authlogin_pam_console_transition',`
+requires_block_template(`$0'_depend)
+allow $1 pam_console_exec_t:file { getattr read execute };
+allow $1 pam_console_t:process transition;
+type_transition $1 pam_console_exec_t:file pam_console_t;
+dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`authlogin_pam_console_transition_depend',`
+type pam_console_t, pam_console_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+#######################################
+#
+# authlogin_pam_console_read_runtime_data(domain)
+#
+define(`authlogin_pam_console_read_runtime_data',`
+requires_block_template(`$0'_depend)
+files_search_system_state_data_directory($1)
+files_search_runtime_data_directory($1)
+allow $1 pam_var_console_t:dir { getattr search read };
+allow $1 pam_var_console_t:file { getattr read };
+')
+
+define(`authlogin_pam_console_read_runtime_data_depend',`
+type pam_var_console_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+#######################################
+#
+# authlogin_pam_console_manage_runtime_data(domain)
+#
+define(`authlogin_pam_console_manage_runtime_data',`
+requires_block_template(`$0'_depend)
+files_search_system_state_data_directory($1)
+files_search_runtime_data_directory($1)
+allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename };
+')
+
+define(`authlogin_pam_console_manage_runtime_data_depend',`
+type pam_var_console_t;
+class dir { read getattr lock search ioctl add_name remove_name write };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+class lnk_file { create read getattr setattr link unlink rename };
+')
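Review bot: `authlogin_pam_console_manage_runtime_data` grants more than the `rw_dir_create_file(local_login_t, pam_var_console_t)` rule it replaces in locallogin.te (hunk ending at line 394): the new interface also adds a full lnk_file set (create/unlink/rename/link/setattr) and file link/rename/unlink. If the only caller, local_login_t, needs just to create and write lock files under pam_var_console_t, a narrower interface (dir rw plus file create/write) would keep it at least privilege; if the broader set is intended, a comment on the header saying why symlink management is needed would help the next reviewer. The `_depend` block correctly mirrors the permission sets, so no build issue is expected.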
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index ca11f84..d3cd88b 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -172,6 +172,11 @@ terminal_ignore_use_general_pseudoterminal(pam_console_t)
 files_ignore_read_rootfs_file(pam_console_t)
 ')
 
+optional_policy(`hotplug.te', `
+hotplug_use_file_descriptors(pam_console_t)
+hotplug_ignore_search_config_directory(pam_console_t)
+')
+
 optional_policy(`selinux.te',`
 selinux_newrole_sigchld(pam_console_t)
 ')
@@ -210,11 +215,6 @@ ifdef(`gpm.te', `
 allow pam_console_t gpmctl_t:sock_file { getattr setattr };
 ')
 
-optional_policy(`hotplug.te', `
-dontaudit pam_console_t hotplug_etc_t:dir search;
-hotplug_use_file_descriptors(pam_console_t)
-')
-
 ifdef(`xdm.te', `
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
@@ -236,6 +236,7 @@ terminal_get_all_users_physical_terminal_attributes(utempter_t)
 terminal_get_all_users_pseudoterminal_attributes(utempter_t)
 terminal_ignore_use_all_users_physical_terminals(utempter_t)
 terminal_ignore_use_all_users_pseudoterminals(utempter_t)
+terminal_ignore_use_pseudoterminal_multiplexer(utempter_t)
 
 init_script_modify_runtime_data(utempter_t)
 
@@ -253,9 +254,6 @@ in_user_role(utempter_t)
 role sysadm_r types utempter_t;
 domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
 
-# dontaudit access to /dev/ptmx.
-dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
-
 # Allow utemper to write to /tmp/.xses-*
 allow utempter_t user_tmpfile:file { getattr write append };
 
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 9299c20..d152359 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -45,3 +45,36 @@ define(`hotplug_use_file_descriptors_depend',`
 type hotplug_t;
 class fd use;
 ')
+
+########################################
+#
+# hotplug_ignore_search_config_directory(domain)
+#
+define(`hotplug_ignore_search_config_directory',`
+requires_block_template(`$0'_depend)
+dontaudit $1 hotplug_etc_t:dir search;
+')
+
+define(`hotplug_ignore_search_config_directory_depend',`
+type hotplug_etc_t;
+class dir search;
+')
+
+########################################
+#
+# hotplug_read_config(domain)
+#
+define(`hotplug_read_config',`
+requires_block_template(`$0'_depend)
+# FIXME: search etc_t
+allow $1 hotplug_etc_t:file { read getattr lock ioctl };
+allow $1 hotplug_etc_t:dir { read getattr lock search ioctl };
+allow $1 hotplug_etc_t:lnk_file { getattr read };
+')
+
+define(`hotplug_read_config_depend',`
+type hotplug_etc_t;
+class file { read getattr lock ioctl };
+class dir { read getattr lock search ioctl };
+class lnk_file { getattr read };
+')
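Review bot: `hotplug_read_config` ships with `# FIXME: search etc_t` and grants read on hotplug_etc_t without any search right on the parent /etc directory, so a caller that has not independently obtained etc_t search will be denied before it reaches the hotplug config. The sibling interfaces in this diff resolve the same problem by calling the relevant files_ search interface inside the body (see `files_search_system_state_data_directory` in authlogin.if); the matching files_ interface for the general system config directory should be called here in place of the FIXME. If no such search-only interface exists yet in the files module, the FIXME should at least say which interface is expected so the gap is not forgotten.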
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index d43bca7..372b087 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -289,6 +289,10 @@ modutils_depmod_transition(initrc_t)
 modutils_update_modules_transition(initrc_t)
 ')
 
+optional_policy(`mount.te',`
+mount_transition(initrc_t)
+')
+
 optional_policy(`sysnetwork.te',`
 sysnetwork_ifconfig_transition(initrc_t)
 ')
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index ace0030..fb587e1 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -10,6 +10,7 @@ policy_module(iptables, 1.0)
 type iptables_t;
 type iptables_exec_t;
 domain_make_daemon_domain(iptables_t,iptables_exec_t)
+role system_r types iptables_t;
 
 type iptables_tmp_t;
 files_make_file(iptables_tmp_t)
@@ -23,9 +24,11 @@ files_make_file(iptables_t)
 #
 
 allow iptables_t self:capability { net_admin net_raw };
-allow iptables_t self:process { sigkill sigstop signull signal };
+dontaudit iptables_t self:capability sys_tty_config;
+allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 
 allow iptables_t iptables_var_run_t:dir { ioctl read getattr lock write append };
+files_create_daemon_runtime_data(iptables_t,iptables_var_run_t)
 
 allow iptables_t iptables_exec_t:file { getattr read execute execute_no_trans };
 
@@ -35,27 +38,68 @@ files_create_private_tmp_data(iptables_t, iptables_tmp_t, { file dir })
 
 allow iptables_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 
-kernel_read_modprobe_sysctl(iptables_t)
-kernel_use_file_descriptors(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
+kernel_read_hardware_state(iptables_t)
+kernel_read_kernel_sysctl(iptables_t)
+kernel_read_modprobe_sysctl(iptables_t)
+kernel_use_file_descriptors(iptables_t)
 
 filesystem_get_persistent_filesystem_attributes(iptables_t)
 
+devices_discard_data_stream(iptables_t)
+
+terminal_ignore_use_console(iptables_t)
+
+init_use_file_descriptors(iptables_t)
+init_script_use_pseudoterminal(iptables_t)
+
+domain_use_widely_inheritable_file_descriptors(iptables_t)
+
 files_read_general_system_config(iptables_t)
 
+libraries_use_dynamic_loader(iptables_t)
+libraries_read_shared_libraries(iptables_t)
+
 logging_send_system_log_message(iptables_t)
 # system-config-network appends to /var/log
 #logging_append_system_logs(iptables_t)
 
 miscfiles_read_localization(iptables_t)
 
+sysnetwork_ifconfig_transition(iptables_t)
+
 optional_policy(`modutils.te', `
 modutils_insmod_transition(iptables_t)
 ')
 
+optional_policy(`selinux.te',`
+selinux_newrole_sigchld(iptables_t)
+')
+
+optional_policy(`udev.te', `
+udev_read_database(iptables_t)
+')
+
+tunable_policy(`targeted_policy', `
+terminal_ignore_use_general_physical_terminal(iptables_t)
+terminal_ignore_use_general_pseudoterminal(iptables_t)
+files_ignore_read_rootfs_file(iptables_t)
+')
+
 ifdef(`TODO',`
-daemon_base_domain(iptables, `, privmodule')
+
+optional_policy(`rhgb.te', `
+allow iptables_t rhgb_t:process sigchld;
+allow iptables_t rhgb_t:fd use;
+allow iptables_t rhgb_t:fifo_file { read write };
+')
+allow iptables_t null_device_t:chr_file r_file_perms;
+dontaudit iptables_t unpriv_userdomain:fd use;
+allow iptables_t autofs_t:dir { search getattr };
+tunable_policy(`direct_sysadm_daemon', `
+dontaudit iptables_t admin_tty_type:chr_file rw_file_perms;
+')
 
 domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
 role sysadm_r types iptables_t;
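Review bot: Several rules left in the `ifdef(\`TODO'` block now appear to duplicate the interface calls added above them: `allow iptables_t null_device_t:chr_file r_file_perms;` alongside `devices_discard_data_stream(iptables_t)`, and the `direct_sysadm_daemon` dontaudit on admin_tty_type alongside the `terminal_ignore_use_*` calls in the `targeted_policy` block. If those interfaces cover the same access (their bodies are not visible here), the TODO leftovers should be dropped so the block only lists what still needs converting. Unrelated to that, `sysnetwork_ifconfig_transition(iptables_t)` is called unconditionally while `modutils_insmod_transition` is wrapped in `optional_policy`; if sysnetwork is a base module this is fine, otherwise it should get the same wrapper.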
@@ -63,11 +107,6 @@ role sysadm_r types iptables_t;
 # to allow rules to be saved on reboot
 allow iptables_t initrc_tmp_t:file rw_file_perms;
 
-domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
-
-file_type_auto_trans(iptables_t, var_run_t, iptables_var_run_t, $2)
-allow iptables_t var_t:dir search;
-
 # for iptables -L
 can_resolve(iptables_t)
 can_ypbind(iptables_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 3947470..68899ef 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -3,9 +3,10 @@
 # Declarations
 #
 
-type local_login_t; #, privuser, privrole, auth_chkpwd, privowner, privfd, nscd_client_domain;
+type local_login_t; #, privuser, privrole, auth_chkpwd, privowner, nscd_client_domain;
 domain_make_domain(local_login_t)
 authlogin_make_login_program_entrypoint(local_login_t)
+domain_make_file_descriptors_widely_inheritable(local_login_t)
 role system_r types local_login_t;
 
 type local_login_tmp_t;
@@ -34,6 +35,10 @@ kernel_compute_reachable_user_contexts(local_login_t)
 # for SSP/ProPolice
 devices_get_pseudorandom_data(local_login_t)
 
+terminal_use_all_users_physical_terminals(local_login_t)
+terminal_use_general_physical_terminal(local_login_t)
+
+init_script_modify_runtime_data(local_login_t)
 init_ignore_use_file_descriptors(local_login_t)
 
 files_read_general_system_config(local_login_t)
@@ -50,6 +55,8 @@ selinux_read_default_contexts(local_login_t)
 authlogin_ignore_read_shadow_passwords(local_login_t)
 authlogin_modify_login_records(local_login_t)
 authlogin_modify_last_login_log(local_login_t)
+authlogin_pam_execute(local_login_t)
+authlogin_pam_console_manage_runtime_data(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
@@ -75,11 +82,6 @@ allow local_login_t exec_type:{ file lnk_file } r_file_perms;
 # Read /dev directories and any symbolic links.
 allow local_login_t device_t:lnk_file r_file_perms;
 
-optional_policy(`authlogin.te',`
-can_exec(local_login_t, pam_exec_t)
-rw_dir_create_file(local_login_t, pam_var_console_t)
-')
-
 dontaudit local_login_t sysfs_t:dir search;
 
 allow local_login_t autofs_t:dir { search read getattr };
@@ -98,13 +100,6 @@ allow local_login_t crack_db_t:file r_file_perms;
 allow local_login_t home_root_t:dir search;
 allow local_login_t home_dir_type:dir search;
 
-# Write to /var/run/utmp.
-allow local_login_t var_run_t:dir search;
-allow local_login_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow local_login_t var_log_t:dir search;
-
 # Write to /var/log/btmp
 allow local_login_t faillog_t:file { append read write };
 
@@ -143,12 +138,12 @@ allow local_login_t var_lock_t:dir rw_dir_perms;
 allow local_login_t var_lock_t:file create_file_perms;
 
 # Read and write ttys.
-allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
-allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
+allow local_login_t tty_device_t:chr_file setattr;
+allow local_login_t ttyfile:chr_file setattr;
 
 # Relabel ttys.
-allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
-allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
+allow local_login_t tty_device_t:chr_file { relabelfrom relabelto };
+allow local_login_t ttyfile:chr_file { relabelfrom relabelto };
 
 optional_policy(`gpm.te',`
 allow local_login_t gpmctl_t:sock_file { getattr setattr };
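Review bot: The relabel rules lose `getattr` (`allow local_login_t tty_device_t:chr_file { relabelfrom relabelto };` and the ttyfile twin), and the rw rules drop to `setattr` only, so both now depend on `terminal_use_all_users_physical_terminals` / `terminal_use_general_physical_terminal` (added in the hunk ending at line 373) to supply getattr and read/write. That is presumably true for the `terminal_use_` family, but it is worth confirming before merging, since a relabel without getattr fails in practice. A short comment such as `# getattr/read/write come from the terminal_use_* interfaces above` on the relabel rule would record the dependency.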
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 09f102a..9dade39 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -126,10 +126,6 @@ files_read_general_system_config(syslogd_t)
 files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
 files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
 files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
-tunable_policy(`distro_suse', `
-# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
-file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
-')
 
 libraries_use_dynamic_loader(syslogd_t)
 libraries_read_shared_libraries(syslogd_t)
@@ -170,6 +166,7 @@ files_ignore_read_rootfs_file(syslogd_t)
 ')
 
 ifdef(`TODO',`
+
 allow syslogd_t proc_t:dir r_dir_perms;
 allow syslogd_t proc_t:lnk_file read;
 allow syslogd_t null_device_t:chr_file r_file_perms;
@@ -185,6 +182,11 @@ tunable_policy(`direct_sysadm_daemon',`
 dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
 ')
 
+tunable_policy(`distro_suse', `
+# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
+file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
+')
+
 # can_network is for the UDP socket
 can_ypbind(syslogd_t)
 
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index c019681..a20ac42 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -5,7 +5,7 @@ policy_module(miscfiles,1.0)
 #
 # catman_t is the type for /var/catman.
 #
-type catman_t;       # , file_type, sysadmfile, tmpfile;
+type catman_t; # , tmpfile;
 files_make_file(catman_t)
 
 #
@@ -42,5 +42,5 @@ files_make_file(test_file_t)
 #
 # for /var/{spool,lib}/texmf index files
 #
-type tetex_data_t;     # , file_type, sysadmfile, tmpfile;
+type tetex_data_t; # , tmpfile;
 files_make_file(tetex_data_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index e983a4c..1e017d3 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -69,8 +69,6 @@ ifdef(`TODO',`
 # nfsv4 has a filesystem to mount for its userspace daemons
 allow mount_t var_lib_nfs_t:dir mounton;
 
-#domain_auto_trans(initrc_t, mount_exec_t, mount_t)
-
 # for localization
 allow mount_t lib_t:file { getattr read };
 
@@ -125,15 +123,24 @@ allow mount_t autofs_t:dir read;
 
 optional_policy(`portmap.te', `
 # for nfs
-can_network(mount_t)
 can_ypbind(mount_t)
+can_udp_send(mount_t, portmap_t)
+can_udp_send(portmap_t, mount_t)
+allow mount_t rpc_pipefs_t:dir search;
+corenetwork_network_tcp_on_all_interfaces(mount_t)
+corenetwork_network_raw_on_all_interfaces(mount_t)
+corenetwork_network_udp_on_all_interfaces(mount_t)
+corenetwork_network_tcp_on_all_nodes(mount_t)
+corenetwork_network_raw_on_all_nodes(mount_t)
+corenetwork_network_udp_on_all_nodes(mount_t)
+corenetwork_network_tcp_on_all_ports(mount_t)
+corenetwork_network_udp_on_all_ports(mount_t)
+corenetwork_bind_tcp_on_all_nodes(mount_t)
+corenetwork_bind_udp_on_all_nodes(mount_t)
 corenetwork_bind_tcp_on_general_port(mount_t)
 corenetwork_bind_udp_on_general_port(mount_t)
 corenetwork_bind_tcp_on_reserved_port(mount_t)
 corenetwork_bind_udp_on_reserved_port(mount_t)
-can_udp_send(mount_t, portmap_t)
-can_udp_send(portmap_t, mount_t)
-allow mount_t rpc_pipefs_t:dir search;
 ')
 
 ') dnl endif TODO
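Review bot: The expansion of `can_network(mount_t)` into `corenetwork_network_tcp_on_all_ports`, `corenetwork_network_udp_on_all_ports` and the `_on_all_nodes` / `_on_all_interfaces` calls grants mount_t unrestricted network reach, which is broader than NFS mounting needs (portmap and NFS ports). The old macro was equally broad, so this is not a regression, but since the block is still under `ifdef(\`TODO'` this is the moment to narrow it to the port interfaces mount actually uses before it goes live. A comment like `# TODO: restrict to portmap/nfs ports once per-port interfaces exist` on the `_on_all_ports` lines would keep that intent visible.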
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 42f74c3..7d869e9 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -106,6 +106,8 @@ terminal_use_controlling_terminal(checkpolicy_t)
 init_use_file_descriptors(checkpolicy_t)
 init_script_use_pseudoterminal(checkpolicy_t)
 
+domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
+
 libraries_use_dynamic_loader(checkpolicy_t)
 libraries_read_shared_libraries(checkpolicy_t)
 
@@ -117,11 +119,9 @@ domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
 file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
 
 # directory search permissions for path to source and binary policy files
-allow checkpolicy_t root_t:dir search;
 allow checkpolicy_t etc_t:dir search;
 
 # Read the devpts root directory.  
-allow checkpolicy_t devpts_t:dir r_dir_perms;
 ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
 
 # Other access
@@ -133,7 +133,8 @@ allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
 # so it can be used without privilege to write real binary policy file
 can_exec(unpriv_userdomain, checkpolicy_exec_t)
 
-allow checkpolicy_t { userdomain privfd }:fd use;
+allow checkpolicy_t userdomain:fd use;
+
 ') dnl endif TODO
 
 ########################################
@@ -165,6 +166,8 @@ terminal_list_pseudoterminals(load_policy_t)
 init_script_use_file_descriptors(load_policy_t)
 init_script_use_pseudoterminal(load_policy_t)
 
+domain_use_widely_inheritable_file_descriptors(load_policy_t)
+
 libraries_use_dynamic_loader(load_policy_t)
 libraries_read_shared_libraries(load_policy_t)
 
@@ -178,9 +181,9 @@ domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
 allow load_policy_t etc_t:dir search;
 
 # Other access
-allow load_policy_t { admin_tty_type }:chr_file { read write ioctl getattr };
+allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
 
-allow load_policy_t { userdomain privfd }:fd use;
+allow load_policy_t userdomain:fd use;
 
 allow load_policy_t sysadm_tmp_t:file { getattr write } ;
 ') dnl endif TODO
@@ -223,6 +226,11 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
 terminal_list_pseudoterminals(newrole_t)
 terminal_use_controlling_terminal(newrole_t)
 
+# Write to utmp.
+init_script_modify_runtime_data(newrole_t)
+
+domain_use_widely_inheritable_file_descriptors(newrole_t)
+
 files_read_general_system_config(newrole_t)
 
 libraries_use_dynamic_loader(newrole_t)
@@ -243,9 +251,6 @@ allow newrole_t autofs_t:dir { search getattr };
 # for when the user types "exec newrole" at the command line
 allow newrole_t privfd:process sigchld;
 
-# Inherit descriptors from the current session.
-allow newrole_t privfd:fd use;
-
 # Execute /sbin/pwdb_chkpwd to check the password.
 allow newrole_t sbin_t:dir r_dir_perms;
 
@@ -283,9 +288,6 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
 # for when the network connection is killed
 dontaudit unpriv_userdomain newrole_t:process signal;
 
-# Write to utmp.
-allow newrole_t var_run_t:dir r_dir_perms;
-allow newrole_t initrc_var_run_t:file rw_file_perms;
 ') dnl ifdef TODO
 
 ########################################
@@ -310,9 +312,13 @@ kernel_compute_reachable_user_contexts(restorecon_t)
 
 filesystem_get_persistent_filesystem_attributes(restorecon_t)
 
+terminal_use_general_physical_terminal(restorecon_t)
+
 init_use_file_descriptors(restorecon_t)
 init_script_use_pseudoterminal(restorecon_t)
 
+domain_use_widely_inheritable_file_descriptors(restorecon_t)
+
 files_read_runtime_system_config(restorecon_t)
 files_read_general_system_config(restorecon_t)
 
@@ -332,12 +338,12 @@ devices_manage_all_devices_labels(restorecon_t)
 files_manage_all_files_labels(restorecon_t)
 
 ifdef(`TODO',`
-allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
+allow restorecon_t admin_tty_type:chr_file { read write ioctl };
 
 domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t) 
 domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
 role sysadm_r types restorecon_t;
-allow restorecon_t { userdomain privfd }:fd use;
+allow restorecon_t userdomain:fd use;
 
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that restorecon can not be run!
@@ -375,11 +381,16 @@ kernel_compute_reachable_user_contexts(setfiles_t)
 filesystem_get_persistent_filesystem_attributes(setfiles_t)
 
 terminal_use_controlling_terminal(setfiles_t)
+terminal_use_all_users_physical_terminals(setfiles_t)
+terminal_use_all_users_pseudoterminals(setfiles_t)
+terminal_use_general_physical_terminal(setfiles_t)
 
 init_use_file_descriptors(setfiles_t)
 init_script_use_file_descriptors(setfiles_t)
 init_script_use_pseudoterminal(setfiles_t)
 
+domain_use_widely_inheritable_file_descriptors(setfiles_t)
+
 libraries_use_dynamic_loader(setfiles_t)
 libraries_read_shared_libraries(setfiles_t)
 
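Review bot: The three `terminal_use_*` calls for setfiles_t replace the TODO-only rule `allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl };` (removed in the hunk ending at line 670), and the interfaces presumably grant the full rw set including getattr, lock and append. That both activates access that was previously disabled and widens it slightly; the widening is harmless for a terminal, but it would be good to confirm that setfiles needs all-users pseudoterminals and not just its controlling terminal, which `terminal_use_controlling_terminal(setfiles_t)` above already provides. The same question applies to `terminal_use_general_physical_terminal(restorecon_t)` in the hunk ending at line 624.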
@@ -398,12 +409,10 @@ files_manage_all_files_labels(setfiles_t)
 
 ifdef(`TODO',`
 
-allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl };
-
 domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
 role sysadm_r types setfiles_t;
 
-allow setfiles_t { userdomain privfd }:fd use;
+allow setfiles_t userdomain:fd use;
 
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that setfiles can not be run!
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 42f74c3..7d869e9 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -106,6 +106,8 @@ terminal_use_controlling_terminal(checkpolicy_t)
 init_use_file_descriptors(checkpolicy_t)
 init_script_use_pseudoterminal(checkpolicy_t)
 
+domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
+
 libraries_use_dynamic_loader(checkpolicy_t)
 libraries_read_shared_libraries(checkpolicy_t)
 
@@ -117,11 +119,9 @@ domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
 file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
 
 # directory search permissions for path to source and binary policy files
-allow checkpolicy_t root_t:dir search;
 allow checkpolicy_t etc_t:dir search;
 
 # Read the devpts root directory.  
-allow checkpolicy_t devpts_t:dir r_dir_perms;
 ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
 
 # Other access
@@ -133,7 +133,8 @@ allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
 # so it can be used without privilege to write real binary policy file
 can_exec(unpriv_userdomain, checkpolicy_exec_t)
 
-allow checkpolicy_t { userdomain privfd }:fd use;
+allow checkpolicy_t userdomain:fd use;
+
 ') dnl endif TODO
 
 ########################################
@@ -165,6 +166,8 @@ terminal_list_pseudoterminals(load_policy_t)
 init_script_use_file_descriptors(load_policy_t)
 init_script_use_pseudoterminal(load_policy_t)
 
+domain_use_widely_inheritable_file_descriptors(load_policy_t)
+
 libraries_use_dynamic_loader(load_policy_t)
 libraries_read_shared_libraries(load_policy_t)
 
@@ -178,9 +181,9 @@ domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
 allow load_policy_t etc_t:dir search;
 
 # Other access
-allow load_policy_t { admin_tty_type }:chr_file { read write ioctl getattr };
+allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
 
-allow load_policy_t { userdomain privfd }:fd use;
+allow load_policy_t userdomain:fd use;
 
 allow load_policy_t sysadm_tmp_t:file { getattr write } ;
 ') dnl endif TODO
@@ -223,6 +226,11 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
 terminal_list_pseudoterminals(newrole_t)
 terminal_use_controlling_terminal(newrole_t)
 
+# Write to utmp.
+init_script_modify_runtime_data(newrole_t)
+
+domain_use_widely_inheritable_file_descriptors(newrole_t)
+
 files_read_general_system_config(newrole_t)
 
 libraries_use_dynamic_loader(newrole_t)
@@ -243,9 +251,6 @@ allow newrole_t autofs_t:dir { search getattr };
 # for when the user types "exec newrole" at the command line
 allow newrole_t privfd:process sigchld;
 
-# Inherit descriptors from the current session.
-allow newrole_t privfd:fd use;
-
 # Execute /sbin/pwdb_chkpwd to check the password.
 allow newrole_t sbin_t:dir r_dir_perms;
 
@@ -283,9 +288,6 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
 # for when the network connection is killed
 dontaudit unpriv_userdomain newrole_t:process signal;
 
-# Write to utmp.
-allow newrole_t var_run_t:dir r_dir_perms;
-allow newrole_t initrc_var_run_t:file rw_file_perms;
 ') dnl ifdef TODO
 
 ########################################
@@ -310,9 +312,13 @@ kernel_compute_reachable_user_contexts(restorecon_t)
 
 filesystem_get_persistent_filesystem_attributes(restorecon_t)
 
+terminal_use_general_physical_terminal(restorecon_t)
+
 init_use_file_descriptors(restorecon_t)
 init_script_use_pseudoterminal(restorecon_t)
 
+domain_use_widely_inheritable_file_descriptors(restorecon_t)
+
 files_read_runtime_system_config(restorecon_t)
 files_read_general_system_config(restorecon_t)
 
@@ -332,12 +338,12 @@ devices_manage_all_devices_labels(restorecon_t)
 files_manage_all_files_labels(restorecon_t)
 
 ifdef(`TODO',`
-allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
+allow restorecon_t admin_tty_type:chr_file { read write ioctl };
 
 domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t) 
 domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
 role sysadm_r types restorecon_t;
-allow restorecon_t { userdomain privfd }:fd use;
+allow restorecon_t userdomain:fd use;
 
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that restorecon can not be run!
@@ -375,11 +381,16 @@ kernel_compute_reachable_user_contexts(setfiles_t)
 filesystem_get_persistent_filesystem_attributes(setfiles_t)
 
 terminal_use_controlling_terminal(setfiles_t)
+terminal_use_all_users_physical_terminals(setfiles_t)
+terminal_use_all_users_pseudoterminals(setfiles_t)
+terminal_use_general_physical_terminal(setfiles_t)
 
 init_use_file_descriptors(setfiles_t)
 init_script_use_file_descriptors(setfiles_t)
 init_script_use_pseudoterminal(setfiles_t)
 
+domain_use_widely_inheritable_file_descriptors(setfiles_t)
+
 libraries_use_dynamic_loader(setfiles_t)
 libraries_read_shared_libraries(setfiles_t)
 
@@ -398,12 +409,10 @@ files_manage_all_files_labels(setfiles_t)
 
 ifdef(`TODO',`
 
-allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl };
-
 domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
 role sysadm_r types setfiles_t;
 
-allow setfiles_t { userdomain privfd }:fd use;
+allow setfiles_t userdomain:fd use;
 
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that setfiles can not be run!
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 8f04d2a..28a35e5 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -2,6 +2,24 @@
 
 ########################################
 #
+# sysnetwork_dhcpc_transition(domain)
+#
+define(`sysnetwork_dhcpc_transition',`
+requires_block_template(`$0'_depend)
+allow $1 dhcpc_exec_t:file { getattr read execute };
+allow $1 dhcpc_t:process transition;
+type_transition $1 dhcpc_exec_t:file dhcpc_t;
+dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`sysnetwork_dhcpc_transition_depend',`
+type dhcpc_t, dhcpc_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+#
 # sysnetwork_ifconfig_transition(domain)
 #
 define(`sysnetwork_ifconfig_transition',`
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 554e424..652ceab 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -133,6 +133,10 @@ optional_policy(`hostname.te',`
 hostname_transition(dhcpc_t)
 ')
 
+optional_policy(`nscd.te',`
+nscd_transition(dhcpc_t)
+')
+
 optional_policy(`selinux.te',`
 selinux_newrole_sigchld(dhcpc_t)
 ')
@@ -142,7 +146,7 @@ udev_read_database(dhcpc_t)
 ')
 
 #
-# dhclient sometimes starts ypbind and ntdp
+# dhclient sometimes starts ypbind and ntpd
 #
 init_script_execute(dhcpc_t)
 optional_policy(`ypbind.te',`
@@ -156,6 +160,7 @@ ifdef(`TODO',`
 allow dhcpc_t null_device_t:chr_file r_file_perms;
 allow dhcpc_t autofs_t:dir { search getattr };
 dontaudit dhcpc_t sysadm_home_dir_t:dir search;
+
 optional_policy(`rhgb.te', `
 allow dhcpc_t rhgb_t:process sigchld;
 allow dhcpc_t rhgb_t:fd use;
@@ -164,14 +169,9 @@ allow dhcpc_t rhgb_t:fifo_file { read write };
 
 can_ypbind(dhcpc_t)
 
-allow dhcpc_t devpts_t:dir search;
-
 # for localization
 allow dhcpc_t lib_t:file { getattr read };
 
-ifdef(`nscd.te', `
-domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
-')
 ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
 allow cardmgr_t dhcpc_var_run_t:file { getattr read };
@@ -261,6 +261,9 @@ kernel_read_network_state(ifconfig_t)
 
 filesystem_get_persistent_filesystem_attributes(ifconfig_t)
 
+terminal_ignore_use_all_users_physical_terminals(ifconfig_t)
+terminal_ignore_use_all_users_pseudoterminals(ifconfig_t)
+
 init_use_file_descriptors(ifconfig_t)
 init_script_use_pseudoterminal(ifconfig_t)
 init_run_init_use_file_descriptors(ifconfig_t)
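Review bot: The two `terminal_ignore_use_all_users_*` calls are dontaudit rules, but the rule they stand in for (`allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;`, removed in the next hunk ending at line 912) was an allow. For the init-script case the `init_script_use_pseudoterminal` line covers output, but when an administrator runs ifconfig from a shell (the `domain_auto_trans` from sysadm is still present under TODO) its output to the admin's tty will be denied without any audit record. If interactive use is meant to work, the `terminal_use_*` forms are the right replacement; if the dontaudit is deliberate, a comment stating that ifconfig is expected to be run only from init scripts would explain the choice.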
@@ -288,7 +291,6 @@ role sysadm_r types ifconfig_t;
 allow ifconfig_t userdomain:fd use;
 
 # Access terminals.
-allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
 
 allow ifconfig_t tun_tap_device_t:chr_file { read write };
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 9d795cd..a611d9a 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -97,16 +97,30 @@ modutils_insmod_transition(udev_t)
 
 logging_send_system_log_message(udev_t)
 
+sysnetwork_ifconfig_transition(udev_t)
+
+optional_policy(`authlogin.te',`
+authlogin_pam_console_read_runtime_data(udev_t)
+authlogin_pam_console_transition(udev_t)
+')
+
 optional_policy(`consoletype.te',`
 consoletype_execute(udev_t)
 ')
 
+optional_policy(`hotplug.te',`
+hotplug_read_config(udev_t)
+')
+
+optional_policy(`sysnetwork.te',`
+sysnetwork_dhcpc_transition(udev_t)
+')
+
 ifdef(`TODO',`
 allow udev_t var_log_t:dir search;
 allow udev_t var_lock_t:dir search;
 allow udev_t var_lock_t:file getattr;
 
-# Mount
 allow udev_t mnt_t:dir search;
 
 allow udev_t devpts_t:dir { getattr search };
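Review bot: `sysnetwork_ifconfig_transition(udev_t)` is called unconditionally at the top of the hunk, while `sysnetwork_dhcpc_transition(udev_t)` from the same module is wrapped in `optional_policy(\`sysnetwork.te',\`...')` a few lines below; one of the two is inconsistent. If sysnetwork is a base module the wrapper is unnecessary and the dhcpc call can join the ifconfig one; if it is optional, the ifconfig call needs the same wrapper or the build breaks when sysnetwork is absent. iptables.te (hunk ending at line 334) calls `sysnetwork_ifconfig_transition` unconditionally as well, so whichever convention is chosen should be applied there too.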
@@ -119,8 +133,6 @@ dontaudit udev_t file_t:dir search;
 dontaudit udev_t domain:dir r_dir_perms;
 dontaudit udev_t ttyfile:chr_file unlink;
 
-domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
-
 allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
 
 dbusd_client(system, udev)
@@ -134,7 +146,7 @@ allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_p
 allow udev_t tmpfs_t:dir search;
 
 # for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
+netutils_transition(udev_t)
 ') dnl end ifdef distro_redhat
 
 tunable_policy(`hide_broken_symptoms',`
@@ -146,17 +158,4 @@ optional_policy(`xdm.te',`
 allow udev_t xdm_var_run_t:file { getattr read };
 ')
 
-optional_policy(`hotplug.te',`
-r_dir_file(udev_t, hotplug_etc_t)
-')
-
-optional_policy(`authlogin.te',`
-allow udev_t pam_var_console_t:dir search;
-allow udev_t pam_var_console_t:file { getattr read };
-authlogin_pam_console_transition(udev_t)
-')
-
-optional_policy(`sysnetwork.te',`
-domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
-')
 ') dnl endif TODO