diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 6b226d2..fb77e18 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -276,6 +276,7 @@ allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit e
 allow passwd_t self:process { setrlimit setfscreate };
 allow passwd_t self:fd use;
 allow passwd_t self:fifo_file rw_file_perms;
+allow passwd_t self:sock_file r_file_perms;
 allow passwd_t self:unix_dgram_socket create_socket_perms;
 allow passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow passwd_t self:unix_dgram_socket sendto;
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index aa11b47..08b43f0 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1345,6 +1345,23 @@ interface(`dev_rw_mouse',`
 ########################################
 ##
+## Get the attributes of the mtrr device.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_getattr_mtrr',`
+ gen_require(`
+ type device_t, mtrr_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 mtrr_device_t:chr_file getattr;
+')
+
+########################################
+##
 ## Read the mtrr device.
 ##
 ##
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 935f1ba..1c35439 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
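Review bot: `allow passwd_t self:sock_file r_file_perms;` is added without any indication of which socket file, labeled with the domain's own type, passwd needs to read; the identical unexplained rule is added for remote_login_t in remotelogin.te and for udev_t in udev.te in this commit. A `self` rule on an on-disk object class is unusual enough that the next reviewer cannot tell from the policy whether it is still needed or was a one-off denial fix. A short comment above the rule naming the access that produced it, e.g. `# <access that produced the denial>`, would record that, and the same note belongs on the other two copies.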
@@ -78,10 +78,6 @@ allow crond_t self:msg { send receive };
 allow crond_t crond_var_run_t:file create_file_perms;
 files_create_pid(crond_t,crond_var_run_t)
 
-allow crond_t crond_tmp_t:dir create_dir_perms;
-allow crond_t crond_tmp_t:file create_file_perms;
-files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
-
 allow crond_t cron_spool_t:dir rw_dir_perms;
 allow crond_t cron_spool_t:file r_file_perms;
 allow crond_t system_cron_spool_t:dir r_dir_perms;
@@ -145,6 +141,13 @@ ifdef(`distro_redhat', `
 ')
 
 ifdef(`targeted_policy',`
+ allow crond_t system_crond_tmp_t:dir create_dir_perms;
+ allow crond_t system_crond_tmp_t:file create_file_perms;
+ allow crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
+ allow crond_t system_crond_tmp_t:sock_file create_file_perms;
+ allow crond_t system_crond_tmp_t:fifo_file create_file_perms;
+ files_create_tmp_files(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
 unconfined_domain_template(crond_t)
 
 # cjp: fix this to generic_user interfaces
@@ -154,6 +157,10 @@ ifdef(`targeted_policy',`
 userdom_manage_user_home_subdir_pipes(user,crond_t)
 userdom_manage_user_home_subdir_sockets(user,crond_t)
 userdom_create_user_home(user,crond_t,{ dir file lnk_file fifo_file sock_file })
+',`
+ allow crond_t crond_tmp_t:dir create_dir_perms;
+ allow crond_t crond_tmp_t:file create_file_perms;
+ files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
 ')
 
 tunable_policy(`fcron_crond', `
@@ -224,7 +231,7 @@ optional_policy(`squid.te',`
 ')
 
 ifdef(`targeted_policy',`
- # cjp: fix:
+ # cjp: FIXME
 allow crond_t unconfined_t:process transition;
 ',`
 allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index d8fc342..b3517f7 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
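Review bot: In the `@@ -145` hunk the five `allow crond_t system_crond_tmp_t:*` rules sit directly above `unconfined_domain_template(crond_t)`; if that template makes crond_t unconfined, as its name suggests, the allow rules grant nothing new and only the type transition carried by `files_create_tmp_files(...)` has an effect. The hunk also switches crond_t's temp files to system_crond_tmp_t in targeted policy while the `@@ -154` hunk keeps the old crond_tmp_t rules for the other branch, and nothing in the file says why the two branches label temp files differently. A comment above the targeted rules, e.g. `# targeted policy: crond_t creates its tmp files as system_crond_tmp_t, not crond_tmp_t`, would record the intent before the two branches drift further apart.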
@@ -316,7 +316,7 @@ allow ptal_t ptal_var_run_t:file create_file_perms;
 allow ptal_t ptal_var_run_t:lnk_file create_lnk_perms;
 allow ptal_t ptal_var_run_t:sock_file create_file_perms;
 allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
-files_create_pid(ptal_t,ptal_var_run_t,{ file lnk_file sock_file fifo_file })
+files_create_pid(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
 
 allow ptal_t ptal_var_run_t:file create_file_perms;
 allow ptal_t ptal_var_run_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 3a23b3b..672ef1c 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -58,6 +58,7 @@ allow slapd_t slapd_tmp_t:file create_file_perms;
 files_create_tmp_files(slapd_t, slapd_tmp_t, { file dir })
 
 allow slapd_t slapd_var_run_t:file create_file_perms;
+allow slapd_t slapd_var_run_t:dir rw_dir_perms;
 files_create_pid(slapd_t,slapd_var_run_t)
 
 kernel_read_system_state(slapd_t)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 91f1140..ae4d994 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -28,6 +28,7 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl
 allow remote_login_t self:process { setrlimit setexec };
 allow remote_login_t self:fd use;
 allow remote_login_t self:fifo_file rw_file_perms;
+allow remote_login_t self:sock_file r_file_perms;
 allow remote_login_t self:unix_dgram_socket create_socket_perms;
 allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
 allow remote_login_t self:unix_dgram_socket sendto;
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 87cb644..7702c76 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
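Review bot: Adding `dir` to `files_create_pid(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })` declares a type transition for directories, but the only directory rule visible for that type is the context line `allow ptal_t ptal_var_run_t:dir rw_dir_perms;`, and rw_dir_perms does not normally include `create`. Unless this policy's permission-set definition differs, ptal_t gets the transition but is still denied creating the directory, so the new entry has no effect. Changing that line to `allow ptal_t ptal_var_run_t:dir create_dir_perms;` would match what the other object classes in this block already have. The ptal_t rules continue past the end of the hunk.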
@@ -330,6 +330,7 @@ allow smbd_t mtrr_device_t:file getattr;
 #
 # nmbd Local policy
 #
+
 dontaudit nmbd_t self:capability sys_tty_config;
 allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow nmbd_t self:fd use;
@@ -345,6 +346,7 @@ allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 allow nmbd_t nmbd_var_run_t:file create_file_perms;
+allow nmbd_t nmbd_var_run_t:dir rw_dir_perms;
 files_create_pid(nmbd_t,nmbd_var_run_t)
 
 allow nmbd_t samba_etc_t:dir { search getattr };
@@ -378,6 +380,7 @@ corenet_udp_bind_all_nodes(nmbd_t)
 corenet_udp_bind_nmbd_port(nmbd_t)
 
 dev_read_sysfs(nmbd_t)
+dev_getattr_mtrr(nmbd_t)
 
 fs_getattr_all_fs(nmbd_t)
 fs_search_auto_mountpoints(nmbd_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index fe5626d..3d6e691 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -40,10 +40,12 @@ files_pid_file(udev_var_run_t)
 #
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_nice };
+dontaudit udev_t self:capability sys_tty_config;
 allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_file_perms;
+allow udev_t self:sock_file r_file_perms;
 allow udev_t self:shm create_shm_perms;
 allow udev_t self:sem create_sem_perms;
 allow udev_t self:msgq create_msgq_perms;
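Review bot: `dev_getattr_mtrr(nmbd_t)` in the `@@ -378` hunk goes through the new interface, which grants `mtrr_device_t:chr_file getattr`, while the `@@ -330` hunk header shows smbd_t still carrying a direct `allow smbd_t mtrr_device_t:file getattr;` on the `file` class. Either the mtrr node is reached through two different object classes, in which case the interface should cover both or a comment should say which daemon hits which, or the smbd rule names the wrong class and never matches; the diff alone does not show which. Replacing the smbd line with `dev_getattr_mtrr(smbd_t)` would make the two daemons consistent and keep the class decision in one place.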
@@ -66,8 +68,9 @@ allow udev_t udev_etc_t:file r_file_perms;
 allow udev_t udev_tbl_t:file create_file_perms;
 dev_create_dev_node(udev_t,udev_tbl_t,file)
 
-allow udev_t udev_var_run_t:dir rw_dir_perms;
 allow udev_t udev_var_run_t:file create_file_perms;
+allow udev_t udev_var_run_t:dir rw_dir_perms;
+files_create_pid(udev_t,udev_var_run_t)
 
 kernel_read_system_state(udev_t)
 kernel_getattr_core(udev_t)
@@ -154,6 +157,9 @@ ifdef(`distro_redhat',`
 ')
 
 ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(udev_t)
+ term_dontaudit_use_generic_pty(udev_t)
+
 unconfined_domain_template(udev_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 2affdb7..ab9c9c6 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -46,6 +46,10 @@ ifdef(`targeted_policy',`
 amanda_domtrans_recover(unconfined_t)
 ')
 
+ optional_policy(`apache.te',`
+ apache_domtrans_helper(unconfined_t)
+ ')
+
 optional_policy(`bind.te',`
 bind_domtrans_ndc(unconfined_t)
 ')
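Review bot: In the `@@ -154` hunk the two `term_dontaudit_*` calls are placed immediately before `unconfined_domain_template(udev_t)`; if that template grants udev_t the tty and pty access they cover, the dontaudit rules suppress nothing, since permitted accesses are not audited. If they are meant for a tty access the template does not grant, a comment saying so would keep a later cleanup from dropping them, e.g. `# tty/pty access not granted by the unconfined template`. I cannot see the template's definition from the diff, so this may simply need the comment rather than a change.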