diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 69b4342..23b4e59 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -2,9 +2,15 @@
 ## Enable extra rules in the cron domain
 ## to support fcron.
 ##
-tunable_def(fcron_crond,false)
+gen_tunable(fcron_crond,false)
 
 ##
 ## Allow the use of DNS for name resolution.
 ##
-tunable_def(use_dns,false)
+gen_tunable(use_dns,false)
+
+##
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+##
+gen_tunable(cron_can_relabel,false)
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 735d869..074246d 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -51,7 +51,7 @@ userdom_dontaudit_use_unpriv_user_fd(dmesg_t)
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(dmesg_t)
- terminal_ignore_use_general_pseudoterminal(dmesg_t)
+ term_dontaudit_use_generic_pty(dmesg_t)
  files_dontaudit_read_root_file(dmesg_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 525fff2..7d25e80 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -6,9 +6,6 @@ policy_module(cron, 1.0)
 # Declarations
 #
 
-# Allow system cron jobs to relabel filesystem for restoring file contexts.
-bool cron_can_relabel false;
-
 type anacron_exec_t;
 files_file_type(anacron_exec_t)
 
@@ -126,7 +123,7 @@ tunable_policy(`fcron_crond', `
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(crond_t)
- terminal_ignore_use_general_pseudoterminal(crond_t)
+ term_dontaudit_use_generic_pty(crond_t)
  files_dontaudit_read_root_file(crond_t)
 ')
 
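Review bot: The description added for `cron_can_relabel` says what the tunable is for but not what switching it on grants, and the true branch it guards in cron.te is `selinux_domtrans_setfiles(system_crond_t)`, which by its name lets any system cron job enter the setfiles domain and relabel files it otherwise could not touch. I would extend the block with a line such as `## Enabling this lets system_crond_t transition to the setfiles domain; keep it off unless cron really restores file contexts.` so an administrator reading the tunable list sees the trade-off. The false default is the right one for the same reason.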
@@ -292,9 +289,9 @@ miscfiles_rw_man_cache(system_crond_t)
 
 selinux_read_config(system_crond_t)
 
-if (cron_can_relabel) {
+tunable_policy(`cron_can_relabel',`
  selinux_domtrans_setfiles(system_crond_t)
-} else {
+',`
  kernel_get_selinuxfs_mount_point(system_crond_t)
  kernel_validate_context(system_crond_t)
  kernel_compute_access_vector(system_crond_t)
@@ -302,7 +299,7 @@ if (cron_can_relabel) {
  kernel_compute_relabel_context(system_crond_t)
  kernel_compute_reachable_user_contexts(system_crond_t)
  selinux_read_file_contexts(system_crond_t)
-}
+')
 
 ifdef(`TODO',`
 
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 4fe5d0c..7bce7c0 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -90,7 +90,7 @@ sysnet_read_config(sendmail_t)
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(sendmail_t)
- terminal_ignore_use_general_pseudoterminal(sendmail_t)
+ term_dontaudit_use_generic_pty(sendmail_t)
  files_dontaudit_read_root_file(sendmail_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 9cc541d..ab39a7c 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -152,7 +152,6 @@ term_getattr_unallocated_ttys(pam_console_t)
 term_setattr_unallocated_ttys(pam_console_t)
 
 init_use_fd(pam_console_t)
-init_use_fd(pam_console_t)
 init_use_script_pty(pam_console_t)
 
 domain_use_wide_inherit_fd(pam_console_t)
@@ -176,7 +175,7 @@ ifdef(`direct_sysadm_daemon', `
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(pam_console_t)
- terminal_ignore_use_general_pseudoterminal(pam_console_t)
+ term_dontaudit_use_generic_pty(pam_console_t)
  files_dontaudit_read_root_file(pam_console_t)
 ')
 
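Review bot: The `tunable_policy(`cron_can_relabel',` block that replaces the `if (cron_can_relabel) {` conditional carries no comment of its own, and the one-line explanation that used to sit next to the boolean in the declarations section is deleted earlier in this diff, so a reader of cron.te now has to open global_tunables to learn why the off branch hands system_crond_t `kernel_validate_context`/`kernel_compute_*` access instead of the setfiles transition. I would put one line above the block: `# cron_can_relabel (see global_tunables): on, cron jobs may run setfiles in its domain; off, cron only gets the context-computation interfaces`. The `+')` in the second hunk closes this same block, so its body spans both hunks with lines between them not shown here.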
@@ -186,7 +185,7 @@ optional_policy(`hotplug.te', `
 ')
 
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(pam_console_t)
+ selinux_newrole_sigchld(pam_console_t)
 ')
 
 optional_policy(`udev.te', `
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 6cad75b..df0aa9e 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -59,7 +59,7 @@ miscfiles_read_localization(hwclock_t)
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(hwclock_t)
- terminal_ignore_use_general_pseudoterminal(hwclock_t)
+ term_dontaudit_use_generic_pty(hwclock_t)
  files_dontaudit_read_root_file(hwclock_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index ae17162..34ec9a9 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -29,8 +29,6 @@ kernel_read_kernel_sysctl(hostname_t)
 kernel_read_hardware_state(hostname_t)
 kernel_dontaudit_use_fd(hostname_t)
 
-files_read_generic_etc_files(hostname_t)
-files_dontaudit_search_var(hostname_t)
 fs_getattr_xattr_fs(hostname_t)
 
 term_dontaudit_use_console(hostname_t)
@@ -42,6 +40,8 @@ init_use_script_pty(hostname_t)
 
 domain_use_wide_inherit_fd(hostname_t)
 
+files_read_generic_etc_files(hostname_t)
+files_dontaudit_search_var(hostname_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dir(hostname_t)
 
@@ -60,7 +60,7 @@ ifdef(`distro_redhat', `
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(hostname_t)
- terminal_ignore_use_general_pseudoterminal(hostname_t)
+ term_dontaudit_use_generic_pty(hostname_t)
  files_dontaudit_read_root_file(hostname_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 991c4fb..a35f1d0 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
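Review bot: In the second hostname.te hunk the relocated `files_read_generic_etc_files(hostname_t)` and `files_dontaudit_search_var(hostname_t)` now sit directly above `# for when /usr is not mounted:`, so that comment reads as if it covers them too although it only explains `files_dontaudit_search_isid_type_dir(hostname_t)`. If no blank line separates them (the collapsed hunk does not show one), I would insert one, or reword the comment to `# for when /usr is not mounted (isid dir search only):`. Rule order in the .te file has no effect on the resulting policy, so the move itself changes nothing.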
@@ -119,7 +119,7 @@ ifdef(`distro_redhat', `
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(hotplug_t)
- terminal_ignore_use_general_pseudoterminal(hotplug_t)
+ term_dontaudit_use_generic_pty(hotplug_t)
  files_dontaudit_read_root_file(hotplug_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index c2b04e8..8e6d477 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -98,7 +98,7 @@ optional_policy(`udev.te', `
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(iptables_t)
- terminal_ignore_use_general_pseudoterminal(iptables_t)
+ term_dontaudit_use_generic_pty(iptables_t)
  files_dontaudit_read_root_file(iptables_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index f2fe8aa..3b6ba04 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -81,7 +81,7 @@ miscfiles_read_localization(auditd_t)
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(auditd_t)
- terminal_ignore_use_general_pseudoterminal(auditd_t)
+ term_dontaudit_use_generic_pty(auditd_t)
  files_dontaudit_read_root_file(auditd_t)
 ')
 
@@ -245,7 +245,7 @@ ifdef(`klogd.te', `', `
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(syslogd_t)
- terminal_ignore_use_general_pseudoterminal(syslogd_t)
+ term_dontaudit_use_generic_pty(syslogd_t)
  files_dontaudit_read_root_file(syslogd_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 82f9752..382379a 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -143,7 +143,7 @@ ifdef(`distro_redhat',`
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(lvm_t)
- terminal_ignore_use_general_pseudoterminal(lvm_t)
+ term_dontaudit_use_generic_pty(lvm_t)
  files_dontaudit_read_root_file(lvm_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 4b8e79d..efb45c8 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -139,7 +139,7 @@ ifdef(`distro_redhat', `
 
 ifdef(`targeted_policy', `
  term_dontaudit_use_unallocated_tty(dhcpc_t)
- terminal_ignore_use_general_pseudoterminal(dhcpc_t)
+ term_dontaudit_use_generic_pty(dhcpc_t)
  files_dontaudit_read_root_file(dhcpc_t)
 ')
 
@@ -153,7 +153,7 @@ optional_policy(`hostname.te',`
 ')
 
 optional_policy(`nscd.te',`
- nscd_transition(dhcpc_t)
+ nscd_domtrans(dhcpc_t)
 ')
 
 optional_policy(`selinux.te',`
@@ -173,10 +173,10 @@ optional_policy(`userdomain.te',`
 # init_exec_script(dhcpc_t)
 
 optional_policy(`ypbind.te',`
- ypbind_transition(dhcpc_t)
+ ypbind_domtrans(dhcpc_t)
 ')
 optional_policy(`ntpd.te',`
- ntpd_transition(dhcpc_t)
+ ntpd_domtrans(dhcpc_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
index 36bb673..2ceba74 100644
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
@@ -61,15 +61,15 @@ define(`optional_policy',`
 # tunable value as specified by the policy
 # or if the override value should be used
 #
-define(`deflt_or_overr',`ifdef(`$1',$1,$2)')
+define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
 
 ##############################
 #
 # Tunable declaration
 #
-define(`tunable_def',`
+define(`gen_tunable',`
 ifdef(`monolithic_policy',`
- bool $1 deflt_or_overr(`$1'_conf,$2);
+ bool $1 dflt_or_overr(`$1'_conf,$2);
 ',`
 # loadable module tunable
 # declaration will go here
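Review bot: `gen_tunable` still emits the `bool $1 dflt_or_overr(`$1'_conf,$2);` declaration only under `monolithic_policy`; its other branch is the `# loadable module tunable` / `# declaration will go here` placeholder, so the booleans now routed through it (`fcron_crond`, `use_dns` and the new `cron_can_relabel` in global_tunables) have no declaration in a modular build, while cron.te references `cron_can_relabel` through `tunable_policy`; that only works if tunable_policy is stubbed the same way, which this diff does not show. A FIXME naming that dependency would help, e.g. `# FIXME: until this branch emits a declaration, tunable_policy() users of gen_tunable booleans cannot be built as loadable modules`. The `deflt_or_overr` to `dflt_or_overr` rename is applied to the single caller visible here; any other caller of the old name outside this diff would need the same edit. The `gen_tunable` definition continues past the end of the hunk.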