diff --git a/Changelog b/Changelog index 017d2ce..647ef43 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,5 @@ +- Policy size optimization with a non-security file attribute from James + Carter. - Database labeled networking update from KaiGai Kohei. - Several misc changes from the Fedora policy, cherry picked by David Hrdeman. diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 4ba7e8a..9e4865b 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -32,10 +32,10 @@ # interface(`files_type',` gen_require(` - attribute file_type; + attribute file_type, non_security_file_type; ') - typeattribute $1 file_type; + typeattribute $1 file_type, non_security_file_type; ') ######################################## @@ -217,11 +217,30 @@ interface(`files_poly_member_tmp',` # interface(`files_security_file',` gen_require(` - attribute security_file_type; + attribute file_type, security_file_type; ') - files_type($1) - typeattribute $1 security_file_type; + typeattribute $1 file_type, security_file_type; +') + +######################################## +## +## Make the specified type usable for +## security file filesystem mount points. +## +## +## +## Type to be used for mount points. +## +## +# +interface(`files_security_mountpoint',` + gen_require(` + attribute mountpoint; + ') + + files_security_file($1) + typeattribute $1 mountpoint; ') ######################################## @@ -316,10 +335,10 @@ interface(`files_dontaudit_getattr_all_dirs',` # interface(`files_list_non_security',` gen_require(` - attribute file_type, security_file_type; + attribute non_security_file_type; ') - list_dirs_pattern($1, { file_type -security_file_type }, { file_type -security_file_type }) + list_dirs_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## @@ -335,10 +354,10 @@ interface(`files_list_non_security',` # interface(`files_dontaudit_list_non_security',` gen_require(` - attribute file_type, security_file_type; + attribute non_security_file_type; ') - dontaudit $1 { file_type -security_file_type }:dir list_dir_perms; + dontaudit $1 non_security_file_type:dir list_dir_perms; ') ######################################## @@ -354,11 +373,11 @@ interface(`files_dontaudit_list_non_security',` # interface(`files_mounton_non_security',` gen_require(` - attribute file_type, security_file_type; + attribute non_security_file_type; ') - allow $1 { file_type -security_file_type }:dir mounton; - allow $1 { file_type -security_file_type }:file mounton; + allow $1 non_security_file_type:dir mounton; + allow $1 non_security_file_type:file mounton; ') ######################################## @@ -373,10 +392,28 @@ interface(`files_mounton_non_security',` # interface(`files_write_non_security_dirs',` gen_require(` - attribute file_type, security_file_type; + attribute non_security_file_type; + ') + + allow $1 non_security_file_type:dir write; +') + +######################################## +## +## Allow attempts to manage non-security directories +## +## +## +## Domain to allow +## +## +# +interface(`files_manage_non_security_dirs',` + gen_require(` + attribute non_security_file_type; ') - allow $1 { file_type -security_file_type }:dir write; + allow $1 non_security_file_type:dir manage_dir_perms; ') ######################################## @@ -430,10 +467,10 @@ interface(`files_dontaudit_getattr_all_files',` # interface(`files_dontaudit_getattr_non_security_files',` gen_require(` - attribute file_type, security_file_type; + attribute non_security_file_type; ') - dontaudit $1 { file_type -security_file_type }:file getattr; + dontaudit $1 non_security_file_type:file getattr; ') ######################################## @@ -498,11 +535,11 @@ interface(`files_execmod_all_files',` # interface(`files_read_non_security_files',` gen_require(` - attribute file_type, security_file_type; + attribute non_security_file_type; ') - read_files_pattern($1, { file_type -security_file_type }, { file_type -security_file_type }) - read_lnk_files_pattern($1, { file_type -security_file_type }, { file_type -security_file_type }) + read_files_pattern($1, non_security_file_type, non_security_file_type) + read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## @@ -648,10 +685,10 @@ interface(`files_dontaudit_read_all_symlinks',` # interface(`files_dontaudit_getattr_non_security_symlinks',` gen_require(` - attribute file_type, security_file_type; + attribute non_security_file_type; ') - dontaudit $1 { file_type -security_file_type }:lnk_file getattr; + dontaudit $1 non_security_file_type:lnk_file getattr; ') ######################################## @@ -667,10 +704,10 @@ interface(`files_dontaudit_getattr_non_security_symlinks',` # interface(`files_dontaudit_getattr_non_security_blk_files',` gen_require(` - attribute file_type, security_file_type; + attribute non_security_file_type; ') - dontaudit $1 { file_type -security_file_type }:blk_file getattr; + dontaudit $1 non_security_file_type:blk_file getattr; ') ######################################## @@ -686,10 +723,10 @@ interface(`files_dontaudit_getattr_non_security_blk_files',` # interface(`files_dontaudit_getattr_non_security_chr_files',` gen_require(` - attribute file_type, security_file_type; + attribute non_security_file_type; ') - dontaudit $1 { file_type -security_file_type }:chr_file getattr; + dontaudit $1 non_security_file_type:chr_file getattr; ') ######################################## @@ -763,10 +800,10 @@ interface(`files_dontaudit_getattr_all_pipes',` # interface(`files_dontaudit_getattr_non_security_pipes',` gen_require(` - attribute file_type, security_file_type; + attribute non_security_file_type; ') - dontaudit $1 { file_type -security_file_type }:fifo_file getattr; + dontaudit $1 non_security_file_type:fifo_file getattr; ') ######################################## @@ -820,10 +857,10 @@ interface(`files_dontaudit_getattr_all_sockets',` # interface(`files_dontaudit_getattr_non_security_sockets',` gen_require(` - attribute file_type, security_file_type; + attribute non_security_file_type; ') - dontaudit $1 { file_type -security_file_type }:sock_file getattr; + dontaudit $1 non_security_file_type:sock_file getattr; ') ######################################## @@ -4750,21 +4787,3 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') - -######################################## -## -## Allow attempts to monage any directory -## -## -## -## Domain to allow -## -## -# -interface(`files_manage_non_security_dirs',` - gen_require(` - attribute file_type, security_file_type; - ') - - allow $1 { file_type -security_file_type }:dir manage_dir_perms; -') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index c4e3058..d58f902 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files, 1.9.0) +policy_module(files, 1.9.1) ######################################## # @@ -26,6 +26,8 @@ attribute polymember; # sensitive security files whose accesses should # not be dontaudited for uses attribute security_file_type; +# and its opposite +attribute non_security_file_type; attribute tmpfile; attribute tmpfsfile; diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index ce76009..f5292e8 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging, 1.11.0) +policy_module(logging, 1.11.1) ######################################## # @@ -18,7 +18,7 @@ files_security_file(auditd_etc_t) type auditd_log_t; files_security_file(auditd_log_t) -files_mountpoint(auditd_log_t) +files_security_mountpoint(auditd_log_t) type auditd_t; type auditd_exec_t;