diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index 6faf8e1..8070200 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -10,12 +10,18 @@ allow $1 consoletype_exec_t:file { getattr read execute };
allow $1 consoletype_t:process transition;
type_transition $1 consoletype_exec_t:process consoletype_t;
dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
+allow $1 consoletype_t:fd use;
+allow consoletype_t $1:fd use;
+allow consoletype_t $1:fifo_file rw_file_perms;
+allow consoletype_t $1:process sigchld;
')
define(`consoletype_transition_depend',`
type consoletype_t, consoletype_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
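Review bot: The four rules appended to consoletype_transition (`allow $1 consoletype_t:fd use;` through `allow consoletype_t $1:process sigchld;`) are repeated verbatim, with only the target domain changed, in dmesg.if, netutils.if, rpm.if, bootloader.if and mta.if in this same patch, and the matching `class fd use; class fifo_file rw_file_perms;` additions are repeated in each depend block. A shared m4 macro taking the caller and target domain would keep the parent/child direction of the fifo_file and sigchld rules uniform and turn these dozen edits into one. That matters here because the gpg.if and kernel.if hunks in this patch already drift from the pattern. No behavioral issue in this hunk itself.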
#######################################
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index dc01a1c..bc718b2 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -20,12 +20,18 @@ allow $1 dmesg_exec_t:file { getattr read execute };
allow $1 dmesg_t:process transition;
type_transition $1 dmesg_exec_t:process dmesg_t;
dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
+allow $1 dmesg_t:fd use;
+allow dmesg_t $1:fd use;
+allow dmesg_t $1:fifo_file rw_file_perms;
+allow dmesg_t $1:process sigchld;
')
define(`dmesg_transition_depend',`
type dmesg_t, dmesg_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index e063dd5..c1150fe 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -10,12 +10,18 @@ allow $1 netutils_exec_t:file { getattr read execute };
allow $1 netutils_t:process transition;
type_transition $1 netutils_exec_t:process netutils_t;
dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
+allow $1 netutils_t:fd use;
+allow netutils_t $1:fd use;
+allow netutils_t $1:fifo_file rw_file_perms;
+allow netutils_t $1:process sigchld;
')
define(`netutils_transition_depend',`
type netutils_t, netutils_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
#######################################
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index 1e77b40..cabe283 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -19,12 +19,18 @@ allow $1 rpm_exec_t:file { getattr read execute };
allow $1 rpm_t:process transition;
type_transition $1 rpm_exec_t:process rpm_t;
dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
+allow $1 rpm_t:fd use;
+allow rpm_t $1:fd use;
+allow rpm_t $1:fifo_file rw_file_perms;
+allow rpm_t $1:process sigchld;
')
define(`rpm_transition_depend',`
type rpm_t, rpm_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 7e0737c..d635dcc 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -47,6 +47,9 @@ role $1_r types $1_gpg_pinentry_t;
allow $1_t $1_gpg_t:process transition;
allow $1_t gpg_exec_t:file { getattr read execute };
type_transition $1_t gpg_exec_t:process $1_gpg_t;
+allow $1_t $1_gpg_t:fd use;
+allow $1_gpg_t $1_t:fd use;
+allow $1_gpg_t $1_t:fifo_file rw_file_perms;
allow $1_gpg_t self:capability { ipc_lock setuid };
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
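Review bot: The three rules added after the type_transition give `$1_gpg_t` fd use and fifo_file rw on `$1_t`, but unlike every other transition hunk in this patch they omit the child-to-parent sigchld rule. The existing `allow { $1_t $1_gpg_t } $1_gpg_t:process signal;` on the next line does not cover it, since it grants signal to `$1_gpg_t`, not from it. Add `allow $1_gpg_t $1_t:process sigchld;` alongside the fd/fifo rules. The template body continues outside this hunk, so if the rule already exists further down, ignore this.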
@@ -156,6 +159,9 @@ dontaudit $1_gpg_t var_t:dir search;
allow $1_gpg_t $1_gpg_helper_t:process transition;
allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
+allow $1_gpg_t $1_gpg_helper_t:fd use;
+allow $1_gpg_helper_t $1_t:fd use;
+allow $1_gpg_helper_t $1_t:fifo_file rw_file_perms;
allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
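Review bot: The helper transition at the top of this hunk is `$1_gpg_t` → `$1_gpg_helper_t`, yet the added rules let the helper use `$1_t`'s fds and fifos while saying nothing about descriptors labeled `$1_gpg_t` — only the forward `allow $1_gpg_t $1_gpg_helper_t:fd use;` is present. Pipes and fds the gpg process itself creates before exec'ing the helper carry gpg's own domain label, so the helper needs `allow $1_gpg_helper_t $1_gpg_t:fd use;` and `allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;` (plus `allow $1_gpg_helper_t $1_gpg_t:process sigchld;` for parity with the other hunks). The `$1_t` rules are only right if the helper is meant to inherit the user's terminal/pipes through gpg; if that is the intent, a comment saying so would help. The template body continues outside this hunk.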
@@ -273,6 +279,9 @@ can_unix_connect($1_gpg_t, $1_gpg_agent_t)
allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
+allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
+allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
+allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
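Review bot: The fifo_file rule in this hunk runs the opposite way from the rest of the patch: `allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;` grants the parent (agent) rw on pipes labeled by its child, whereas every other transition here grants the child rw on the parent's pipes. Pipes the agent sets up before exec'ing pinentry are labeled `$1_gpg_agent_t`, so pinentry needs `allow $1_gpg_pinentry_t $1_gpg_agent_t:fifo_file rw_file_perms;`; the agent-side rule is only needed if pinentry creates pipes the agent later reads, which nothing in the hunk shows. `allow $1_gpg_pinentry_t $1_gpg_agent_t:process sigchld;` is also missing relative to the other transition hunks.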
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 8681739..5e312b2 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -19,12 +19,18 @@ allow $1 bootloader_exec_t:file { getattr read execute };
allow $1 bootloader_t:process transition;
type_transition $1 bootloader_exec_t:process bootloader_t;
dontaudit $1 bootloader_t:process { noatsecure siginh rlimitinh };
+allow $1 bootloader_t:fd use;
+allow bootloader_t $1:fd use;
+allow bootloader_t $1:fifo_file rw_file_perms;
+allow bootloader_t $1:process sigchld;
')
define(`bootloader_transition_depend',`
type bootloader_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 92a52f6..227e8b2 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -50,13 +50,13 @@ class chr_file { getattr relabelfrom relabelto };
#
define(`devices_list_device_nodes',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 device_t:lnk_file { getattr read };
')
define(`devices_list_device_nodes_depend',`
type device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class lnk_file { getattr read };
')
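Review bot: Swapping `{ getattr read search }` for `r_dir_perms` in devices_list_device_nodes is not a pure rewrite — if `r_dir_perms` expands to the usual refpolicy set it also grants `ioctl` and `lock` on the `device_t` directory, and because this interface is called from most of the devices_* interfaces below and from terminal.if, the widening reaches every caller at once. That is probably acceptable for a directory, but the commit message should say it is intentional, and the dontaudit twin in the next hunk now silences the same extra perms. The `r_dir_perms` definition is not in view; confirm what it expands to before merging.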
@@ -66,12 +66,12 @@ class lnk_file { getattr read };
#
define(`devices_ignore_list_device_nodes',`
requires_block_template(`$0'_depend)
-dontaudit $1 device_t:dir { getattr read search };
+dontaudit $1 device_t:dir r_dir_perms;
')
define(`devices_ignore_list_device_nodes_depend',`
type device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
')
########################################
@@ -94,13 +94,13 @@ class fifo_file getattr;
#
define(`devices_get_generic_block_device_attributes',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read };
+allow $1 device_t:dir r_dir_perms;
allow $1 device_t:blk_file getattr;
')
define(`devices_get_generic_block_device_attributes_depend',`
type device_t;
-class dir { getattr search read };
+class dir r_dir_perms;
class blk_file getattr;
')
@@ -142,13 +142,13 @@ class capability mknod;
#
define(`devices_get_generic_character_device_attributes',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read };
+allow $1 device_t:dir r_dir_perms;
allow $1 device_t:chr_file getattr;
')
define(`devices_get_generic_character_device_attributes_depend',`
type device_t;
-class dir { getattr search read };
+class dir r_dir_perms;
class chr_file getattr;
')
@@ -264,7 +264,7 @@ allow $1 device_t:blk_file { create ioctl read getattr lock write setattr append
define(`devices_manage_generic_block_devices_depend',`
type device_t;
-class dir { getattr search read };
+class dir r_dir_perms;
class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
')
@@ -280,7 +280,7 @@ allow $1 device_t:chr_file { create ioctl read getattr lock write setattr append
define(`devices_manage_generic_character_devices_depend',`
type device_t;
-class dir { getattr search read };
+class dir r_dir_perms;
class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
')
@@ -308,14 +308,14 @@ class dir { getattr search read write add_name remove_name };
#
define(`devices_get_all_block_device_attributes',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 device_node:blk_file getattr;
')
define(`devices_get_all_block_device_attributes_depend',`
attribute device_node;
class blk_file getattr;
-class dir { getattr read search };
+class dir r_dir_perms;
')
########################################
@@ -338,14 +338,14 @@ class blk_file getattr;
#
define(`devices_get_all_character_device_attributes',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 device_node:chr_file getattr;
')
define(`devices_get_all_character_device_attributes_depend',`
attribute device_node;
class chr_file getattr;
-class dir { getattr read search };
+class dir r_dir_perms;
')
########################################
@@ -407,7 +407,7 @@ storage_write_scsi_generic($1)
define(`devices_manage_generic_block_devices_depend',`
attribute device_node;
-class dir { getattr search read };
+class dir r_dir_perms;
class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
')
@@ -424,7 +424,7 @@ typeattribute $1 memory_raw_read, memory_raw_write;
define(`devices_manage_all_character_devices_depend',`
attribute device_node, memory_raw_read, memory_raw_write;
-class dir { getattr search read };
+class dir r_dir_perms;
class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
')
@@ -435,7 +435,7 @@ class chr_file { create ioctl read getattr lock write setattr append link unlink
define(`devices_raw_read_memory',`
requires_block_template(`$0'_depend)
typeattribute $1 memory_raw_read;
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file { getattr read ioctl };
allow $1 self:capability sys_rawio;
')
@@ -443,7 +443,7 @@ allow $1 self:capability sys_rawio;
define(`devices_raw_read_memory_depend',`
type device_t, memory_device_t;
attribute memory_raw_read;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read ioctl };
class capability sys_rawio;
')
@@ -455,7 +455,7 @@ class capability sys_rawio;
define(`devices_raw_write_memory',`
requires_block_template(`$0'_depend)
typeattribute $1 memory_raw_write;
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file write;
allow $1 self:capability sys_rawio;
')
@@ -463,7 +463,7 @@ allow $1 self:capability sys_rawio;
define(`devices_raw_write_memory_depend',`
type device_t, memory_device_t;
attribute memory_raw_write;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file write;
class capability sys_rawio;
')
@@ -504,13 +504,13 @@ class chr_file execute;
#
define(`devices_get_random_data',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file { getattr read ioctl };
')
define(`devices_get_random_data_depend',`
type device_t, random_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
@@ -520,13 +520,13 @@ class chr_file { getattr read ioctl };
#
define(`devices_get_pseudorandom_data',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file { getattr read ioctl };
')
define(`devices_get_pseudorandom_data_depend',`
type device_t, urandom_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
@@ -536,13 +536,13 @@ class chr_file { getattr read ioctl };
#
define(`devices_add_entropy',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file { getattr write ioctl };
')
define(`devices_add_entropy_depend',`
type device_t, random_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
@@ -552,13 +552,13 @@ class chr_file { getattr write ioctl };
#
define(`devices_set_pseudorandom_seed',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file { getattr write ioctl };
')
define(`devices_set_pseudorandom_seed_depend',`
type device_t, urandom_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
@@ -568,14 +568,14 @@ class chr_file { getattr write ioctl };
#
define(`devices_use_dev_null',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 null_device_t:chr_file { getattr read write append ioctl };
+allow $1 device_t:dir r_dir_perms;
+allow $1 null_device_t:chr_file rw_file_perms;
')
define(`devices_use_dev_null_depend',`
type device_t, null_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr read write append ioctl };
+class device_t:dir r_dir_perms;
+class chr_file rw_file_perms;
')
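Review bot: `class device_t:dir r_dir_perms;` in devices_use_dev_null_depend does not match the `class <name> <perms>;` form every other _depend block in this file uses (compare `class dir r_dir_perms;` a few hunks up) and is unlikely to parse as a class requirement — it carries a type name in front of the class. The commit rewrites this line but keeps the malformed shape, so the dependency stays wrong after the change. It should read `class dir r_dir_perms;`.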
########################################
@@ -584,14 +584,14 @@ class chr_file { getattr read write append ioctl };
#
define(`devices_use_dev_zero',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 zero_device_t:chr_file { getattr read write append ioctl };
+allow $1 device_t:dir r_dir_perms;
+allow $1 zero_device_t:chr_file rw_file_perms;
')
define(`devices_use_dev_zero_depend',`
type device_t, zero_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr read write append ioctl };
+class device_t:dir r_dir_perms;
+class chr_file r_file_perms;
')
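Review bot: devices_use_dev_zero now grants `zero_device_t:chr_file rw_file_perms` in the body, but its _depend block declares only `class chr_file r_file_perms;`, so the dependency under-declares write/append and the two halves of the interface disagree; dev_null in the previous hunk got `rw_file_perms` on both sides. Change the depend line to `class chr_file rw_file_perms;`. The same block also keeps the malformed `class device_t:dir r_dir_perms;`, which should be `class dir r_dir_perms;`.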
########################################
@@ -615,13 +615,13 @@ class chr_file execute;
#
define(`devices_read_realtime_clock',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file { getattr read ioctl };
')
define(`devices_read_realtime_clock_depend',`
type device_t, clock_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
@@ -631,13 +631,13 @@ class chr_file { getattr read ioctl };
#
define(`devices_write_realtime_clock',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
')
define(`devices_write_realtime_clock_depend',`
type device_t, clock_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { setattr lock write append ioctl };
')
@@ -656,13 +656,13 @@ devices_write_realtime_clock($1)
#
define(`devices_record_sound_input',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr read ioctl };
')
define(`devices_record_sound_input_depend',`
type device_t, sound_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
@@ -672,13 +672,13 @@ class chr_file { getattr read ioctl };
#
define(`devices_play_sound',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
')
define(`devices_play_sound_depend',`
type device_t, sound_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
@@ -688,13 +688,13 @@ class chr_file { getattr write ioctl };
#
define(`devices_read_sound_mixer_levels',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr read ioctl };
')
define(`devices_read_sound_mixer_levels_depend',`
type device_t, sound_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
@@ -704,13 +704,13 @@ class chr_file { getattr read ioctl };
#
define(`devices_write_sound_mixer_levels',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
')
define(`devices_write_sound_mixer_levels_depend',`
type device_t, sound_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
@@ -720,13 +720,13 @@ class chr_file { getattr write ioctl };
#
define(`devices_direct_agp_access',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 agp_device_t:chr_file { getattr read write ioctl };
')
define(`devices_direct_agp_access_depend',`
type device_t, agp_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read write ioctl };
')
@@ -736,13 +736,13 @@ class chr_file { getattr read write ioctl };
#
define(`devices_get_direct_rendering_interface_attributes',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 dri_device_t:chr_file getattr;
')
define(`devices_get_direct_rendering_interface_attributes_depend',`
type device_t, dri_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file getattr;
')
@@ -752,13 +752,13 @@ class chr_file getattr;
#
define(`devices_use_direct_rendering_interface',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 dri_device_t:chr_file { getattr read write ioctl };
')
define(`devices_use_direct_rendering_interface_depend',`
type device_t, dri_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read write ioctl };
')
@@ -782,13 +782,13 @@ class chr_file { getattr read write ioctl };
#
define(`devices_read_mtrr',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file { getattr read ioctl };
')
define(`devices_read_mtrr_depend',`
type device_t, mtrr_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
@@ -798,12 +798,13 @@ class chr_file { getattr read ioctl };
#
define(`devices_write_mtrr',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file { getattr write ioctl };
')
define(`devices_write_mtrr_depend',`
type device_t, mtrr_device_t;
+class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
@@ -813,13 +814,13 @@ class chr_file { getattr write ioctl };
#
define(`devices_read_framebuffer',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 framebuf_device_t:chr_file { getattr read ioctl };
')
define(`devices_read_framebuffer_depend',`
type framebuf_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
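Review bot: devices_read_framebuffer_depend declares only `type framebuf_device_t;` while the interface body allows on `device_t:dir`, so `device_t` is an undeclared requirement; devices_write_framebuffer in the next hunk declares `type device_t, framebuf_device_t;`. Since the commit already edits the class line of this block, fix the type line at the same time: `type device_t, framebuf_device_t;`.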
@@ -829,13 +830,13 @@ class chr_file { getattr read ioctl };
#
define(`devices_write_framebuffer',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 framebuf_device_t:chr_file { getattr write ioctl };
')
define(`devices_write_framebuffer_depend',`
type device_t, framebuf_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
@@ -845,13 +846,13 @@ class chr_file { getattr write ioctl };
#
define(`devices_read_lvm_control_channel',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 lvm_control_t:chr_file { getattr read };
')
define(`devices_read_lvm_control_channel_depend',`
type lvm_control_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { ioctl read getattr lock write append };
')
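Review bot: devices_read_lvm_control_channel_depend declares `class chr_file { ioctl read getattr lock write append };` for an interface whose body only allows `{ getattr read }`, and it omits `type device_t;` even though the body allows on `device_t:dir`. The over-declaration makes a read-only interface look like it needs write access, which misleads anyone auditing the depend block, and the missing type is a real gap. Suggest `type device_t, lvm_control_t;` and `class chr_file { getattr read };`.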
@@ -861,13 +862,13 @@ class chr_file { ioctl read getattr lock write append };
#
define(`devices_use_lvm_control_channel',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read };
+allow $1 device_t:dir r_dir_perms;
allow $1 lvm_control_t:chr_file { ioctl read getattr lock write append };
')
define(`devices_use_lvm_control_channel_depend',`
type lvm_control_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { ioctl read getattr lock write append };
')
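Review bot: devices_use_lvm_control_channel_depend is missing `type device_t;` although the body (`allow $1 device_t:dir r_dir_perms;`) requires it; the read variant in the previous hunk has the same gap. Suggest `type device_t, lvm_control_t;`.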
@@ -893,13 +894,13 @@ class chr_file unlink;
#
define(`devices_read_misc',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 misc_device_t:chr_file { getattr read ioctl };
')
define(`devices_read_misc_depend',`
type device_t, misc_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
@@ -909,13 +910,13 @@ class chr_file { getattr read ioctl };
#
define(`devices_write_misc',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 misc_device_t:chr_file { getattr write ioctl };
')
define(`devices_write_misc_depend',`
type device_t, misc_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
@@ -925,13 +926,13 @@ class chr_file { getattr write ioctl };
#
define(`devices_get_mouse_input',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 mouse_device_t:chr_file { getattr read ioctl };
')
define(`devices_get_mouse_input_depend',`
type device_t, mouse_device_t;
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
class chr_file { getattr read ioctl };
')
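Review bot: devices_get_mouse_input_depend contains an `allow` rule (`allow $1 device_t:dir r_dir_perms;`) where every other _depend block in this file has a `class` declaration. The depend blocks are requirement lists fed to `requires_block_template`, not rule sets, and `$1` has no meaning there; the commit rewrote the line's permission set but kept the wrong statement. Replace it with `class dir r_dir_perms;`.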
@@ -941,13 +942,13 @@ class chr_file { getattr read ioctl };
#
define(`devices_get_input_event',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 event_device_t:chr_file { getattr read ioctl };
')
define(`devices_get_input_event_depend',`
type device_t, event_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
@@ -957,13 +958,13 @@ class chr_file { getattr read ioctl };
#
define(`devices_get_cpuid',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 cpu_device_t:chr_file { getattr read ioctl };
')
define(`devices_get_cpuid_depend',`
type device_t, cpu_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
@@ -973,13 +974,13 @@ class chr_file { getattr read ioctl };
#
define(`devices_load_cpu_microcode',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 cpu_device_t:chr_file { getattr read write ioctl };
')
define(`devices_load_cpu_microcode_depend',`
type device_t, cpu_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read write ioctl };
')
@@ -989,13 +990,13 @@ class chr_file { getattr read write ioctl };
#
define(`devices_use_scanner',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 scanner_device_t:chr_file { getattr read write ioctl };
')
define(`devices_use_scanner_depend',`
type device_t, scanner_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read write ioctl };
')
@@ -1005,12 +1006,12 @@ class chr_file { getattr read write ioctl };
#
define(`devices_control_system_powermanagement',`
requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
+allow $1 device_t:dir r_dir_perms;
allow $1 power_device_t:chr_file { getattr read write ioctl };
')
define(`devices_control_system_powermanagement_depend',`
type device_t, power_device_t;
-class dir { getattr read search };
+class dir r_dir_perms;
class chr_file { getattr read write ioctl };
')
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 55d391c..4cbb309 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -11,12 +11,18 @@ allow kernel_t $1:process transition;
allow $1 kernel_t:fd use;
type_transition kernel_t $2:process $1;
dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
+allow $1 kernel_t:fd use;
+allow kernel_t $1:fd use;
+allow kernel_t $1:fifo_file rw_file_perms;
+allow kernel_t $1:process sigchld;
')
define(`kernel_make_userland_entrypoint_depend',`
type kernel_t;
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
class file { getattr read execute };
+class fifo_file rw_file_perms;
+class fd use;
')
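Review bot: The added rules in kernel_make_userland_entrypoint point the wrong way, and one is a duplicate. The transition here is `kernel_t` → `$1` (see `allow kernel_t $1:process transition;` in the hunk context), so by the pattern the rest of this patch uses the child `$1` should get fifo rw and sigchld on the parent; the hunk instead grants `allow kernel_t $1:fifo_file rw_file_perms;` and `allow kernel_t $1:process sigchld;`, i.e. the kernel domain writing the child's pipes and sending sigchld to the process it spawned. The added `allow $1 kernel_t:fd use;` also repeats the existing line two above it. Suggest replacing the two kernel_t-subject fifo/sigchld lines with `allow $1 kernel_t:fifo_file rw_file_perms;` and `allow $1 kernel_t:process sigchld;` and dropping the duplicate fd rule.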
########################################
@@ -418,15 +424,16 @@ class file { getattr read };
#
define(`kernel_read_system_state',`
requires_block_template(`$0'_depend)
-allow $1 proc_t:dir { getattr search read };
-allow $1 proc_t:{ lnk_file file } { getattr read ioctl };
+allow $1 proc_t:dir r_dir_perms;
+allow $1 proc_t:lnk_file { getattr read };
+allow $1 proc_t:file r_file_perms;
')
define(`kernel_read_system_state_depend',`
type proc_t;
-class dir { search getattr read };
+class dir r_dir_perms;
class lnk_file { getattr read };
-class file { getattr read ioctl };
+class file r_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 96c0d89..c5cc8e2 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -1,4 +1,6 @@
# Copyright (C) 2005 Tresys Technology, LLC
+##
+## Policy for terminals.
########################################
#
@@ -278,13 +280,13 @@ define(`terminal_use_all_private_pseudoterminals',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 devpts_t:dir { getattr read search };
-allow $1 ptynode:chr_file { read write };
+allow $1 ptynode:chr_file { getattr read write ioctl };
')
define(`terminal_use_all_private_pseudoterminals_depend',`
attribute ptynode;
class dir { getattr search read };
-class chr_file { read write };
+class chr_file { getattr read write ioctl };
')
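Review bot: terminal_use_all_private_pseudoterminals_depend declares only `attribute ptynode;` and `class dir`, but the interface body allows `devpts_t:dir { getattr read search }`, so `devpts_t` is an undeclared requirement; the commit touched the chr_file line of this block without adding it. Add `type devpts_t;` to the depend block. Separately, adding `getattr ioctl` on every ptynode widens the interface from data transfer to terminal control (ioctl is the path for tty settings and other control operations), which every caller of this interface now inherits — worth a line in the commit message.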
########################################
@@ -333,6 +335,21 @@ class chr_file setattr;
########################################
#
+# terminal_relabel_general_physical_terminal(domain)
+#
+define(`terminal_relabel_general_physical_terminal',`
+requires_block_template(`$0'_depend)
+devices_list_device_nodes($1)
+allow $1 tty_device_t:chr_file { relabelfrom relabelto };
+')
+
+define(`terminal_relabel_general_physical_terminal_depend',`
+type tty_device_t;
+class chr_file { relabelfrom relabelto };
+')
+
+########################################
+#
# terminal_reset_physical_terminal_labels(domain)
#
define(`terminal_reset_physical_terminal_labels',`
@@ -346,7 +363,6 @@ define(`terminal_reset_physical_terminal_labels_depend',`
attribute ttynode;
type tty_device_t;
class chr_file { relabelfrom relabelto };
-devices_list_device_nodes_depend
')
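Review bot: The new terminal_relabel_general_physical_terminal interface has no `##` description, unlike the documented interfaces further down this file (e.g. the "Write to all private ttys. Has a backchannel..." block). Since `relabelfrom relabelto` on `tty_device_t` lets the caller change the security label of the general tty device, the description should state that plainly, e.g. `## Relabel the general physical terminal device (tty_device_t): grants relabelfrom and relabelto, so the caller can change the label on the tty device node.` This hunk also drops `devices_list_device_nodes_depend` from terminal_reset_physical_terminal_labels_depend while that interface's body still calls `devices_list_device_nodes($1)`; that matches how the new interfaces in this file are written, but confirm the depend convention for called interfaces has changed on purpose.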
########################################
@@ -379,12 +395,12 @@ class chr_file { read write };
define(`terminal_use_general_physical_terminal',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
-allow $1 tty_device_t:chr_file { read write };
+allow $1 tty_device_t:chr_file { getattr read write ioctl };
')
define(`terminal_use_general_physical_terminal_depend',`
type tty_device_t;
-class chr_file { read write };
+class chr_file { getattr read write ioctl };
')
########################################
@@ -418,6 +434,21 @@ class chr_file getattr;
########################################
#
+# terminal_set_all_private_physical_terminal_attributes(domain)
+#
+define(`terminal_set_all_private_physical_terminal_attributes',`
+requires_block_template(`$0'_depend)
+devices_list_device_nodes($1)
+allow $1 ttynode:chr_file setattr;
+')
+
+define(`terminal_set_all_private_physical_terminal_attributes_depend',`
+attribute ttynode;
+class chr_file setattr;
+')
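Review bot: terminal_set_all_private_physical_terminal_attributes grants `setattr` on every `ttynode` chr_file with no `##` description. setattr across the whole attribute means the caller can change the attributes (e.g. mode and ownership) of any user's terminal, so the doc should state the scope explicitly: `## Set the attributes of all private physical terminals (every type in ttynode). The caller can alter any user's tty; intended for terminal-management domains only.` The interface body itself follows the file's existing pattern.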
+
+########################################
+#
# terminal_ignore_get_all_private_physical_terminal_attributes(domain)
#
define(`terminal_ignore_get_all_private_physical_terminal_attributes',`
@@ -431,6 +462,21 @@ class chr_file getattr;
')
########################################
+#
+# terminal_relabel_all_private_physical_terminals(domain)
+#
+define(`terminal_relabel_all_private_physical_terminals',`
+requires_block_template(`$0'_depend)
+devices_list_device_nodes($1)
+allow $1 ttynode:chr_file { relabelfrom relabelto };
+')
+
+define(`terminal_relabel_all_private_physical_terminals_depend',`
+attribute ttynode;
+class chr_file { relabelfrom relabelto };
+')
+
+########################################
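Review bot: terminal_relabel_all_private_physical_terminals, like the two new interfaces above it, is undocumented, and it is the broadest of the three: `relabelfrom relabelto` on the whole `ttynode` attribute lets the caller move any private tty to any other ttynode type, which is exactly the separation that distinct ttynode types exist to provide. Propose `## Relabel all private physical terminals (every type in the ttynode attribute). Grants relabelfrom and relabelto; intended for domains that assign ttys to users at login.` above the define. terminal_reset_physical_terminal_labels just above appears to cover the reset case, so the doc should say how the two differ if both are kept.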
##
##
## Write to all private ttys. Has a backchannel of
@@ -460,12 +506,12 @@ class chr_file { getattr write };
define(`terminal_use_all_private_physical_terminals',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
-allow $1 ttynode:chr_file { read write };
+allow $1 ttynode:chr_file { getattr read write ioctl };
')
define(`terminal_use_all_private_physical_terminals_depend',`
attribute ttynode;
-class chr_file { read write };
+class chr_file { getattr read write ioctl };
')
########################################
@@ -481,3 +527,5 @@ define(`terminal_ignore_use_all_private_physical_terminals_depend',`
attribute ttynode;
class chr_file { read write };
')
+
+##
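Review bot: The patch appends a bare `##` as the last line of terminal.if with nothing after it, which reads as an unfinished doc comment rather than an intended end-of-file marker; the `## Policy for terminals.` header added at the top of the file is complete. Either drop the line or finish the sentence. The rest of this hunk is the existing end of terminal_ignore_use_all_private_physical_terminals_depend.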
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 3ee99d9..973bbf4 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -1,4 +1,6 @@
# Copyright (C) 2005 Tresys Technology, LLC
+##
+## Policy common to all email tranfer agents.
#######################################
#
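Review bot: The new doc header reads `## Policy common to all email tranfer agents.` — "tranfer" should be "transfer". These `##` lines look like they are meant to be picked up as module descriptions, so the typo would surface in generated documentation.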
@@ -36,6 +38,10 @@ allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
allow $1_t sendmail_exec_t:lnk_file { getattr read };
allow $1_t $1_mail_t:process transition;
type_transition $1_t sendmail_exec_t:process $1_mail_t;
+allow $1_t $1_mail_t:fd use;
+allow $1_mail_t $1_t:fd use;
+allow $1_mail_t $1_t:fifo_file rw_file_perms;
+allow $1_mail_t $1_t:process sigchld;
kernel_read_kernel_sysctl($1_mail_t)
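Review bot: The fd/fifo/sigchld rules added after the `type_transition` follow the pattern of the other hunks, but this template has no visible `dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh };` companion that every other transition interface in this patch carries (compare mta_send_mail later in this file). If it is not elsewhere in the template, add `dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh };` next to the transition so the routine inheritance checks do not fill the audit log. The template body continues outside this hunk.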
@@ -174,11 +180,10 @@ allow $1 sendmail_exec_t:file { getattr read execute };
allow $1 system_mail_t:process transition;
type_transition $1 sendmail_exec_t:process system_mail_t;
dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
-
allow $1 system_mail_t:fd use;
-allow system_mail_t $1:process sigchld;
allow system_mail_t $1:fd use;
-allow system_mail_t $1:fifo_file { ioctl read getattr lock write append };
+allow system_mail_t $1:fifo_file rw_file_perms;
+allow system_mail_t $1:process sigchld;
')
define(`mta_send_mail_depend',`
@@ -241,10 +246,30 @@ class file { getattr read write append setattr };
#######################################
#
+# mta_get_mail_spool_attributes(domain)
+#
+define(`mta_get_mail_spool_attributes',`
+requires_block_template(`$0'_depend)
+files_search_system_spool_directory($1)
+allow $1 mail_spool_t:dir r_dir_perms;
+allow $1 mail_spool_t:lnk_file read;
+allow $1 mail_spool_t:file getattr;
+')
+
+define(`mta_get_mail_spool_attributes_depend',`
+type mail_spool_t;
+class dir r_dir_perms;
+class file getattr;
+class lnk_file read;
+')
+
+#######################################
+#
# mta_modify_mail_spool(domain)
#
define(`mta_modify_mail_spool',`
requires_block_template(`$0'_depend)
+files_search_system_spool_directory($1)
allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1 mail_spool_t:file { getattr read write append setattr };
')
@@ -261,6 +286,7 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
#
define(`mta_manage_mail_spool',`
requires_block_template(`$0'_depend)
+files_search_system_spool_directory($1)
allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
')
@@ -286,3 +312,5 @@ type mqueue_spool_t;
class dir { read getattr lock search ioctl add_name remove_name write };
class file { create ioctl read getattr lock write setattr append link unlink rename }
')
+
+##
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index b1ca874..cf84657 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -51,6 +51,10 @@ selinux_read_config($1_chkpwd_t)
allow $1_t chkpwd_exec_t:file { getattr read execute };
allow $1_t $1_chkpwd_t:process transition;
type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
+allow $1_chkpwd_t $1_t:fd use;
+allow $1_t $1_chkpwd_t:fd use;
+allow $1_chkpwd_t $1_t:fifo_file rw_file_perms;
+allow $1_chkpwd_t $1_t:process sigchld;
# Write to the user domain tty.
#userdomain_use_$1_terminal($1_chkpwd_t)
@@ -80,10 +84,12 @@ define(`authlogin_per_userdomain_template_depend',`
attribute can_read_shadow_passwords;
type chkpwd_exec_t, system_chkpwd_t, shadow_t;
class file { getattr read execute };
-class process { getattr transition };
+class process { getattr transition sigchld };
class capability setuid;
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+class fd use;
+class fifo_file rw_file_perms;
')
#######################################
@@ -121,12 +127,18 @@ allow $1 login_exec_t:file { getattr read execute };
allow $1 $2:process transition;
type_transition $1 login_exec_t:process $2;
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
+allow $1 $2:fd use;
+allow $2 $1:fd use;
+allow $2 $1:fifo_file rw_file_perms;
+allow $2 $1:process sigchld;
')
define(`authlogin_login_program_transition_depend',`
type login_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
#######################################
@@ -138,6 +150,10 @@ requires_block_template(`$0'_depend)
allow $1 chkpwd_exec_t:file { getattr read execute };
allow $1 system_chkpwd_t:process transition;
type_transition $1 chkpwd_exec_t:process system_chkpwd_t;
+allow $1 system_chkpwd_t:fd use;
+allow system_chkpwd_t $1:fd use;
+allow system_chkpwd_t $1:fifo_file rw_file_perms;
+allow system_chkpwd_t $1:process sigchld;
dontaudit $1 shadow_t:file { getattr read };
#allow $1_t sbin_t:dir search;
@@ -161,8 +177,10 @@ sysnetwork_read_network_config($1)
define(`authlogin_check_password_transition_depend',`
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
class file { getattr read execute };
-class process transition;
+class process { transition sigchld };
class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+class fd use;
+class fifo_file rw_file_perms;
')
#######################################
@@ -267,6 +285,21 @@ class file relabelto;
#######################################
#
+# authlogin_modify_login_failure_records(domain)
+#
+define(`authlogin_modify_login_failure_records',`
+requires_block_template(`$0'_depend)
+logging_search_system_log_directory($1)
+allow $1 faillog_t:file { read write append };
+')
+
+define(`authlogin_modify_login_failure_records_depend',`
+type faillog_t;
+class file { read write append };
+')
+
+#######################################
+#
# authlogin_modify_last_login_log(domain)
#
define(`authlogin_modify_last_login_log',`
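Review bot: `authlogin_modify_login_failure_records` spells out `{ read write append }` for faillog_t while the rest of this diff converts equivalent permission sets to the `rw_file_perms` macro; if the caller also stats or locks the file (local_login_t, which this diff makes call it, is a likely candidate), getattr and lock would be denied. If the narrower set is deliberate, a comment saying so would help; otherwise `allow $1 faillog_t:file rw_file_perms;` with a matching `class file rw_file_perms;` in the depend block keeps it consistent. Either way the interface should get a `##` doc block stating that the caller may read and modify the login failure records.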
@@ -297,12 +330,18 @@ allow $1 pam_exec_t:file { getattr read execute };
allow $1 pam_t:process transition;
type_transition $1 pam_exec_t:process pam_t;
dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
+allow $1 pam_t:fd use;
+allow pam_t $1:fd use;
+allow pam_t $1:fifo_file rw_file_perms;
+allow pam_t $1:process sigchld;
')
define(`authlogin_pam_transition_depend',`
type pam_t, pam_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd
+class fifo_file rw_file_perms;
')
########################################
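Review bot: `class fd` in `authlogin_pam_transition_depend` is missing its permission and terminator, so the require block will not parse as written; it should read `class fd use;` as in every other `_depend` block updated in this diff. This is the only one of the transition depend blocks touched here with the slip, so it looks like a copy/paste error rather than an intentional difference.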
@@ -394,12 +433,18 @@ allow $1 pam_console_exec_t:file { getattr read execute };
allow $1 pam_console_t:process transition;
type_transition $1 pam_console_exec_t:process pam_console_t;
dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
+allow $1 pam_console_t:fd use;
+allow pam_console_t $1:fd use;
+allow pam_console_t $1:fifo_file rw_file_perms;
+allow pam_console_t $1:process sigchld;
')
define(`authlogin_pam_console_transition_depend',`
type pam_console_t, pam_console_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
#######################################
@@ -525,12 +570,18 @@ allow $1 utempter_exec_t:file { getattr read execute };
allow $1 utempter_t:process transition;
type_transition $1 utempter_exec_t:process utempter_t;
dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
+allow $1 utempter_t:fd use;
+allow utempter_t $1:fd use;
+allow utempter_t $1:fifo_file rw_file_perms;
+allow utempter_t $1:process sigchld;
')
define(`authlogin_utempter_transition_depend',`
type utempter_t, utempter_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 0ba002e..73e32dd 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -17,12 +17,18 @@ allow $1 hwclock_exec_t:file { getattr read execute };
allow $1 hwclock_t:process transition;
type_transition $1 hwclock_exec_t:process hwclock_t;
dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
+allow $1 hwclock_t:fd use;
+allow hwclock_t $1:fd use;
+allow hwclock_t $1:fifo_file rw_file_perms;
+allow hwclock_t $1:process sigchld;
')
define(`clock_transition_depend',`
type hwclock_t, hwclock_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 82065f4..2fc23a0 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -54,14 +54,14 @@ define(`corecommands_execute_general_programs',`
requires_block_template(`$0'_depend)
allow $1 bin_t:dir { getattr search read };
allow $1 bin_t:lnk_file { getattr read };
-allow $1 bin_t:file { getattr read ioctl execute execute_no_trans };
+allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans };
')
define(`corecommands_execute_general_programs_depend',`
type bin_t;
class dir { getattr search read };
class lnk_file { getattr read };
-class file { getattr read ioctl execute execute_no_trans };
+class file { getattr read ioctl lock execute execute_no_trans };
')
########################################
@@ -84,12 +84,12 @@ class dir search;
#
define(`corecommands_read_system_programs_directory',`
requires_block_template(`$0'_depend)
-allow $1 sbin_t:dir { getattr search read };
+allow $1 sbin_t:dir r_dir_perms;
')
define(`corecommands_read_system_programs_directory_depend',`
type sbin_t;
-class dir { getattr search read };
+class dir r_dir_perms;
')
########################################
@@ -114,14 +114,14 @@ define(`corecommands_execute_system_programs',`
requires_block_template(`$0'_depend)
allow $1 sbin_t:dir { getattr search read };
allow $1 sbin_t:lnk_file { getattr read };
-allow $1 sbin_t:file { getattr read ioctl execute execute_no_trans };
+allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans };
')
define(`corecommands_execute_system_programs_depend',`
type sbin_t;
class dir { getattr search read };
class lnk_file { getattr read };
-class file { getattr read ioctl execute execute_no_trans };
+class file { getattr read ioctl lock execute execute_no_trans };
')
########################################
@@ -130,16 +130,16 @@ class file { getattr read ioctl execute execute_no_trans };
#
define(`corecommands_execute_shell',`
requires_block_template(`$0'_depend)
-allow $1 bin_t:dir { getattr search read };
+allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:lnk_file { getattr read };
-allow $1 shell_exec_t:file { getattr read execute execute_no_trans };
+allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans };
')
define(`corecommands_execute_shell_depend',`
type bin_t, shell_exec_t;
-class dir { getattr search read };
+class dir r_dir_perms;
class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+class file { getattr read lock ioctl execute execute_no_trans };
')
########################################
@@ -148,22 +148,24 @@ class file { getattr read execute execute_no_trans };
#
define(`corecommands_execute_ls',`
requires_block_template(`$0'_depend)
-allow $1 bin_t:dir { getattr search read };
+allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:lnk_file { getattr read };
-allow $1 ls_exec_t:file { getattr read execute execute_no_trans };
+allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
')
define(`corecommands_execute_shell_depend',`
type bin_t, ls_exec_t;
-class dir { getattr search read };
+class dir r_dir_perms;
class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+class file { getattr read lock ioctl execute execute_no_trans };
')
########################################
-##
+##
##
-## Execute a shell in the target domain.
+## Execute a shell in the target domain. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
##
##
## The type of the process performing this action.
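Review bot: The depend block rewritten at L1187–L1194 is named `corecommands_execute_shell_depend` although it belongs to `corecommands_execute_ls` and declares `ls_exec_t`; that name is already defined by the preceding interface, so this second definition overrides the shell one with the ls type, and the `requires_block_template(`$0'_depend)` call on L1180 would be looking for `corecommands_execute_ls_depend`, which does not exist. The name is a context line, but since the hunk rewrites the body of this block it is the right place to rename the define on L1187 to `corecommands_execute_ls_depend`.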
@@ -174,22 +176,51 @@ class file { getattr read execute execute_no_trans };
##
##
#
-define(`corecommands_shell_transition',`
+define(`corecommands_shell_explicit_transition',`
requires_block_template(`$0'_depend)
allow $1 bin_t:dir { getattr search read };
allow $1 bin_t:lnk_file { getattr read };
allow $1 shell_exec_t:file { getattr read execute };
allow $1 $2:process transition;
-type_transition $1 shell_exec_t:process $2;
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
+allow $1 $2:fd use;
+allow $2 $1:fd use;
+allow $2 $1:fifo_file rw_file_perms;
+allow $2 $1:process sigchld;
')
-define(`corecommands_shell_transition_depend',`
+define(`corecommands_shell_explicit_transition_depend',`
type bin_t, shell_exec_t;
class dir { getattr search read };
class lnk_file { getattr read };
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
+')
+
+########################################
+##
+##
+## Execute a shell in the target domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The type of the shell process.
+##
+##
+##
+#
+define(`corecommands_shell_transition',`
+requires_block_template(`$0'_depend)
+corecommands_shell_explicit_transition($1,$2)
+type_transition $1 shell_exec_t:process $2;
+')
+
+define(`corecommands_shell_transition_depend',`
+type shell_exec_t;
')
########################################
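Review bot: The doc block for the new `corecommands_shell_transition` wrapper is the old text unchanged and does not say how it differs from `corecommands_shell_explicit_transition`; the summary should state that this variant adds the automatic `type_transition` on shell_exec_t and inherits the fd/fifo/sigchld backchannel rules from the explicit interface, e.g. `## Execute a shell in the target domain with an automatic domain transition on shell_exec_t.` The wrapper's depend block declares only `type shell_exec_t;`; whether the `type_transition` rule also needs `class process transition` there, or is covered by the require block emitted by the nested interface call, depends on how `requires_block_template` expands, which I cannot see here, so it is worth confirming with a module build.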
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 4ff71ac..234207d 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -278,12 +278,12 @@ class process { getattr ptrace };
#
define(`domain_ignore_read_all_domains_process_dirs',`
requires_block_template(`$0'_depend)
-dontaudit $1 domain:dir { getattr search read };
+dontaudit $1 domain:dir r_dir_perms;
')
define(`domain_ignore_read_all_domains_process_dirs_depend',`
attribute domain;
-class dir { getattr search read };
+class dir r_dir_perms;
')
@@ -402,12 +402,12 @@ class fifo_file getattr;
#
define(`domain_execute_all_entrypoint_programs',`
requires_block_template(`$0'_depend)
-allow $1 entry_type:file { getattr read ioctl execute execute_no_trans };
+allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans };
')
define(`domain_execute_all_entrypoint_programs_depend',`
attribute entry_type;
-class file { getattr read ioctl execute execute_no_trans };
+class file { getattr read ioctl lock execute execute_no_trans };
')
########################################
@@ -416,12 +416,14 @@ class file { getattr read ioctl execute execute_no_trans };
#
define(`domain_read_all_entrypoint_programs',`
requires_block_template(`$0'_depend)
-allow $1 entry_type:{ file lnk_file } { getattr read };
+allow $1 entry_type:lnk_file { getattr read };
+allow $1 entry_type:file r_file_perms;
')
define(`domain_read_all_entrypoint_programs_depend',`
attribute entry_type;
-class file { getattr read };
+class file r_file_perms;
+class lnk_file { getattr read };
')
##
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 6d7c4a5..bdebc30 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -136,7 +136,7 @@ class sock_file getattr;
#
define(`files_relabel_all_files',`
requires_block_template(`$0'_depend)
-allow $1 { file_type $2 }:dir { getattr search read relabelfrom relabelto };
+allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
@@ -149,7 +149,7 @@ selinux_relabelto_binary_policy($1)
define(`files_relabel_all_files_depend',`
attribute file_type;
-class dir { getattr search read relabelfrom relabelto };
+class dir { r_dir_perms relabelfrom relabelto };
class file { relabelfrom relabelto };
class lnk_file { relabelfrom relabelto };
class fifo_file { relabelfrom relabelto };
@@ -215,12 +215,12 @@ class dir search;
#
define(`files_read_all_directories',`
requires_block_template(`$0'_depend)
-allow $1 file_type:dir { getattr search read };
+allow $1 file_type:dir r_dir_perms;
')
define(`files_read_all_directories_depend',`
attribute file_type;
-class dir { getattr search read };
+class dir r_dir_perms;
')
########################################
@@ -237,20 +237,6 @@ attribute file_type;
class dir search;
')
-########################################
-#
-# files_read_all_directories(domain)
-#
-define(`files_read_all_directories',`
-requires_block_template(`$0'_depend)
-allow $1 file_type:dir { getattr search read };
-')
-
-define(`files_read_all_directories_depend',`
-attribute file_type;
-class dir { getattr search read };
-')
-
#######################################
#
# files_relabelto_all_file_type_filesystems(domain)
@@ -313,13 +299,13 @@ class dir { getattr search mounton };
#
define(`files_read_root_dir',`
requires_block_template(`$0'_depend)
-allow $1 root_t:dir { getattr search read };
+allow $1 root_t:dir r_dir_perms;
allow $1 root_t:lnk_file { getattr read };
')
define(`files_read_root_dir_depend',`
type root_t;
-class dir { getattr search read };
+class dir r_dir_perms;
class lnk_file { getattr read };
')
@@ -329,12 +315,12 @@ class lnk_file { getattr read };
#
define(`files_create_root_dir_entry',`
requires_block_template(`$0'_depend)
-allow $1 root_t:dir { getattr search read write add_name };
+allow $1 root_t:dir ra_dir_perms;
')
define(`files_create_root_dir_entry_depend',`
type root_t;
-class dir { getattr search read write add_name };
+class dir ra_dir_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index 41a67b2..4c55da3 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -10,12 +10,18 @@ allow $1 getty_exec_t:file { getattr read execute };
allow $1 getty_t:process transition;
type_transition $1 getty_exec_t:process getty_t;
dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
+allow $1 getty_t:fd use;
+allow getty_t $1:fd use;
+allow getty_t $1:fifo_file rw_file_perms;
+allow getty_t $1:process sigchld;
')
define(`getty_transition_depend',`
type getty_t, getty_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
#######################################
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 9536e3e..ce2f2a6 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -2,6 +2,11 @@
policy_module(getty,1.0)
+########################################
+#
+# Declarations
+#
+
type getty_t;
type getty_exec_t;
init_make_init_domain(getty_t,getty_exec_t)
@@ -30,9 +35,12 @@ allow getty_t self:process { getpgid getsession };
allow getty_t getty_etc_t:dir { getattr search read };
allow getty_t getty_etc_t:file { getattr read };
+files_create_private_config(getty_t,getty_etc_t,{ file dir })
allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
+files_create_private_tmp_data(getty_t,getty_tmp_t,{ file dir })
+
allow getty_t getty_log_t:file { getattr append setattr };
kernel_read_hardware_state(getty_t)
@@ -48,8 +56,6 @@ init_script_modify_runtime_data(getty_t)
init_script_use_pseudoterminal(getty_t)
files_modify_system_runtime_data(getty_t)
-files_create_private_config(getty_t,getty_etc_t,{ file dir })
-files_create_private_tmp_data(getty_t,getty_tmp_t,{ file dir })
files_manage_system_lock_files(getty_t)
files_read_runtime_system_config(getty_t)
files_read_general_system_config(getty_t)
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index e7ec93d..5a47de8 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -9,6 +9,7 @@
##
##
## The type of the process performing this action.
+## Has a sigchld signal backchannel.
##
##
##
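Review bot: The added line `## Has a sigchld signal backchannel.` understates what the interface grants: the rules added in the next hunk (L1455–L1458) also give hostname_t `fd use` and `rw_file_perms` on the caller's fifo_files, which is a data backchannel, not just a signal. Suggest `## Has sigchld, fd and fifo backchannels to the caller.` here and the same wording at L1473.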
@@ -19,12 +20,18 @@ allow $1 hostname_exec_t:file { getattr read execute };
allow $1 hostname_t:process transition;
type_transition $1 hostname_exec_t:process hostname_t;
dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
+allow $1 hostname_t:fd use;
+allow hostname_t $1:fd use;
+allow hostname_t $1:fifo_file rw_file_perms;
+allow hostname_t $1:process sigchld;
')
define(`hostname_transition_depend',`
type hostname_t, hostname_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -32,6 +39,7 @@ class process { transition noatsecure siginh rlimitinh };
##
## Execute hostname in the hostname domain, and
## allow the specified role the hostname domain.
+## Has a sigchld signal backchannel.
##
##
## The type of the process performing this action.
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index e4002c9..e9a49c6 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -1,4 +1,9 @@
# Copyright (C) 2005 Tresys Technology, LLC
+##
+##
+## Policy for hotplug system, for supporting the
+## connection and disconnection of devices at runtime.
+##
#######################################
#
@@ -10,12 +15,18 @@ allow $1 hotplug_exec_t:file { getattr read execute };
allow $1 hotplug_t:process transition;
type_transition $1 hotplug_exec_t:process hotplug_t;
dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
+allow $1 hotplug_t:fd use;
+allow hotplug_t $1:fd use;
+allow hotplug_t $1:fifo_file rw_file_perms;
+allow hotplug_t $1:process sigchld;
')
define(`hotplug_transition_depend',`
type hotplug_t, hotplug_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
#######################################
@@ -99,3 +110,5 @@ class file { read getattr lock ioctl };
class dir { read getattr lock search ioctl };
class lnk_file { getattr read };
')
+
+##
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 1d1f5e9..db255bb 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -13,13 +13,18 @@ allow init_t $1:process transition;
allow init_t $2:file { getattr read execute };
dontaudit init_t $1:process { noatsecure siginh rlimitinh };
type_transition init_t $2:process $1;
+allow $1 init_t:fd use;
+allow init_t $1:fd use;
+allow $1 init_t:fifo_file rw_file_perms;
+allow $1 init_t:process sigchld;
')
define(`init_make_init_domain_depend',`
type init_t;
class file { getattr read execute };
class fd use;
-class process { transition noatsecure siginh rlimitinh };
+class fifo_file rw_file_perms;
+class process { transition noatsecure siginh rlimitinh sigchld };
role system_r;
')
@@ -36,17 +41,16 @@ allow initrc_t $1:process transition;
allow initrc_t $2:file { getattr read execute };
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
type_transition initrc_t $2:process $1;
+allow initrc_t $1:fd use;
allow $1 initrc_t:fd use;
-# backchannels:
+allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
-# cjp: probably for logging
-allow $1 initrc_t:fifo_file { getattr write };
')
define(`init_make_daemon_domain_depend',`
type initrc_t;
class file { getattr read execute };
-class fifo_file { getattr write };
+class fifo_file rw_file_perms;
class fd use;
class process { transition noatsecure siginh rlimitinh sigchld };
role system_r;
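Review bot: The rewrite widens the daemon's access to initrc_t fifo_files from `{ getattr write }` to `rw_file_perms` and at the same time deletes the two comments that explained why the rules exist ("backchannels:" / "probably for logging"). The read direction is new: a daemon can now read from any pipe it inherited from the init script rather than only write its output into it. If that is intended, keep a comment recording it, e.g. `# backchannels to the init script domain: fd use, fifo rw, sigchld`; the same applies to `init_make_system_domain` in the next hunk.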
@@ -65,18 +69,17 @@ allow initrc_t $1:process transition;
allow initrc_t $2:file { getattr read execute };
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
type_transition initrc_t $2:process $1;
+allow initrc_t $1:fd use;
allow $1 initrc_t:fd use;
-# backchannels:
+allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
-# cjp: probably for logging
-allow $1 initrc_t:fifo_file { getattr write };
')
define(`init_make_system_domain_depend',`
type initrc_t;
class file { getattr read execute };
class fd use;
-class fifo_file { getattr write };
+class fifo_file rw_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
role system_r;
')
@@ -91,12 +94,18 @@ allow $1 init_exec_t:file { getattr read execute };
allow $1 init_t:process transition;
type_transition $1 init_exec_t:process init_t;
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+allow $1 init_t:fd use;
+allow init_t $1:fd use;
+allow init_t $1:fifo_file rw_file_perms;
+allow init_t $1:process sigchld;
')
define(`init_transition_depend',`
type init_t, init_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -222,12 +231,18 @@ allow $1 initrc_exec_t:file { getattr read execute };
allow $1 initrc_t:process transition;
type_transition $1 initrc_exec_t:process init_t;
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+allow $1 initrc_t:fd use;
+allow initrc_t $1:fd use;
+allow initrc_t $1:fifo_file rw_file_perms;
+allow initrc_t $1:process sigchld;
')
define(`init_script_transition_depend',`
type initrc_t, initrc_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
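Review bot: The new backchannel rules target initrc_t, but the context lines they are inserted after still read `type_transition $1 initrc_exec_t:process init_t;` and `dontaudit $1 init_t:process { noatsecure siginh rlimitinh };` while the allow rule is `$1 initrc_t:process transition`; as written the automatic transition would go to init_t, which the caller is not allowed to enter, and the dontaudit is on a different domain than the one transitioned to. This appears to be a pre-existing init_t/initrc_t mix-up rather than something this commit introduces, but since the hunk is adding initrc_t rules right here it is the natural moment to make both lines say `initrc_t`.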
@@ -277,26 +292,6 @@ class process { getattr ptrace };
########################################
#
-# init_script_direct_admin_transition(role,domain)
-#
-define(`init_script_direct_admin_transition',`
-requires_block_template(`$0'_depend)
-allow $2 initrc_exec_t:file { getattr read execute };
-allow $2 initrc_t:process transition;
-type_transition $2 initrc_exec_t:file init_t;
-role_transition $1 initrc_exec_t system_r;
-dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
-')
-
-define(`init_script_direct_admin_transition_depend',`
-type initrc_t, initrc_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
-kernel_system_role_transition_depend
-')
-
-########################################
-#
# init_script_use_file_descriptors(domain)
#
define(`init_script_use_file_descriptors',`
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index b8e9aa0..c0d6335 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@@ -17,12 +17,18 @@ allow $1 iptables_exec_t:file { getattr read execute };
allow $1 iptables_t:process transition;
type_transition $1 iptables_exec_t:process iptables_t;
dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
+allow $1 iptables_t:fd use;
+allow iptables_t $1:fd use;
+allow iptables_t $1:fifo_file rw_file_perms;
+allow iptables_t $1:process sigchld;
')
define(`iptables_transition_depend',`
type iptables_t, iptables_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 9600fa0..12379bc 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -19,12 +19,18 @@ allow $1 ldconfig_exec_t:file { getattr read execute };
allow $1 ldconfig_t:process transition;
type_transition $1 ldconfig_exec_t:process ldconfig_t;
dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
+allow $1 ldconfig_t:fd use;
+allow ldconfig_t $1:fd use;
+allow ldconfig_t $1:fifo_file rw_file_perms;
+allow ldconfig_t $1:process sigchld;
')
define(`libraries_ldconfig_transition_depend',`
type ldconfig_t, ldconfig_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -71,18 +77,18 @@ class chr_file { getattr read write ioctl };
define(`libraries_use_dynamic_loader',`
requires_block_template(`$0'_depend)
files_read_general_system_config_directory($1)
-allow $1 lib_t:dir { getattr search read };
-allow $1 lib_t:lnk_file { getattr read };
-allow $1 ld_so_t:lnk_file { getattr read };
-allow $1 ld_so_t:file { getattr read execute };
-allow $1 ld_so_cache_t:file { getattr read };
+allow $1 lib_t:dir r_dir_perms;
+allow $1 lib_t:lnk_file r_file_perms;
+allow $1 ld_so_t:lnk_file r_file_perms;
+allow $1 ld_so_t:file rx_file_perms;
+allow $1 ld_so_cache_t:file r_file_perms;
')
define(`libraries_use_dynamic_loader_depend',`
type lib_t, ld_so_t, ld_so_cache_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read execute };
+class dir r_dir_perms;
+class lnk_file r_file_perms;
+class file rx_file_perms;
')
########################################
@@ -127,17 +133,17 @@ class file { execute execmod };
#
define(`libraries_execute_dynamic_loader',`
requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr search read };
-allow $1 lib_t:lnk_file { getattr read };
-allow $1 ld_so_t:lnk_file { getattr read };
-allow $1 ld_so_t:file { getattr read execute execute_no_trans };
+allow $1 lib_t:dir r_dir_perms;
+allow $1 lib_t:lnk_file r_file_perms;
+allow $1 ld_so_t:lnk_file r_file_perms;
+allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
')
define(`libraries_execute_dynamic_loader_depend',`
type lib_t, ld_so_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+class dir r_dir_perms;
+class lnk_file r_file_perms;
+class file { r_file_perms execute execute_no_trans };
')
########################################
@@ -227,17 +233,17 @@ class file { getattr read execute execute_no_trans };
define(`libraries_use_shared_libraries',`
requires_block_template(`$0'_depend)
files_search_general_application_resources_dir($1)
-allow $1 lib_t:dir { getattr search read };
-allow $1 lib_t:lnk_file { getattr read };
-allow $1 { shlib_t texrel_shlib_t }:lnk_file { getattr read };
-allow $1 { shlib_t texrel_shlib_t }:file { getattr read execute };
+allow $1 lib_t:dir r_dir_perms;
+allow $1 lib_t:lnk_file r_file_perms;
+allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
+allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
')
define(`libraries_use_shared_libraries_depend',`
type lib_t, shlib_t, texrel_shlib_t;
-class dir { getattr searc read };
-class lnk_file { getattr read };
-class file { getattr read execute };
+class dir r_dir_perms;
+class lnk_file r_file_perms;
+class file rx_dir_perms;
')
########################################
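Review bot: `class file rx_dir_perms;` in `libraries_use_shared_libraries_depend` does not match the rule it backs (`allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;` at L1742) and is inconsistent with `libraries_use_dynamic_loader_depend` above, which uses `class file rx_file_perms;`. If `rx_dir_perms` is not a defined macro the require block will fail to expand, and if it is, the declared permission set will not correspond to the rule; it should be `class file rx_file_perms;`.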
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 9a611c6..2426a07 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -66,11 +66,16 @@ devices_get_pseudorandom_data(local_login_t)
terminal_use_all_private_physical_terminals(local_login_t)
terminal_use_general_physical_terminal(local_login_t)
+terminal_relabel_general_physical_terminal(local_login_t)
+terminal_relabel_all_private_physical_terminals(local_login_t)
+terminal_set_all_private_physical_terminal_attributes(local_login_t)
+terminal_set_general_physical_terminal_attributes(local_login_t)
authlogin_check_password_transition(local_login_t)
authlogin_ignore_read_shadow_passwords(local_login_t)
authlogin_modify_login_records(local_login_t)
authlogin_modify_last_login_log(local_login_t)
+authlogin_modify_login_failure_records(local_login_t)
authlogin_pam_execute(local_login_t)
authlogin_pam_console_manage_runtime_data(local_login_t)
@@ -78,8 +83,8 @@ domain_read_all_entrypoint_programs(local_login_t)
files_read_general_system_config(local_login_t)
files_read_runtime_system_config(local_login_t)
-files_list_home_directories(local_login_t)
files_read_general_application_resources(local_login_t)
+files_manage_system_lock_files(var_lock_t)
init_script_modify_runtime_data(local_login_t)
init_ignore_use_file_descriptors(local_login_t)
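Review bot: `files_manage_system_lock_files(var_lock_t)` passes the lock-file type as the domain argument, so the interface grants nothing to the login domain; every other call in this file takes `local_login_t`, and the direct `var_lock_t` dir/file rules this replaces (removed in a later hunk of this file) were for `local_login_t`. It should read `files_manage_system_lock_files(local_login_t)`. As written, local login would lose the ability to create its lock file once the old rules are gone.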
@@ -94,8 +99,14 @@ miscfiles_read_localization(local_login_t)
selinux_read_config(local_login_t)
selinux_read_default_contexts(local_login_t)
+userdomain_all_users_explicit_transition(local_login_t)
+userdomain_signal_all_userdomains(local_login_t)
+userdomain_search_all_users_home_dirs(local_login_t)
userdomain_use_all_unprivileged_users_file_descriptors(local_login_t)
+# Search for mail spool file.
+mta_get_mail_spool_attributes(local_login_t)
+
ifdef(`TODO',`
can_ypbind(local_login_t)
@@ -117,15 +128,9 @@ allow local_login_t default_t:notdevfile_class_set r_file_perms;
allow local_login_t readable_t:dir r_dir_perms;
allow local_login_t readable_t:notdevfile_class_set r_file_perms;
-# Read /var, /var/spool
-allow local_login_t { var_t var_spool_t }:dir search;
-
# for when /var/mail is a sym-link
allow local_login_t var_t:lnk_file read;
-# Read /dev directories and any symbolic links.
-allow local_login_t device_t:lnk_file r_file_perms;
-
dontaudit local_login_t sysfs_t:dir search;
allow local_login_t autofs_t:dir { search read getattr };
@@ -140,18 +145,6 @@ ifdef(`crack.te', `
allow local_login_t crack_db_t:file r_file_perms;
')
-# Permit login to search the user home directories.
-allow local_login_t home_root_t:dir search;
-allow local_login_t home_dir_type:dir search;
-
-# Write to /var/log/btmp
-allow local_login_t faillog_t:file { append read write };
-
-# Search for mail spool file.
-allow local_login_t mail_spool_t:dir r_dir_perms;
-allow local_login_t mail_spool_t:file getattr;
-allow local_login_t mail_spool_t:lnk_file read;
-
allow local_login_t mouse_device_t:chr_file { getattr setattr };
tunable_policy(`targeted_policy',`
@@ -159,10 +152,6 @@ unconfined_domain(local_login_t)
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
')
-# But also permit other user domains to be entered by login.
-domain_trans(local_login_t, shell_exec_t, userdomain)
-allow local_login_t userdomain:process signal;
-
# Do not audit denied attempts to access devices.
dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
@@ -177,18 +166,6 @@ dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
# Do not audit denied attempts to access /mnt.
dontaudit local_login_t mnt_t:dir r_dir_perms;
-# Create lock file.
-allow local_login_t var_lock_t:dir rw_dir_perms;
-allow local_login_t var_lock_t:file create_file_perms;
-
-# Read and write ttys.
-allow local_login_t tty_device_t:chr_file setattr;
-allow local_login_t ttyfile:chr_file setattr;
-
-# Relabel ttys.
-allow local_login_t tty_device_t:chr_file { relabelfrom relabelto };
-allow local_login_t ttyfile:chr_file { relabelfrom relabelto };
-
optional_policy(`gpm.te',`
allow local_login_t gpmctl_t:sock_file { getattr setattr };
')
@@ -241,6 +218,7 @@ selinux_read_default_contexts(sulogin_t)
authlogin_read_shadow_passwords(sulogin_t)
+userdomain_sysadm_shell_transition(sulogin_t)
userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)
# suse and debian do not use pam with sulogin...
@@ -264,7 +242,6 @@ kernel_compute_selinux_reachable_user_contexts(sulogin_t)
ifdef(`TODO',`
-domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
can_ypbind(sulogin_t)
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index d84f8d2..4c9437c 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -1,4 +1,6 @@
# Copyright (C) 2005 Tresys Technology, LLC
+##
+## Policy for logical volume management programs.
########################################
##
@@ -17,12 +19,18 @@ allow $1 lvm_exec_t:file { getattr read execute };
allow $1 lvm_t:process transition;
type_transition $1 lvm_exec_t:process lvm_t;
dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
+allow $1 lvm_t:fd use;
+allow lvm_t $1:fd use;
+allow lvm_t $1:fifo_file rw_file_perms;
+allow lvm_t $1:process sigchld;
')
define(`lvm_transition_depend',`
type lvm_t, lvm_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -76,3 +84,4 @@ type lvm_t, lvm_exec_t;
class file { getattr read };
')
+##
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index b124ce3..5066301 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -65,7 +65,9 @@ allow $1 insmod_exec_t:file { getattr read execute };
allow $1 insmod_t:process transition;
type_transition $1 insmod_exec_t:process insmod_t;
dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
-# backchannel:
+allow $1 insmod_t:fd use;
+allow insmod_t $1:fd use;
+allow insmod_t $1:fifo_file rw_file_perms;
allow insmod_t $1:process sigchld;
')
@@ -73,6 +75,8 @@ define(`modutils_insmod_transition_depend',`
type insmod_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -138,12 +142,18 @@ allow $1 depmod_exec_t:file { getattr read execute };
allow $1 depmod_t:process transition;
type_transition $1 depmod_exec_t:process depmod_t;
dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
+allow $1 depmod_t:fd use;
+allow depmod_t $1:fd use;
+allow depmod_t $1:fifo_file rw_file_perms;
+allow depmod_t $1:process sigchld;
')
define(`modutils_depmod_transition_depend',`
type depmod_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -206,12 +216,18 @@ allow $1 update_modules_exec_t:file { getattr read execute };
allow $1 update_modules_t:process transition;
type_transition $1 update_modules_exec_t:process update_modules_t;
dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
+allow $1 update_modules_t:fd use;
+allow update_modules_t $1:fd use;
+allow update_modules_t $1:fifo_file rw_file_perms;
+allow update_modules_t $1:process sigchld;
')
define(`modutils_update_modules_transition_depend',`
type update_modules_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh signal };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
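Review bot: The depend block for update_modules declares `signal` while the body added above grants `sigchld` (`allow update_modules_t $1:process sigchld;`), so the require block would not cover the permission actually used; the matching insmod and depmod blocks in this file declare `sigchld`. Change the line to `class process { transition noatsecure siginh rlimitinh sigchld };`.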
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index 51bfc3b..574bf39 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -17,12 +17,18 @@ allow $1 mount_exec_t:file { getattr read execute };
allow $1 mount_t:process transition;
type_transition $1 mount_exec_t:process mount_t;
dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
+allow $1 mount_t:fd use;
+allow mount_t $1:fd use;
+allow mount_t $1:fifo_file rw_file_perms;
+allow mount_t $1:process sigchld;
')
define(`mount_transition_depend',`
type mount_t, mount_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index fd97ed4..8700646 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -19,12 +19,18 @@ allow $1 checkpolicy_exec_t:file { getattr read execute };
allow $1 checkpolicy_t:process transition;
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
+allow $1 checkpolicy_t:fd use;
+allow checkpolicy_t $1:fd use;
+allow checkpolicy_t $1:fifo_file rw_file_perms;
+allow checkpolicy_t $1:process sigchld;
')
define(`selinux_checkpolicy_transition_depend',`
type checkpolicy_t, checkpolicy_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
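Review bot: The checkpolicy depend block lists `sigchld sigchld`, a duplicated permission in the set; it is presumably harmless to the compiler but is clearly a typo and should be `class process { transition noatsecure siginh rlimitinh sigchld };`. The same duplicate appears in the selinuxutil.if copy of this block further down. Note also that the selinuxutil.if section carries the identical `index fd97ed4..8700646` line as this selinux.if section, which suggests the same patch was emitted twice for a renamed or copied file; worth confirming that only one of the two paths is intended.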
@@ -33,6 +39,7 @@ class process { transition noatsecure siginh rlimitinh };
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
## and use the caller's terminal.
+## Has a SIGCHLD signal backchannel.
##
##
## The type of the process performing this action.
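Review bot: The added summary line `## Has a SIGCHLD signal backchannel.` understates the grant if this interface expands the transition template above it, which now also gives fd use in both directions and read/write on the caller's fifo files, not only the SIGCHLD signal. Consider `## Has a SIGCHLD signal, file descriptor and pipe backchannel.` here and at the same doc lines for load_policy and the selinuxutil.if copies. Whether the role interface actually includes the transition template is not visible in this hunk.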
@@ -89,12 +96,18 @@ allow $1 load_policy_exec_t:file { getattr read execute };
allow $1 load_policy_t:process transition;
type_transition $1 load_policy_exec_t:process load_policy_t;
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
+allow $1 load_policy_t:fd use;
+allow load_policy_t $1:fd use;
+allow load_policy_t $1:fifo_file rw_file_perms;
+allow load_policy_t $1:process sigchld;
')
define(`selinux_load_policy_transition_depend',`
type load_policy_t, load_policy_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -103,6 +116,7 @@ class process { transition noatsecure siginh rlimitinh };
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
## and use the caller's terminal.
+## Has a SIGCHLD signal backchannel.
##
##
## The type of the process performing this action.
@@ -173,12 +187,18 @@ allow $1 newrole_exec_t:file { getattr read execute };
allow $1 newrole_t:process transition;
type_transition $1 newrole_exec_t:process newrole_t;
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
+allow $1 newrole_t:fd use;
+allow newrole_t $1:fd use;
+allow newrole_t $1:fifo_file rw_file_perms;
+allow newrole_t $1:process sigchld;
')
define(`selinux_newrole_transition_depend',`
type newrole_t, newrole_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -293,12 +313,18 @@ allow $1 restorecon_exec_t:file { getattr read execute };
allow $1 restorecon_t:process transition;
type_transition $1 restorecon_exec_t:process restorecon_t;
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
+allow $1 restorecon_t:fd use;
+allow restorecon_t $1:fd use;
+allow restorecon_t $1:fifo_file rw_file_perms;
+allow restorecon_t $1:process sigchld;
')
define(`selinux_restorecon_transition_depend',`
type restorecon_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
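Review bot: The restorecon depend block declares only `type restorecon_exec_t;` while the body, including the four added rules, references `restorecon_t`; this is pre-existing for the transition rule, but the new rules widen the reliance on an undeclared type, and every sibling block in this file declares both. Change it to `type restorecon_t, restorecon_exec_t;`. The same omission is present in the selinuxutil.if copy of this block.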
@@ -363,12 +389,18 @@ allow $1 run_init_exec_t:file { getattr read execute };
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:process run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
+allow $1 run_init_t:fd use;
+allow run_init_t $1:fd use;
+allow run_init_t $1:fifo_file rw_file_perms;
+allow run_init_t $1:process sigchld;
')
define(`selinux_run_init_transition_depend',`
type run_init_t, run_init_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -433,12 +465,18 @@ allow $1 setfiles_exec_t:file { getattr read execute };
allow $1 setfiles_t:process transition;
type_transition $1 setfiles_exec_t:process setfiles_t;
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
+allow $1 setfiles_t:fd use;
+allow setfiles_t $1:fd use;
+allow setfiles_t $1:fifo_file rw_file_perms;
+allow setfiles_t $1:process sigchld;
')
define(`selinux_setfiles_transition_depend',`
type setfiles_t, setfiles_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index fd97ed4..8700646 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -19,12 +19,18 @@ allow $1 checkpolicy_exec_t:file { getattr read execute };
allow $1 checkpolicy_t:process transition;
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
+allow $1 checkpolicy_t:fd use;
+allow checkpolicy_t $1:fd use;
+allow checkpolicy_t $1:fifo_file rw_file_perms;
+allow checkpolicy_t $1:process sigchld;
')
define(`selinux_checkpolicy_transition_depend',`
type checkpolicy_t, checkpolicy_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -33,6 +39,7 @@ class process { transition noatsecure siginh rlimitinh };
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
## and use the caller's terminal.
+## Has a SIGCHLD signal backchannel.
##
##
## The type of the process performing this action.
@@ -89,12 +96,18 @@ allow $1 load_policy_exec_t:file { getattr read execute };
allow $1 load_policy_t:process transition;
type_transition $1 load_policy_exec_t:process load_policy_t;
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
+allow $1 load_policy_t:fd use;
+allow load_policy_t $1:fd use;
+allow load_policy_t $1:fifo_file rw_file_perms;
+allow load_policy_t $1:process sigchld;
')
define(`selinux_load_policy_transition_depend',`
type load_policy_t, load_policy_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -103,6 +116,7 @@ class process { transition noatsecure siginh rlimitinh };
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
## and use the caller's terminal.
+## Has a SIGCHLD signal backchannel.
##
##
## The type of the process performing this action.
@@ -173,12 +187,18 @@ allow $1 newrole_exec_t:file { getattr read execute };
allow $1 newrole_t:process transition;
type_transition $1 newrole_exec_t:process newrole_t;
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
+allow $1 newrole_t:fd use;
+allow newrole_t $1:fd use;
+allow newrole_t $1:fifo_file rw_file_perms;
+allow newrole_t $1:process sigchld;
')
define(`selinux_newrole_transition_depend',`
type newrole_t, newrole_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -293,12 +313,18 @@ allow $1 restorecon_exec_t:file { getattr read execute };
allow $1 restorecon_t:process transition;
type_transition $1 restorecon_exec_t:process restorecon_t;
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
+allow $1 restorecon_t:fd use;
+allow restorecon_t $1:fd use;
+allow restorecon_t $1:fifo_file rw_file_perms;
+allow restorecon_t $1:process sigchld;
')
define(`selinux_restorecon_transition_depend',`
type restorecon_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -363,12 +389,18 @@ allow $1 run_init_exec_t:file { getattr read execute };
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:process run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
+allow $1 run_init_t:fd use;
+allow run_init_t $1:fd use;
+allow run_init_t $1:fifo_file rw_file_perms;
+allow run_init_t $1:process sigchld;
')
define(`selinux_run_init_transition_depend',`
type run_init_t, run_init_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
@@ -433,12 +465,18 @@ allow $1 setfiles_exec_t:file { getattr read execute };
allow $1 setfiles_t:process transition;
type_transition $1 setfiles_exec_t:process setfiles_t;
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
+allow $1 setfiles_t:fd use;
+allow setfiles_t $1:fd use;
+allow setfiles_t $1:fifo_file rw_file_perms;
+allow setfiles_t $1:process sigchld;
')
define(`selinux_setfiles_transition_depend',`
type setfiles_t, setfiles_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 9a88945..0de49c3 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -10,12 +10,18 @@ allow $1 dhcpc_exec_t:file { getattr read execute };
allow $1 dhcpc_t:process transition;
type_transition $1 dhcpc_exec_t:process dhcpc_t;
dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
+allow $1 dhcpc_t:fd use;
+allow dhcpc_t $1:fd use;
+allow dhcpc_t $1:fifo_file rw_file_perms;
+allow dhcpc_t $1:process sigchld;
')
define(`sysnetwork_dhcpc_transition_depend',`
type dhcpc_t, dhcpc_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
#######################################
@@ -35,12 +41,18 @@ allow $1 ifconfig_exec_t:file { getattr read execute };
allow $1 ifconfig_t:process transition;
type_transition $1 ifconfig_exec_t:process ifconfig_t;
dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
+allow $1 ifconfig_t:fd use;
+allow ifconfig_t $1:fd use;
+allow ifconfig_t $1:fifo_file rw_file_perms;
+allow ifconfig_t $1:process sigchld;
')
define(`sysnetwork_ifconfig_transition_depend',`
type ifconfig_t, ifconfig_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index cab73b6..bcf83b8 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -10,8 +10,9 @@ allow $1 udev_exec_t:file { getattr read execute };
allow $1 udev_t:process transition;
type_transition $1 udev_exec_t:process udev_t;
dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
-# backchannels:
+allow $1 udev_t:fd use;
allow udev_t $1:fd use;
+allow udev_t $1:fifo_file rw_file_perms;
allow udev_t $1:process sigchld;
')
@@ -19,6 +20,8 @@ define(`udev_transition_depend',`
type udev_t, udev_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 882fa9f..0971b72 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -150,6 +150,7 @@ authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t
corecommands_execute_general_programs($1_t)
corecommands_execute_system_programs($1_t)
+corecommands_execute_ls($1_t)
domain_execute_all_entrypoint_programs($1_t)
domain_use_widely_inheritable_file_descriptors($1_t)
@@ -809,6 +810,28 @@ allow $1_t eventpollfs_t:file getattr;
')
########################################
+##
+##
+## Execute a shell in all user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`userdomain_all_users_explicit_transition',`
+requires_block_template(`$0'_depend)
+corecommands_shell_explicit_transition($1,userdomain)
+')
+
+define(`userdomain_all_users_explicit_transition_depend',`
+type sysadm_t;
+')
+
+########################################
##
##
## Execute a shell in the sysadm domain.
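Review bot: `userdomain_all_users_explicit_transition_depend` declares `type sysadm_t;` but the body passes the `userdomain` attribute to corecommands_shell_explicit_transition and never references sysadm_t; it looks copied from the sysadm shell interface that follows. It should be `attribute userdomain;`, matching `userdomain_signal_all_userdomains_depend` later in this file. Whether the called interface's own depend block also needs to be pulled in here is not visible in this hunk.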
@@ -853,14 +876,36 @@ class chr_file { getattr read write ioctl };
')
########################################
+##
+##
+## Search all users home directories.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`userdomain_search_all_users_home_dirs',`
+requires_block_template(`$0'_depend)
+files_list_home_directories($1)
+allow $1 { home_dir_type home_type }:dir search;
+')
+
+define(`userdomain_search_all_users_home_dirs_depend',`
+attribute home_dir_type, home_type;
+class dir search;
+')
+
+########################################
##
##
-## Inherit the file descriptors from all user domains
+## Read all files in all users home directories.
##
##
## The type of the process performing this action.
##
-##
+##
##
#
define(`userdomain_read_all_users_data',`
@@ -898,6 +943,27 @@ class fd use;
')
########################################
+##
+##
+## Send general signals to all user domains.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`userdomain_signal_all_userdomains',`
+requires_block_template(`$0'_depend)
+allow $1 userdomain:process signal;
+')
+
+define(`userdomain_signal_all_userdomains_depend',`
+attribute userdomain;
+class process signal;
+')
+
+########################################
##
##
## Inherit the file descriptors from all user domains.
@@ -927,7 +993,7 @@ class fd use;
##
## The type of the process performing this action.
##
-##
+##
##
#
define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',`