diff --git a/refpolicy/policy/modules/admin/rpm.fc b/refpolicy/policy/modules/admin/rpm.fc index fe84747..4fa7216 100644 --- a/refpolicy/policy/modules/admin/rpm.fc +++ b/refpolicy/policy/modules/admin/rpm.fc @@ -14,8 +14,10 @@ ifdef(`distro_redhat', ` /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) ') /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index 9523976..af76502 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -71,6 +71,7 @@ interface(`rpm_run',` rpm_domtrans($1) role $2 types rpm_t; role $2 types rpm_script_t; + seutil_run_loadpol(rpm_script_t,$2,$3) allow rpm_t $3:chr_file rw_term_perms; ') diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index a882b96..852982a 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.2.0) +policy_module(rpm,1.2.1) ######################################## # @@ -288,6 +288,7 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) +term_use_all_terms(rpm_script_t) auth_dontaudit_getattr_shadow(rpm_script_t) # ideally we would not need this diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te index 6ca236f..a0a06c9 100644 --- a/refpolicy/policy/modules/apps/mono.te +++ b/refpolicy/policy/modules/apps/mono.te @@ -1,5 +1,5 @@ -policy_module(mono,1.0.0) +policy_module(mono,1.0.1) ######################################## # @@ -18,7 +18,7 @@ domain_entry_file(mono_t,mono_exec_t) # ifdef(`targeted_policy',` - allow mono_t self:process execheap; + allow mono_t self:process { execheap execmem }; unconfined_domain_template(mono_t) role system_r types mono_t; ') diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc index 37aab17..3316660 100644 --- a/refpolicy/policy/modules/kernel/files.fc +++ b/refpolicy/policy/modules/kernel/files.fc @@ -126,6 +126,11 @@ HOME_ROOT/lost\+found/.* <> /mnt/[^/]*/.* <> # +# /net +# +/net -d gen_context(system_u:object_r:mnt_t,s0) + +# # /opt # /opt(/.*)? gen_context(system_u:object_r:usr_t,s0) diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index 103260c..9d9a127 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if @@ -321,7 +321,7 @@ interface(`files_list_non_security',` attribute file_type, security_file_type; ') - dontaudit $1 { file_type -security_file_type }:dir r_dir_perms; + allow $1 { file_type -security_file_type }:dir r_dir_perms; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index d8fb574..38358ae 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -971,6 +971,22 @@ interface(`fs_read_eventpollfs',` ######################################## ## +## Search inotifyfs filesystem. +## +## +## Domain allowed access. +## +# +interface(`fs_search_inotifyfs',` + gen_require(` + type inotifyfs_t; + ') + + allow $1 inotifyfs_t:dir search_dir_perms; +') + +######################################## +## ## Mount an iso9660 filesystem, which ## is usually used on CDs. ## diff --git a/refpolicy/policy/modules/kernel/storage.fc b/refpolicy/policy/modules/kernel/storage.fc index d3cc161..b4b34f4 100644 --- a/refpolicy/policy/modules/kernel/storage.fc +++ b/refpolicy/policy/modules/kernel/storage.fc @@ -42,8 +42,8 @@ ifdef(`distro_redhat', ` /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) /dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,s15:c0.c255) - /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) +/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index 53a4dc1..39f0aa0 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.2.0) +policy_module(cups,1.2.1) ######################################## # @@ -148,6 +148,7 @@ fs_getattr_all_fs(cupsd_t) fs_search_auto_mountpoints(cupsd_t) term_dontaudit_use_console(cupsd_t) +term_write_unallocated_ttys(cupsd_t) auth_domtrans_chk_passwd(cupsd_t) auth_dontaudit_read_pam_pid(cupsd_t) diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 07a9fb2..8c476b2 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.2.1) +policy_module(hal,1.2.2) ######################################## # @@ -116,6 +116,8 @@ term_dontaudit_use_unallocated_tty(hald_t) init_use_fd(hald_t) init_use_script_pty(hald_t) init_domtrans_script(hald_t) +init_write_initctl(hald_t) +init_read_utmp(hald_t) libs_use_ld_so(hald_t) libs_use_shared_libs(hald_t) diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 55f1cc5..1d68157 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -1,5 +1,5 @@ -policy_module(locallogin,1.1.1) +policy_module(locallogin,1.1.2) ######################################## # @@ -239,6 +239,7 @@ allow sulogin_t self:msg { send receive }; kernel_read_system_state(sulogin_t) fs_search_auto_mountpoints(sulogin_t) +fs_use_tmpfs_chr_dev(sulogin_t) files_read_etc_files(sulogin_t) # because file systems are not mounted: diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index ce7a596..7ae0e5d 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -1,5 +1,5 @@ -policy_module(modutils,1.0.0) +policy_module(modutils,1.0.1) gen_require(` bool secure_mode_insmod; @@ -113,6 +113,8 @@ logging_search_logs(insmod_t) miscfiles_read_localization(insmod_t) +seutil_read_file_contexts(insmod_t) + if( ! secure_mode_insmod ) { kernel_domtrans_to(insmod_t,insmod_exec_t) } diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 6cb043e..ba76789 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.1.1) +policy_module(selinuxutil,1.1.2) gen_require(` bool secure_mode; @@ -414,7 +414,7 @@ ifdef(`targeted_policy',`',` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; - allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read }; + allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 6812ad1..cc1be10 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -1,5 +1,5 @@ -policy_module(udev,1.2.0) +policy_module(udev,1.2.1) ######################################## # @@ -90,6 +90,7 @@ dev_rw_generic_file(udev_t) dev_delete_generic_file(udev_t) fs_getattr_all_fs(udev_t) +fs_search_inotifyfs(udev_t) selinux_get_fs_mount(udev_t) selinux_validate_context(udev_t) diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 3a10295..fdb3987 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -54,8 +54,13 @@ template(`unconfined_domain_template',` tunable_policy(`allow_execmem && allow_execstack',` # Allow making the stack executable via mprotect. allow $1 self:process execstack; + ', ` + # These are fairly common but seem to be harmless + # caused by using shared libraries built with old tool chains + dontaudit $1 self:process execstack; ') + optional_policy(`authlogin',` auth_unconfined($1) ') diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index d5d0110..0ca10fc 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.2.1) +policy_module(unconfined,1.2.2) ######################################## # diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 10ea2a7..bcfeb15 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -848,9 +848,6 @@ template(`admin_user_template',` fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) - selinux_set_enforce_mode($1_t) - selinux_set_boolean($1_t) - selinux_set_parameters($1_t) # Get security policy decisions: selinux_get_fs_mount($1_t) selinux_validate_context($1_t) diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 3cd7f1d..92d9aa6 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.2.4) +policy_module(userdomain,1.2.5) gen_require(` role sysadm_r, staff_r, user_r; @@ -156,14 +156,21 @@ ifdef(`targeted_policy',` mls_process_read_up(sysadm_t) - logging_read_audit_log(sysadm_t) - ifdef(`direct_sysadm_daemon',` optional_policy(`init',` init_run_daemon(sysadm_t,sysadm_r,admin_terminal) ') ') + ifdef(`enable_mls',` + logging_read_audit_log(secadm_t) + logging_domtrans_auditctl(secadm_t) + mls_process_read_up(secadm_t) + ', ` + logging_domtrans_auditctl(sysadm_t) + logging_read_audit_log(sysadm_t) + ') + tunable_policy(`allow_ptrace',` domain_ptrace_all_domains(sysadm_t) ') @@ -205,12 +212,20 @@ ifdef(`targeted_policy',` optional_policy(`consoletype',` consoletype_exec(sysadm_t) + + ifdef(`enable_mls',` + consoletype_exec(secadm_t) + ') ') optional_policy(`ddcprobe',` ddcprobe_run(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`dmesg',` + dmesg_exec(sysadm_t) + ') + optional_policy(`dmidecode',` dmidecode_run(sysadm_t,sysadm_r,admin_terminal) ') @@ -320,13 +335,27 @@ ifdef(`targeted_policy',` ') optional_policy(`selinuxutil',` - seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal) - seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal) seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal) - seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal) - - ifdef(`targeted_policy',`',` - seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) + seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) + + ifdef(`enable_mls',` + selinux_set_enforce_mode(secadm_t) + selinux_set_boolean(secadm_t) + selinux_set_parameters(secadm_t) + + seutil_manage_binary_pol(secadm_t) + seutil_run_checkpol(secadm_t,secadm_r,admin_terminal) + seutil_run_loadpol(secadm_t,secadm_r,admin_terminal) + seutil_run_setfiles(secadm_t,secadm_r,admin_terminal) + ', ` + selinux_set_enforce_mode(sysadm_t) + selinux_set_boolean(sysadm_t) + selinux_set_parameters(sysadm_t) + + seutil_manage_binary_pol(sysadm_t) + seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal) + seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal) + seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal) ') ')