diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index 5696994..f966524 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -52,6 +52,7 @@ domain_use_wide_inherit_fd(acct_t)
 files_read_etc_files(acct_t)
 files_read_etc_runtime_files(acct_t)
+files_list_usr(acct_t) # for nscd
 files_dontaudit_search_pids(acct_t)
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 08aa301..5b96691 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -66,9 +66,9 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
 allow bootloader_t self:process { sigkill sigstop signull signal };
 allow bootloader_t self:fifo_file { getattr read write };
-allow bootloader_t boot_t:dir ra_dir_perms;
-allow bootloader_t boot_t:file { rw_file_perms create };
-allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
+allow bootloader_t boot_t:dir rw_dir_perms;
+allow bootloader_t boot_t:file create_file_perms;
+allow bootloader_t boot_t:lnk_file create_lnk_perms;
 allow bootloader_t bootloader_etc_t:file r_file_perms;
 # uncomment the following lines if you use "lilo -p"
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 9b2e9eb..7217d1f 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -116,6 +116,11 @@ optional_policy(`nscd.te',`
 nscd_use_socket(hald_t)
 ')
+optional_policy(`pcmcia.te',`
+ pcmcia_manage_pid(hald_t)
+ pcmcia_manage_runtime_chr(hald_t)
+')
+
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(hald_t)
 ')
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index d8b8374..4830cf0 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
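Review bot: The three replaced boot_t rules in bootloader.te widen bootloader_t beyond what the removed lines granted: `rw_dir_perms` adds `remove_name` where `ra_dir_perms` allowed only adding directory entries, `create_file_perms` adds unlink, rename and link on top of `{ rw_file_perms create }`, and `create_lnk_perms` extends `{ r_file_perms create unlink }` with rename and link. That moves the domain from an add-only writer of /boot to one that can delete or replace existing kernels and initrds, which is the integrity property a confined bootloader domain is there to preserve. If the installer genuinely has to remove or rename entries (rotating backup images, for instance), that deserves a comment beside the rules, e.g. `# bootloader rewrites and removes existing /boot entries`; otherwise keeping `allow bootloader_t boot_t:dir ra_dir_perms;` and adding only the missing file permissions is the narrower fix.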
@@ -14,6 +14,7 @@ type mysqld_var_run_t;
 files_pid_file(mysqld_var_run_t)
 type mysqld_db_t;
+files_type(mysqld_db_t)
 type mysqld_etc_t alias etc_mysqld_t;
 files_type(mysqld_etc_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 7635bb1..e05857b 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -73,8 +73,6 @@ template(`authlogin_per_userdomain_template',`
 seutil_read_config($1_chkpwd_t)
- #can_ldap($1_chkpwd_t)
-
 # Transition from the user domain to this domain.
 domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
@@ -104,6 +102,17 @@ template(`authlogin_per_userdomain_template',`
 kerberos_use($1_chkpwd_t)
 ')
+ optional_policy(`ldap.te',`
+ allow $1_chkpwd_t self:tcp_socket create_socket_perms;
+ corenet_tcp_sendrecv_all_if($1_chkpwd_t)
+ corenet_raw_sendrecv_all_if($1_chkpwd_t)
+ corenet_tcp_sendrecv_all_nodes($1_chkpwd_t)
+ corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
+ corenet_tcp_sendrecv_ldap_port($1_chkpwd_t)
+ corenet_tcp_bind_all_nodes($1_chkpwd_t)
+ sysnet_read_config($1_chkpwd_t)
+ ')
+
 optional_policy(`nis.te',`
 nis_use_ypbind($1_chkpwd_t)
 ')
@@ -243,7 +252,16 @@ interface(`auth_domtrans_chk_passwd',`
 kerberos_use($1)
 ')
- #can_ldap($1)
+ optional_policy(`ldap.te',`
+ allow $1 self:tcp_socket create_socket_perms;
+ corenet_tcp_sendrecv_all_if($1)
+ corenet_raw_sendrecv_all_if($1)
+ corenet_tcp_sendrecv_all_nodes($1)
+ corenet_raw_sendrecv_all_nodes($1)
+ corenet_tcp_sendrecv_ldap_port($1)
+ corenet_tcp_bind_all_nodes($1)
+ sysnet_read_config($1)
+ ')
 optional_policy(`nis.te',`
 nis_use_ypbind($1)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index f804998..d0f55e4 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
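Review bot: The new `optional_policy(`ldap.te',` block in authlogin_per_userdomain_template grants more network access than a TCP LDAP client needs: `corenet_raw_sendrecv_all_if` and `corenet_raw_sendrecv_all_nodes` cover raw IP traffic, and `corenet_tcp_bind_all_nodes` is a listener-side permission. The two raw lines are either dead rules (if the domain gets no rawip_socket permission elsewhere) or an unneeded widening, so dropping them, and dropping the bind line if nothing in the template binds a socket, would keep the grant to what `corenet_tcp_sendrecv_ldap_port` actually requires. The same nine-line block is pasted again into `auth_domtrans_chk_passwd` below and into authlogin.te for `system_chkpwd_t`; a single client interface in ldap.if, analogous to the `nis_use_ypbind` and `kerberos_use` calls already made here, would stop the three copies drifting apart. The enclosing template starts before this hunk.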
@@ -287,6 +287,17 @@ optional_policy(`kerberos.te',`
 kerberos_use(system_chkpwd_t)
 ')
+optional_policy(`ldap.te',`
+ allow system_chkpwd_t self:tcp_socket create_socket_perms;
+ corenet_tcp_sendrecv_all_if(system_chkpwd_t)
+ corenet_raw_sendrecv_all_if(system_chkpwd_t)
+ corenet_tcp_sendrecv_all_nodes(system_chkpwd_t)
+ corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
+ corenet_tcp_sendrecv_ldap_port(system_chkpwd_t)
+ corenet_tcp_bind_all_nodes(system_chkpwd_t)
+ sysnet_read_config(system_chkpwd_t)
+')
+
 optional_policy(`nis.te',`
 nis_use_ypbind(system_chkpwd_t)
 ')
@@ -295,10 +306,6 @@ optional_policy(`nscd.te',`
 nscd_use_socket(system_chkpwd_t)
 ')
-ifdef(`TODO',`
-can_ldap(system_chkpwd_t)
-') dnl end TODO
-
 ########################################
 #
 # Utempter local policy
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index dc7a989..2aa0a18 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1610,6 +1610,24 @@ interface(`files_search_usr',`
 ########################################
 ##
+## List the contents of generic
+## directories in /usr.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_list_usr',`
+ gen_require(`
+ type usr_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 usr_t:dir r_dir_perms;
+')
+
+########################################
+##
 ## Get the attributes of files in /usr.
 ##
 ##
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 8aaa31a..3956bc6 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -13,6 +13,7 @@ domain_wide_inherit_fd(getty_t)
 type getty_etc_t;
 typealias getty_etc_t alias etc_getty_t;
+files_type(getty_etc_t)
 type getty_log_t;
 logging_log_file(getty_log_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index a55cd76..1a7e128 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -48,9 +48,8 @@ type initrc_exec_t;
 domain_entry_file(initrc_t,initrc_exec_t)
 type initrc_devpts_t;
-fs_associate(initrc_devpts_t)
-fs_associate_noxattr(initrc_devpts_t)
 term_pty(initrc_devpts_t)
+files_type(initrc_devpts_t)
 type initrc_var_run_t;
 files_pid_file(initrc_var_run_t)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index ee7a5ad..5de1e2c 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -54,8 +54,7 @@ dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setsched };
 allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow auditd_t var_log_t:dir search;
-allow auditd_t auditd_log_t:dir rw_dir_perms;
+allow auditd_t var_log_t:dir rw_dir_perms;
 allow auditd_t auditd_log_t:file create_file_perms;
 allow auditd_t auditd_var_run_t:file create_file_perms;
@@ -78,6 +77,7 @@ init_use_script_pty(auditd_t)
 domain_use_wide_inherit_fd(auditd_t)
 files_read_etc_files(auditd_t)
+files_list_usr(auditd_t)
 logging_send_syslog_msg(auditd_t)
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 025c886..59430db 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -148,11 +148,6 @@ optional_policy(`pcmcia.te',`
 pcmcia_domtrans_cardctl(apmd_t)
 ')
-# this goes to hald
-optional_policy(`pcmcia.te',`
- pcmcia_manage_pid(hald_t)
- pcmcia_manage_runtime_chr(hald_t)
-')
 optional_policy(`rhgb.te',`
 rhgb_domain(cardmgr_t)
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 2a8d5b4..939929e 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
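Review bot: Replacing `fs_associate`/`fs_associate_noxattr` with `files_type(initrc_devpts_t)` in init.te trades two narrowly scoped filesystem-association rules for membership in the generic file-type attribute, so every rule written against that attribute elsewhere (manage, relabel, dontaudit) presumably now covers the initrc pty type as well. If the intent was only to keep the type mountable on its filesystem, it is worth confirming that `term_pty` alone does not already supply that association and, if the broader attribute is wanted on purpose, saying so next to the call, e.g. `# files_type supplies the fs association the removed rules granted`. The same `files_type` is added to `$1_devpts_t` in the userdomain.if hunk, where the same question applies.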
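Review bot: In logging.te, `allow auditd_t var_log_t:dir rw_dir_perms;` replaces a search-only grant on generic /var/log directories with add/remove rights on all of them, while the explicit `auditd_log_t:dir rw_dir_perms` rule it also replaces is dropped. Two effects follow: auditd_t can now create and remove entries in any var_log_t-labelled directory rather than only its own, and if the audit log directory is labelled `auditd_log_t` in logging.fc (the retained `auditd_log_t:file create_file_perms` rule suggests such objects exist) the daemon loses the directory rights needed to create new log files there. Keeping the removed `allow auditd_t auditd_log_t:dir rw_dir_perms;` and narrowing the generic rule back to `allow auditd_t var_log_t:dir search;` preserves the old separation between the audit log and the rest of /var/log.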
@@ -35,6 +35,7 @@ template(`base_user_template',`
 # user pseudoterminal
 type $1_devpts_t;
 term_user_pty($1_t,$1_devpts_t)
+ files_type($1_devpts_t)
 # type for contents of home directory
 type $1_home_t, $1_file_type, home_type;
@@ -42,7 +43,7 @@ template(`base_user_template',`
 # type of home directory
 type $1_home_dir_t, home_dir_type, home_type;
- files_type($1_home_t)
+ files_type($1_home_dir_t)
 type $1_tmp_t, $1_file_type;
 files_tmp_file($1_tmp_t)
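Review bot: After the second hunk `$1_home_t` is no longer passed to `files_type` anywhere in view; the correction to `$1_home_dir_t` looks right, but unless the `$1_file_type` or `home_type` attribute that `$1_home_t` is declared with already implies the generic file-type attribute, `$1_home_t` silently loses it. Worth confirming that attribute relationship, or adding `files_type($1_home_t)` alongside the corrected line so both home types are covered explicitly. base_user_template starts before this hunk.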