diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index b1ccfcb..516c436 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -103,6 +103,7 @@ dev_setattr_all_blk_files(bootloader_t)
 dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
+dev_getattr_sysfs_dir(bootloader_t)
 # for reading BIOS data
 dev_read_raw_memory(bootloader_t)
 
@@ -113,6 +114,7 @@ term_getattr_all_user_ttys(bootloader_t)
 init_getattr_initctl(bootloader_t)
 init_use_script_pty(bootloader_t)
 init_use_script_fd(bootloader_t)
+init_rw_script_pipe(bootloader_t)
 
 domain_use_wide_inherit_fd(bootloader_t)
 
@@ -183,10 +185,6 @@ optional_policy(`modutils.te',`
 
 ifdef(`TODO',`
 
-allow bootloader_t initrc_t:fifo_file { read write };
-
-allow bootloader_t sysfs_t:dir getattr;
-
 allow bootloader_t var_t:dir search;
 allow bootloader_t var_t:file { getattr read };
 
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index df0f9dc..aa87733 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -37,7 +37,9 @@
 ## </interface>
 #
 define(`dev_node',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute device_node;
+	')
 
 	typeattribute $1 device_node;
 
@@ -48,10 +50,6 @@ define(`dev_node',`
 	')
 ')
 
-define(`dev_node_depend',`
-	attribute device_node;
-')
-
 ########################################
 ## <interface name="dev_relabel_all_dev_nodes">
 ##	<summary>
@@ -63,7 +61,17 @@ define(`dev_node_depend',`
 ## </interface>
 #
 define(`dev_relabel_all_dev_nodes',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute device_node;
+		type device_t;
+		class dir { getattr relabelfrom };
+		class file { getattr relabelfrom };
+		class lnk_file { getattr relabelfrom };
+		class fifo_file { getattr relabelfrom };
+		class sock_file { getattr relabelfrom };
+		class blk_file { getattr relabelfrom relabelto };
+		class chr_file { getattr relabelfrom relabelto };
+	')
 
 	allow $1 device_node:dir { getattr relabelfrom };
 	allow $1 device_node:file { getattr relabelfrom };
@@ -74,20 +82,6 @@ define(`dev_relabel_all_dev_nodes',`
 	allow $1 { device_t device_node }:chr_file { getattr relabelfrom relabelto };
 ')
 
-define(`dev_relabel_all_dev_nodes_depend',`
-	attribute device_node;
-
-	type device_t;
-
-	class dir { getattr relabelfrom };
-	class file { getattr relabelfrom };
-	class lnk_file { getattr relabelfrom };
-	class fifo_file { getattr relabelfrom };
-	class sock_file { getattr relabelfrom };
-	class blk_file { getattr relabelfrom relabelto };
-	class chr_file { getattr relabelfrom relabelto };
-')
-
 ########################################
 ## <interface name="dev_list_all_dev_nodes">
 ##	<summary>
@@ -247,6 +241,25 @@ define(`dev_dontaudit_getattr_generic_blk_file_depend',`
 ')
 
 ########################################
+## <interface name="dev_dontaudit_setattr_generic_blk_file">
+##	<summary>
+##		Dontaudit setattr on generic block devices.
+##	</summary>
+##	<parameter name="domain">
+##		Domain to dontaudit access.
+##	</parameter>
+## </interface>
+#
+define(`dev_dontaudit_setattr_generic_blk_file',`
+	gen_require(`
+		type device_t;
+		class blk_file setattr;
+	')
+
+	dontaudit $1 device_t:blk_file setattr;
+')
+
+########################################
 ## <interface name="dev_manage_generic_blk_file">
 ##	<summary>
 ##		Allow read, write, create, and delete for generic
@@ -344,6 +357,25 @@ define(`dev_dontaudit_getattr_generic_chr_file_depend',`
 ')
 
 ########################################
+## <interface name="dev_dontaudit_setattr_generic_chr_file">
+##	<summary>
+##		Dontaudit setattr for generic character device files.
+##	</summary>
+##	<parameter name="domain">
+##		Domain to dontaudit access.
+##	</parameter>
+## </interface>
+#
+define(`dev_dontaudit_setattr_generic_chr_file',`
+	gen_require(`
+		type device_t;
+		class chr_file setattr;
+	')
+
+	dontaudit $1 device_t:chr_file setattr;
+')
+
+########################################
 ## <interface name="dev_del_generic_symlinks">
 ##	<summary>
 ##		Delete symbolic links in device directories.
@@ -354,21 +386,16 @@ define(`dev_dontaudit_getattr_generic_chr_file_depend',`
 ## </interface>
 #
 define(`dev_del_generic_symlinks',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t;
+		class dir { getattr read write remove_name };
+		class lnk_file unlink;
+	')
 
 	allow $1 device_t:dir { getattr read write remove_name };
 	allow $1 device_t:lnk_file unlink;
 ')
 
-define(`dev_del_generic_symlinks_depend',`
-	attribute device_node, memory_raw_read, memory_raw_write;
-
-	type device_t;
-
-	class dir { getattr read write remove_name };
-	class lnk_file unlink;
-')
-
 ########################################
 ## <interface name="dev_manage_generic_symlinks">
 ##	<summary>
@@ -380,19 +407,16 @@ define(`dev_del_generic_symlinks_depend',`
 ## </interface>
 #
 define(`dev_manage_generic_symlinks',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t;
+		class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+		class lnk_file { create read getattr setattr link unlink rename };
+	')
 
 	allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
 	allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
 ')
 
-define(`dev_manage_generic_symlinks_depend',`
-	type device_t;
-
-	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
-	class lnk_file { create read getattr setattr link unlink rename };
-')
-
 ########################################
 ## <interface name="dev_manage_dev_nodes">
 ##	<summary>
@@ -1072,6 +1096,48 @@ define(`dev_rw_realtime_clock',`
 ')
 
 ########################################
+## <interface name="dev_getattr_snd_dev">
+##	<summary>
+##		Get the attributes of the sound devices.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_getattr_snd_dev',`
+	gen_require(`
+		type device_t, sound_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file getattr;
+')
+
+########################################
+## <interface name="dev_setattr_snd_dev">
+##	<summary>
+##		Set the attributes of the sound devices.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_setattr_snd_dev',`
+	gen_require(`
+		type device_t, sound_device_t;
+		class dir r_dir_perms;
+		class chr_file setattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file setattr;
+')
+
+########################################
 ## <interface name="dev_read_snd_dev">
 ##	<summary>
 ##		Read the sound devices.
@@ -1082,18 +1148,16 @@ define(`dev_rw_realtime_clock',`
 ## </interface>
 #
 define(`dev_read_snd_dev',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t, sound_device_t;
+		class dir r_dir_perms;
+		class chr_file r_file_perms;
+	')
 
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 sound_device_t:chr_file r_file_perms;
 ')
 
-define(`dev_read_snd_dev_depend',`
-	type device_t, sound_device_t;
-	class dir r_dir_perms;
-	class chr_file r_file_perms;
-')
-
 ########################################
 ## <interface name="dev_write_snd_dev">
 ##	<summary>
@@ -1105,19 +1169,16 @@ define(`dev_read_snd_dev_depend',`
 ## </interface>
 #
 define(`dev_write_snd_dev',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t, sound_device_t;
+		class dir r_dir_perms;
+		class chr_file { getattr write ioctl };
+	')
 
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 sound_device_t:chr_file { getattr write ioctl };
 ')
 
-define(`dev_write_snd_dev_depend',`
-	type device_t, sound_device_t;
-
-	class dir r_dir_perms;
-	class chr_file { getattr write ioctl };
-')
-
 ########################################
 ## <interface name="dev_read_snd_mixer_dev">
 ##	<summary>
@@ -1129,19 +1190,16 @@ define(`dev_write_snd_dev_depend',`
 ## </interface>
 #
 define(`dev_read_snd_mixer_dev',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t, sound_device_t;
+		class dir r_dir_perms;
+		class chr_file { getattr read ioctl };
+	')
 
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 sound_device_t:chr_file { getattr read ioctl };
 ')
 
-define(`dev_read_snd_mixer_dev_depend',`
-	type device_t, sound_device_t;
-
-	class dir r_dir_perms;
-	class chr_file { getattr read ioctl };
-')
-
 ########################################
 ## <interface name="dev_write_snd_mixer_dev">
 ##	<summary>
@@ -1153,19 +1211,16 @@ define(`dev_read_snd_mixer_dev_depend',`
 ## </interface>
 #
 define(`dev_write_snd_mixer_dev',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t, sound_device_t;
+		class dir r_dir_perms;
+		class chr_file { getattr write ioctl };
+	')
 
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 sound_device_t:chr_file { getattr write ioctl };
 ')
 
-define(`dev_write_snd_mixer_dev_depend',`
-	type device_t, sound_device_t;
-
-	class dir r_dir_perms;
-	class chr_file { getattr write ioctl };
-')
-
 ########################################
 ## <interface name="dev_rw_agp_dev">
 ##	<summary>
@@ -1309,6 +1364,48 @@ define(`dev_write_mtrr_depend',`
 ')
 
 ########################################
+## <interface name="dev_getattr_framebuffer">
+##	<summary>
+##		Get the attributes of the framebuffer device.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_getattr_framebuffer',`
+	gen_require(`
+		type framebuf_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 framebuf_device_t:chr_file getattr;
+')
+
+########################################
+## <interface name="dev_setattr_framebuffer">
+##	<summary>
+##		Set the attributes of the framebuffer device.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_setattr_framebuffer',`
+	gen_require(`
+		type framebuf_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 framebuf_device_t:chr_file setattr;
+')
+
+########################################
 ## <interface name="dev_read_framebuffer">
 ##	<summary>
 ##		Read the framebuffer device.
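Review bot: The `gen_require` blocks of `dev_getattr_framebuffer` and `dev_setattr_framebuffer` do not match the rules they cover: both use `device_t` in `allow $1 device_t:dir r_dir_perms;` without requiring it, and `dev_setattr_framebuffer` requires `class chr_file getattr;` while granting `setattr`. Use `type device_t, framebuf_device_t;` in both, and `class chr_file setattr;` in the setattr interface. The same getattr/setattr mismatch is in `dev_setattr_scanner` and `dev_dontaudit_setattr_scanner` in a later hunk, and `dev_read_framebuffer` in the next hunk also omits `device_t`. A require block that understates what the interface references will presumably surface only when the policy is built with dependency checking, so it is worth fixing while the blocks are being rewritten.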
@@ -1319,19 +1416,16 @@ define(`dev_write_mtrr_depend',`
 ## </interface>
 #
 define(`dev_read_framebuffer',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type framebuf_device_t;
+		class dir r_dir_perms;
+		class chr_file r_file_perms;
+	')
 
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 framebuf_device_t:chr_file r_file_perms;
 ')
 
-define(`dev_read_framebuffer_depend',`
-	type framebuf_device_t;
-
-	class dir r_dir_perms;
-	class chr_file r_file_perms;
-')
-
 ########################################
 ## <interface name="dev_write_framebuffer">
 ##	<summary>
@@ -1343,19 +1437,16 @@ define(`dev_read_framebuffer_depend',`
 ## </interface>
 #
 define(`dev_write_framebuffer',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t, framebuf_device_t;
+		class dir r_dir_perms;
+		class chr_file { getattr write ioctl };
+	')
 
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 framebuf_device_t:chr_file { getattr write ioctl };
 ')
 
-define(`dev_write_framebuffer_depend',`
-	type device_t, framebuf_device_t;
-
-	class dir r_dir_perms;
-	class chr_file { getattr write ioctl };
-')
-
 ########################################
 ## <interface name="dev_read_lvm_control">
 ##	<summary>
@@ -1429,6 +1520,88 @@ define(`dev_delete_lvm_control_depend',`
 ')
 
 ########################################
+## <interface name="dev_getattr_misc">
+##	<summary>
+##		Get the attributes of miscellaneous devices.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_getattr_misc',`
+	gen_require(`
+		type device_t, misc_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 misc_device_t:chr_file getattr;
+')
+
+########################################
+## <interface name="dev_dontaudit_getattr_misc">
+##	<summary>
+##		Do not audit attempts to get the attributes
+##		of miscellaneous devices.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_dontaudit_getattr_misc',`
+	gen_require(`
+		type misc_device_t;
+		class chr_file getattr;
+	')
+
+	dontaudit $1 misc_device_t:chr_file getattr;
+')
+
+########################################
+## <interface name="dev_setattr_misc">
+##	<summary>
+##		Set the attributes of miscellaneous devices.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_setattr_misc',`
+	gen_require(`
+		type device_t, misc_device_t;
+		class dir r_dir_perms;
+		class chr_file setattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 misc_device_t:chr_file setattr;
+')
+
+########################################
+## <interface name="dev_dontaudit_setattr_misc">
+##	<summary>
+##		Do not audit attempts to set the attributes
+##		of miscellaneous devices.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_dontaudit_setattr_misc',`
+	gen_require(`
+		type misc_device_t;
+		class chr_file setattr;
+	')
+
+	dontaudit $1 misc_device_t:chr_file setattr;
+')
+
+########################################
 ## <interface name="dev_read_misc">
 ##	<summary>
 ##		Read miscellaneous devices.
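Review bot: The parameter text of `dev_dontaudit_getattr_misc` and `dev_dontaudit_setattr_misc` says `Domain allowed access.`, but both interfaces emit only a `dontaudit` rule and grant nothing. Use `Domain to not audit.`, as the scanner dontaudit interfaces in this file do, so a reader does not mistake a log-suppression interface for an access grant.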
@@ -1439,19 +1612,16 @@ define(`dev_delete_lvm_control_depend',`
 ## </interface>
 #
 define(`dev_read_misc',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t, misc_device_t;
+		class dir r_dir_perms;
+		class chr_file r_file_perms;
+	')
 
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 misc_device_t:chr_file r_file_perms;
 ')
 
-define(`dev_read_misc_depend',`
-	type device_t, misc_device_t;
-
-	class dir r_dir_perms;
-	class chr_file r_file_perms;
-')
-
 ########################################
 ## <interface name="dev_write_misc">
 ##	<summary>
@@ -1463,41 +1633,77 @@ define(`dev_read_misc_depend',`
 ## </interface>
 #
 define(`dev_write_misc',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t, misc_device_t;
+		class dir r_dir_perms;
+		class chr_file { getattr write ioctl };
+	')
 
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 misc_device_t:chr_file { getattr write ioctl };
 ')
 
-define(`dev_write_misc_depend',`
-	type device_t, misc_device_t;
+########################################
+## <interface name="dev_getattr_mouse">
+##	<summary>
+##		Get the attributes of the mouse devices.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_getattr_mouse',`
+	gen_require(`
+		type device_t, mouse_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
 
-	class dir r_dir_perms;
-	class chr_file { getattr write ioctl };
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mouse_device_t:chr_file getattr;
 ')
 
 ########################################
-## <interface name="dev_read_mouse">
+## <interface name="dev_setattr_mouse">
 ##	<summary>
-##		Read the mouse devices.
+##		Set the attributes of the mouse devices.
 ##	</summary>
 ##	<parameter name="domain">
 ##		Domain allowed access.
 ##	</parameter>
 ## </interface>
 #
-define(`dev_read_mouse',`
-	gen_require(`$0'_depend)
+define(`dev_setattr_mouse',`
+	gen_require(`
+		type device_t, mouse_device_t;
+		class dir r_dir_perms;
+		class chr_file setattr;
+	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 mouse_device_t:chr_file r_file_perms;
+	allow $1 mouse_device_t:chr_file setattr;
 ')
 
-define(`dev_read_mouse_depend',`
-	type device_t, mouse_device_t;
+########################################
+## <interface name="dev_read_mouse">
+##	<summary>
+##		Read the mouse devices.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_read_mouse',`
+	gen_require(`
+		type device_t, mouse_device_t;
+		class dir r_dir_perms;
+		class chr_file r_file_perms;
+	')
 
 	allow $1 device_t:dir r_dir_perms;
-	class chr_file r_file_perms;
+	allow $1 mouse_device_t:chr_file r_file_perms;
 ')
 
 ########################################
@@ -1560,23 +1766,102 @@ define(`dev_read_cpuid_depend',`
 ## </interface>
 #
 define(`dev_rw_cpu_microcode',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t, cpu_device_t;
+		class dir r_dir_perms;
+		class chr_file rw_file_perms;
+	')
 
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 cpu_device_t:chr_file rw_file_perms;
 ')
 
-define(`dev_rw_cpu_microcode_depend',`
-	type device_t, cpu_device_t;
+########################################
+## <interface name="dev_getattr_scanner">
+##	<summary>
+##		Get the attributes of the scanner device.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_getattr_scanner',`
+	gen_require(`
+		type device_t, scanner_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
 
-	class dir r_dir_perms;
-	class chr_file rw_file_perms;
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 scanner_device_t:chr_file getattr;
+')
+
+########################################
+## <interface name="dev_dontaudit_getattr_scanner">
+##	<summary>
+##		Do not audit attempts to get the attributes of
+##		the scanner device.
+##	</summary>
+##	<parameter name="domain">
+##		Domain to not audit.
+##	</parameter>
+## </interface>
+#
+define(`dev_dontaudit_getattr_scanner',`
+	gen_require(`
+		type scanner_device_t;
+		class chr_file getattr;
+	')
+
+	dontaudit $1 scanner_device_t:chr_file getattr;
+')
+
+########################################
+## <interface name="dev_setattr_scanner">
+##	<summary>
+##		Set the attributes of the scanner device.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_setattr_scanner',`
+	gen_require(`
+		type device_t, scanner_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 scanner_device_t:chr_file setattr;
+')
+
+########################################
+## <interface name="dev_dontaudit_setattr_scanner">
+##	<summary>
+##		Do not audit attempts to set the attributes of
+##		the scanner device.
+##	</summary>
+##	<parameter name="domain">
+##		Domain to not audit.
+##	</parameter>
+## </interface>
+#
+define(`dev_dontaudit_setattr_scanner',`
+	gen_require(`
+		type scanner_device_t;
+		class chr_file getattr;
+	')
+
+	dontaudit $1 scanner_device_t:chr_file setattr;
 ')
 
 ########################################
 ## <interface name="dev_rw_scanner">
 ##	<summary>
-##		Read and write the the scanner device.
+##		Read and write the scanner device.
 ##	</summary>
 ##	<parameter name="domain">
 ##		Domain allowed access.
@@ -1584,17 +1869,56 @@ define(`dev_rw_cpu_microcode_depend',`
 ## </interface>
 #
 define(`dev_rw_scanner',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t, scanner_device_t;
+		class dir r_dir_perms;
+		class chr_file rw_file_perms;
+	')
 
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 scanner_device_t:chr_file rw_file_perms;
 ')
 
-define(`dev_rw_scanner_depend',`
-	type device_t, scanner_device_t;
+########################################
+## <interface name="dev_getattr_power_management">
+##	<summary>
+##		Get the attributes of the the power management device.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_getattr_power_management',`
+	gen_require(`
+		type device_t, power_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
 
-	class dir r_dir_perms;
-	class chr_file rw_file_perms;
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 power_device_t:chr_file getattr;
+')
+
+########################################
+## <interface name="dev_setattr_power_management">
+##	<summary>
+##		Set the attributes of the the power management device.
+##	</summary>
+##	<parameter name="domain">
+##		Domain allowed access.
+##	</parameter>
+## </interface>
+#
+define(`dev_setattr_power_management',`
+	gen_require(`
+		type device_t, power_device_t;
+		class dir r_dir_perms;
+		class chr_file setattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 power_device_t:chr_file setattr;
 ')
 
 ########################################
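Review bot: The summaries of the new `dev_getattr_power_management` and `dev_setattr_power_management` read `of the the power management device`, the same doubled word this commit removes from the `dev_rw_scanner` summary. Change them to `Get the attributes of the power management device.` and `Set the attributes of the power management device.`.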
@@ -1608,190 +1932,227 @@ define(`dev_rw_scanner_depend',`
 ## </interface>
 #
 define(`dev_rw_power_management',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type device_t, power_device_t;
+		class dir r_dir_perms;
+		class chr_file rw_file_perms;
+	')
 
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 power_device_t:chr_file rw_file_perms;
 ')
 
-define(`dev_rw_power_management_depend',`
-	type device_t, power_device_t;
+########################################
+## <interface name="dev_getattr_sysfs_dir">
+##	<summary>
+##		Get the attributes of sysfs directories.
+##	</summary>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+## </interface>
+#
+define(`dev_getattr_sysfs_dir',`
+	gen_require(`
+		type sysfs_t;
+		class dir getattr;
+	')
 
-	class dir r_dir_perms;
-	class chr_file rw_file_perms;
+	allow $1 sysfs_t:dir getattr;
 ')
 
 ########################################
 ## <interface name="dev_search_sysfs">
-##	<description>
+##	<summary>
 ##		Search the directory containing hardware information.
-##	</description>
+##	</summary>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 define(`dev_search_sysfs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type sysfs_t;
+		class dir search;
+	')
 
 	allow $1 sysfs_t:dir search;
 ')
 
-define(`dev_search_sysfs_depend',`
-	type sysfs_t;
-
-	class dir search;
-')
-
 ########################################
 ## <interface name="dev_read_sysfs">
-##	<description>
+##	<summary>
 ## 		Allow caller to read hardware state information.
-##	</description>
+##	</summary>
 ##	<parameter name="domain">
 ##		The process type reading hardware state information.
 ##	</parameter>
 ## </interface>
 #
 define(`dev_read_sysfs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type sysfs_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+		class lnk_file r_file_perms;
+	')
 
 	allow $1 sysfs_t:dir r_dir_perms;
 	allow $1 sysfs_t:{ file lnk_file } r_file_perms;
 ')
 
-define(`dev_read_sysfs_depend',`
-	type sysfs_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-	class lnk_file r_file_perms;
-')
-
 ########################################
 ## <interface name="dev_rw_sysfs">
-##	<description>
+##	<summary>
 ## 		Allow caller to modify hardware state information.
-##	</description>
+##	</summary>
 ##	<parameter name="domain">
 ##		The process type modifying hardware state information.
 ##	</parameter>
 ## </interface>
 #
 define(`dev_rw_sysfs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type sysfs_t;
+		class dir r_dir_perms;
+		class file rw_file_perms;
+		class lnk_file r_file_perms;
+	')
 
 	allow $1 sysfs_t:dir r_dir_perms;
 	allow $1 sysfs_t:lnk_file r_file_perms;
 	allow $1 sysfs_t:file rw_file_perms;
 ')
 
-define(`dev_rw_sysfs_depend',`
-	type sysfs_t;
-
-	class dir r_dir_perms;
-	class file rw_file_perms;
-	class lnk_file r_file_perms;
-')
-
 ########################################
 ## <interface name="dev_search_usbfs">
-##	<description>
+##	<summary>
 ##		Search the directory containing USB hardware information.
-##	</description>
+##	</summary>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 define(`dev_search_usbfs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type usbfs_t;
+		class dir search;
+	')
 
 	allow $1 usbfs_t:dir search;
 ')
 
-define(`dev_search_usbfs_depend',`
-	type usbfs_t;
-
-	class dir search;
-')
-
 ########################################
 ## <interface name="dev_list_usbfs">
-##	<description>
+##	<summary>
 ## 		Allow caller to get a list of usb hardware.
-##	</description>
+##	</summary>
 ##	<parameter name="domain">
 ##		The process type getting the list.
 ##	</parameter>
 ## </interface>
 #
 define(`dev_list_usbfs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type usbfs_t;
+		class dir r_dir_perms;
+		class file getattr;
+		class lnk_file r_file_perms;
+	')
 
 	allow $1 usbfs_t:dir r_dir_perms;
 	allow $1 usbfs_t:lnk_file r_file_perms;
 	allow $1 usbfs_t:file getattr;
 ')
 
-define(`dev_list_usbfs_depend',`
-	type usbfs_t;
-
-	class dir r_dir_perms;
-	class file getattr;
-	class lnk_file r_file_perms;
-')
-
 ########################################
 ## <interface name="dev_read_usbfs">
-##	<description>
+##	<summary>
 ##		Read USB hardware information using
 ##		the usbfs filesystem interface.
-##	</description>
+##	</summary>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 define(`dev_read_usbfs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type usbfs_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+		class lnk_file r_file_perms;
+	')
 
 	allow $1 usbfs_t:dir r_dir_perms;
 	allow $1 usbfs_t:{ file lnk_file } r_file_perms;
 ')
 
-define(`dev_read_usbfs_depend',`
-	type usbfs_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-	class lnk_file r_file_perms;
-')
-
 ########################################
 ## <interface name="dev_rw_usbfs">
-##	<description>
+##	<summary>
 ## 		Allow caller to modify usb hardware configuration files.
-##	</description>
+##	</summary>
 ##	<parameter name="domain">
 ##		The process type modifying the options.
 ##	</parameter>
 ## </interface>
 #
 define(`dev_rw_usbfs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type usbfs_t;
+		class dir r_dir_perms;
+		class file rw_file_perms;
+		class lnk_file r_file_perms;
+	')
 
 	allow $1 usbfs_t:dir r_dir_perms;
 	allow $1 usbfs_t:lnk_file r_file_perms;
 	allow $1 usbfs_t:file rw_file_perms;
 ')
 
-define(`dev_rw_usbfs_depend',`
-	type usbfs_t;
+########################################
+## <interface name="dev_getattr_video_dev">
+##	<summary>
+## 		Get the attributes of video4linux devices.
+##	</summary>
+##	<parameter name="domain">
+##		The process type modifying the options.
+##	</parameter>
+## </interface>
+#
+define(`dev_getattr_video_dev',`
+	gen_require(`
+		type device_t, v4l_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
 
-	class dir r_dir_perms;
-	class file rw_file_perms;
-	class lnk_file r_file_perms;
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 v4l_device_t:chr_file getattr;
+')
+
+########################################
+## <interface name="dev_setattr_video_dev">
+##	<summary>
+## 		Set the attributes of video4linux devices.
+##	</summary>
+##	<parameter name="domain">
+##		The process type modifying the options.
+##	</parameter>
+## </interface>
+#
+define(`dev_setattr_video_dev',`
+	gen_require(`
+		type device_t, v4l_device_t;
+		class dir r_dir_perms;
+		class chr_file setattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 v4l_device_t:chr_file setattr;
 ')
 
 ## </module>
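Review bot: The parameter text of `dev_getattr_video_dev` and `dev_setattr_video_dev` is `The process type modifying the options.`, which appears to be copied from `dev_rw_usbfs` and does not describe these interfaces. `Domain allowed access.`, the wording the other new getattr/setattr interfaces in this file use, would be accurate.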
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 496eb1c..d6deee8 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -19,7 +19,12 @@
 ## </interface>
 #
 define(`kernel_userland_entry',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type kernel_t;
+		class process sigchld;
+		class fifo_file rw_file_perms;
+		class fd use;
+	')
 
 	domain_auto_trans(kernel_t, $2, $1)
 
@@ -29,15 +34,6 @@ define(`kernel_userland_entry',`
 	allow $1 kernel_t:process sigchld;
 ')
 
-define(`kernel_userland_entry_depend',`
-	type kernel_t;
-
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class file { getattr read execute };
-	class fifo_file rw_file_perms;
-	class fd use;
-')
-
 ########################################
 ## <interface name="kernel_rootfs_mountpoint">
 ##	<description>
@@ -62,6 +58,25 @@ define(`kernel_rootfs_mountpoint_depend',`
 ')
 
 ########################################
+## <interface name="kernel_sigchld">
+## 	<description>
+##		Send a SIGCHLD signal to kernel threads.
+## 	</description>
+## 	<parameter name="domain">
+## 		The type of the process sending the signal.
+## 	</parameter>
+## </interface>
+#
+define(`kernel_sigchld',`
+	gen_require(`
+		type kernel_t;
+		class process sigchld;
+	')
+
+	allow kernel_t $1:process sigchld;
+')
+
+########################################
 ## <interface name="kernel_share_state">
 ## 	<description>
 ## 		Allows the kernel to share state information with
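Review bot: The rule in `kernel_sigchld` is `allow kernel_t $1:process sigchld;`, which lets kernel_t signal the caller, while the description and parameter text say the caller is the sender and kernel threads are the target. `kernel_userland_entry` in the same file writes that direction as `allow $1 kernel_t:process sigchld;`. If the documented direction is the intended one, change the rule to `allow $1 kernel_t:process sigchld;`. Otherwise reword the description and parameter to name the kernel as the sender, so a policy author does not grant the opposite of what the documentation states.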
@@ -73,17 +88,14 @@ define(`kernel_rootfs_mountpoint_depend',`
 ## </interface>
 #
 define(`kernel_share_state',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type kernel_t;
+		class process share;
+	')
 
 	allow kernel_t $1:process share;
 ')
 
-define(`kernel_share_state_depend',`
-	type kernel_t;
-
-	class process share;
-')
-
 ########################################
 ## <interface name="kernel_use_fd">
 ## 	<description>
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 7a340cf..233326f 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -228,6 +228,48 @@ define(`storage_raw_write_lvm_volume',`
 ')
 
 ########################################
+## <interface name="storage_getattr_scsi_generic">
+##	<description>
+##		Allow the caller to get the attributes of
+##		the generic SCSI interface device nodes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+## </interface>
+#
+define(`storage_getattr_scsi_generic',`
+	gen_require(`
+		type scsi_generic_device_t;
+		class blk_file getattr;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device_t:blk_file getattr;
+')
+
+########################################
+## <interface name="storage_setattr_scsi_generic">
+##	<description>
+##		Allow the caller to set the attributes of
+##		the generic SCSI interface device nodes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+## </interface>
+#
+define(`storage_setattr_scsi_generic',`
+	gen_require(`
+		type scsi_generic_device_t;
+		class blk_file setattr;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device_t:blk_file setattr;
+')
+
+########################################
 ## <interface name="storage_read_scsi_generic">
 ##	<description>
 ##		Allow the caller to directly read, in a
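Review bot: Both new interfaces grant on `scsi_generic_device_t:blk_file`, but SCSI generic nodes (/dev/sg*) are character devices, so these rules would likely never match and callers would still be denied. Check the class used by `storage_read_scsi_generic`, whose body is outside this hunk. If it is `chr_file`, use `class chr_file getattr;` with `allow $1 scsi_generic_device_t:chr_file getattr;` here, and the `setattr` equivalents in `storage_setattr_scsi_generic`.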
@@ -384,6 +426,26 @@ define(`storage_setattr_removable_device',`
 ')
 
 ########################################
+## <interface name="storage_dontaudit_setattr_removable_device">
+##	<description>
+##		Do not audit attempts made by the caller to set
+##		the attributes of removable devices device nodes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process to not audit.
+##	</parameter>
+## </interface>
+#
+define(`storage_dontaudit_setattr_removable_device',`
+	gen_require(`
+		type removable_device_t;
+		class blk_file setattr;
+	')
+
+	dontaudit $1 removable_device_t:blk_file setattr;
+')
+
+########################################
 ## <interface name="storage_raw_read_removable_device">
 ##	<description>
 ##		Allow the caller to directly read from
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 7cd0618..88f96d9 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -1,21 +1,6 @@
 ## <module name="authlogin" layer="system">
 ## <summary>Common policy for authentication and user login.</summary>
 
-
-########################################
-## <interface name="authlogin_per_userdomain_template">
-##	<description>
-##		
-##	</description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
-##	<parameter name="userdomain_prefix">
-##		
-##	</parameter>
-## </interface>
-#
-
 #######################################
 #
 # Per user domain template for this module
@@ -110,31 +95,21 @@ define(`authlogin_per_userdomain_template_depend',`
 ########################################
 ## <interface name="auth_login_entry_type">
 ##	<description>
-##		
+##		Use the login program as an entry point program.
 ##	</description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of process using the login program as entry point.
 ##	</parameter>
 ## </interface>
 #
-
-#######################################
-#
-# auth_login_entry_type(domain)
-#
 define(`auth_login_entry_type',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type login_exec_t;
+	')
 
 	domain_entry_file($1,login_exec_t)
 ')
 
-define(`auth_login_entry_type_depend',`
-	type login_exec_t;
-')
-
 ########################################
 ## <interface name="auth_domtrans_login_program">
 ##	<description>
@@ -149,13 +124,15 @@ define(`auth_login_entry_type_depend',`
 ## </interface>
 #
 define(`auth_domtrans_login_program',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type login_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
-	# FIXME: search bin_t
-	allow $1 login_exec_t:file rx_file_perms;
-	allow $1 $2:process transition;
-	type_transition $1 login_exec_t:process $2;
-	dontaudit $1 $2:process { noatsecure siginh rlimitinh };
+	corecmd_search_bin($1)
+	domain_auto_trans($1,login_exec_t,$2)
 
 	allow $1 $2:fd use;
 	allow $2 $1:fd use;
@@ -163,35 +140,26 @@ define(`auth_domtrans_login_program',`
 	allow $2 $1:process sigchld;
 ')
 
-define(`auth_domtrans_login_program_depend',`
-	type login_exec_t;
-
-	class file rx_file_perms; 
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="auth_domtrans_chk_passwd">
 ##	<description>
-##		
+##		Run unix_chkpwd to check a password.
 ##	</description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
-#######################################
-#
-# auth_domtrans_chk_passwd(domain)
-#
 define(`auth_domtrans_chk_passwd',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
+		class process sigchld;
+		class udp_socket create_socket_perms;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
+	corecmd_search_sbin($1)
 	domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
 
 	allow $1 system_chkpwd_t:fd use;
@@ -200,7 +168,6 @@ define(`auth_domtrans_chk_passwd',`
 	allow system_chkpwd_t $1:process sigchld;
 
 	dontaudit $1 shadow_t:file { getattr read };
-	#allow $1_t sbin_t:dir search;
 	#can_ypbind($1_t)
 	#can_kerberos($1_t)
 	#can_ldap($1_t)
@@ -217,145 +184,99 @@ define(`auth_domtrans_chk_passwd',`
 	')
 ')
 
-define(`auth_domtrans_chk_passwd_depend',`
-	type system_chkpwd_t, chkpwd_exec_t, shadow_t;
-
-	class file rx_file_perms;
-	class process { transition sigchld };                         
-	class udp_socket create_socket_perms;
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="auth_dontaudit_getattr_shadow">
 ##	<description>
 ##		
 ##	</description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
-#######################################
-#
-# auth_dontaudit_getattr_shadow(domain)
-#
 define(`auth_dontaudit_getattr_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type shadow_t;
+		class file stat_file_perms;
+	')
 
 	dontaudit $1 shadow_t:file getattr;
 ')
 
-define(`auth_dontaudit_getattr_shadow_depend',`
-	type shadow_t;
-
-	class file stat_file_perms;
-')
-
 ########################################
 ## <interface name="auth_read_shadow">
 ##	<description>
-##		
+##		Read the shadow passwords file (/etc/shadow)
 ##	</description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
-#######################################
-#
-# auth_read_shadow(domain)
-#
 define(`auth_read_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute can_read_shadow_passwords;
+		type shadow_t;
+		class file r_file_perms;
+	')
 
 	files_list_etc($1)
 	allow $1 shadow_t:file r_file_perms;
 	typeattribute $1 can_read_shadow_passwords;
 ')
 
-define(`auth_read_shadow_depend',`
-	attribute can_read_shadow_passwords;
-
-	type shadow_t;
-
-	class file r_file_perms;
-')
-
 ########################################
 ## <interface name="auth_dontaudit_read_shadow">
 ##	<description>
-##		
+##		Do not audit attempts to read the shadow
+##		password file (/etc/shadow).
 ##	</description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the domain to not audit.
 ##	</parameter>
 ## </interface>
 #
-#######################################
-#
-# auth_dontaudit_read_shadow(domain)
-#
 define(`auth_dontaudit_read_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type shadow_t;
+		class file r_file_perms;
+	')
 
 	dontaudit $1 shadow_t:file { getattr read };
 ')
 
-define(`auth_dontaudit_read_shadow_depend',`
-	type shadow_t;
-
-	class file r_file_perms;
-')
-
 ########################################
 ## <interface name="auth_rw_shadow">
 ##	<description>
-##		
+##		Read and write the shadow password file (/etc/shadow).
 ##	</description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
-#######################################
-#
-# auth_rw_shadow(domain)
-#
 define(`auth_rw_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute can_read_shadow_passwords, can_write_shadow_passwords;
+		type shadow_t;
+		class file rw_file_perms;
+	')
 
 	files_list_etc($1)
 	allow $1 shadow_t:file rw_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
 
-define(`auth_rw_shadow_depend',`
-	attribute can_read_shadow_passwords, can_write_shadow_passwords;
-
-	type shadow_t;
-	class file rw_file_perms;
-')
-
 #######################################
 #
 # auth_manage_shadow(domain)
 #
 define(`auth_manage_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute can_read_shadow_passwords, can_write_shadow_passwords;
+		type shadow_t;
+		class file create_file_perms;
+	')
 
 	allow $1 shadow_t:file create_file_perms;
 	files_create_etc_config($1,shadow_t,file)
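Review bot: `auth_dontaudit_getattr_shadow` keeps an empty `<description>` in this hunk while the neighbouring shadow interfaces were filled in. I would add `Do not audit attempts to get the attributes of the shadow passwords file (/etc/shadow).` and use `The type of the domain to not audit.` for its parameter, as `auth_dontaudit_read_shadow` does. Its `gen_require` declares `class file stat_file_perms;` although the only permission the rule uses is `getattr`, so `class file getattr;` would state the requirement exactly. `auth_manage_shadow`, whose body continues past the end of this hunk, still has no `## <interface>` block at all, which is worth fixing for an interface that grants write access to /etc/shadow.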
@@ -363,49 +284,34 @@ define(`auth_manage_shadow',`
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
 
-define(`auth_manage_shadow_depend',`
-	attribute can_read_shadow_passwords, can_write_shadow_passwords;
-
-	type shadow_t;
-
-	class file create_file_perms;
-')
-
 #######################################
 #
 # auth_relabelto_shadow(domain)
 #
 define(`auth_relabelto_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute can_relabelto_shadow_passwords;
+		type shadow_t;
+		class file relabelto;
+	')
 
 	files_search_etc($1)
 	allow $1 shadow_t:file relabelto;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
 
-define(`auth_relabelto_shadow_depend',`
-	attribute can_relabelto_shadow_passwords;
-
-	type shadow_t;
-
-	class file relabelto;
-')
-
 #######################################
 #
 # auth_rw_faillog(domain)
 #
 define(`auth_rw_faillog',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type faillog_t;
+		class file rw_file_perms;
+	')
 
-	allow $1 faillog_t:file rw_file_perms;
 	logging_search_logs($1)
-')
-
-define(`auth_rw_faillog_depend',`
-	type faillog_t;
-
-	class file rw_file_perms;
+	allow $1 faillog_t:file rw_file_perms;
 ')
 
 #######################################
@@ -413,18 +319,15 @@ define(`auth_rw_faillog_depend',`
 # auth_rw_lastlog(domain)
 #
 define(`auth_rw_lastlog',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type lastlog_t;
+		class file { getattr read write setattr };
+	')
 
 	logging_search_logs($1)
 	allow $1 lastlog_t:file { getattr read write setattr };
 ')
 
-define(`auth_rw_lastlog_depend',`
-	type lastlog_t;
-
-	class file { getattr read write setattr };
-')
-
 ########################################
 ## <interface name="auth_domtrans_pam">
 ##	<description>
@@ -436,7 +339,12 @@ define(`auth_rw_lastlog_depend',`
 ## </interface>
 #
 define(`auth_domtrans_pam',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type pam_t, pam_exec_t;
+		class process sigchld;
+		class fd
+		class fifo_file rw_file_perms;
+	')
 
 	domain_auto_trans($1,pam_exec_t,pam_t)
 
@@ -446,15 +354,6 @@ define(`auth_domtrans_pam',`
 	allow pam_t $1:process sigchld;
 ')
 
-define(`auth_domtrans_pam_depend',`
-	type pam_t, pam_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="auth_run_pam">
 ##	<description>
@@ -472,54 +371,44 @@ define(`auth_domtrans_pam_depend',`
 ## </interface>
 #
 define(`auth_run_pam',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type pam_t;
+		class chr_file rw_file_perms;
+	')
 
 	auth_domtrans_pam($1)
 	role $2 types pam_t;
 	allow pam_t $3:chr_file rw_file_perms;
 ')
 
-define(`auth_run_pam_depend',`
-	type pam_t;
-
-	class chr_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="auth_exec_pam">
 ##	<description>
-##		
+##		Execute the pam program.
 ##	</description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
-#######################################
-#
-# auth_exec_pam(domain)
-#
 define(`auth_exec_pam',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type pam_exec_t;
+	')
 
 	can_exec($1,pam_exec_t)
 ')
 
-define(`auth_exec_pam_depend',`
-	type pam_exec_t;
-
-	class file { getattr read execute execute_no_trans };
-')
-
 #######################################
 #
 # auth_read_pam_pid(domain)
 #
 define(`auth_read_pam_pid',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type pam_var_run_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
 
 	files_search_var($1)
 	files_search_pids($1)
@@ -527,32 +416,22 @@ define(`auth_read_pam_pid',`
 	allow $1 pam_var_run_t:file r_file_perms;
 ')
 
-define(`auth_read_pam_pid_depend',`
-	type pam_var_run_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-')
-
 ########################################
 ## <interface name="auth_delete_pam_pid">
 ##	<description>
-##		
+##		Delete pam PID files.
 ##	</description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
-#######################################
-#
-# auth_delete_pam_pid(domain)
-#
 define(`auth_delete_pam_pid',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type pam_var_run_t;
+		class dir { getattr search read write remove_name };
+		class file { getattr unlink };
+	')
 
 	files_search_var($1)
 	files_search_pids($1)
@@ -560,19 +439,17 @@ define(`auth_delete_pam_pid',`
 	allow $1 pam_var_run_t:file { getattr unlink };
 ')
 
-define(`auth_delete_pam_pid_depend',`
-	type pam_var_run_t;
-
-	class dir { getattr search read write remove_name };
-	class file { getattr unlink };
-')
-
 #######################################
 #
 # auth_domtrans_pam_console(domain)
 #
 define(`auth_domtrans_pam_console',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type pam_console_t, pam_console_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
 	domain_auto_trans($1,pam_console_exec_t,pam_console_t)
 
@@ -582,52 +459,31 @@ define(`auth_domtrans_pam_console',`
 	allow pam_console_t $1:process sigchld;
 ')
 
-define(`auth_domtrans_pam_console_depend',`
-	type pam_console_t, pam_console_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
-########################################
-## <interface name="auth_list_pam_console_data">
-##	<description>
-##		
-##	</description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
-##	<parameter name="domain">
-##		
-##	</parameter>
-## </interface>
-#
 #######################################
 #
 # auth_list_pam_console_data(domain)
 #
 define(`auth_list_pam_console_data',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type pam_var_console_t;
+		class dir r_dir_perms;
+	')
 
 	files_search_var($1)
 	files_search_pids($1)
 	allow $1 pam_var_console_t:dir r_dir_perms;
 ')
 
-define(`auth_list_pam_console_data_depend',`
-	type pam_var_console_t;
-
-	class dir r_dir_perms;
-')
-
 #######################################
 #
 # auth_read_pam_console_data(domain)
 #
 define(`auth_read_pam_console_data',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type pam_var_console_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
 
 	files_search_var($1)
 	files_search_pids($1)
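Review bot: `auth_list_pam_console_data` loses its `## <interface>` documentation block in this hunk instead of having the empty fields filled in, leaving only the old `# auth_list_pam_console_data(domain)` banner. The hunk at `@@ -763,75 +601,43 @@` does the same to `auth_read_login_records` and `auth_dontaudit_write_login_records`. Presumably these interfaces then drop out of whatever is generated from the `##` comments. I would keep the blocks and give each a one-line description derived from its rule, e.g. `Do not audit attempts to write to login records files.` for the `dontaudit $1 wtmp_t:file write;` interface.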
@@ -635,19 +491,17 @@ define(`auth_read_pam_console_data',`
 	allow $1 pam_var_console_t:file r_file_perms;
 ')
 
-define(`auth_read_pam_console_data_depend',`
-	type pam_var_console_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-')
-
 #######################################
 #
 # auth_manage_pam_console_data(domain)
 #
 define(`auth_manage_pam_console_data',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type pam_var_console_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+		class lnk_file create_lnk_perms;
+	')
 
 	files_search_var($1)
 	files_search_pids($1)
@@ -656,14 +510,6 @@ define(`auth_manage_pam_console_data',`
 	allow $1 pam_var_console_t:lnk_file create_lnk_perms;
 ')
 
-define(`auth_manage_pam_console_data_depend',`
-	type pam_var_console_t;
-
-	class dir rw_dir_perms;
-	class file create_file_perms;
-	class lnk_file create_lnk_perms;
-')
-
 ########################################
 ## <interface name="auth_relabel_all_files_except_shadow">
 ##	<description>
@@ -681,15 +527,13 @@ define(`auth_manage_pam_console_data_depend',`
 #
 
 define(`auth_relabel_all_files_except_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type shadow_t;
+	')
 
 	files_relabel_all_files($1,$2 -shadow_t)
 ')
 
-define(`auth_relabel_all_files_except_shadow_depend',`
-	type shadow_t;
-')
-
 ########################################
 ## <interface name="auth_manage_all_files_except_shadow">
 ##	<description>
@@ -707,15 +551,13 @@ define(`auth_relabel_all_files_except_shadow_depend',`
 #
 
 define(`auth_manage_all_files_except_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type shadow_t;
+	')
 
 	files_manage_all_files($1,$2 -shadow_t)
 ')
 
-define(`auth_manage_all_files_except_shadow_depend',`
-	type shadow_t;
-')
-
 ########################################
 ## <interface name="auth_domtrans_utempter">
 ##	<description>
@@ -727,7 +569,12 @@ define(`auth_manage_all_files_except_shadow_depend',`
 ## </interface>
 #
 define(`auth_domtrans_utempter',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type utempter_t, utempter_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
 
 	domain_auto_trans($1,utempter_exec_t,utempter_t)
 
@@ -737,15 +584,6 @@ define(`auth_domtrans_utempter',`
 	allow utempter_t $1:process sigchld;
 ')
 
-define(`auth_domtrans_utempter_depend',`
-	type utempter_t, utempter_exec_t;
-
-	class file rx_file_perms;
-	class process { transition noatsecure siginh rlimitinh sigchld };
-	class fd use;
-	class fifo_file rw_file_perms;
-')
-
 ########################################
 ## <interface name="auth_run_utempter">
 ##	<description>
@@ -763,75 +601,43 @@ define(`auth_domtrans_utempter_depend',`
 ## </interface>
 #
 define(`auth_run_utempter',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type utempter_t;
+		class chr_file rw_file_perms;
+	')
 
 	auth_domtrans_utempter($1)
 	role $2 types utempter_t;
 	allow utempter_t $3:chr_file rw_file_perms;
 ')
 
-define(`auth_run_utempter_depend',`
-	type utempter_t;
-
-	class chr_file rw_file_perms;
-')
-
-########################################
-## <interface name="auth_read_login_records">
-##	<description>
-##		
-##	</description>
-##      <securitydesc>
-##              ...
-##      </securitydesc>
-##	<parameter name="domain">
-##		
-##	</parameter>
-## </interface>
-#
 #######################################
 #
 # auth_read_login_records(domain)
 #
 define(`auth_read_login_records',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type wtmp_t;
+		class file r_file_perms;
+	')
 
 	logging_search_logs($1)
 	allow $1 wtmp_t:file r_file_perms;
 ')
 
-define(`auth_read_login_records_depend',`
-	type wtmp_t;
-
-	class file r_file_perms;
-')
-
-########################################
-## <interface name="auth_dontaudit_write_login_records">
-##	<description>
-##		
-##	</description>
-##	<parameter name="domain">
-##		
-##	</parameter>
-## </interface>
-#
 #######################################
 #
 # auth_dontaudit_write_login_records(domain)
 #
 define(`auth_dontaudit_write_login_records',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type wtmp_t;
+		class file write;
+	')
 
 	dontaudit $1 wtmp_t:file write;
 ')
 
-define(`auth_read_login_records_depend',`
-	type wtmp_t;
-
-	class file write;
-')
-
 #######################################
 #
 # auth_rw_login_records(domain)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index fdd84a1..82d24c0 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -141,12 +141,27 @@ kernel_read_system_state(pam_console_t)
 kernel_use_fd(pam_console_t)
 
 dev_read_sysfs(pam_console_t)
+dev_getattr_framebuffer(pam_console_t)
+dev_setattr_framebuffer(pam_console_t)
+dev_getattr_misc(pam_console_t)
+dev_setattr_misc(pam_console_t)
+dev_getattr_mouse(pam_console_t)
+dev_setattr_mouse(pam_console_t)
+dev_getattr_power_management(pam_console_t)
+dev_setattr_power_management(pam_console_t)
+dev_getattr_scanner(pam_console_t)
+dev_setattr_scanner(pam_console_t)
+dev_getattr_snd_dev(pam_console_t)
+dev_setattr_snd_dev(pam_console_t)
+dev_getattr_video_dev(pam_console_t)
+dev_setattr_video_dev(pam_console_t)
 
-# Allow to set attributes on /dev entries
 storage_getattr_fixed_disk(pam_console_t)
 storage_setattr_fixed_disk(pam_console_t)
 storage_getattr_removable_device(pam_console_t)
 storage_setattr_removable_device(pam_console_t)
+storage_getattr_scsi_generic(pam_console_t)
+storage_setattr_scsi_generic(pam_console_t)
 
 term_use_console(pam_console_t)
 term_getattr_unallocated_ttys(pam_console_t)
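Review bot: The `storage_getattr_scsi_generic(pam_console_t)` and `storage_setattr_scsi_generic(pam_console_t)` calls added here do not grant what the rule removed in the next hunk granted. That rule covered `scsi_generic_device_t:chr_file { getattr setattr }`, whereas the two interfaces added to storage.if in this commit allow `getattr` and `setattr` on `scsi_generic_device_t:blk_file` only. `removable_device_t` was also in the removed `chr_file` list, and the removable-device interfaces called here are defined outside this view, so the same question applies to them. If the class change is intended, the commit message should say so; otherwise the interfaces should target `chr_file`, e.g. `allow $1 scsi_generic_device_t:chr_file getattr;`. Comparing the compiled policy before and after (for example with `sediff`) would confirm pam_console_t's access is unchanged by the refactor.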
@@ -201,18 +216,7 @@ optional_policy(`rhgb.te', `
 ')
 allow pam_console_t autofs_t:dir { search getattr };
 
-allow pam_console_t { 
-framebuf_device_t
-v4l_device_t
-apm_bios_t
-sound_device_t
-misc_device_t
-scanner_device_t
-mouse_device_t
-power_device_t
-removable_device_t
-scsi_generic_device_t
-}:chr_file { getattr setattr };
+allow pam_console_t apm_bios_t:chr_file { getattr setattr };
 
 ifdef(`gpm.te', `
 	allow pam_console_t gpmctl_t:sock_file { getattr setattr };
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 4f8788a..2f78d9a 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -941,6 +941,25 @@ define(`files_dontaudit_search_var_depend',`
 ')
 
 ########################################
+## <interface name="files_search_var_lib">
+##	<description>
+##		Search the /var/lib directory.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+## </interface>
+#
+define(`files_search_var_lib',`
+	gen_require(`
+		type var_t, var_lib_t;
+		class dir search;
+	')
+
+	allow $1 { var_t var_lib_t }:dir search;
+')
+
+########################################
 #
 # files_manage_urandom_seed(domain)
 #
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 52259dd..288427c 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -43,6 +43,8 @@ allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
 allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
 files_create_pid(hotplug_t,hotplug_var_run_t)
 
+
+kernel_sigchld(hotplug_t)
 kernel_read_system_state(hotplug_t)
 kernel_read_kernel_sysctl(hotplug_t)
 kernel_read_net_sysctl(hotplug_t)
@@ -58,6 +60,7 @@ corenet_tcp_bind_all_nodes(hotplug_t)
 
 dev_read_sysfs(hotplug_t)
 dev_read_usbfs(hotplug_t)
+dev_setattr_snd_dev(hotplug_t)
 # for SSP:
 dev_read_urand(hotplug_t)
 
@@ -167,14 +170,9 @@ optional_policy(`rhgb.te', `
 
 allow kernel_t hotplug_etc_t:dir search;
 
-allow hotplug_t sound_device_t:chr_file setattr;
-
 can_ypbind(hotplug_t)
 dbusd_client(system, hotplug)
 
-allow hotplug_t kernel_t:process sigchld;
-
-
 # for ps
 dontaudit hotplug_t domain:dir { getattr search };
 dontaudit hotplug_t { init_t kernel_t }:file read;
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index aa96805..9d3013a 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -330,6 +330,25 @@ define(`init_get_script_process_group',`
 ')
 
 ########################################
+## <interface name="init_rw_script_pipe">
+##	<description>
+##		Read and write init script unnamed pipes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+## </interface>
+#
+define(`init_rw_script_pipe',`
+	gen_require(`
+		type initrc_t;
+		class chr_file { read write };
+	')
+
+	allow $1 initrc_t:fifo_file { read write };
+')
+
+########################################
 #
 # init_use_script_pty(domain)
 #
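Review bot: The `gen_require` block of `init_rw_script_pipe` declares `class chr_file { read write };`, but the rule the interface emits is `allow $1 initrc_t:fifo_file { read write };`, so the requirement names a class the interface never uses and omits the one it does. Change it to `class fifo_file { read write };`. The slip is easy to miss because `chr_file` is a valid class. The other `gen_require` blocks introduced by this commit deserve the same check.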
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 29b289a..9064a91 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -64,6 +64,7 @@ fs_getattr_xattr_fs(ldconfig_t)
 
 domain_use_wide_inherit_fd(ldconfig_t)
 
+files_search_var_lib(ldconfig_t)
 files_read_generic_etc_files(ldconfig_t)
 # for when /etc/ld.so.cache is mislabeled:
 files_delete_generic_etc_files(ldconfig_t)
@@ -83,8 +84,6 @@ ifdef(`apache.te', `
 	dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
 
-allow ldconfig_t { var_t var_lib_t }:dir search;
-
 ifdef(`hide_broken_symptoms', `
 	ifdef(`unconfined.te',`
 		dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index b590167..cc05181 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -54,6 +54,20 @@ files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
 kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctl(local_login_t)
 
+dev_setattr_mouse(local_login_t)
+dev_getattr_mouse(local_login_t)
+dev_getattr_snd_dev(local_login_t)
+dev_setattr_snd_dev(local_login_t)
+dev_getattr_power_management(local_login_t)
+dev_setattr_power_management(local_login_t)
+dev_dontaudit_getattr_generic_blk_file(local_login_t)
+dev_dontaudit_setattr_generic_blk_file(local_login_t)
+dev_dontaudit_getattr_generic_chr_file(local_login_t)
+dev_dontaudit_setattr_generic_chr_file(local_login_t)
+dev_dontaudit_getattr_misc(local_login_t)
+dev_dontaudit_setattr_misc(local_login_t)
+dev_dontaudit_getattr_scanner(local_login_t)
+dev_dontaudit_setattr_scanner(local_login_t)
 # for SSP/ProPolice
 dev_read_urand(local_login_t)
 
@@ -66,6 +80,8 @@ selinux_compute_user_contexts(local_login_t)
 
 storage_dontaudit_getattr_fixed_disk(local_login_t)
 storage_dontaudit_setattr_fixed_disk(local_login_t)
+storage_dontaudit_getattr_removable_device(local_login_t)
+storage_dontaudit_setattr_removable_device(local_login_t)
 
 term_use_all_user_ttys(local_login_t)
 term_use_unallocated_tty(local_login_t)
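Review bot: `storage_dontaudit_setattr_removable_device`, as defined in this commit, silences `setattr` denials on `removable_device_t:blk_file` only, but the last hunk of this file removes both `dontaudit local_login_t removable_device_t:blk_file { getattr setattr };` and the matching `chr_file` rule. Denials on removable character device nodes will presumably be audited again after this change. That may be acceptable, since fewer `dontaudit` rules means more visibility into what login touches. It is still a behaviour change in a commit that otherwise reads as a refactor, so either extend the interface to `chr_file` or record the change in the commit message.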
@@ -171,19 +187,11 @@ ifdef(`targeted_policy',`
 	domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
 ')
 
-allow local_login_t mouse_device_t:chr_file { getattr setattr };
-allow local_login_t sound_device_t:chr_file { getattr setattr };
-allow local_login_t power_device_t:chr_file { getattr setattr };
-
 # Do not audit denied attempts to access devices.
-dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
-dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
-dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
+dontaudit local_login_t device_t:lnk_file { getattr setattr };
 dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
 dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
 dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
-dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
-dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
 
 # Do not audit denied attempts to access /mnt.
 dontaudit local_login_t mnt_t:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 86583af..31aa051 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -65,6 +65,8 @@ dev_search_usbfs(insmod_t)
 dev_write_mtrr(insmod_t)
 dev_read_urand(insmod_t)
 dev_rw_agp_dev(insmod_t)
+dev_read_snd_dev(insmod_t)
+dev_write_snd_dev(insmod_t)
 
 fs_getattr_xattr_fs(insmod_t)
 
@@ -105,8 +107,6 @@ ifdef(`TODO',`
 
 allow insmod_t apm_bios_t:chr_file { read write };
 
-allow insmod_t sound_device_t:chr_file { read ioctl write };
-
 ifdef(`xserver.te', `
 	allow insmod_t xserver_log_t:file getattr;
 ')
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 8e9737b..a7f4d16 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,4 +1,11 @@
 
+policy_module(mount,1.0)
+
+########################################
+#
+# Declarations
+#
+
 type mount_t;
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 711cab7..591ddae 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -102,6 +102,7 @@ init_dontaudit_write_script_pid(udev_t)
 libs_use_ld_so(udev_t)
 libs_use_shared_libs(udev_t)
 
+logging_search_logs(udev_t)
 logging_send_syslog_msg(udev_t)
 
 miscfiles_read_localization(udev_t)
@@ -141,7 +142,7 @@ optional_policy(`sysnetwork.te',`
 ')
 
 ifdef(`TODO',`
-allow udev_t var_log_t:dir search;
+
 allow udev_t var_lock_t:dir search;
 allow udev_t var_lock_t:file getattr;