diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index b34146e..c566b7f 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,5 +1,5 @@ -policy_module(netutils,1.3.1) +policy_module(netutils,1.3.2) ######################################## # @@ -65,6 +65,8 @@ corenet_tcp_connect_all_ports(netutils_t) corenet_sendrecv_all_client_packets(netutils_t) corenet_udp_bind_generic_node(netutils_t) +dev_read_sysfs(netutils_t) + fs_getattr_xattr_fs(netutils_t) domain_use_interactive_fds(netutils_t) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index fc2e6c8..cbbd523 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -2503,6 +2503,25 @@ interface(`dev_list_sysfs',` ######################################## ## <summary> +## Write in a sysfs directories. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +# cjp: added for cpuspeed +interface(`dev_write_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:dir write; +') + +######################################## +## <summary> ## Allow caller to read hardware state information. ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index ff6b4ce..1e04a53 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.3.1) +policy_module(devices,1.3.2) ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 2857769..172ce14 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -1096,6 +1096,24 @@ interface(`fs_relabelfrom_dos_fs',` ######################################## ## <summary> +## Read files on a DOS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_dos_files',` + gen_require(` + type dosfs_t; + ') + + read_files_pattern($1,dosfs_t,dosfs_t) +') + +######################################## +## <summary> ## Create, read, write, and delete files ## on a DOS filesystem. ## </summary> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 33f3447..be1b0e6 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.5.1) +policy_module(filesystem,1.5.2) ######################################## # diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index 5f1d353..ff4e269 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc @@ -42,7 +42,8 @@ ifdef(`distro_redhat', ` /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) +/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te index 71aff40..983ed54 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -1,5 +1,5 @@ -policy_module(storage,1.2.0) +policy_module(storage,1.2.1) ######################################## # diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te index bedc36f..81c14b9 100644 --- a/policy/modules/services/cpucontrol.te +++ b/policy/modules/services/cpucontrol.te @@ -1,5 +1,5 @@ -policy_module(cpucontrol,1.1.0) +policy_module(cpucontrol,1.1.1) ######################################## # @@ -91,6 +91,7 @@ files_pid_filetrans(cpuspeed_t,cpuspeed_var_run_t,file) kernel_read_system_state(cpuspeed_t) kernel_read_kernel_sysctls(cpuspeed_t) +dev_write_sysfs_dirs(cpuspeed_t) dev_rw_sysfs(cpuspeed_t) domain_use_interactive_fds(cpuspeed_t) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index 5a7d7bc..dbb2b6e 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -111,3 +111,70 @@ interface(`ipsec_manage_pid',` files_search_pids($1) manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t) ') + +######################################## +## <summary> +## Execute racoon in the racoon domain. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`ipsec_domtrans_racoon',` + gen_require(` + type racoon_t, racoon_exec_t; + ') + + domtrans_pattern($1,racoon_exec_t,racoon_t) +') + +######################################## +## <summary> +## Execute setkey in the setkey domain. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`ipsec_domtrans_setkey',` + gen_require(` + type setkey_t, setkey_exec_t; + ') + + domtrans_pattern($1,setkey_exec_t,setkey_t) +') + +######################################## +## <summary> +## Execute setkey and allow the specified role the domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the racoon and setkey domains. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the terminal allow the racoon and setkey domains to use. +## </summary> +## </param> +## <rolecap/> +# +interface(`ipsec_run_setkey',` + gen_require(` + type setkey_t; + ') + + ipsec_domtrans_setkey($1) + role $2 types setkey_t; + allow setkey_t $3:chr_file rw_term_perms; +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 2b7ec22..794838b 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -1,5 +1,5 @@ -policy_module(ipsec,1.2.1) +policy_module(ipsec,1.2.2) ######################################## # diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index cc40dcb..d968d18 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -1,5 +1,5 @@ -policy_module(iptables,1.2.1) +policy_module(iptables,1.2.2) ######################################## # @@ -77,9 +77,10 @@ sysnet_dns_name_resolve(iptables_t) userdom_use_all_users_fds(iptables_t) ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(iptables_t) - term_dontaudit_use_generic_ptys(iptables_t) + term_use_unallocated_ttys(iptables_t) + term_use_generic_ptys(iptables_t) files_dontaudit_read_root_files(iptables_t) + unconfined_rw_pipes(iptables_t) ') optional_policy(` diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 46425d7..b4c73bf 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1337,6 +1337,10 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') + optional_policy(` + ipsec_run_setkey($1,$2,$3) + ') + optional_policy(` netlabel_run_mgmt($1,$2, $3) ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index ec35724..a4c05ff 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,2.1.3) +policy_module(userdomain,2.1.4) gen_require(` role sysadm_r, staff_r, user_r;