diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 07544d7..67eeb55 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -98,6 +98,23 @@ interface(`dev_list_all_dev_nodes',`
########################################
##
+## Set the attributes of /dev directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_setattr_dev_dir',`
+ gen_require(`
+ type device_t;
+ class dir setattr;
+ ')
+
+ allow $1 device_t:dir setattr;
+')
+
+########################################
+##
## Dontaudit attempts to list all device nodes.
##
##
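Review bot: `dev_setattr_dev_dir` grants only `device_t:dir setattr`, while `dev_setattr_printer`, added further down in this file, pairs its setattr with `allow $1 device_t:dir search;`; `dev_getattr_usbfs_dir` in the third hunk has the same search-less shape. If callers are meant to reach subdirectories of /dev through this interface, add `allow $1 device_t:dir search;` and require `class dir { search setattr };`; otherwise say in the header that path traversal has to be granted separately. The summary says "/dev directories", but the rule covers only directories labelled `device_t`, and setattr on a directory means mode and ownership changes. I would word it as `Set the attributes (mode, owner, timestamps) of directories labeled device_t.` so that someone reviewing a calling module can see the scope of the grant.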
@@ -1574,7 +1591,26 @@ interface(`dev_read_mouse',`
########################################
##
-## Read the multiplexed input device (/dev/input).
+## Set the attributes of the printer device nodes.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_setattr_printer',`
+ gen_require(`
+ type device_t, printer_device_t;
+ class dir search;
+ class chr_file setattr;
+ ')
+
+ allow $1 device_t:dir search;
+ allow $1 printer_device_t:chr_file setattr;
+')
+
+########################################
+##
+## Read input event devices (/dev/input).
##
##
## Domain allowed access.
@@ -1891,6 +1927,23 @@ interface(`dev_mount_usbfs',`
########################################
##
+## Get the attributes of a directory in the usb filesystem.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_getattr_usbfs_dir',`
+ gen_require(`
+ type usbfs_t;
+ class dir getattr;
+ ')
+
+ allow $1 usbfs_t:dir getattr;
+')
+
+########################################
+##
## Search the directory containing USB hardware information.
##
##
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index f70cff2..b49601a 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -4,9 +4,9 @@
##
########################################
-##
+##
## Transform specified type into a filesystem type.
-##
+##
##
## The type of the process performing this action.
##
@@ -20,11 +20,11 @@ interface(`fs_type',`
')
########################################
-##
+##
## Transform specified type into a filesystem
## type which does not have extended attribute
## support.
-##
+##
##
## The type of the process performing this action.
##
@@ -40,12 +40,12 @@ interface(`fs_make_noxattr_fs',`
')
########################################
-##
+##
## Associate the specified file type to persistent
## filesystems with extended attributes. This
## allows a file of this type to be created on
## a filesystem such as ext3, JFS, and XFS.
-##
+##
##
## The type of the to be associated.
##
@@ -60,13 +60,13 @@ interface(`fs_associate',`
')
########################################
-##
+##
## Associate the specified file type to
## filesystems which lack extended attributes
## support. This allows a file of this type
## to be created on a filesystem such as
## FAT32, and NFS.
-##
+##
##
## The type of the to be associated.
##
@@ -81,11 +81,11 @@ interface(`fs_associate_noxattr',`
')
########################################
-##
+##
## Mount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -100,12 +100,12 @@ interface(`fs_mount_xattr_fs',`
')
########################################
-##
+##
## Remount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS. This allows
## some mount options to be changed.
-##
+##
##
## The type of the domain remounting the filesystem.
##
@@ -120,11 +120,11 @@ interface(`fs_remount_xattr_fs',`
')
########################################
-##
+##
## Unmount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS.
-##
+##
##
## The type of the domain unmounting the filesystem.
##
@@ -139,11 +139,11 @@ interface(`fs_unmount_xattr_fs',`
')
########################################
-##
+##
## Get the attributes of a persistent
## filesystem which has extended
## attributes, such as ext3, JFS, or XFS.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -159,12 +159,12 @@ interface(`fs_getattr_xattr_fs',`
')
########################################
-##
+##
## Do not audit attempts to
## get the attributes of a persistent
## filesystem which has extended
## attributes, such as ext3, JFS, or XFS.
-##
+##
##
## The type of the domain to not audit.
##
@@ -179,11 +179,11 @@ interface(`fs_dontaudit_getattr_xattr_fs',`
')
########################################
-##
+##
## Allow changing of the label of a
## filesystem with extended attributes
## using the context= mount option.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -198,9 +198,9 @@ interface(`fs_relabelfrom_xattr_fs',`
')
########################################
-##
+##
## Mount an automount pseudo filesystem.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -216,10 +216,10 @@ interface(`fs_mount_autofs',`
########################################
-##
+##
## Remount an automount pseudo filesystem
## This allows some mount options to be changed.
-##
+##
##
## The type of the domain remounting the filesystem.
##
@@ -234,9 +234,9 @@ interface(`fs_remount_autofs',`
')
########################################
-##
+##
## Unmount an automount pseudo filesystem.
-##
+##
##
## The type of the domain unmounting the filesystem.
##
@@ -251,10 +251,10 @@ interface(`fs_unmount_autofs',`
')
########################################
-##
+##
## Get the attributes of an automount
## pseudo filesystem.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -288,7 +288,7 @@ interface(`fs_search_auto_mountpoints',`
')
########################################
-##
+##
## Register an interpreter for new binary
## file types, using the kernel binfmt_misc
## support. A common use for this is to
@@ -296,7 +296,7 @@ interface(`fs_search_auto_mountpoints',`
## Java byte code. Registered binaries
## can be directly executed on a command line
## without specifying the interpreter.
-##
+##
##
## The type of the domain registering
## the interpreter.
@@ -314,9 +314,9 @@ interface(`fs_register_binary_executable_type',`
')
########################################
-##
+##
## Mount a CIFS or SMB network filesystem.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -331,10 +331,10 @@ interface(`fs_mount_cifs',`
')
########################################
-##
+##
## Remount a CIFS or SMB network filesystem.
## This allows some mount options to be changed.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -349,9 +349,9 @@ interface(`fs_remount_cifs',`
')
########################################
-##
+##
## Unmount a CIFS or SMB network filesystem.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -366,10 +366,10 @@ interface(`fs_unmount_cifs',`
')
########################################
-##
+##
## Get the attributes of a CIFS or
## SMB network filesystem.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -385,9 +385,9 @@ interface(`fs_getattr_cifs',`
')
########################################
-##
+##
## Read files on a CIFS or SMB filesystem.
-##
+##
##
## The type of the domain reading the files.
##
@@ -404,10 +404,10 @@ interface(`fs_read_cifs_files',`
')
########################################
-##
+##
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
-##
+##
##
## The type of the domain to not audit.
##
@@ -422,9 +422,9 @@ interface(`fs_dontaudit_rw_cifs_files',`
')
########################################
-##
+##
## Read symbolic links on a CIFS or SMB filesystem.
-##
+##
##
## The type of the domain reading the symbolic links.
##
@@ -441,11 +441,11 @@ interface(`fs_read_cifs_symlinks',`
')
########################################
-##
+##
## Execute files on a CIFS or SMB
## network filesystem, in the caller
## domain.
-##
+##
##
## The type of the domain executing the files.
##
@@ -461,10 +461,10 @@ interface(`fs_execute_cifs_files',`
')
########################################
-##
+##
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystems.
-##
+##
##
## The type of the domain to not audit.
##
@@ -479,10 +479,10 @@ interface(`fs_read_cifs_files',`
')
########################################
-##
+##
## Create, read, write, and delete directories
## on a CIFS or SMB network filesystem.
-##
+##
##
## The type of the domain managing the directories.
##
@@ -497,10 +497,10 @@ interface(`fs_manage_cifs_dirs',`
')
########################################
-##
+##
## Create, read, write, and delete files
## on a CIFS or SMB network filesystem.
-##
+##
##
## The type of the domain managing the files.
##
@@ -517,10 +517,10 @@ interface(`fs_manage_cifs_files',`
')
########################################
-##
+##
## Create, read, write, and delete symbolic links
## on a CIFS or SMB network filesystem.
-##
+##
##
## The type of the domain managing the symbolic links.
##
@@ -537,10 +537,10 @@ interface(`fs_manage_cifs_symlinks',`
')
########################################
-##
+##
## Create, read, write, and delete named pipes
## on a CIFS or SMB network filesystem.
-##
+##
##
## The type of the domain managing the pipes.
##
@@ -557,10 +557,10 @@ interface(`fs_manage_cifs_named_pipes',`
')
########################################
-##
+##
## Create, read, write, and delete named sockets
## on a CIFS or SMB network filesystem.
-##
+##
##
## The type of the domain managing the sockets.
##
@@ -577,10 +577,10 @@ interface(`fs_manage_cifs_named_sockets',`
')
########################################
-##
+##
## Mount a DOS filesystem, such as
## FAT32 or NTFS.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -595,11 +595,11 @@ interface(`fs_mount_dos_fs',`
')
########################################
-##
+##
## Remount a DOS filesystem, such as
## FAT32 or NTFS. This allows
## some mount options to be changed.
-##
+##
##
## The type of the domain remounting the filesystem.
##
@@ -614,10 +614,10 @@ interface(`fs_remount_dos_fs',`
')
########################################
-##
+##
## Unmount a DOS filesystem, such as
## FAT32 or NTFS.
-##
+##
##
## The type of the domain unmounting the filesystem.
##
@@ -632,10 +632,10 @@ interface(`fs_unmount_dos_fs',`
')
########################################
-##
+##
## Get the attributes of a DOS
## filesystem, such as FAT32 or NTFS.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -651,10 +651,10 @@ interface(`fs_getattr_dos_fs',`
')
########################################
-##
+##
## Allow changing of the label of a
## DOS filesystem using the context= mount option.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -669,10 +669,10 @@ interface(`fs_relabelfrom_dos_fs',`
')
########################################
-##
+##
## Mount an iso9660 filesystem, which
## is usually used on CDs.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -687,11 +687,11 @@ interface(`fs_mount_iso9660_fs',`
')
########################################
-##
+##
## Remount an iso9660 filesystem, which
## is usually used on CDs. This allows
## some mount options to be changed.
-##
+##
##
## The type of the domain remounting the filesystem.
##
@@ -706,10 +706,10 @@ interface(`fs_remount_iso9660_fs',`
')
########################################
-##
+##
## Unmount an iso9660 filesystem, which
## is usually used on CDs.
-##
+##
##
## The type of the domain unmounting the filesystem.
##
@@ -724,10 +724,10 @@ interface(`fs_unmount_iso9660_fs',`
')
########################################
-##
+##
## Get the attributes of an iso9660
## filesystem, which is usually used on CDs.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -743,9 +743,9 @@ interface(`fs_getattr_iso9660_fs',`
')
########################################
-##
+##
## Mount a NFS filesystem.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -760,10 +760,10 @@ interface(`fs_mount_nfs',`
')
########################################
-##
+##
## Remount a NFS filesystem. This allows
## some mount options to be changed.
-##
+##
##
## The type of the domain remounting the filesystem.
##
@@ -778,9 +778,9 @@ interface(`fs_remount_nfs',`
')
########################################
-##
+##
## Unmount a NFS filesystem.
-##
+##
##
## The type of the domain unmounting the filesystem.
##
@@ -795,9 +795,9 @@ interface(`fs_unmount_nfs',`
')
########################################
-##
+##
## Get the attributes of a NFS filesystem.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -813,9 +813,9 @@ interface(`fs_getattr_nfs',`
')
########################################
-##
+##
## Read files on a NFS filesystem.
-##
+##
##
## The type of the domain reading the files.
##
@@ -832,9 +832,9 @@ interface(`fs_read_nfs_files',`
')
########################################
-##
+##
## Execute files on a NFS filesystem.
-##
+##
##
## The type of the domain executing the files.
##
@@ -850,10 +850,10 @@ interface(`fs_execute_nfs_files',`
')
########################################
-##
+##
## Do not audit attempts to read or
## write files on a NFS filesystem.
-##
+##
##
## The type of the domain to not audit.
##
@@ -868,9 +868,9 @@ interface(`fs_dontaudit_rw_nfs_files',`
')
########################################
-##
+##
## Read symbolic links on a NFS filesystem.
-##
+##
##
## The type of the domain reading the symbolic links.
##
@@ -887,10 +887,10 @@ interface(`fs_read_nfs_symlinks',`
')
########################################
-##
+##
## Create, read, write, and delete directories
## on a NFS filesystem.
-##
+##
##
## The type of the domain managing the directories.
##
@@ -905,10 +905,10 @@ interface(`fs_manage_nfs_dirs',`
')
########################################
-##
+##
## Create, read, write, and delete files
## on a NFS filesystem.
-##
+##
##
## The type of the domain managing the files.
##
@@ -925,10 +925,10 @@ interface(`fs_manage_nfs_files',`
')
#########################################
-##
+##
## Create, read, write, and delete symbolic links
## on a CIFS or SMB network filesystem.
-##
+##
##
## The type of the domain managing the symbolic links.
##
@@ -945,10 +945,10 @@ interface(`fs_manage_nfs_symlinks',`
')
#########################################
-##
+##
## Create, read, write, and delete named pipes
## on a NFS filesystem.
-##
+##
##
## The type of the domain managing the pipes.
##
@@ -965,10 +965,10 @@ interface(`fs_manage_nfs_named_pipes',`
')
#########################################
-##
+##
## Create, read, write, and delete named sockets
## on a NFS filesystem.
-##
+##
##
## The type of the domain managing the sockets.
##
@@ -985,9 +985,9 @@ interface(`fs_manage_nfs_named_sockets',`
')
########################################
-##
+##
## Mount a NFS server pseudo filesystem.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -1002,10 +1002,10 @@ interface(`fs_mount_nfsd_fs',`
')
########################################
-##
+##
## Mount a NFS server pseudo filesystem.
## This allows some mount options to be changed.
-##
+##
##
## The type of the domain remounting the filesystem.
##
@@ -1020,9 +1020,9 @@ interface(`fs_remount_nfsd_fs',`
')
########################################
-##
+##
## Unmount a NFS server pseudo filesystem.
-##
+##
##
## The type of the domain unmounting the filesystem.
##
@@ -1037,10 +1037,10 @@ interface(`fs_unmount_nfsd_fs',`
')
########################################
-##
+##
## Get the attributes of a NFS server
## pseudo filesystem.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -1056,9 +1056,9 @@ interface(`fs_getattr_nfsd_fs',`
')
########################################
-##
+##
## Mount a RAM filesystem.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -1073,10 +1073,10 @@ interface(`fs_mount_ramfs',`
')
########################################
-##
+##
## Remount a RAM filesystem. This allows
## some mount options to be changed.
-##
+##
##
## The type of the domain remounting the filesystem.
##
@@ -1091,9 +1091,9 @@ interface(`fs_remount_ramfs',`
')
########################################
-##
+##
## Unmount a RAM filesystem.
-##
+##
##
## The type of the domain unmounting the filesystem.
##
@@ -1108,9 +1108,9 @@ interface(`fs_unmount_ramfs',`
')
########################################
-##
+##
## Get the attributes of a RAM filesystem.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -1126,9 +1126,9 @@ interface(`fs_getattr_ramfs',`
')
########################################
-##
+##
## Mount a ROM filesystem.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -1143,10 +1143,10 @@ interface(`fs_mount_romfs',`
')
########################################
-##
+##
## Remount a ROM filesystem. This allows
## some mount options to be changed.
-##
+##
##
## The type of the domain remounting the filesystem.
##
@@ -1161,9 +1161,9 @@ interface(`fs_remount_romfs',`
')
########################################
-##
+##
## Unmount a ROM filesystem.
-##
+##
##
## The type of the domain unmounting the filesystem.
##
@@ -1178,10 +1178,10 @@ interface(`fs_unmount_romfs',`
')
########################################
-##
+##
## Get the attributes of a ROM
## filesystem.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -1197,9 +1197,9 @@ interface(`fs_getattr_romfs',`
')
########################################
-##
+##
## Mount a RPC pipe filesystem.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -1214,10 +1214,10 @@ interface(`fs_mount_rpc_pipefs',`
')
########################################
-##
+##
## Remount a RPC pipe filesystem. This
## allows some mount option to be changed.
-##
+##
##
## The type of the domain remounting the filesystem.
##
@@ -1232,9 +1232,9 @@ interface(`fs_remount_rpc_pipefs',`
')
########################################
-##
+##
## Unmount a RPC pipe filesystem.
-##
+##
##
## The type of the domain unmounting the filesystem.
##
@@ -1249,10 +1249,10 @@ interface(`fs_unmount_rpc_pipefs',`
')
########################################
-##
+##
## Get the attributes of a RPC pipe
## filesystem.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -1268,9 +1268,9 @@ interface(`fs_getattr_rpc_pipefs',`
')
########################################
-##
+##
## Mount a tmpfs filesystem.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -1285,9 +1285,9 @@ interface(`fs_mount_tmpfs',`
')
########################################
-##
+##
## Remount a tmpfs filesystem.
-##
+##
##
## The type of the domain remounting the filesystem.
##
@@ -1302,9 +1302,9 @@ interface(`fs_remount_tmpfs',`
')
########################################
-##
+##
## Unmount a tmpfs filesystem.
-##
+##
##
## The type of the domain unmounting the filesystem.
##
@@ -1319,10 +1319,10 @@ interface(`fs_unmount_tmpfs',`
')
########################################
-##
+##
## Get the attributes of a tmpfs
## filesystem.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -1338,9 +1338,9 @@ interface(`fs_getattr_tmpfs',`
')
########################################
-##
+##
## Allow the type to associate to tmpfs filesystems.
-##
+##
##
## The type of the object to be associated.
##
@@ -1355,6 +1355,57 @@ interface(`fs_associate_tmpfs',`
')
########################################
+##
+## Get the attributes of tmpfs directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_getattr_tmpfs_dir',`
+ gen_require(`
+ type tmpfs_t;
+ class dir getattr;
+ ')
+
+ allow $1 tmpfs_t:dir getattr;
+')
+
+########################################
+##
+## Set the attributes of tmpfs directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_setattr_tmpfs_dir',`
+ gen_require(`
+ type tmpfs_t;
+ class dir setattr;
+ ')
+
+ allow $1 tmpfs_t:dir setattr;
+')
+
+########################################
+##
+## Search tmpfs directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_search_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ class dir search;
+ ')
+
+ allow $1 tmpfs_t:dir search;
+')
+
+########################################
#
# fs_create_tmpfs_data(domain,derivedtype,[class])
#
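Review bot: `fs_search_tmpfs` does not follow the naming of its two siblings in this hunk (`fs_getattr_tmpfs_dir`, `fs_setattr_tmpfs_dir`), and it sits beside `fs_getattr_tmpfs` and `fs_mount_tmpfs`, which by their summaries act on the filesystem object, so the name alone does not show that it grants `tmpfs_t:dir search`. A name that carries the object class, for example `fs_search_tmpfs_dir`, would keep the three consistent. The summaries would also be more precise if they said the rules apply only to directories labelled `tmpfs_t`. For `fs_setattr_tmpfs_dir` it is worth stating in the header that the grant covers mode and ownership changes, since tmpfs directories are often shared between domains (an assumption on my side; no callers are visible in this diff).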
@@ -1376,9 +1427,9 @@ interface(`fs_create_tmpfs_data',`
')
########################################
-##
+##
## Read and write character nodes on tmpfs filesystems.
-##
+##
##
## The type of the process performing this action.
##
@@ -1395,9 +1446,9 @@ interface(`fs_use_tmpfs_chr_dev',`
')
########################################
-##
+##
## Relabel character nodes on tmpfs filesystems.
-##
+##
##
## The type of the process performing this action.
##
@@ -1414,9 +1465,9 @@ interface(`fs_relabel_tmpfs_chr_dev',`
')
########################################
-##
+##
## Read and write block nodes on tmpfs filesystems.
-##
+##
##
## The type of the process performing this action.
##
@@ -1433,9 +1484,9 @@ interface(`fs_use_tmpfs_blk_dev',`
')
########################################
-##
+##
## Relabel block nodes on tmpfs filesystems.
-##
+##
##
## The type of the process performing this action.
##
@@ -1452,10 +1503,10 @@ interface(`fs_relabel_tmpfs_blk_dev',`
')
########################################
-##
+##
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
-##
+##
##
## The type of the process performing this action.
##
@@ -1472,10 +1523,10 @@ interface(`fs_manage_tmpfs_symlinks',`
')
########################################
-##
+##
## Read and write, create and delete socket
## files on tmpfs filesystems.
-##
+##
##
## The type of the process performing this action.
##
@@ -1492,10 +1543,10 @@ interface(`fs_manage_tmpfs_sockets',`
')
########################################
-##
+##
## Read and write, create and delete character
## nodes on tmpfs filesystems.
-##
+##
##
## The type of the process performing this action.
##
@@ -1512,10 +1563,10 @@ interface(`fs_manage_tmpfs_chr_dev',`
')
########################################
-##
+##
## Read and write, create and delete block nodes
## on tmpfs filesystems.
-##
+##
##
## The type of the process performing this action.
##
@@ -1532,9 +1583,9 @@ interface(`fs_manage_tmpfs_blk_dev',`
')
########################################
-##
+##
## Mount all filesystems.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -1549,10 +1600,10 @@ interface(`fs_mount_all_fs',`
')
########################################
-##
+##
## Remount all filesystems. This
## allows some mount options to be changed.
-##
+##
##
## The type of the domain mounting the filesystem.
##
@@ -1567,9 +1618,9 @@ interface(`fs_remount_all_fs',`
')
########################################
-##
+##
## Unmount all filesystems.
-##
+##
##
## The type of the domain unmounting the filesystem.
##
@@ -1584,10 +1635,10 @@ interface(`fs_unmount_all_fs',`
')
########################################
-##
+##
## Get the attributes of all persistent
## filesystems.
-##
+##
##
## The type of the domain doing the
## getattr on the filesystem.
@@ -1603,10 +1654,10 @@ interface(`fs_getattr_all_fs',`
')
########################################
-##
+##
## Do not audit attempts to get the attributes
## all filesystems.
-##
+##
##
## The type of the domain to not audit.
##
@@ -1621,9 +1672,9 @@ interface(`fs_dontaudit_getattr_all_fs',`
')
########################################
-##
+##
## Get the quotas of all filesystems.
-##
+##
##
## The type of the domain getting quotas.
##
@@ -1638,9 +1689,9 @@ interface(`fs_get_all_fs_quotas',`
')
########################################
-##
+##
## Set the quotas of all filesystems.
-##
+##
##
## The type of the domain setting quotas.
##
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 5ea4411..1d5644a 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -6,10 +6,10 @@
##
########################################
-##
+##
## Allows to start userland processes
## by transitioning to the specified domain.
-##
+##
##
## The process type entered by kernel.
##
@@ -34,10 +34,10 @@ interface(`kernel_userland_entry',`
')
########################################
-##
+##
## Allows the kernel to mount filesystems on
## the specified directory type.
-##
+##
##
## The type of the directory to use as a mountpoint.
##
@@ -52,9 +52,9 @@ interface(`kernel_rootfs_mountpoint',`
')
########################################
-##
+##
## Send a SIGCHLD signal to kernel threads.
-##
+##
##
## The type of the process sending the signal.
##
@@ -69,10 +69,10 @@ interface(`kernel_sigchld',`
')
########################################
-##
+##
## Allows the kernel to share state information with
## the caller.
-##
+##
##
## The type of the process with which to share state information.
##
@@ -87,9 +87,9 @@ interface(`kernel_share_state',`
')
########################################
-##
+##
## Permits caller to use kernel file descriptors.
-##
+##
##
## The type of the process using the descriptors.
##
@@ -104,10 +104,10 @@ interface(`kernel_use_fd',`
')
########################################
-##
+##
## Do not audit attempts to use
## kernel file descriptors.
-##
+##
##
## The type of process not to audit.
##
@@ -122,9 +122,9 @@ interface(`kernel_dontaudit_use_fd',`
')
########################################
-##
+##
## Allows caller to load kernel modules
-##
+##
##
## The process type to allow to load kernel modules.
##
@@ -140,9 +140,9 @@ interface(`kernel_load_module',`
')
########################################
-##
+##
## Allows caller to read the ring buffer.
-##
+##
##
## The process type allowed to read the ring buffer.
##
@@ -157,9 +157,9 @@ interface(`kernel_read_ring_buffer',`
')
########################################
-##
+##
## Do not audit attempts to read the ring buffer.
-##
+##
##
## The domain to not audit.
##
@@ -191,9 +191,9 @@ interface(`kernel_change_ring_buffer_level',`
')
########################################
-##
+##
## Allows the caller to clear the ring buffer.
-##
+##
##
## The process type clearing the buffer.
##
@@ -208,9 +208,9 @@ interface(`kernel_clear_ring_buffer',`
')
########################################
-##
+##
## Get information on all System V IPC objects.
-##
+##
##
##
##
@@ -225,9 +225,79 @@ interface(`kernel_get_sysvipc_info',`
')
########################################
-##
-## Allows caller to read system state information.
-##
+##
+## Get the attributes of the proc filesystem.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_getattr_proc',`
+ gen_require(`
+ type proc_t;
+ class filesystem getattr;
+ ')
+
+ allow $1 proc_t:filesystem getattr;
+')
+
+########################################
+##
+## Search directories in /proc.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_search_proc',`
+ gen_require(`
+ type proc_t;
+ class dir search;
+ ')
+
+ allow $1 proc_t:dir search;
+')
+
+########################################
+##
+## List the contents of directories in /proc.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_list_proc',`
+ gen_require(`
+ type proc_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 proc_t:dir r_dir_perms;
+')
+
+########################################
+##
+## Read symbolic links in /proc.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_read_proc_symlinks',`
+ gen_require(`
+ type proc_t;
+ class dir search;
+ class lnk_file { getattr read };
+ ')
+
+ allow $1 proc_t:dir search;
+ allow $1 proc_t:lnk_file { getattr read };
+')
+
+########################################
+##
+## Allows caller to read system state information in proc.
+##
##
## The process type reading the system state information.
##
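Review bot: The summaries of `kernel_search_proc`, `kernel_list_proc` and `kernel_read_proc_symlinks` say "in /proc", but each rule names only `proc_t`, so entries under /proc that carry another type are not covered; the separate sysctl interfaces later in this file suggest those entries are labelled differently. I would word them along the lines of `List the contents of directories labeled proc_t.` so a policy reviewer does not read the grant as covering all of /proc. `kernel_getattr_proc` acts on `proc_t:filesystem`, whereas `kernel_getattr_core` and `kernel_getattr_message_if` in the same file are described as acting on individual kernel interfaces, so a name such as `kernel_getattr_proc_fs` would avoid confusion. The reworded summary at the end of the hunk belongs to `kernel_read_system_state`, whose body is outside the hunk, so I could not check the "in proc" wording against its rules.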
@@ -246,10 +316,10 @@ interface(`kernel_read_system_state',`
')
########################################
-##
+##
## Do not audit attempts by caller to
-## read system state information.
-##
+## read system state information in proc.
+##
##
## The process type not to audit.
##
@@ -264,9 +334,9 @@ interface(`kernel_dontaudit_read_system_state',`
')
#######################################
-##
+##
## Allow caller to read the state information for software raid.
-##
+##
##
## The process type reading software raid state.
##
@@ -283,9 +353,9 @@ interface(`kernel_read_software_raid_state',`
')
########################################
-##
+##
## Allows caller to get attribues of core kernel interface.
-##
+##
##
## The process type getting the attibutes.
##
@@ -302,10 +372,10 @@ interface(`kernel_getattr_core',`
')
########################################
-##
+##
## Do not audit attempts to get the attributes of
## core kernel interfaces.
-##
+##
##
## The process type to not audit.
##
@@ -320,10 +390,10 @@ interface(`kernel_dontaudit_getattr_core',`
')
########################################
-##
+##
## Allow caller to read kernel messages
## using the /proc/kmsg interface.
-##
+##
##
## The process type reading the messages.
##
@@ -342,10 +412,10 @@ interface(`kernel_read_messages',`
')
########################################
-##
+##
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
-##
+##
##
## The process type getting the attributes.
##
@@ -362,10 +432,10 @@ interface(`kernel_getattr_message_if',`
')
########################################
-##
+##
## Do not audit attempts by caller to get the attributes of kernel
## message interfaces.
-##
+##
##
## The process type not to audit.
##
@@ -380,9 +450,9 @@ interface(`kernel_dontaudit_getattr_message_if',`
')
########################################
-##
+##
## Allow caller to read the network state information.
-##
+##
##
## The process type reading the state.
##
@@ -401,9 +471,9 @@ interface(`kernel_read_network_state',`
')
########################################
-##
+##
## Do not audit attempts by caller to search the sysctl directory.
-##
+##
##
## The process type not to audit.
##
@@ -419,9 +489,9 @@ interface(`kernel_dontaudit_search_sysctl_dir',`
')
########################################
-##
+##
## Allow caller to read the device sysctls.
-##
+##
##
## The process type to allow to read the device sysctls.
##
@@ -440,9 +510,9 @@ interface(`kernel_read_device_sysctl',`
')
########################################
-##
+##
## Read and write device sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -460,9 +530,9 @@ interface(`kernel_rw_device_sysctl',`
')
########################################
-##
+##
## Allow caller to read virtual memory sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -481,9 +551,9 @@ interface(`kernel_read_vm_sysctl',`
')
########################################
-##
+##
## Read and write virtual memory sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -501,9 +571,9 @@ interface(`kernel_rw_vm_sysctl',`
')
########################################
-##
+##
## Do not audit attempts by caller to search sysctl network directories.
-##
+##
##
## The process type not to audit.
##
@@ -518,9 +588,9 @@ interface(`kernel_dontaudit_search_network_sysctl_dir',`
')
########################################
-##
+##
## Allow caller to read network sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -540,9 +610,9 @@ interface(`kernel_read_net_sysctl',`
')
########################################
-##
+##
## Allow caller to modiry contents of sysctl network files.
-##
+##
##
## The type of the process performing this action.
##
@@ -561,10 +631,10 @@ interface(`kernel_rw_net_sysctl',`
')
########################################
-##
+##
## Allow caller to read unix domain
## socket sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -583,10 +653,10 @@ interface(`kernel_read_unix_sysctl',`
')
########################################
-##
+##
## Read and write unix domain
## socket sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -605,9 +675,9 @@ interface(`kernel_rw_unix_sysctl',`
')
########################################
-##
+##
## Read the hotplug sysctl.
-##
+##
##
## The type of the process performing this action.
##
@@ -626,9 +696,9 @@ interface(`kernel_read_hotplug_sysctl',`
')
########################################
-##
+##
## Read and write the hotplug sysctl.
-##
+##
##
## The type of the process performing this action.
##
@@ -647,9 +717,9 @@ interface(`kernel_rw_hotplug_sysctl',`
')
########################################
-##
+##
## Read the modprobe sysctl.
-##
+##
##
## The type of the process performing this action.
##
@@ -668,9 +738,9 @@ interface(`kernel_read_modprobe_sysctl',`
')
########################################
-##
+##
## Read and write the modprobe sysctl.
-##
+##
##
## The type of the process performing this action.
##
@@ -689,9 +759,9 @@ interface(`kernel_rw_modprobe_sysctl',`
')
########################################
-##
+##
## Read generic kernel sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -710,9 +780,9 @@ interface(`kernel_read_kernel_sysctl',`
')
########################################
-##
+##
## Read and write generic kernel sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -731,9 +801,9 @@ interface(`kernel_rw_kernel_sysctl',`
')
########################################
-##
+##
## Read filesystem sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -752,9 +822,9 @@ interface(`kernel_read_fs_sysctl',`
')
########################################
-##
+##
## Read and write fileystem sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -773,9 +843,9 @@ interface(`kernel_rw_fs_sysctl',`
')
########################################
-##
+##
## Read IRQ sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -793,9 +863,9 @@ interface(`kernel_read_irq_sysctl',`
')
########################################
-##
+##
## Read and write IRQ sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -848,9 +918,9 @@ interface(`kernel_rw_rpc_sysctl',`
')
########################################
-##
+##
## Allow caller to read all sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -869,9 +939,9 @@ interface(`kernel_read_all_sysctl',`
')
########################################
-##
+##
## Read and write all sysctls.
-##
+##
##
## The type of the process performing this action.
##
@@ -890,9 +960,9 @@ interface(`kernel_rw_all_sysctl',`
')
########################################
-##
+##
## Send a kill signal to unlabeled processes.
-##
+##
##
## The type of the process performing this action.
##
@@ -907,9 +977,9 @@ interface(`kernel_kill_unlabeled',`
')
########################################
-##
+##
## Send general signals to unlabeled processes.
-##
+##
##
## The type of the process performing this action.
##
@@ -924,9 +994,9 @@ interface(`kernel_signal_unlabeled',`
')
########################################
-##
+##
## Send a null signal to unlabeled processes.
-##
+##
##
## The type of the process performing this action.
##
@@ -941,9 +1011,9 @@ interface(`kernel_signull_unlabeled',`
')
########################################
-##
+##
## Send a stop signal to unlabeled processes.
-##
+##
##
## The type of the process performing this action.
##
@@ -958,9 +1028,9 @@ interface(`kernel_sigstop_unlabeled',`
')
########################################
-##
+##
## Send a child terminated signal to unlabeled processes.
-##
+##
##
## The type of the process performing this action.
##
@@ -975,10 +1045,10 @@ interface(`kernel_sigchld_unlabeled',`
')
########################################
-##
+##
## Do not audit attempts by caller to get attributes for
## unlabeled block devices.
-##
+##
##
## The process type not to audit.
##
@@ -986,16 +1056,50 @@ interface(`kernel_sigchld_unlabeled',`
interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
gen_require(`
type unlabeled_t;
- class process getattr;
+ class blk_file getattr;
+ ')
+
+ allow $1 unlabeled_t:blk_file getattr;
+')
+
+########################################
+##
+## Read and write unlabeled directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_rw_unlabeled_dir',`
+ gen_require(`
+ type unlabeled_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 unlabeled_t:dir rw_dir_perms;
+')
+
+########################################
+##
+## Read and write unlabeled block device nodes.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_use_unlabeled_blk_dev',`
+ gen_require(`
+ type unlabeled_t;
+ class blk_file rw_file_perms;
')
allow $1 unlabeled_t:blk_file getattr;
')
########################################
-##
+##
## Allow caller to relabel unlabeled objects.
-##
+##
##
## The process type relabeling the objects.
##
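Review bot: `kernel_dontaudit_getattr_unlabeled_blk_dev` now ends in an `allow` rule, so a caller that only meant to silence denials is granted getattr on unlabeled block devices; the added line should read `dontaudit $1 unlabeled_t:blk_file getattr;`. The new `kernel_use_unlabeled_blk_dev` requires `class blk_file rw_file_perms;` and is documented as read and write, yet its body is the leftover context line `allow $1 unlabeled_t:blk_file getattr;`. fstools.te calls it for fsadm_t in place of the removed `allow fsadm_t unlabeled_t:blk_file rw_file_perms;`, so the interface does not grant what its name, summary and caller expect. That line should become `allow $1 unlabeled_t:blk_file rw_file_perms;`.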
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 659efa2..4a80395 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -162,6 +162,27 @@ interface(`storage_manage_fixed_disk',`
########################################
##
+## Create fixed disk device nodes on a tmpfs filesystem.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`storage_create_fixed_disk_tmpfs',`
+ gen_require(`
+ attribute fixed_disk_raw_read, fixed_disk_raw_write;
+ type fixed_disk_device_t;
+ class blk_file create_file_perms;
+ ')
+
+ allow $1 fixed_disk_device_t:blk_file create_file_perms;
+ fs_create_tmpfs_data($1,fixed_disk_device_t,blk_file)
+
+ typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
+')
+
+########################################
+##
## Relabel fixed disk device nodes.
##
##
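Review bot: The summary of `storage_create_fixed_disk_tmpfs` understates what the interface grants. The rule `allow $1 fixed_disk_device_t:blk_file create_file_perms;` is not limited to nodes on tmpfs, and the `typeattribute` line puts the caller into `fixed_disk_raw_read` and `fixed_disk_raw_write`. A policy author reading only the summary would not expect raw disk access to come with a "create device node" interface. I would extend the summary to `## Create fixed disk device nodes on a tmpfs filesystem. The caller also gains raw read and write access to fixed disks.`, so the call added for initrc_t in init.te's `distro_debian` block is reviewed as a raw-disk grant.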
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 219bcab..9a692dd 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -249,6 +249,24 @@ interface(`mta_rw_aliases',`
')
#######################################
+##
+## Do not audit attempts to read a symlink
+## in the mail spool.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mta_dontaudit_read_spool_symlink',`
+ gen_require(`
+ type mail_spool_t;
+ class lnk_file read;
+ ')
+
+ dontaudit $1 mail_spool_t:lnk_file read;
+')
+
+#######################################
#
# mta_getattr_spool(domain)
#
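Review bot: The parameter description of `mta_dontaudit_read_spool_symlink` says `Domain allowed access.`, but the body is a single `dontaudit` rule and grants nothing. `files_dontaudit_getattr_pid_dir`, added to files.if in this same commit, uses `Domain to not audit.`; the same wording belongs here so the generated interface documentation does not suggest an access grant.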
@@ -313,4 +331,3 @@ interface(`mta_manage_queue',`
allow $1 mqueue_spool_t:dir rw_dir_perms;
allow $1 mqueue_spool_t:file create_file_perms;
')
-
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index bc9eae6..e760ff7 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -318,5 +318,5 @@ optional_policy(`xserver.te', `
#allow utempter_t xdm_t:fd use;
xserver_use_xdm_fd(utempter_t)
#allow utempter_t xdm_t:fifo_file { write getattr };
- xserver_write_xdm_fifo(utempter_t)
+ xdm_write_fifo(utempter_t)
')
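Review bot: This block now mixes two module prefixes: `xserver_use_xdm_fd(utempter_t)` two lines up and the enclosing optional_policy guard on xserver.te still name the xserver module, while the new call is `xdm_write_fifo(utempter_t)`. The definition of `xdm_write_fifo` is not in the part of the diff visible here, so confirm that it exists. If the module was renamed, the guard and the neighbouring call presumably need the same rename; otherwise the call will not resolve when xserver.te is present.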
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 71bcd63..0e4387e 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -30,6 +30,8 @@ dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
kernel_read_kernel_sysctl(hwclock_t)
+kernel_list_proc(hwclock_t)
+kernel_read_proc_symlinks(hwclock_t)
dev_read_sysfs(hwclock_t)
dev_rw_realtime_clock(hwclock_t)
@@ -77,10 +79,6 @@ optional_policy(`userdomain.te',`
')
ifdef(`TODO',`
-
-allow hwclock_t proc_t:dir r_dir_perms;
-allow hwclock_t proc_t:lnk_file read;
-
optional_policy(`rhgb.te', `
rhgb_domain(hwclock_t)
')
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index e92629f..8512cd9 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -86,10 +86,10 @@ interface(`files_tmp_file',`
')
########################################
-##
+##
## Transform the type into a file, for use on a
## virtual memory filesystem (tmpfs).
-##
+##
##
## The type to be transformed.
##
@@ -126,10 +126,10 @@ interface(`files_getattr_all_files',`
')
########################################
-##
+##
## Relabel all files on the filesystem, except
## the listed exceptions.
-##
+##
##
## The type of the domain perfoming this action.
##
@@ -163,10 +163,10 @@ interface(`files_relabel_all_files',`
')
########################################
-##
+##
## Manage all files on the filesystem, except
## the listed exceptions.
-##
+##
##
## The type of the domain perfoming this action.
##
@@ -303,11 +303,11 @@ interface(`files_list_root',`
')
########################################
-##
+##
## Create an object in the root directory, with a private
## type. If no object class is specified, the
## default is file.
-##
+##
##
## The type of the process performing this action.
##
@@ -416,6 +416,108 @@ interface(`files_unmount_rootfs',`
')
########################################
+##
+## List contents of directories with the default file type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_list_default',`
+ gen_require(`
+ type default_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 default_t:dir r_dir_perms;
+')
+
+########################################
+##
+## Mount a filesystem on a directory with the default file type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_mounton_default',`
+ gen_require(`
+ type default_t;
+ class dir { getattr search mounton };
+ ')
+
+ allow $1 default_t:dir { getattr search mounton };
+')
+
+########################################
+##
+## Read files with the default file type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_default_files',`
+ gen_require(`
+ type default_t;
+ class file r_file_perms;
+ ')
+
+ allow $1 default_t:file r_file_perms;
+')
+
+########################################
+##
+## Read symbolic links with the default file type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_default_symlinks',`
+ gen_require(`
+ type default_t;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 default_t:lnk_file r_file_perms;
+')
+
+########################################
+##
+## Read sockets with the default file type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_default_sockets',`
+ gen_require(`
+ type default_t;
+ class sock_file r_file_perms;
+ ')
+
+ allow $1 default_t:sock_file r_file_perms;
+')
+
+########################################
+##
+## Read named pipes with the default file type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_default_pipes',`
+ gen_require(`
+ type default_t;
+ class fifo_file r_file_perms;
+ ')
+
+ allow $1 default_t:fifo_file r_file_perms;
+')
+
+########################################
#
# files_search_etc(domain)
#
@@ -429,6 +531,23 @@ interface(`files_search_etc',`
')
########################################
+##
+## Set the attributes of the /etc directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_setattr_etc_dir',`
+ gen_require(`
+ type etc_t;
+ class dir setattr;
+ ')
+
+ allow $1 etc_t:dir setattr;
+')
+
+########################################
#
# files_list_etc(domain)
#
@@ -493,9 +612,9 @@ interface(`files_manage_etc_files',`
')
########################################
-##
+##
## Delete system configuration files in /etc.
-##
+##
##
## The type of the process performing this action.
##
@@ -615,6 +734,24 @@ interface(`files_dontaudit_search_isid_type_dir',`
########################################
##
+## List the contents of directories on new filesystems
+## that have not yet been labeled.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`files_list_isid_type_dir',`
+ gen_require(`
+ type file_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 file_t:dir r_dir_perms;
+')
+
+########################################
+##
## Read and write directories on new filesystems
## that have not yet been labeled.
##
@@ -651,6 +788,24 @@ interface(`files_manage_isid_type_dir',`
########################################
##
+## Mount a filesystem on a directory on new filesystems
+## that has not yet been labeled.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`files_mounton_isid_type_dir',`
+ gen_require(`
+ type file_t;
+ class dir { getattr search mounton };
+ ')
+
+ allow $1 file_t:dir { getattr search mounton };
+')
+
+########################################
+##
## Create, read, write, and delete files
## on new filesystems that have not yet been labeled.
##
@@ -858,6 +1013,23 @@ interface(`files_list_mnt',`
########################################
##
+## Create, read, write, and delete directories in /mnt.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_manage_mnt_dirs',`
+ gen_require(`
+ type mnt_t;
+ class dir create_dir_perms;
+ ')
+
+ allow $1 mnt_t:dir create_dir_perms;
+')
+
+########################################
+##
## Search the tmp directory (/tmp)
##
##
@@ -943,9 +1115,9 @@ interface(`files_read_usr_files',`
')
########################################
-##
+##
## Execute programs in /usr/src in the caller domain.
-##
+##
##
## The type of the process performing this action.
##
@@ -1027,9 +1199,9 @@ interface(`files_read_var_files',`
')
########################################
-##
+##
## Search the /var/lib directory.
-##
+##
##
## The type of the process performing this action.
##
@@ -1141,6 +1313,24 @@ interface(`files_create_lock',`
')
########################################
+##
+## Do not audit attempts to get the attributes
+## of the /var/run directory.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`files_dontaudit_getattr_pid_dir',`
+ gen_require(`
+ type var_run_t;
+ class dir getattr;
+ ')
+
+ dontaudit $1 var_run_t:dir getattr;
+')
+
+########################################
#
# files_search_pids(domain)
#
@@ -1218,9 +1408,9 @@ interface(`files_rw_generic_pids',`
')
########################################
-##
+##
## Do not audit attempts to write to daemon runtime data files.
-##
+##
##
## The type of the process performing this action.
##
@@ -1235,9 +1425,9 @@ interface(`files_dontaudit_write_all_pids',`
')
########################################
-##
+##
## Do not audit attempts to ioctl daemon runtime data files.
-##
+##
##
## The type of the process performing this action.
##
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index e8729a8..179e3a8 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -49,6 +49,11 @@ kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctl(fsadm_t)
# Allow console log change (updfstab)
kernel_change_ring_buffer_level(fsadm_t)
+# mkreiserfs needs this
+kernel_getattr_proc(fsadm_t)
+# Access to /initrd devices
+kernel_rw_unlabeled_dir(fsadm_t)
+kernel_use_unlabeled_blk_dev(fsadm_t)
# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
@@ -60,11 +65,16 @@ dev_search_usbfs(fsadm_t)
# for swapon
dev_getattr_sysfs_dir(fsadm_t)
dev_search_sysfs(fsadm_t)
+# Access to /initrd devices
+dev_getattr_usbfs_dir(fsadm_t)
fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
# remount file system to apply changes
fs_remount_xattr_fs(fsadm_t)
+# for /dev/shm
+fs_search_tmpfs(fsadm_t)
+fs_getattr_tmpfs_dir(fsadm_t)
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
@@ -78,13 +88,15 @@ domain_use_wide_inherit_fd(fsadm_t)
files_list_home(fsadm_t)
files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
-files_list_mnt(fsadm_t)
files_manage_lost_found(fsadm_t)
+files_manage_isid_type_dir(fsadm_t)
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
# Access to /initrd devices
files_rw_isid_type_dir(fsadm_t)
files_rw_isid_type_blk_node(fsadm_t)
+# Recreate /mnt/cdrom.
+files_manage_mnt_dirs(fsadm_t)
init_use_fd(fsadm_t)
init_use_script_pty(fsadm_t)
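Review bot: `files_manage_mnt_dirs(fsadm_t)` grants `create_dir_perms` on mnt_t directories, while the TODO rule it replaces (removed further down in this file) was only `allow fsadm_t mnt_t:dir { rmdir create };`. `files_manage_isid_type_dir(fsadm_t)` is added without a comment directly above the existing `files_rw_isid_type_dir(fsadm_t)`, which it presumably supersedes. fsadm_t already holds raw fixed-disk read and write through the `storage_raw_*` calls above, so the wider directory permissions deserve a why-comment such as `# replaces: allow fsadm_t file_t:dir { search read getattr rmdir create };` on the new line. If manage is intended, the rw call below it can be dropped.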
@@ -102,6 +114,14 @@ seutil_read_config(fsadm_t)
userdom_use_unpriv_users_fd(fsadm_t)
+tunable_policy(`read_default_t',`
+ files_list_default(fsadm_t)
+ files_read_default_files(fsadm_t)
+ files_read_default_symlinks(fsadm_t)
+ files_read_default_sockets(fsadm_t)
+ files_read_default_pipes(fsadm_t)
+')
+
optional_policy(`cron.te',`
# for smartctl cron jobs
cron_system_entry(fsadm_t,fsadm_exec_t)
@@ -112,32 +132,13 @@ optional_policy(`nis.te',`
')
ifdef(`TODO',`
-# for /dev/shm
-allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t bin_t:dir r_dir_perms;
allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
allow fsadm_t sbin_t:dir r_dir_perms;
allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
-if (read_default_t) {
-allow fsadm_t default_t:dir r_dir_perms;
-allow fsadm_t default_t:notdevfile_class_set r_file_perms;
-}
-
-# mkreiserfs needs this
-allow fsadm_t proc_t:filesystem getattr;
-
-allow fsadm_t file_t:dir { search read getattr rmdir create };
-
-# Recreate /mnt/cdrom.
-allow fsadm_t mnt_t:dir { rmdir create };
# Access terminals.
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
-# Access to /initrd devices
-allow fsadm_t unlabeled_t:dir rw_dir_perms;
-allow fsadm_t unlabeled_t:blk_file rw_file_perms;
-allow fsadm_t usbfs_t:dir getattr;
-
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 994e546..dfdc20a 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -26,6 +26,8 @@ sysnet_read_config(hostname_t)
kernel_read_kernel_sysctl(hostname_t)
kernel_dontaudit_use_fd(hostname_t)
+kernel_list_proc(hostname_t)
+kernel_read_proc_symlinks(hostname_t)
dev_read_sysfs(hostname_t)
@@ -89,14 +91,7 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-
-##daemon_base_domain(hostname, , nosysadm)
-##must remembe to go back and take care of the nosysadm part
-allow hostname_t proc_t:dir r_dir_perms;
-allow hostname_t proc_t:lnk_file read;
-
optional_policy(`rhgb.te', `
rhgb_domain(hostname_t)
')
-##end daemon_base_domain
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index a9d17f5..0de4cb5 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -59,6 +59,7 @@ corenet_tcp_bind_all_nodes(hotplug_t)
dev_read_sysfs(hotplug_t)
dev_read_usbfs(hotplug_t)
+dev_setattr_printer(hotplug_t)
dev_setattr_snd_dev(hotplug_t)
# for SSP:
dev_read_urand(hotplug_t)
@@ -197,8 +198,4 @@ optional_policy(`hald.te', `
optional_policy(`hotplug.te',`
hotplug_read_config(hald_t)
')
-
-optional_policy(`lpd.te', `
- allow hotplug_t printer_device_t:chr_file setattr;
-')
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index f11db47..49f1c22 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -276,6 +276,12 @@ files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spools(initrc_t)
+# Mount and unmount file systems.
+# cjp: not sure why these are here; should use mount policy
+files_list_isid_type_dir(initrc_t)
+files_mounton_isid_type_dir(initrc_t)
+files_list_default(initrc_t)
+files_mounton_default(initrc_t)
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
@@ -304,7 +310,15 @@ userdom_read_all_user_files(initrc_t)
userdom_use_sysadm_terms(initrc_t)
ifdef(`distro_debian', `
+ dev_setattr_dev_dir(initrc_t)
+
fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
+
+ # for storing state under /dev/shm
+ fs_setattr_tmpfs_dir(initrc_t)
+ storage_create_fixed_disk_tmpfs(initrc_t)
+
+ files_setattr_etc_dir(initrc_t)
')
ifdef(`distro_redhat',`
@@ -340,6 +354,10 @@ ifdef(`distro_redhat',`
mta_read_aliases(initrc_t)
')
+ifdef(`targeted_policy',`
+ unconfined_shell_domtrans(initrc_t)
+')
+
optional_policy(`hotplug.te',`
dev_read_usbfs(initrc_t)
@@ -360,6 +378,10 @@ optional_policy(`lvm.te',`
dev_create_generic_chr_file(initrc_t)
')
+optional_policy(`mta.te',`
+ mta_dontaudit_read_spool_symlink(initrc_t)
+')
+
optional_policy(`nis.te',`
nis_udp_sendto_ypbind(initrc_t)
nis_list_var_yp(initrc_t)
@@ -381,7 +403,7 @@ optional_policy(`rpm.te',`
# why is this needed:
rpm_manage_db(initrc_t)
-') dnl end rpm.te
+')
optional_policy(`ssh.te',`
optional_policy(`inetd.te',`
@@ -402,10 +424,6 @@ optional_policy(`sysnetwork.te',`
')
ifdef(`TODO',`
-
-# Mount and unmount file systems.
-allow initrc_t { file_t default_t }:dir { read search getattr mounton };
-
# Set device ownerships/modes.
allow initrc_t xconsole_device_t:fifo_file setattr;
@@ -417,29 +435,13 @@ su_restricted_domain(initrc,system)
role system_r types initrc_su_t;
')
-ifdef(`distro_debian', `
- allow initrc_t { etc_t device_t }:dir setattr;
-
- # for storing state under /dev/shm
- allow initrc_t tmpfs_t:dir setattr;
- file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
-')
-
ifdef(`distro_redhat', `
# readahead asks for these
allow initrc_t var_lib_nfs_t:file r_file_perms;
')
-ifdef(`targeted_policy', `
- domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+ifdef(`targeted_policy',`
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
- domain_trans(initrc_t, shell_exec_t, unconfined_t)
')
-
-#
-# Shutting down xinet causes these
-#
-# Rsync
-dontaudit initrc_t mail_spool_t:lnk_file read;
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 43ce4d0..5b83f34 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -76,22 +76,20 @@ logging_send_syslog_msg(ldconfig_t)
userdom_use_all_user_fd(ldconfig_t)
-ifdef(`TODO',`
-
-ifdef(`apache.te', `
- # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
- dontaudit ldconfig_t httpd_modules_t:dir search;
-')
-
-ifdef(`hide_broken_symptoms', `
- ifdef(`unconfined.te',`
- dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
+ifdef(`hide_broken_symptoms',`
+ optional_policy(`unconfined.te',`
+ unconfined_dontaudit_rw_tcp_socket(ldconfig_t)
')
')
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
allow ldconfig_t lib_t:file r_file_perms;
- unconfined_domain(ldconfig_t)
+ unconfined_domain_template(ldconfig_t)
')
+ifdef(`TODO',`
+optional_policy(`apache.te',`
+ # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
+ dontaudit ldconfig_t httpd_modules_t:dir search;
+')
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index c1cd442..1778eee 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -143,6 +143,19 @@ ifdef(`distro_redhat',`
files_dontaudit_read_root_file(local_login_t)
')
+ifdef(`targeted_policy',`
+ unconfined_domain_template(local_login_t)
+ unconfined_shell_domtrans(local_login_t)
+')
+
+tunable_policy(`read_default_t',`
+ files_list_default(local_login_t)
+ files_read_default_files(local_login_t)
+ files_read_default_symlinks(local_login_t)
+ files_read_default_sockets(local_login_t)
+ files_read_default_pipes(local_login_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(local_login_t)
fs_read_nfs_symlinks(local_login_t)
@@ -168,11 +181,6 @@ allow local_login_t bin_t:notdevfile_class_set r_file_perms;
allow local_login_t sbin_t:dir r_dir_perms;
allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
-tunable_policy(`read_default_t',`
- allow local_login_t default_t:dir r_dir_perms;
- allow local_login_t default_t:notdevfile_class_set r_file_perms;
-')
-
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
allow local_login_t readable_t:dir r_dir_perms;
@@ -181,19 +189,14 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms;
# for when /var/mail is a sym-link
allow local_login_t var_t:lnk_file read;
-dontaudit local_login_t device_t:lnk_file { getattr setattr };
+dontaudit local_login_t device_t:lnk_file setattr;
-# this goes to xserver:
+# this goes to xdm:
optional_policy(`locallogin.te',`
# FIXME: what is this for?
locallogin_signull(xdm_t)
')
-ifdef(`targeted_policy',`
- unconfined_domain(local_login_t)
- domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
-')
-
optional_policy(`gpm.te',`
allow local_login_t gpmctl_t:sock_file { getattr setattr };
')
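Review bot: The `dontaudit` on `device_t:lnk_file` loses `getattr` here with no comment and no replacement visible in this hunk. getattr on /dev symlinks by local_login_t will therefore either show up as denials again or has to be allowed by a rule elsewhere. If an interface call now allows it, say so in a comment above the line, e.g. `# getattr on device symlinks is allowed by <interface name>`; if not, keep `{ getattr setattr }`.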
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 8c6312e..c32a9b3 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -59,6 +59,8 @@ allow auditd_t auditd_var_run_t:file create_file_perms;
files_create_pid(auditd_t,auditd_var_run_t)
kernel_read_kernel_sysctl(auditd_t)
+kernel_list_proc(auditd_t)
+kernel_read_proc_symlinks(auditd_t)
dev_read_sysfs(auditd_t)
@@ -100,9 +102,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-allow auditd_t proc_t:dir r_dir_perms;
-allow auditd_t proc_t:lnk_file read;
-
optional_policy(`rhgb.te', `
rhgb_domain(auditd_t)
')
@@ -188,6 +187,7 @@ allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_pid(syslogd_t,syslogd_var_run_t)
kernel_read_kernel_sysctl(syslogd_t)
+kernel_read_proc_symlinks(syslogd_t)
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
dev_read_sysfs(syslogd_t)
@@ -269,7 +269,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-allow syslogd_t proc_t:lnk_file read;
dontaudit syslogd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
rhgb_domain(syslogd_t)
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 28e47aa..7236074 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -125,6 +125,7 @@ domain_use_wide_inherit_fd(lvm_t)
files_search_var(lvm_t)
files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
+files_dontaudit_getattr_pid_dir(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(lvm_t)
@@ -165,7 +166,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-dontaudit lvm_t var_run_t:dir getattr;
optional_policy(`gnome-pty-helper.te', `
allow lvm_t sysadm_gph_t:fd use;
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 86eb2f5..72daa8a 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -82,7 +82,7 @@ template(`unconfined_domain_template',`
## Domain allowed access.
##
#
-interface(`unconfined_domtrans_shell',`
+interface(`unconfined_shell_domtrans',`
gen_require(`
unconfined_t;
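Review bot: The `gen_require` block of the renamed `unconfined_shell_domtrans` lists `unconfined_t;` without the `type` keyword, whereas the new `unconfined_dontaudit_rw_tcp_socket` later in this file writes `type unconfined_t;`. This commit adds callers in init.te and locallogin.te, so it is a good moment to correct the requirement to `type unconfined_t;`. The interface body continues past the end of the hunk, so the rest of the require block is not visible here.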
@@ -144,6 +144,34 @@ interface(`unconfined_rw_pipe',`
########################################
##
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+##
+##
+##
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+##
+##
+## This interface was added due to a broken
+## symptom in ldconfig.
+##
+##
+##
+## Domain to not audit.
+##
+#
+interface(`unconfined_dontaudit_rw_tcp_socket',`
+ gen_require(`
+ type unconfined_t;
+ class tcp_socket { read write };
+ ')
+
+ dontaudit $1 unconfined_t:tcp_socket { read write };
+')
+
+########################################
+##
## Add the unconfined domain to the specified role.
##
##
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index c112ae6..68cd0b1 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -17,6 +17,7 @@ role system_r types unconfined_t;
#
unconfined_domain_template(unconfined_t)
+
logging_send_syslog_msg(unconfined_t)
#role sysadm_r types unconfined_t;
@@ -29,6 +30,8 @@ ifdef(`targeted_policy',`
# macros and domains from the "strict" policy.
# typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+ init_domtrans_script(unconfined_t)
+
userdom_unconfined(unconfined_t)
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 5cf505e..0f9cb97 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -904,7 +904,7 @@ interface(`userdom_spec_domtrans_unpriv_users',`
interface(`userdom_shell_domtrans_sysadm',`
ifdef(`targeted_policy',`
#cjp: need to doublecheck this one
- unconfined_domtrans_shell($1)
+ unconfined_shell_domtrans($1)
',`
gen_require(`
type sysadm_t;