diff --git a/refpolicy/policy/modules/admin/alsa.te b/refpolicy/policy/modules/admin/alsa.te
index 10de00f..ecdfc01 100644
--- a/refpolicy/policy/modules/admin/alsa.te
+++ b/refpolicy/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
-policy_module(alsa,1.0.0)
+policy_module(alsa,1.0.1)
 ########################################
 #
@@ -34,6 +34,7 @@ allow alsa_t alsa_etc_rw_t:lnk_file create_lnk_perms;
 files_read_etc_files(alsa_t)
 term_use_generic_pty(alsa_t)
+term_dontaudit_use_unallocated_tty(alsa_t)
 libs_use_ld_so(alsa_t)
 libs_use_shared_libs(alsa_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 2fafb8a..c9b4e63 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
-policy_module(kudzu,1.1.0)
+policy_module(kudzu,1.1.1)
 ########################################
 #
@@ -73,6 +73,7 @@ storage_read_scsi_generic(kudzu_t)
 storage_read_tape_device(kudzu_t)
 storage_raw_write_fixed_disk(kudzu_t)
 storage_raw_read_fixed_disk(kudzu_t)
+storage_raw_read_removable_device(kudzu_t)
 term_search_ptys(kudzu_t)
 term_dontaudit_use_console(kudzu_t)
diff --git a/refpolicy/policy/modules/admin/prelink.fc b/refpolicy/policy/modules/admin/prelink.fc
index ee0cf31..b94700c 100644
--- a/refpolicy/policy/modules/admin/prelink.fc
+++ b/refpolicy/policy/modules/admin/prelink.fc
@@ -3,4 +3,6 @@
 /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+/var/lib/misc/prelink\.* -- gen_context(system_u:object_r:prelink_cache_t,s0)
+
 /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index b5f4b1f..934fa44 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
-policy_module(prelink,1.0.0)
+policy_module(prelink,1.0.1)
 ########################################
 #
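Review bot: The new prelink.fc entry `/var/lib/misc/prelink\.* -- gen_context(system_u:object_r:prelink_cache_t,s0)` does not match a cache file that has a suffix after the dot: `\.*` is a literal dot repeated zero or more times, and file-context patterns are matched against the whole path, so only `/var/lib/misc/prelink` followed by nothing but dots qualifies. The pattern that matches `prelink.<suffix>` is `/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_cache_t,s0)`. Files prelink creates at run time still get prelink_cache_t through the `files_filetrans_var_lib(prelink_t, prelink_cache_t, file)` call added in prelink.te, but a relabel (setfiles/restorecon) would reset them to the directory's default type, after which the `allow prelink_t prelink_cache_t:file manage_file_perms` rule no longer covers them.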
@@ -28,6 +28,7 @@ allow prelink_t self:fifo_file rw_file_perms;
 allow prelink_t prelink_cache_t:file manage_file_perms;
 files_filetrans_etc(prelink_t, prelink_cache_t, file)
+files_filetrans_var_lib(prelink_t, prelink_cache_t, file)
 allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
 allow prelink_t prelink_log_t:file { create ra_file_perms };
@@ -58,6 +59,7 @@ domain_mmap_all_entry_files(prelink_t)
 files_list_all(prelink_t)
 files_getattr_all_files(prelink_t)
 files_write_non_security_dir(prelink_t)
+files_read_etc_files(prelink_t)
 files_read_etc_runtime_files(prelink_t)
 fs_getattr_xattr_fs(prelink_t)
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
index d07f3a0..193f34d 100644
--- a/refpolicy/policy/modules/admin/readahead.te
+++ b/refpolicy/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
-policy_module(readahead,1.1.0)
+policy_module(readahead,1.1.1)
 ########################################
 #
@@ -27,7 +27,7 @@ files_filetrans_pid(readahead_t,readahead_var_run_t)
 kernel_read_kernel_sysctl(readahead_t)
 kernel_read_system_state(readahead_t)
-kernel_getattr_core(readahead_t)
+kernel_dontaudit_getattr_core(readahead_t)
 dev_read_sysfs(readahead_t)
 dev_getattr_generic_chr_file(readahead_t)
@@ -48,6 +48,7 @@ fs_search_auto_mountpoints(readahead_t)
 fs_getattr_all_pipes(readahead_t)
 fs_getattr_all_files(readahead_t)
 fs_search_ramfs(readahead_t)
+fs_read_tmpfs_symlinks(readahead_t)
 term_dontaudit_use_console(readahead_t)
diff --git a/refpolicy/policy/modules/admin/tmpreaper.te b/refpolicy/policy/modules/admin/tmpreaper.te
index 0b0a423..f9545c9 100644
--- a/refpolicy/policy/modules/admin/tmpreaper.te
+++ b/refpolicy/policy/modules/admin/tmpreaper.te
@@ -1,5 +1,5 @@
-policy_module(tmpreaper,1.1.0)
+policy_module(tmpreaper,1.1.1)
 ########################################
 #
@@ -44,6 +44,10 @@ miscfiles_delete_man_pages(tmpreaper_t)
 cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
+optional_policy(`lpd',`
+ lpd_manage_spool(tmpreaper_t)
+')
+
 ifdef(`TODO',`
 allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
 ')
diff --git a/refpolicy/policy/modules/apps/slocate.te b/refpolicy/policy/modules/apps/slocate.te
index 32882f4..7c71035 100644
--- a/refpolicy/policy/modules/apps/slocate.te
+++ b/refpolicy/policy/modules/apps/slocate.te
@@ -1,5 +1,5 @@
-policy_module(slocate,1.0.0)
+policy_module(slocate,1.0.1)
 #################################
 #
@@ -41,6 +41,11 @@ files_read_etc_files(locate_t)
 fs_getattr_xattr_fs(locate_t)
+libs_use_shared_libs(locate_t)
+libs_use_ld_so(locate_t)
+
+miscfiles_read_localization(locate_t)
+
 optional_policy(`cron',`
 cron_system_entry(locate_t, locate_exec_t)
 ')
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 1237721..49f0666 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -1,5 +1,5 @@
-policy_module(bootloader,1.1.1)
+policy_module(bootloader,1.1.2)
 ########################################
 #
@@ -115,6 +115,7 @@ dev_getattr_sysfs_dir(bootloader_t)
 dev_read_raw_memory(bootloader_t)
 fs_getattr_xattr_fs(bootloader_t)
+fs_read_tmpfs_symlinks(bootloader_t)
 term_getattr_all_user_ttys(bootloader_t)
 term_dontaudit_manage_pty_dir(bootloader_t)
diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc
index 073712d..37aab17 100644
--- a/refpolicy/policy/modules/kernel/files.fc
+++ b/refpolicy/policy/modules/kernel/files.fc
@@ -115,6 +115,11 @@ HOME_ROOT/lost\+found/.* <>
 /media/[^/]*/.* <>
 #
+# /misc
+#
+/misc -d gen_context(system_u:object_r:mnt_t,s0)
+
+#
 # /mnt
 #
 /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
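Review bot: `lpd_manage_spool(tmpreaper_t)` in the tmpreaper.te hunk grants create, write and rename on the print spool, while tmpreaper only needs to remove aged entries; the `miscfiles_delete_man_pages(tmpreaper_t)` call just above it shows the narrower delete-only shape the rest of this block uses. If the lpd module has no delete-only spool interface, adding one (directory rw plus file unlink) would keep this cron-driven domain at least privilege; the optional_policy wrapper itself is well-formed. A one-line comment such as `# tmpreaper removes stale print spool entries` would also make the reason for the dependency visible.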
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index b269b63..103260c 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -352,12 +352,11 @@ interface(`files_dontaudit_list_non_security',`
 interface(`files_getattr_all_files',`
 gen_require(`
 attribute file_type;
- class dir search;
- class file getattr;
 ')
 allow $1 file_type:dir search;
 allow $1 file_type:file getattr;
+ allow $1 file_type:lnk_file getattr;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 3a51441..d8fb574 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2295,6 +2295,23 @@ interface(`fs_rw_tmpfs_file',`
 ########################################
 ##
+## Read tmpfs link files.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`fs_read_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 tmpfs_t:lnk_file read;
+')
+
+########################################
+##
 ## Read and write character nodes on tmpfs filesystems.
 ##
diff --git a/refpolicy/policy/modules/services/dbus.fc b/refpolicy/policy/modules/services/dbus.fc
index a859a53..8004713 100644
--- a/refpolicy/policy/modules/services/dbus.fc
+++ b/refpolicy/policy/modules/services/dbus.fc
@@ -1,5 +1,6 @@
 /etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+# Sorting does not work correctly if I combine these next two roles
 /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
-
+/bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
 /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index 4cf2fb9..258a8ea 100644
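Review bot: The new `fs_read_tmpfs_symlinks` interface in filesystem.if grants only `allow $1 tmpfs_t:lnk_file read;`, so a caller that lstat()s a link before following it would still be denied `getattr` on tmpfs_t; the files.if hunk in this same commit adds `lnk_file getattr` to files_getattr_all_files for what looks like the same class of denial, and the domains this commit wires up (fsadm_t, lvm_t, mount_t, readahead_t, bootloader_t) may well stat links under /dev/shm as part of path resolution. Consider `allow $1 tmpfs_t:lnk_file { getattr read };`. The summary line `## Read tmpfs link files.` would also read more precisely as `## Read symbolic links on tmpfs filesystems.`, matching the neighbouring `## Read and write character nodes on tmpfs filesystems.`.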
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail,1.1.1)
+policy_module(procmail,1.1.2)
 ########################################
 #
@@ -66,6 +66,7 @@ miscfiles_read_localization(procmail_t)
 userdom_priveleged_home_dir_manager(procmail_t)
 # Do not audit attempts to access /root.
 userdom_dontaudit_search_sysadm_home_dir(procmail_t)
+userdom_dontaudit_search_staff_home_dir(procmail_t)
 mta_manage_spool(procmail_t)
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index cdd8699..37de6fb 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -6,6 +6,9 @@ template(`xserver_common_domain_template',`
 #
 # Declarations
 #
+ gen_require(`
+ type xkb_var_lib_t, xserver_log_t;
+ ')
 type $1_xserver_t;
 domain_type($1_xserver_t)
@@ -202,6 +205,12 @@ template(`xserver_per_userdomain_template',`
 # Declarations
 #
+ gen_require(`
+ type xauth_exec_t;
+ type xserver_exec_t;
+ type iceauth_exec_t;
+ ')
+
 xserver_common_domain_template($1)
 role $3 types $1_xserver_t;
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 7772fc8..b2208fb 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.2.0)
+policy_module(authlogin,1.2.1)
 ########################################
 #
@@ -221,10 +221,6 @@ ifdef(`targeted_policy', `
 files_dontaudit_read_root_file(pam_console_t)
 ')
-optional_policy(`alsa',`
- alsa_domtrans(pam_console_t)
-')
-
 optional_policy(`gpm',`
 gpm_getattr_gpmctl(pam_console_t)
 gpm_setattr_gpmctl(pam_console_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 4a4c561..d0a6683 100644
--- a/refpolicy/policy/modules/system/fstools.te
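Review bot: The two gen_require blocks added to xserver.if are laid out differently: xserver_common_domain_template declares `type xkb_var_lib_t, xserver_log_t;` on one line while xserver_per_userdomain_template spreads `type xauth_exec_t;`, `type xserver_exec_t;` and `type iceauth_exec_t;` over three lines. Either form is accepted, but one convention per file reads better; the second block could become `type xauth_exec_t, xserver_exec_t, iceauth_exec_t;`. Both templates continue outside the hunks, so any other types they reference without a require are not visible here.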
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -81,6 +81,7 @@ fs_remount_xattr_fs(fsadm_t)
 # for /dev/shm
 fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dir(fsadm_t)
+fs_read_tmpfs_symlinks(fsadm_t)
 mls_file_write_down(fsadm_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index bef9e09..55f1cc5 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -1,5 +1,5 @@
-policy_module(locallogin,1.1.0)
+policy_module(locallogin,1.1.1)
 ########################################
 #
@@ -210,13 +210,13 @@ optional_policy(`usermanage',`
 usermanage_read_crack_db(local_login_t)
 ')
+optional_policy(`alsa',`
+ alsa_domtrans(local_login_t)
+')
+
 ifdef(`TODO',`
 # Login can polyinstantiate
 polyinstantiater(local_login_t)
-
-ifdef(`alsa.te', `
-domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
-')
 ') dnl endif TODO
 #################################
@@ -282,3 +282,7 @@ ifdef(`sulogin_no_pam', `
 optional_policy(`nis',`
 nis_use_ypbind(sulogin_t)
 ')
+
+optional_policy(`nscd',`
+ nscd_use_socket(sulogin_t)
+')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index b59549e..082d7f6 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.2.0)
+policy_module(logging,1.2.1)
 ########################################
 #
@@ -98,10 +98,12 @@ role sysadm_r types auditctl_t;
 audit_manager_domain(secadm_t)
 ifdef(`targeted_policy', `', `
-ifdef(`separate_secadm', `', `
+ifdef(`enable_mls', `
+audit_manager_domain(secadm_t)
+', `
 audit_manager_domain(sysadm_t)
-allow auditctl_t admin_tty_type:chr_file rw_file_perms;
 ')
+allow auditctl_t admin_tty_type:chr_file rw_file_perms;
 ')
 ') dnl end TODO
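Review bot: In the logging.te -98 hunk the new `enable_mls` branch calls `audit_manager_domain(secadm_t)`, but the context line just above `ifdef(`targeted_policy', `', `` already calls `audit_manager_domain(secadm_t)` and, as far as this hunk shows, does so unconditionally, so MLS builds would apply the interface twice. If that outer call sits inside a conditional that is outside the hunk this is harmless; otherwise the inner call is redundant and the branch reduces to the non-MLS `audit_manager_domain(sysadm_t)` alternative. Hoisting `allow auditctl_t admin_tty_type:chr_file rw_file_perms;` out of the inner ifdef also means the audit-control domain may use admin terminals in MLS builds where it previously could not; that looks intended but deserves a comment such as `# auditctl is run from an admin terminal in both MLS and non-MLS layouts`. The enclosing block closed by `') dnl end TODO` begins outside the hunk.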
@@ -272,9 +274,6 @@ allow syslogd_t self:udp_socket { connected_socket_perms connect };
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file create_file_perms;
 files_filetrans_pid(syslogd_t,devlog_t,sock_file)
-# cjp: I belive these are not needed:
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
 # create/append log files.
 allow syslogd_t var_log_t:dir rw_dir_perms;
@@ -325,8 +324,7 @@ corenet_udp_sendrecv_all_ports(syslogd_t)
 corenet_non_ipsec_sendrecv(syslogd_t)
 corenet_udp_bind_all_nodes(syslogd_t)
 corenet_tcp_bind_syslogd_port(syslogd_t)
-#cjp: why?
-corenet_tcp_connect_rsh_port(syslogd_t)
+corenet_udp_bind_syslogd_port(syslogd_t)
 fs_getattr_all_fs(syslogd_t)
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index daf1185..331dd1e 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm,1.2.0)
+policy_module(lvm,1.2.1)
 ########################################
 #
@@ -198,6 +198,7 @@ dev_dontaudit_getattr_generic_pipe(lvm_t)
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
+fs_read_tmpfs_symlinks(lvm_t)
 storage_relabel_fixed_disk(lvm_t)
 # LVM creates block devices in /dev/mapper or /dev/
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 87a764f..8552c97 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.2.0)
+policy_module(mount,1.2.1)
 ########################################
 #
@@ -46,6 +46,7 @@ fs_remount_all_fs(mount_t)
 fs_relabelfrom_all_fs(mount_t)
 fs_search_auto_mountpoints(mount_t)
 fs_use_tmpfs_chr_dev(mount_t)
+fs_read_tmpfs_symlinks(mount_t)
 term_use_all_terms(mount_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index ddc25ba..a070ebf 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -219,7 +219,6 @@ template(`base_user_template',`
 corecmd_exec_sbin($1_t)
 corecmd_exec_ls($1_t)
- domain_exec_all_entry_files($1_t)
 domain_use_wide_inherit_fd($1_t)
 # When the user domain runs ps, there will be a number of access
 # denials when ps tries to search /proc. Do not audit these denials.
@@ -533,6 +532,7 @@ template(`unpriv_user_template', `
 typeattribute $1_t unpriv_userdomain;
 domain_wide_inherit_fd($1_t)
+ domain_exec_all_entry_files($1_t)
 typeattribute $1_devpts_t user_ptynode;
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 4fdac5f..374a6b7 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.2.2)
+policy_module(userdomain,1.2.3)
 gen_require(`
 role sysadm_r, staff_r, user_r, secadm_r;
@@ -145,6 +145,8 @@ ifdef(`targeted_policy',`
 allow sysadm_t user_home_dir_t:dir create_dir_perms;
 files_filetrans_home(sysadm_t,user_home_dir_t)
+ corecmd_exec_shell(sysadm_t)
+
 mls_process_read_up(sysadm_t)
 logging_read_audit_log(sysadm_t)
@@ -194,6 +196,10 @@ ifdef(`targeted_policy',`
 certwatach_run(sysadm_t,sysadm_r,admin_terminal)
 ')
+ optional_policy(`consoletype',`
+ consoletype_exec(sysadm_t)
+ ')
+
 optional_policy(`ddcprobe',`
 ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
 ')
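Review bot: Moving `domain_exec_all_entry_files($1_t)` from base_user_template to unpriv_user_template in userdomain.if withdraws that permission from every user domain built on base_user_template that does not also pass through unpriv_user_template, and neither hunk shows where the administrative domains regain it. The `corecmd_exec_shell(sysadm_t)` added to the `ifdef(`targeted_policy',`` branch in userdomain.te reads like a compensation for one such domain, which suggests the non-targeted sysadm_t path should be checked for the same loss before this lands; if the loss is intended for admin domains, a comment next to the new call, such as `# only unprivileged users may execute arbitrary entry files`, would record that. Both templates continue outside the hunks.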