diff --git a/policy/modules/admin/accountsd.fc b/policy/modules/admin/accountsd.fc
deleted file mode 100644
index 1adca53..0000000
--- a/policy/modules/admin/accountsd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
-
-/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
diff --git a/policy/modules/admin/accountsd.if b/policy/modules/admin/accountsd.if
deleted file mode 100644
index ae9e219..0000000
--- a/policy/modules/admin/accountsd.if
+++ /dev/null
@@ -1,173 +0,0 @@ -## Accountsservice D-Bus interfaces for querying and manipulating user account information. - -######################################## -## -## Execute a domain transition to -## run Account Service daemon. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`accountsd_domtrans',` - gen_require(` - type accountsd_t, accountsd_exec_t; - ') - - domtrans_pattern($1, accountsd_exec_t, accountsd_t) - corecmd_search_bin($1) - files_search_usr($1) -') - -######################################## -## -## Search Accounts Service daemon -## lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_search_lib',` - gen_require(` - type accountsd_var_lib_t; - ') - - allow $1 accountsd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read Accounts Service daemon -## lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_read_lib_files',` - gen_require(` - type accountsd_var_lib_t; - ') - - read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Manage Account Service daemon -## lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_manage_lib_files',` - gen_require(` - type accountsd_var_lib_t; - ') - - manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Manage Account Service daemon -## lib content. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`accountsd_manage_var_lib',` - gen_require(` - type accountsd_var_lib_t; - ') - - manage_dirs_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) - manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) - manage_lnk_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Send and receive messages from -## Account Service daemon over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_dbus_chat',` - gen_require(` - type accountsd_t; - class dbus send_msg; - ') - - allow $1 accountsd_t:dbus send_msg; - allow accountsd_t $1:dbus send_msg; -') - -######################################## -## -## Do not audit attempts to read and -## write Account Service daemon pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_dontaudit_rw_fifo_file',` - gen_require(` - type accountsd_t; - ') - - dontaudit $1 accountsd_t:fifo_file rw_inherited_fifo_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an Account Service daemon environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`accountsd_admin',` - gen_require(` - type accountsd_t, accountsd_var_lib_t; - ') - - allow $1 accountsd_t:process { ptrace signal_perms }; - read_files_pattern($1, accountsd_t, accountsd_t) - - admin_pattern($1, accountsd_var_lib_t) - files_search_var_lib($1) -') diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if index c6a1872..852f36f 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if 
@@ -37,46 +37,26 @@ interface(`gnome_role',` ######################################## ## -## Execute gconf programs in -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_exec_gconf',` - gen_require(` - type gconfd_exec_t; - ') - - can_exec($1, gconfd_exec_t) -') - -######################################## -## -## Read gconf config files. +## gconf connection template. ## ## ## -## Domain allowed access. +## The type of the user domain. ## ## # -template(`gnome_read_gconf_config',` +interface(`gnome_stream_connect_gconf',` gen_require(` - type gconf_etc_t; + type gconfd_t, gconf_tmp_t; ') - allow $1 gconf_etc_t:dir list_dir_perms; - read_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) + read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) + allow $1 gconfd_t:unix_stream_socket connectto; ') -####################################### +######################################## ## -## Create, read, write, and delete gconf config files. +## Run gconfd in gconfd domain. ## ## ## 
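Review bot: The hunk drops `gnome_exec_gconf`, `gnome_read_gconf_config` and `gnome_manage_gconf_config` with no replacement anywhere in this diff, so any module that still calls one of them will fail at policy build time with an undefined macro; the tree should be searched for callers before this is merged, or the three kept as thin deprecated wrappers for one release. The remainder of the hunk only moves `gnome_stream_connect_gconf` into the space the removed interfaces occupied, which makes the diff read as a rewrite when it is a reorder, so a commit-message line stating that the gconf config interfaces are intentionally removed would make the change auditable. The retained `gnome_stream_connect_gconf` and the doc block of `gnome_domtrans_gconfd` continue past the end of this hunk.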
@@ -84,70 +64,51 @@ template(`gnome_read_gconf_config',` ## ## # -interface(`gnome_manage_gconf_config',` +interface(`gnome_domtrans_gconfd',` gen_require(` - type gconf_etc_t; + type gconfd_t, gconfd_exec_t; ') - manage_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) + domtrans_pattern($1, gconfd_exec_t, gconfd_t) ') ######################################## ## -## gconf connection template. +## Dontaudit search gnome homedir content (.config) ## ## ## -## Domain allowed access. -## -## -# -interface(`gnome_stream_connect_gconf',` - gen_require(` - type gconfd_t, gconf_tmp_t; - ') - - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; -') - -######################################## -## -## Run gconfd in gconfd domain. -## -## -## -## Domain allowed access. +## The type of the user domain. ## ## # -interface(`gnome_domtrans_gconfd',` +interface(`gnome_dontaudit_search_config',` gen_require(` - type gconfd_t, gconfd_exec_t; + attribute gnome_home_type; ') - domtrans_pattern($1, gconfd_exec_t, gconfd_t) + dontaudit $1 gnome_home_type:dir search_dir_perms; ') ######################################## ## -## Read gnome homedir content (.config) +## manage gnome homedir content (.config) ## ## ## -## Domain allowed access. +## The type of the user domain. ## ## # -template(`gnome_read_config',` +interface(`gnome_manage_config',` gen_require(` attribute gnome_home_type; ') - list_dirs_pattern($1, gnome_home_type, gnome_home_type) - read_files_pattern($1, gnome_home_type, gnome_home_type) - read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) + allow $1 gnome_home_type:dir manage_dir_perms; + allow $1 gnome_home_type:file manage_file_perms; + allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; + userdom_search_user_home_dirs($1) ') ######################################## 
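Review bot: The parameter descriptions of the relocated `gnome_dontaudit_search_config` and `gnome_manage_config` are changed from the refpolicy stock phrase `Domain allowed access.` to `The type of the user domain.`, while `gnome_setattr_config_dirs` in the next hunk keeps the stock phrase; the interface is not user-specific (it takes any domain, as the `$1` rules show), so the original wording was the accurate one and should be restored in both places. The summaries of `gnome_manage_config` here and `gnome_read_config` in the next hunk are also lowercased (`manage gnome homedir content`, `read gnome homedir content`) where the versions they replace were capitalised; keep `Manage …` / `Read …` for consistency with the rest of the file. The doc block at the top of this hunk belongs to `gnome_manage_gconf_config`, whose summary lines are outside the hunk.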
@@ -258,6 +219,45 @@ interface(`gnome_write_generic_cache_files',` ######################################## ## +## read gnome homedir content (.config) +## +## +## +## The type of the user domain. +## +## +# +template(`gnome_read_config',` + gen_require(` + attribute gnome_home_type; + ') + + list_dirs_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) +') + +######################################## +## +## Set attributes of Gnome config dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_setattr_config_dirs',` + gen_require(` + type gnome_home_t; + ') + + setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) + files_search_home($1) +') + +######################################## +## ## Create objects in a Gnome gconf home directory ## with an automatic type transition to ## a specified private type. 
@@ -525,62 +525,3 @@ interface(`gnome_dbus_chat_gconfdefault',` allow $1 gconfdefaultsm_t:dbus send_msg; allow gconfdefaultsm_t $1:dbus send_msg; ') - -######################################## -## -## Dontaudit search gnome homedir content (.config) -## -## -## -## The type of the user domain. -## -## -# -interface(`gnome_dontaudit_search_config',` - gen_require(` - attribute gnome_home_type; - ') - - dontaudit $1 gnome_home_type:dir search_dir_perms; -') - -######################################## -## -## Set attributes of Gnome config dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_setattr_config_dirs',` - gen_require(` - type gnome_home_t; - ') - - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) - files_search_home($1) -') - -######################################## -## -## manage gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_config',` - gen_require(` - attribute gnome_home_type; - ') - - allow $1 gnome_home_type:dir manage_dir_perms; - allow $1 gnome_home_type:file manage_file_perms; - allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; - userdom_search_user_home_dirs($1) -') - diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te index 48b59f9..59867f6 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te 
@@ -50,8 +50,8 @@ manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
-files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
-userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file})
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
 userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
 
 corenet_sendrecv_http_client_packets(telepathy_msn_t)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 4b49efa..ef14126 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5310,25 +5310,6 @@ interface(`files_getattr_generic_locks',`
 
 ########################################
 ##
-## Delete generic lock files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`files_delete_generic_locks',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- delete_files_pattern($1, var_lock_t, var_lock_t)
-')
-
-########################################
-##
 ## Create, read, write, and delete generic
 ## lock files.
 ##
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 812078c..f9930a3 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1233,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 #
 interface(`term_getattr_all_ttys',`
 gen_require(`
+ type tty_device_t;
 attribute ttynode;
 ')
 
 dev_list_all_dev_nodes($1)
 allow $1 ttynode:chr_file getattr;
+ allow $1 tty_device_t:chr_file getattr;
 ')
 
 ########################################
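Review bot: In the terminal.if hunk the new `allow $1 tty_device_t:chr_file getattr;` in `term_getattr_all_ttys` needs a reason on record: if `tty_device_t` already carries the `ttynode` attribute the line duplicates the existing `allow $1 ttynode:chr_file getattr;` and should go, and if it does not (the generic tty device label sitting outside the attribute) the interface summary above the hunk should say that the generic tty device is covered as well. A one-line comment before the new rule would settle it for the next reader, e.g. `# tty_device_t is not a ttynode; cover the generic tty device as well` (assuming that is the case — confirm against the declaration in terminal.te). The interface's `<summary>` block lies above the hunk.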
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te index 1875064..2ddeb70 100644 --- a/policy/modules/roles/dbadm.te +++ b/policy/modules/roles/dbadm.te @@ -5,56 +5,28 @@ policy_module(dbadm, 1.0.0) # Declarations # -## -## -## Allow dbadm to manage files in users home directories -## -## -gen_tunable(dbadm_manage_user_files, false) - -## -## -## Allow dbadm to read files in users home directories -## -## -gen_tunable(dbadm_read_user_files, false) - role dbadm_r; -userdom_base_user_template(dbadm) +userdom_unpriv_user_template(dbadm) ######################################## # # database admin local policy # -allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; - -files_dontaudit_search_all_dirs(dbadm_t) -files_delete_generic_locks(dbadm_t) -files_list_var(dbadm_t) - -selinux_get_enforce_mode(dbadm_t) - -logging_send_syslog_msg(dbadm_t) - -userdom_dontaudit_search_user_home_dirs(dbadm_t) - -tunable_policy(`dbadm_manage_user_files',` - userdom_manage_user_home_content_files(dbadm_t) - userdom_read_user_tmp_files(dbadm_t) - userdom_write_user_tmp_files(dbadm_t) +optional_policy(` + mysql_admin(dbadm_t, dbadm_r) ') -tunable_policy(`dbadm_read_user_files',` - userdom_read_user_home_content_files(dbadm_t) - userdom_read_user_tmp_files(dbadm_t) +optional_policy(` + postgresql_admin(dbadm_t, dbadm_r) ') +# For starting up daemon processes optional_policy(` - mysql_admin(dbadm_t, dbadm_r) + su_role_template(dbadm, dbadm_r, dbadm_t) ') optional_policy(` - postgresql_admin(dbadm_t, dbadm_r) + sudo_role_template(dbadm, dbadm_r, dbadm_t) ') diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te index 1632f10..2724c11 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te 
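Review bot: Replacing `userdom_base_user_template(dbadm)` with `userdom_unpriv_user_template(dbadm)` turns a deliberately minimal admin domain into a full unprivileged login user, which is a much wider grant than the explicit rules the hunk removes (the dropped `allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };` is the only narrowing), so the commit should state that this widening is intended. The two tunables `dbadm_manage_user_files` and `dbadm_read_user_files` are removed outright, which breaks any deployed `setsebool` or local configuration that references them, yet the hunk header still shows `policy_module(dbadm, 1.0.0)`; refpolicy convention is to bump the module version when a tunable or interface is removed, e.g. `policy_module(dbadm, 1.1.0)`. The added comment `# For starting up daemon processes` sits above only the `su_role_template` block; if it is meant to explain the `sudo_role_template` block too, place it above both or repeat it.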
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
 type accountsd_t;
 type accountsd_exec_t;
 dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
 
 type accountsd_var_lib_t;
 files_type(accountsd_var_lib_t)
@@ -55,3 +57,8 @@ optional_policy(`
 optional_policy(`
 policykit_dbus_chat(accountsd_t)
 ')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(accountsd_t)
+ xserver_manage_xdm_etc_files(accountsd_t)
+')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 691b539..939877a 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -678,6 +678,7 @@ list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow cronjob_t user_cron_spool_t:file create_lnk_perms;
 
 tunable_policy(`fcron_crond', `
 allow crond_t user_cron_spool_t:file manage_file_perms;
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bd9e35e..26a93da 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -446,7 +446,9 @@ files_mounton_default(initrc_t)
 files_manage_mnt_dirs(initrc_t)
 files_manage_mnt_files(initrc_t)
 
-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
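Review bot: `role system_r types accountsd_t;` directly after `init_daemon_domain(accountsd_t, accountsd_exec_t)` is most likely redundant, since refpolicy's `init_daemon_domain` already associates the domain with `system_r`; confirm against init.if and drop the explicit line if so. The new optional block grants `xserver_manage_xdm_etc_files(accountsd_t)`, i.e. create/write/unlink on the display manager's configuration, which is a sensitive write target for a D-Bus-reachable system daemon and should carry a comment naming the concrete need, e.g. `# accounts-daemon rewrites the display manager's automatic-login settings` (presumably the reason — verify before wording it). If only a single file needs to change, a narrower interface than the manage variant would be the better fit.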
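Review bot: The added `allow cronjob_t user_cron_spool_t:file create_lnk_perms;` in cron.te pairs a symlink-named permission set with the `file` class and is dropped into the middle of the `crond_t` rules (every surrounding line is a crond_t pattern on user_cron_spool_t), so both the intent and the placement are unclear. If cron jobs must create regular files in the spool, `create_file_perms` on `file` is the matching set; if they must create symlinks, the class should be `lnk_file` with `create_lnk_file_perms`, and either way the rule belongs in the cronjob_t local policy section with a comment naming the use case. Because crond reads job definitions from user_cron_spool_t, write access for the job domain itself is security-sensitive and should be as narrow as the use case allows.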
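Review bot: In init.te, `fs_delete_cgroup_dirs(initrc_t)` lets every init script remove cgroup hierarchies, a step beyond the replaced `fs_write_cgroup_files(initrc_t)`, and the three new calls arrive without any comment naming which script needs them; a one-line comment above the group would help, e.g. `# cgroup setup/cleanup scripts create and remove hierarchies` (presumably the trigger — verify which script prompted this). Adjacent rules such as `# rhgb-console writes to ramfs` already follow that pattern, so the new lines would be consistent with the file's style.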
-## Allow dbadm to manage files in users home directories -##
-## Allow dbadm to read files in users home directories -##