diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index d04e231..a970980 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
-policy_module(kudzu,1.1.1)
+policy_module(kudzu,1.1.2)
 ########################################
 #
@@ -24,7 +24,6 @@ files_pid_file(kudzu_var_run_t)
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 dontaudit kudzu_t self:capability sys_tty_config;
 allow kudzu_t self:process { signal_perms execmem };
-auditallow kudzu_t self:process execmem;
 allow kudzu_t self:fifo_file rw_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow kudzu_t self:unix_dgram_socket create_socket_perms;
@@ -72,6 +71,7 @@ modutils_rename_module_config(kudzu_t)
 storage_read_scsi_generic(kudzu_t)
 storage_read_tape(kudzu_t)
 storage_raw_write_fixed_disk(kudzu_t)
+storage_raw_write_removable_device(kudzu_t)
 storage_raw_read_fixed_disk(kudzu_t)
 storage_raw_read_removable_device(kudzu_t)
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index 17165bf..3433cda 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
-policy_module(prelink,1.0.1)
+policy_module(prelink,1.0.2)
 ########################################
 #
@@ -65,6 +65,7 @@ files_read_etc_runtime_files(prelink_t)
 fs_getattr_xattr_fs(prelink_t)
 libs_use_ld_so(prelink_t)
+libs_exec_ld_so(prelink_t)
 libs_manage_ld_so(prelink_t)
 libs_relabel_ld_so(prelink_t)
 libs_use_shared_libs(prelink_t)
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
index 50a39d1..f7deda6 100644
--- a/refpolicy/policy/modules/admin/readahead.te
+++ b/refpolicy/policy/modules/admin/readahead.te
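Review bot: In kudzu.te, removing `auditallow kudzu_t self:process execmem;` while `allow kudzu_t self:process { signal_perms execmem };` stays on the line above drops the only record of when kudzu actually maps writable-executable memory, and the allow line carries no comment saying why execmem is needed. If the auditallow was removed only because it was noisy, keep the rationale where the permission is granted, e.g. `# execmem: needed during hardware probing — TODO confirm which component requires it`. Without that, a later reviewer cannot tell whether execmem is still required or merely inherited.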
@@ -1,5 +1,5 @@
-policy_module(readahead,1.1.1)
+policy_module(readahead,1.1.2)
 ########################################
 #
@@ -47,7 +47,9 @@ fs_getattr_all_fs(readahead_t)
 fs_search_auto_mountpoints(readahead_t)
 fs_getattr_all_pipes(readahead_t)
 fs_getattr_all_files(readahead_t)
-fs_search_ramfs(readahead_t)
+fs_dontaudit_search_ramfs(readahead_t)
+fs_dontaudit_read_ramfs_pipes(readahead_t)
+fs_dontaudit_read_ramfs_files(readahead_t)
 fs_read_tmpfs_symlinks(readahead_t)
 term_dontaudit_use_console(readahead_t)
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 5ee377f..a5f9bba 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -22,7 +22,6 @@ template(`su_restricted_domain_template', `
 	# Transition from the user domain to this domain.
 	domain_auto_trans($2, su_exec_t, $1_su_t)
-	allow $2 $1_su_t:fd use;
 	allow $1_su_t $2:fd use;
 	allow $1_su_t $2:fifo_file rw_file_perms;
 	allow $1_su_t $2:process sigchld;
@@ -30,9 +29,8 @@ template(`su_restricted_domain_template', `
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_su_t,$2)
 	allow $2 $1_su_t:fd use;
-	allow $1_su_t $2:fd use;
-	allow $1_su_t $2:fifo_file rw_file_perms;
-	allow $1_su_t $2:process sigchld;
+	allow $2 $1_su_t:fifo_file rw_file_perms;
+	allow $2 $1_su_t:process sigchld;
 	kernel_read_system_state($1_su_t)
 	kernel_read_kernel_sysctls($1_su_t)
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
index a3eb389..a3d8488 100644
--- a/refpolicy/policy/modules/admin/su.te
+++ b/refpolicy/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
-policy_module(su,1.2.0)
+policy_module(su,1.2.1)
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 7fb6338..5da7b89 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -1,5 +1,5 @@
-policy_module(bootloader,1.1.2)
+policy_module(bootloader,1.1.3)
 ########################################
 #
@@ -71,7 +71,7 @@ logging_log_file(var_log_ksyms_t)
 allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
 allow bootloader_t self:process { sigkill sigstop signull signal };
-allow bootloader_t self:fifo_file { getattr read write };
+allow bootloader_t self:fifo_file rw_file_perms;
 allow bootloader_t boot_t:dir { create rw_dir_perms };
 allow bootloader_t boot_t:file create_file_perms;
@@ -110,7 +110,7 @@ dev_getattr_all_blk_files(bootloader_t)
 dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
-dev_getattr_sysfs_dirs(bootloader_t)
+dev_read_sysfs(bootloader_t)
 # for reading BIOS data
 dev_read_raw_memory(bootloader_t)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 960016c..e0ef744 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.0.2)
+policy_module(corenetwork,1.0.3)
 ########################################
 #
@@ -46,6 +46,7 @@ network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
+network_port(bgp, tcp,179,s0, udp,179,s0)
 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
 network_port(clamd, tcp,3310,s0)
 network_port(clockspeed, udp,4041,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.fc b/refpolicy/policy/modules/kernel/devices.fc
index e194c75..54bbddf 100644
--- a/refpolicy/policy/modules/kernel/devices.fc
+++ b/refpolicy/policy/modules/kernel/devices.fc
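Review bot: In bootloader.te, replacing `dev_getattr_sysfs_dirs(bootloader_t)` with `dev_read_sysfs(bootloader_t)` widens the grant from stat on sysfs directories to reading sysfs content, and the hunk gives no reason, although the neighbouring `# for reading BIOS data` shows this file's habit of annotating such grants. Suggest a comment on the new line such as `# read sysfs for device/partition enumeration — TODO confirm what the bootloader actually reads`. Whether the full read is needed or a narrower dev_* interface would do cannot be told from the hunk.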
@@ -58,6 +58,8 @@ ifdef(`distro_suse', `
 /dev/z90crypt	-c	gen_context(system_u:object_r:crypt_device_t,s0)
 /dev/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
+/dev/bus/usb/.*/[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
+
 /dev/cpu/.*	-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/cpu/mtrr	-c	gen_context(system_u:object_r:mtrr_device_t,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index c5cc6ea..1e3008f 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.0.0)
+policy_module(devices,1.0.1)
 ########################################
 #
@@ -159,6 +159,12 @@ fs_noxattr_type(usbfs_t)
 genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
 genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
+#
+# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
+#
+type usb_device_t;
+dev_node(usb_device_t)
+
 type v4l_device_t;
 dev_node(v4l_device_t)
diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc
index 5fc259e..f9032b4 100644
--- a/refpolicy/policy/modules/kernel/files.fc
+++ b/refpolicy/policy/modules/kernel/files.fc
@@ -173,6 +173,8 @@ HOME_ROOT/lost\+found/.*	<>
 /usr(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 /usr/\.journal	<>
+/usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+
 /usr/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
 /usr/inclu.e(/.*)?	gen_context(system_u:object_r:usr_t,s0)
@@ -192,6 +194,7 @@ HOME_ROOT/lost\+found/.*	<>
 /usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 /usr/src(/.*)?	gen_context(system_u:object_r:src_t,s0)
+/usr/src(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 /usr/tmp	-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
 /usr/tmp/.*	<>
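Review bot: The new devices.fc pattern `/dev/bus/usb/.*/[0-9]+` does not agree with the comment added to devices.te in this same change, which documents the type as `/dev/bus/usb/[0-9]+/[0-9]+`; because `.*` also matches `/`, the fc entry would label any numeric-named character device nested at any depth under /dev/bus/usb. Tightening it to `/dev/bus/usb/[0-9]+/[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)` makes the labelling rule match the documented intent. Whether bus directory names are always numeric on the kernels this policy targets should be confirmed before narrowing.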
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index ff04244..73e5560 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -2292,7 +2292,7 @@ interface(`files_setattr_all_tmp_dirs',`
 		attribute tmpfile;
 	')
-	allow $1 tmpfile:dir { search getattr };
+	allow $1 tmpfile:dir { search setattr };
 ')
 ########################################
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index c3862cd..29de9d7 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.1.0)
+policy_module(files,1.1.1)
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index e884cef..0702509 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1033,6 +1033,24 @@ interface(`fs_search_inotifyfs',`
 ########################################
 ##
+##	List inotifyfs filesystem.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`fs_list_inotifyfs',`
+	gen_require(`
+		type inotifyfs_t;
+	')
+
+	allow $1 inotifyfs_t:dir r_dir_perms;
+')
+
+########################################
+##
 ##	Mount an iso9660 filesystem, which
 ##	is usually used on CDs.
 ##
@@ -1965,6 +1983,42 @@ interface(`fs_dontaudit_search_ramfs',`
 ########################################
 ##
+##	Dontaudit read on a ramfs files.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_read_ramfs_files',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	dontaudit $1 ramfs_t:file read;
+')
+
+########################################
+##
+##	Dontaudit read on a ramfs fifo_files.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_read_ramfs_pipes',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	dontaudit $1 ramfs_t:fifo_file read;
+')
+
+########################################
+##
 ##	Write to named pipe on a ramfs filesystem.
 ##
 ##
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index dd185a6..e90f68d 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.2.1)
+policy_module(filesystem,1.2.2)
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index bd890a6..6b7acd8 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -430,7 +430,7 @@ interface(`term_dontaudit_use_generic_ptys',`
 		type devpts_t;
 	')
-	dontaudit $1 devpts_t:chr_file { read write };
+	dontaudit $1 devpts_t:chr_file { getattr read write };
 ')
 ########################################
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index 45e3b67..295bdba 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.0.0)
+policy_module(terminal,1.0.1)
 ########################################
 #
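Review bot: The summaries of the two new filesystem.if interfaces, `Dontaudit read on a ramfs files.` and `Dontaudit read on a ramfs fifo_files.`, are ungrammatical and depart from the wording this same change uses for the other new dontaudit interfaces in automount.if and userdomain.if ("Do not audit attempts to ..."). Suggest `Do not audit attempts to read files on a ramfs filesystem.` for fs_dontaudit_read_ramfs_files and `Do not audit attempts to read named pipes on a ramfs filesystem.` for fs_dontaudit_read_ramfs_pipes. The parameter text `Domain allowed access.` is also misleading for a dontaudit interface; the automount.if hunk's `Domain to not audit.` is the right phrasing.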
diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc
index 5765eb2..1eb9976 100644
--- a/refpolicy/policy/modules/services/apache.fc
+++ b/refpolicy/policy/modules/services/apache.fc
@@ -45,6 +45,7 @@ ifdef(`distro_suse', `
 /var/cache/rt3(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/ssl.*\.sem	--	gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/lib/cacti(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dav(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -53,6 +54,7 @@ ifdef(`distro_suse', `
 /var/log/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cgiwrap\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/httpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 ifdef(`distro_debian', `
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 6b13f64..67ef22b 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.2.0)
+policy_module(apache,1.2.1)
 #
 # NOTES:
diff --git a/refpolicy/policy/modules/services/automount.if b/refpolicy/policy/modules/services/automount.if
index cf9b87a..5c17e86 100644
--- a/refpolicy/policy/modules/services/automount.if
+++ b/refpolicy/policy/modules/services/automount.if
@@ -43,3 +43,22 @@ interface(`automount_exec_config',`
 	corecmd_search_sbin($1)
 	can_exec($1,automount_etc_t)
 ')
+
+########################################
+##
+##	Do not audit attempts to get the attributes
+##	of automount temporary directories.
+##
+##
+##
+##	Domain to not audit.
+##
+##
+#
+interface(`automount_dontaudit_getattr_tmp_dirs',`
+	gen_require(`
+		type automount_tmp_t;
+	')
+
+	dontaudit $1 automount_tmp_t:dir getattr;
+')
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index 9ceb565..3037e1f 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount,1.1.1)
+policy_module(automount,1.1.2)
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index ab56c3b..6226fc0 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -429,7 +429,7 @@ interface(`cron_rw_pipes',`
 		type crond_t;
 	')
-	allow $1 crond_t:fifo_file { read write };
+	allow $1 crond_t:fifo_file { getattr read write };
 ')
 ########################################
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index e910bc0..fef15dc 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.2.0)
+policy_module(cron,1.2.1)
 gen_require(`
 	class passwd rootok;
@@ -108,6 +108,7 @@ auth_domtrans_chk_passwd(crond_t)
 corecmd_exec_shell(crond_t)
 corecmd_list_sbin(crond_t)
+corecmd_read_sbin_symlinks(crond_t)
 domain_use_wide_inherit_fd(crond_t)
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
index 6ac08a7..4ab327c 100644
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ b/refpolicy/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
-policy_module(fetchmail,1.0.1)
+policy_module(fetchmail,1.0.2)
 ########################################
 #
@@ -44,6 +44,7 @@ kernel_read_kernel_sysctls(fetchmail_t)
 kernel_list_proc(fetchmail_t)
 kernel_getattr_proc_files(fetchmail_t)
 kernel_read_proc_symlinks(fetchmail_t)
+kernel_dontaudit_read_system_state(fetchmail_t)
 corenet_non_ipsec_sendrecv(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 96ddc5b..8e85e00 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.2.3)
+policy_module(hal,1.2.4)
 ########################################
 #
@@ -112,12 +112,15 @@ storage_raw_write_fixed_disk(hald_t)
 term_dontaudit_use_console(hald_t)
 term_dontaudit_ioctl_unallocated_ttys(hald_t)
 term_dontaudit_use_unallocated_ttys(hald_t)
+term_dontaudit_use_generic_ptys(hald_t)
 init_use_fd(hald_t)
 init_use_script_ptys(hald_t)
 init_domtrans_script(hald_t)
 init_write_initctl(hald_t)
 init_read_utmp(hald_t)
+#hal runs shutdown, probably need a shutdown domain
+init_rw_utmp(hald_t)
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)
@@ -150,6 +153,10 @@ optional_policy(`apm',`
 	apm_stream_connect(hald_t)
 ')
+optional_policy(`automount', `
+	automount_dontaudit_getattr_tmp_dirs(hald_t)
+')
+
 optional_policy(`bind',`
 	bind_search_cache(hald_t)
 ')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 64f5ed8..91c90a8 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.2.0)
+policy_module(mta,1.2.1)
 ########################################
 #
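Review bot: In hal.te, `init_rw_utmp(hald_t)` is added directly beneath the existing `init_read_utmp(hald_t)`, so the read interface is now redundant and the pair reads as if two separate intents exist; replace the read line with the rw one rather than stacking them. The added comment `#hal runs shutdown, probably need a shutdown domain` records an open design question without marking it as one, which makes it easy to lose; suggest `# TODO: hal runs shutdown, which probably needs its own domain rather than rw access to utmp`.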
@@ -145,6 +145,8 @@ optional_policy(`postfix',`
 	files_getattr_tmp_dirs(system_mail_t)
 	postfix_exec_master(system_mail_t)
+	postfix_read_config(system_mail_t)
+	postfix_search_spool(system_mail_t)
 	ifdef(`distro_redhat',`
 		# compatability for old default main.cf
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index 0bb456d..d257644 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.2.1)
+policy_module(networkmanager,1.2.2)
 ########################################
 #
@@ -30,8 +30,9 @@ allow NetworkManager_t self:udp_socket create_socket_perms;
 allow NetworkManager_t self:packet_socket create_socket_perms;
 allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
-allow NetworkManager_t NetworkManager_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t)
+allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;
+allow NetworkManager_t NetworkManager_var_run_t:sock_file create_file_perms;
+files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
 kernel_read_system_state(NetworkManager_t)
 kernel_read_network_state(NetworkManager_t)
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 6749d3f..f54a670 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.1.0)
+policy_module(postfix,1.1.1)
 ########################################
 #
@@ -418,10 +418,13 @@ allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
 allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
+corenet_udp_sendrecv_all_if(postfix_postdrop_t)
+corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)
+
 term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
-sysnet_dontaudit_read_config(postfix_postdrop_t)
+sysnet_dns_name_resolve(postfix_postdrop_t)
 mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 10927ee..8aa512e 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -1,5 +1,5 @@
-policy_module(remotelogin,1.1.0)
+policy_module(remotelogin,1.1.1)
 ########################################
 #
@@ -96,6 +96,7 @@ files_read_world_readable_symlinks(remote_login_t)
 files_read_world_readable_pipes(remote_login_t)
 files_read_world_readable_sockets(remote_login_t)
 files_list_mnt(remote_login_t)
+files_polyinstantiate_all(remote_login_t)
 # for when /var/mail is a sym-link
 files_read_var_symlinks(remote_login_t)
@@ -152,6 +153,10 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_read_cifs_symlinks(remote_login_t)
 ')
+optional_policy(`alsa',`
+	alsa_domtrans(remote_login_t)
+')
+
 optional_policy(`nis',`
 	nis_use_ypbind(remote_login_t)
 ')
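Review bot: In postfix.te, `sysnet_dontaudit_read_config(postfix_postdrop_t)` becomes `sysnet_dns_name_resolve(postfix_postdrop_t)` and the same hunk adds `corenet_udp_sendrecv_all_if` and `corenet_udp_sendrecv_all_nodes` for it, so a domain whose resolver lookups were previously denied silently now gets DNS plus UDP traffic on every interface and node, with no comment saying what postdrop needs to resolve. The surrounding `term_dontaudit_use_all_user_ptys` and `mta_rw_user_mail_stream_sockets` rules suggest postdrop is the helper user domains hand mail to, which makes the rationale worth recording, e.g. `# postdrop resolves the local hostname when enqueueing — TODO confirm`. If the actual traffic is only DNS, a narrower corenet interface than the all_if/all_nodes pair would keep the footprint reviewable.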
@@ -163,30 +168,3 @@ optional_policy(`nscd',`
 optional_policy(`usermanage',`
 	usermanage_read_crack_db(remote_login_t)
 ')
-
-ifdef(`TODO',`
-# this goes to xdm:
-optional_policy(`remotelogin',`
-	# FIXME: what is this for?
-	remotelogin_signull(xdm_t)
-')
-# Login can polyinstantiate
-polyinstantiater(remote_login_t)
-
-ifdef(`alsa.te', `
-domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
-')
-
-allow remote_login_t userpty_type:chr_file { setattr write };
-allow remote_login_t ptyfile:chr_file { getattr ioctl };
-
-optional_policy(`rlogind',`
-	allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
-	allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
-')
-
-optional_policy(`telnetd',`
-	allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
-	allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
-')
-') dnl endif TODO
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 04c215c..1aa7495 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -65,6 +65,7 @@ term_dontaudit_use_console(sendmail_t)
 # for piping mail to a command
 corecmd_exec_shell(sendmail_t)
+corecmd_search_sbin(sendmail_t)
 domain_use_wide_inherit_fd(sendmail_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index 6bdea17..a3643ff 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.2.1)
+policy_module(spamassassin,1.2.2)
 ########################################
 #
@@ -77,6 +77,7 @@ corenet_tcp_bind_spamd_port(spamd_t)
 # DnsResolver.pm module which binds to
 # random ports >= 1024.
 corenet_udp_bind_generic_port(spamd_t)
+corenet_tcp_connect_razor_port(spamd_t)
 dev_read_sysfs(spamd_t)
 dev_read_urand(spamd_t)
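Review bot: sendmail.te gains `corecmd_search_sbin(sendmail_t)` but, unlike every other modified .te file in this change, has no accompanying `policy_module(sendmail, ...)` version-bump hunk. The rest of the change follows the convention of bumping the patch level whenever a module's rules change, so either add the bump here (the current version is not visible in this hunk) or note that a separate commit carries it.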
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 14369df..9d5d17e 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
-policy_module(zebra,1.1.0)
+policy_module(zebra,1.1.1)
 ########################################
 #
@@ -34,7 +34,7 @@ allow zebra_t self:file { ioctl read write getattr lock append };
 allow zebra_t self:unix_dgram_socket create_socket_perms;
 allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
-allow zebra_t self:tcp_socket connected_stream_socket_perms;
+allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
 allow zebra_t self:udp_socket create_socket_perms;
 allow zebra_t self:rawip_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 0d3b9d2..7c345eb 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
-policy_module(fstools,1.2.0)
+policy_module(fstools,1.2.1)
 ########################################
 #
@@ -57,6 +57,8 @@ kernel_getattr_proc(fsadm_t)
 kernel_rw_unlabeled_dirs(fsadm_t)
 kernel_rw_unlabeled_blk_files(fsadm_t)
+bootloader_getattr_boot_dirs(fsadm_t)
+
 dev_getattr_all_chr_files(fsadm_t)
 # mkreiserfs and other programs need this for UUID
 dev_read_rand(fsadm_t)
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 79c490c..d701311 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.2.0)
+policy_module(libraries,1.2.1)
 ########################################
 #
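Review bot: In zebra.te, adding `connect` to `allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };` grants only the socket-class permission; an outbound connection also needs a port rule, which is not in this hunk. Given that this same change defines the bgp port in corenetwork.te.in, the matching call would presumably be `corenet_tcp_connect_bgp_port(zebra_t)`, and a comment on the allow line naming the peering use would make the pairing clear. The zebra_t rules continue outside the hunk, so confirm such a port rule exists rather than relying on the self:tcp_socket change alone.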
@@ -71,6 +71,7 @@ domain_use_wide_inherit_fd(ldconfig_t)
 files_search_var_lib(ldconfig_t)
 files_read_etc_files(ldconfig_t)
 files_search_tmp(ldconfig_t)
+files_search_usr(ldconfig_t)
 # for when /etc/ld.so.cache is mislabeled:
 files_delete_etc_files(ldconfig_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 56dcfa2..fce565b 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -1,5 +1,5 @@
-policy_module(locallogin,1.1.2)
+policy_module(locallogin,1.1.3)
 ########################################
 #
@@ -141,6 +141,8 @@ files_read_world_readable_pipes(local_login_t)
 files_read_world_readable_sockets(local_login_t)
 # for when /var/mail is a symlink
 files_read_var_symlinks(local_login_t)
+# Login can polyinstantiate
+files_polyinstantiate_all(local_login_t)
 init_rw_utmp(local_login_t)
 init_dontaudit_use_fd(local_login_t)
@@ -214,11 +216,6 @@ optional_policy(`alsa',`
 	alsa_domtrans(local_login_t)
 ')
-ifdef(`TODO',`
-# Login can polyinstantiate
-polyinstantiater(local_login_t)
-') dnl endif TODO
-
 #################################
 #
 # Sulogin local policy
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 50b3a47..6e039f8 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.2.1)
+policy_module(logging,1.2.2)
 ########################################
 #
@@ -80,6 +80,8 @@ domain_use_wide_inherit_fd(auditctl_t)
 mls_file_read_up(auditctl_t)
+term_use_all_terms(auditctl_t)
+
 init_use_script_ptys(auditctl_t)
 init_dontaudit_use_fd(auditctl_t)
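Review bot: In logging.te, `term_use_all_terms(auditctl_t)` grants auditctl read/write on every terminal type, which presumably subsumes the narrower `init_use_script_ptys(auditctl_t)` two lines below and the `allow auditctl_t admin_tty_type:chr_file rw_file_perms;` that appears as context of the next hunk in this file; keeping all three obscures which access auditctl actually needs. If the broad grant is genuinely required (auditctl invoked from an arbitrary user terminal, for instance), drop the narrower rules and record the reason, e.g. `# auditctl may be run from any terminal — TODO confirm`; otherwise prefer the narrower rules and leave this line out.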
@@ -114,7 +116,7 @@ allow auditctl_t admin_tty_type:chr_file rw_file_perms;
 allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
-allow auditd_t self:process { signal_perms setsched };
+allow auditd_t self:process { signal_perms setpgid setsched };
 allow auditd_t self:file { getattr read write };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index d57696d..7ff39ff 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.2.1)
+policy_module(mount,1.2.2)
 ########################################
 #
@@ -33,6 +33,8 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
 dev_rw_lvm_control(mount_t)
+dev_dontaudit_getattr_memory_dev(mount_t)
+dev_getattr_sound_dev(mount_t)
 storage_raw_read_fixed_disk(mount_t)
 storage_raw_write_fixed_disk(mount_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 8447279..9a7e3b9 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.1.3)
+policy_module(selinuxutil,1.1.4)
 gen_require(`
 	bool secure_mode;
@@ -249,6 +249,7 @@ term_use_all_user_ttys(newrole_t)
 term_use_all_user_ptys(newrole_t)
 term_relabel_all_user_ttys(newrole_t)
 term_relabel_all_user_ptys(newrole_t)
+term_dontaudit_use_unallocated_ttys(newrole_t)
 auth_domtrans_chk_passwd(newrole_t)
@@ -354,6 +355,7 @@ init_use_fd(restorecon_t)
 init_use_script_ptys(restorecon_t)
 domain_use_wide_inherit_fd(restorecon_t)
+domain_dontaudit_search_all_domains_state(restorecon_t)
 files_read_etc_runtime_files(restorecon_t)
 files_read_etc_files(restorecon_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 6805508..c729e05 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.2.1)
+policy_module(udev,1.2.2)
 ########################################
 #
@@ -90,7 +90,7 @@ dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
 fs_getattr_all_fs(udev_t)
-fs_search_inotifyfs(udev_t)
+fs_list_inotifyfs(udev_t)
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)
@@ -106,7 +106,7 @@ corecmd_exec_sbin(udev_t)
 corecmd_exec_shell(udev_t)
 domain_exec_all_entry_files(udev_t)
-domain_dontaudit_list_all_domains_state(udev_t)
+domain_read_all_domains_state(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 6e0d8dd..e63d827 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -19,6 +19,7 @@ interface(`unconfined_domain_noaudit',`
 	# Use any Linux capability.
 	allow $1 self:capability *;
+	allow $1 self:fifo_file create_file_perms;
 	# Transition to myself, to make get_ordered_context_list happy.
 	allow $1 self:process transition;
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index b091fac..4eeced6 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.2.3)
+policy_module(unconfined,1.2.4)
 ########################################
 #
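Review bot: In udev.te, `domain_dontaudit_list_all_domains_state(udev_t)` becomes `domain_read_all_domains_state(udev_t)`, which turns a silenced directory listing into permission to read the /proc state of every domain on the system, and the hunk does not say which udev operation needs it. A comment on the new line naming the requirement, e.g. `# udev reads /proc/<pid> state of other domains for <what — TODO confirm>`, or a narrower domain_* interface if only listing is required, would keep the grant reviewable. The udev_t rules continue outside the hunk, so check that no existing narrower rule already covers the case.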
@@ -89,6 +89,10 @@ ifdef(`targeted_policy',`
 		firstboot_domtrans(unconfined_t)
 	')
+	optional_policy(`fstools',`
+		fstools_domtrans(unconfined_t)
+	')
+
 	optional_policy(`lpd',`
 		lpd_domtrans_checkpc(unconfined_t)
 	')
@@ -101,6 +105,10 @@ ifdef(`targeted_policy',`
 		mono_domtrans(unconfined_t)
 	')
+	optional_policy(`mount',`
+		mount_domtrans(unconfined_t)
+	')
+
 	optional_policy(`netutils',`
 		netutils_domtrans_ping(unconfined_t)
 	')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 5fb7042..d0e73f3 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -3049,6 +3049,25 @@ interface(`userdom_dontaudit_search_staff_home_dir',`
 ########################################
 ##
+##	Do not audit attempts to append to the staff
+##	users home directory.
+##
+##
+##
+##	Domain to not audit.
+##
+##
+#
+interface(`userdom_dontaudit_append_staff_home_files',`
+	gen_require(`
+		type staff_home_t;
+	')
+
+	dontaudit $1 staff_home_t:file append;
+')
+
+########################################
+##
 ##	Read files in the staff users home directory.
 ##
 ##
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 2d4457a..ac593ef 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.2.6)
+policy_module(userdomain,1.2.7)
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -156,6 +156,8 @@ ifdef(`targeted_policy',`
 	mls_process_read_up(sysadm_t)
+	init_exec(sysadm_t)
+
 	ifdef(`direct_sysadm_daemon',`
 		optional_policy(`init',`
 			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
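Review bot: The summary of the new `userdom_dontaudit_append_staff_home_files` in userdomain.if says `Do not audit attempts to append to the staff users home directory.` but the rule is `dontaudit $1 staff_home_t:file append;`, i.e. files inside that directory, as the interface name itself says. Suggest `Do not audit attempts to append to files in the staff users home directory.` so the documentation matches the rule.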
@@ -166,6 +168,7 @@ ifdef(`targeted_policy',`
 	logging_read_audit_log(secadm_t)
 	logging_domtrans_auditctl(secadm_t)
 	mls_process_read_up(secadm_t)
+	userdom_dontaudit_append_staff_home_files(secadm_t)
 ', `
 	logging_domtrans_auditctl(sysadm_t)
 	logging_read_audit_log(sysadm_t)
@@ -224,6 +227,10 @@ ifdef(`targeted_policy',`
 	optional_policy(`dmesg',`
 		dmesg_exec(sysadm_t)
+
+		ifdef(`enable_mls',`
+			dmesg_exec(secadm_t)
+		')
 	')
 	optional_policy(`dmidecode',`