diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 44faeed..774450e 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -90,6 +90,7 @@ interface(`term_tty',`
 typeattribute $2 ttynode, serial_device;
 type_change $1 tty_device_t:chr_file $2;
+ fs_associate($1)
 files_associate_tmp($1)
 # Debian login is from shadow utils and does not allow resetting the perms.
@@ -715,6 +716,25 @@ interface(`term_setattr_unallocated_ttys',`
 ########################################
 ##
+## Do not audit attempts to set the attributes
+## of unallocated tty device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_dontaudit_setattr_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dontaudit $1 tty_device_t:chr_file setattr;
+')
+
+########################################
+##
 ## Do not audit attempts to ioctl
 ## unallocated tty device nodes.
 ##
@@ -776,6 +796,25 @@ interface(`term_reset_tty_labels',`
 ########################################
 ##
+## Append to unallocated ttys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_append_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file { getattr append };
+')
+
+########################################
+##
 ## Write to unallocated ttys.
 ##
 ##
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 497652a..c2f3639 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.1.4)
+policy_module(terminal,1.1.5)
 ########################################
 #
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 1006dc4..1b0376d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
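Review bot: The new `fs_associate($1)` line in `term_tty` carries no comment saying why tty node types now need the filesystem associate permission, whereas the neighbouring `files_associate_tmp($1)` is self-explanatory for a tmpfs-backed /dev; because every tty type is declared through `term_tty`, the grant reaches all of them, so the reason should be recorded next to it. If the motivation is a /dev that is not tmpfs-backed, I would add `# tty nodes may also be created or relabeled on a persistent /dev, so they must associate with that fs` — confirm against the case that triggered the denial. The body of `term_tty` starts before this hunk.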
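Review bot: The summary `## Append to unallocated ttys.` on `term_append_unallocated_ttys` understates what the interface grants: the domain also gets `getattr` on `tty_device_t` nodes and, via `dev_list_all_dev_nodes($1)`, listing of device directories, which is what a reviewer of a caller such as a long-running daemon has to weigh. I would extend the description to `## Append to and get attributes of unallocated ttys, listing /dev to find them.`. Granting `append` instead of the full write set of the neighbouring `term_write_unallocated_ttys` is the right least-privilege choice for a log sink; as the rule is keyed on `tty_device_t`, access presumably ends once a node is relabeled out of that type by the `type_change` in `term_tty`, which is worth a sentence in the description as well.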
@@ -265,6 +265,7 @@ term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
 term_dontaudit_use_generic_ptys(system_chkpwd_t)
 userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
+userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
 ########################################
 #
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index d5c66e3..542db15 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -55,14 +55,14 @@ interface(`clock_run',`
 ')
 ########################################
-##
-## Execute hwclock in the caller domain.
-##
-##
+##
+## Execute hwclock in the caller domain.
+##
+##
 ##
-## The type of the process performing this action.
+## The type of the process performing this action.
 ##
-##
+##
 #
 interface(`clock_exec',`
 gen_require(`
@@ -73,14 +73,32 @@ interface(`clock_exec',`
 ')
 ########################################
-##
-## Allow executing domain to modify clock drift
-##
-##
+##
+## Do not audit attempts to write clock drift adjustments.
+##
+##
 ##
-## The type of the process performing this action.
+## Domain to not audit.
 ##
-##
+##
+#
+interface(`clock_dontaudit_write_adjtime',`
+ gen_require(`
+ type adjtime_t;
+ ')
+
+ dontaudit $1 adjtime_t:file write;
+')
+
+########################################
+##
+## Read and write clock drift adjustments.
+##
+##
+##
+## Domain allowed access.
+##
+##
 #
 interface(`clock_rw_adjtime',`
 gen_require(`
@@ -90,4 +108,3 @@ interface(`clock_rw_adjtime',`
 allow $1 adjtime_t:file rw_file_perms;
 files_list_etc($1)
 ')
-
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 03d9885..8b7cef3 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -1,5 +1,5 @@
-policy_module(clock,1.0.1)
+policy_module(clock,1.0.2)
 ########################################
 #
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ab9d4b3..2cb9b8c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -416,6 +416,9 @@ ifdef(`distro_gentoo',`
 # mounting tmpfs on /dev
 fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
+ # init scripts touch this
+ clock_dontaudit_write_adjtime(initrc_t)
+
 optional_policy(`
 arpwatch_manage_data_files(initrc_t)
 ')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0c1b3ed..195a1a1 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.9)
+policy_module(logging,1.3.10)
 ########################################
 #
@@ -349,6 +349,13 @@ miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
+ifdef(`distro_gentoo',`
+ # default gentoo syslog-ng config appends kernel
+ # and high priority messages to /dev/tty12
+ term_append_unallocated_ttys(syslogd_t)
+ term_dontaudit_setattr_unallocated_ttys(syslogd_t)
+')
+
 ifdef(`distro_suse',`
 # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
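Review bot: `clock_dontaudit_write_adjtime(initrc_t)` only silences the denial; the write to `adjtime_t` is still refused, so if a Gentoo init script actually has to save the drift value (a clock-save step at shutdown, for instance) the failure becomes invisible instead of fixed, and the comment `# init scripts touch this` does not say which outcome is intended. If refusing the write is harmless, say so: `# init scripts touch adjtime but need not update it; just suppress the denial`; if it must succeed, `clock_rw_adjtime(initrc_t)`, the existing interface shown in the clock.if hunk, is the call instead. The enclosing distro_gentoo ifdef block starts before this hunk.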
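Review bot: The comment names `/dev/tty12`, but `term_append_unallocated_ttys(syslogd_t)` and `term_dontaudit_setattr_unallocated_ttys(syslogd_t)` are keyed on the `tty_device_t` type, so syslogd receives append on every unallocated tty node, not only tty12; the comment should make that scope explicit so nobody later reads the rule as tty12-only. Suggested wording: `# default gentoo syslog-ng config appends kernel and high priority` / `# messages to /dev/tty12; the rule is type-based and covers all unallocated ttys`. Keeping the rules inside the distro_gentoo ifdef so other distributions' syslogd does not pick them up is the right scoping.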