diff --git a/Changelog b/Changelog index cf13e5b..a9cac97 100644 --- a/Changelog +++ b/Changelog @@ -16,6 +16,7 @@ - Enhanced setransd support from Darrel Goeddel. - Patches from Dan Walsh: Tue, 24 Oct 2006 + Wed, 29 Nov 2006 - Added modules: aide (Matt Anderson) ccs (Dan Walsh) diff --git a/policy/global_tunables b/policy/global_tunables index 31912d3..1cdee7a 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -596,7 +596,7 @@ gen_tunable(allow_mount_anyfile,false) ## ##

-## Allow spammd to read/write user home directories.
+## Allow spamd to read/write user home directories.
 ##

##
gen_tunable(spamd_enable_home_dirs,true) diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if index d44693c..318ce38 100644 --- a/policy/modules/admin/amanda.if +++ b/policy/modules/admin/amanda.if @@ -109,6 +109,26 @@ interface(`amanda_rw_dumpdates_files',` allow $1 amanda_dumpdates_t:file rw_file_perms; ') + +######################################## +## +## Search amanda library directories. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`amanda_manage_lib',` + gen_require(` + type amanda_usr_lib_t; + ') + + allow $1 amanda_usr_lib_t:dir manage_dir_perms; + files_search_usr($1) +') + ######################################## ## ## Allow read/writing amanda logs diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index 5846c7c..7bbcc1b 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te @@ -1,5 +1,5 @@ -policy_module(amanda,1.4.1) +policy_module(amanda,1.4.2) ####################################### # @@ -75,6 +75,7 @@ allow amanda_t self:unix_stream_socket create_stream_socket_perms; allow amanda_t self:unix_dgram_socket create_socket_perms; allow amanda_t self:tcp_socket create_stream_socket_perms; allow amanda_t self:udp_socket create_socket_perms; +allow amanda_t self:netlink_route_socket r_netlink_socket_perms; # access to amanda_amandates_t allow amanda_t amanda_amandates_t:file { getattr lock read write }; diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 750901c..7668ee2 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -1,5 +1,5 @@ -policy_module(bootloader,1.3.1) +policy_module(bootloader,1.3.2) ######################################## # @@ -187,6 +187,10 @@ optional_policy(` ') optional_policy(` + hal_dontaudit_append_lib_files(bootloader_t) +') + +optional_policy(` kudzu_domtrans(bootloader_t) ') 
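Review bot: The summary of the new `amanda_manage_lib` interface says "Search amanda library directories", but the rule grants `manage_dir_perms` on `amanda_usr_lib_t`, which lets the caller create and remove directories there, and it grants no file permission at all. Either the summary should read `## Manage amanda library directories.` so callers know what they are handing out, or, if callers only need to traverse, the rule should be `allow $1 amanda_usr_lib_t:dir search_dir_perms;`. The only caller in this diff is prelink_t, which rewrites files rather than creating directories, so the narrower form may be what was intended.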
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index 4176db1..dc641ee 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -1,5 +1,5 @@ -policy_module(consoletype,1.1.0) +policy_module(consoletype,1.1.1) ######################################## # @@ -84,7 +84,7 @@ optional_policy(` optional_policy(` files_read_etc_files(consoletype_t) firstboot_use_fds(consoletype_t) - firstboot_write_pipes(consoletype_t) + firstboot_rw_pipes(consoletype_t) ') optional_policy(` diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if index 4214456..266e43d 100644 --- a/policy/modules/admin/firstboot.if +++ b/policy/modules/admin/firstboot.if @@ -111,3 +111,21 @@ interface(`firstboot_write_pipes',` allow $1 firstboot_t:fifo_file write; ') + +######################################## +## +## Read and Write to a firstboot unnamed pipe. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`firstboot_rw_pipes',` + gen_require(` + type firstboot_t; + ') + + allow $1 firstboot_t:fifo_file { read write }; +') diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te index e89db87..4920d65 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -1,5 +1,5 @@ -policy_module(firstboot,1.2.0) +policy_module(firstboot,1.2.1) gen_require(` class passwd rootok; diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te index f314733..a964e04 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -1,5 +1,5 @@ -policy_module(logwatch,1.2.0) +policy_module(logwatch,1.2.1) ################################# # @@ -53,6 +53,7 @@ corecmd_exec_shell(logwatch_t) corecmd_exec_ls(logwatch_t) dev_read_urand(logwatch_t) +dev_search_sysfs(logwatch_t) # Read /proc/PID directories for all domains. domain_read_all_domains_state(logwatch_t) 
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index c3e0cc6..ccec1e2 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -1,5 +1,5 @@ -policy_module(prelink,1.2.1) +policy_module(prelink,1.2.2) ######################################## # @@ -57,6 +57,7 @@ files_getattr_all_files(prelink_t) files_write_non_security_dirs(prelink_t) files_read_etc_files(prelink_t) files_read_etc_runtime_files(prelink_t) +files_dontaudit_read_all_symlinks(prelink_t) fs_getattr_xattr_fs(prelink_t) @@ -82,6 +83,12 @@ ifdef(`targeted_policy',` # prelink executables in the user homedir userdom_manage_generic_user_home_content_files(prelink_t) + userdom_mmap_generic_user_home_content_files(prelink_t) + userdom_dontaudit_relabel_generic_user_home_content_files(prelink_t) +') + +optional_policy(` + amanda_manage_lib(prelink_t) ') optional_policy(` diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te index 4f188d2..fa48c69 100644 --- a/policy/modules/admin/quota.te +++ b/policy/modules/admin/quota.te @@ -1,5 +1,5 @@ -policy_module(quota,1.0.0) +policy_module(quota,1.0.1) ######################################## # @@ -37,6 +37,8 @@ fs_getattr_xattr_fs(quota_t) fs_remount_xattr_fs(quota_t) fs_search_auto_mountpoints(quota_t) +mls_file_read_up(quota_t) + storage_raw_read_fixed_disk(quota_t) term_dontaudit_use_console(quota_t) diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index 311e466..ad11d34 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.4.1) +policy_module(rpm,1.4.2) ######################################## # @@ -189,6 +189,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + hal_dbus_chat(rpm_t) +') + +optional_policy(` cron_system_entry(rpm_t,rpm_exec_t) ') 
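Review bot: `mls_file_read_up(quota_t)` in the quota.te hunk is an MLS override with no comment explaining which higher-level files the quota tools need to read. Overrides of this kind are the first thing an MLS audit looks at, so a one-line justification such as `# quotacheck scans whole filesystems, including files above its own level` (if that is the reason) would keep it from looking accidental. The `files_dontaudit_read_all_symlinks(prelink_t)` line in the prelink.te hunk silences denials on every symlink in the system; if the noise comes from one tree, a comment naming it would let a later reviewer scope it down.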
@@ -196,6 +200,10 @@ optional_policy(` nis_use_ypbind(rpm_t) ') +optional_policy(` + prelink_domtrans(rpm_t) +') + ifdef(`TODO',` # read/write/create any files in the system dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; @@ -270,6 +278,9 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) +mcs_killall(rpm_script_t) +mcs_ptrace_all(rpm_script_t) + mls_file_read_up(rpm_script_t) mls_file_write_down(rpm_script_t) @@ -367,32 +378,3 @@ optional_policy(` usermanage_domtrans_groupadd(rpm_script_t) usermanage_domtrans_useradd(rpm_script_t) ') - -ifdef(`TODO',` -optional_policy(` -can_exec(rpm_script_t,printconf_t) -') - -optional_policy(` -allow cupsd_t rpm_var_lib_t:dir r_dir_perms; -allow cupsd_t rpm_var_lib_t:file r_file_perms; -allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms; -allow cupsd_t initrc_exec_t:file r_file_perms; -domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t) -') - -optional_policy(` -domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t) -') - -optional_policy(` -domain_auto_trans(rpm_t, prelink_exec_t, prelink_t) -') - -ifdef(`hide_broken_symptoms', ` - optional_policy(` - domain_trans(rpm_t, pam_console_exec_t, rpm_script_t) - ') -') - -') dnl end TODO diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 433740a..d48cd01 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage,1.4.1) +policy_module(usermanage,1.4.2) ######################################## # 
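Review bot: `mcs_killall(rpm_script_t)` and `mcs_ptrace_all(rpm_script_t)` in the `@@ -270,6 +278,9 @@` hunk exempt package scriptlets from MCS category separation for both signals and ptrace, with no comment saying which scriptlet needs it. Since rpm_script_t runs arbitrary post-install scripts, this is one of the broadest exemptions in the policy; a comment naming the trigger, e.g. `# scriptlets restart services running in other categories`, would let a reviewer judge whether ptrace is really required or only kill. The `prelink_domtrans(rpm_t)` addition replaces the `domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)` line removed from the TODO block, which reads consistently.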
@@ -189,7 +189,7 @@ optional_policy(` # allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write }; -dontaudit groupadd_t self:capability fsetid; +dontaudit groupadd_t self:capability { fsetid sys_tty_config }; allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow groupadd_t self:process { setrlimit setfscreate }; allow groupadd_t self:fd use; @@ -454,6 +454,7 @@ optional_policy(` # allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write }; +dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; allow useradd_t self:fd use; diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te index e7f0d66..e93fb0f 100644 --- a/policy/modules/apps/slocate.te +++ b/policy/modules/apps/slocate.te @@ -1,5 +1,5 @@ -policy_module(slocate,1.2.0) +policy_module(slocate,1.2.1) ################################# # @@ -41,8 +41,6 @@ files_list_all(locate_t) files_getattr_all_files(locate_t) files_read_etc_runtime_files(locate_t) files_read_etc_files(locate_t) -# mls Higher level directories will be refused, so dontaudit -files_dontaudit_getattr_all_dirs(locate_t) fs_getattr_xattr_fs(locate_t) fs_getattr_rpc_pipefs(locate_t) @@ -52,6 +50,11 @@ libs_use_ld_so(locate_t) miscfiles_read_localization(locate_t) +ifdef(`enable_mls',` + # On MLS machines will not be allowed to getattr Anything but SystemLow + files_dontaudit_getattr_all_dirs(locate_t) +') + optional_policy(` cron_system_entry(locate_t, locate_exec_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 20a08e5..ecf1bec 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc 
@@ -171,6 +171,7 @@ ifdef(`distro_gentoo',` /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 2651e3e..7108881 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.4.2) +policy_module(corecommands,1.4.3) ######################################## # diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 51492bb..0af6336 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -969,6 +969,24 @@ interface(`corenet_udp_bind_all_ports',` ######################################## ## +## Do not audit attepts to bind UDP sockets to any ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_udp_bind_all_ports',` + gen_require(` + attribute port_type; + ') + + dontaudit $1 port_type:udp_socket name_bind; +') + +######################################## +## ## Connect TCP sockets to all ports. ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 24921db..b3f13bc 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.2.2) +policy_module(corenetwork,1.2.3) ######################################## # 
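Review bot: The summary of `corenet_dontaudit_udp_bind_all_ports` misspells "attempts" as "attepts"; the line should read `## Do not audit attempts to bind UDP sockets to any ports.` The summary is what ends up in the generated interface documentation, so the typo is visible to every policy writer. It would also help to state that the dontaudit targets the whole `port_type` attribute, reserved ports included, since a caller may otherwise assume only unreserved ports are covered.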
@@ -110,6 +110,7 @@ network_port(nessus, tcp,1241,s0) network_port(netsupport, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0) network_port(ntp, udp,123,s0) +network_port(ocsp, tcp,9080,s0) network_port(openvpn, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index eb21d4b..428331c 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -20,12 +20,14 @@ /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) 
@@ -47,13 +49,14 @@ /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0) -/dev/raw1394. -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) /dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/smu -c gen_context(system_u:object_r:power_device_t,s0) /dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 1fd7ed9..b19784e 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -568,6 +568,7 @@ interface(`dev_manage_generic_blk_files',` allow $1 device_t:dir rw_dir_perms; allow $1 device_t:blk_file create_file_perms; + allow $1 self:capability mknod; ') ######################################## @@ -587,6 +588,7 @@ interface(`dev_manage_generic_chr_files',` allow $1 device_t:dir rw_dir_perms; allow $1 device_t:chr_file create_file_perms; + allow $1 self:capability mknod; ') ######################################## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index dc5668f..bd3da90 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.2.3) +policy_module(devices,1.2.4) ######################################## # 
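Review bot: Adding `allow $1 self:capability mknod;` inside `dev_manage_generic_blk_files` and `dev_manage_generic_chr_files` changes what those interfaces grant beyond device_t: CAP_MKNOD lets the domain create device nodes in any directory it can already write, not only under /dev. Callers reading the existing summaries will not expect a capability, so each summary should mention it, e.g. `## This also grants the mknod capability.` If the capability was bundled only to keep existing callers working, a comment above the new line saying so would make that clear to the next person who wonders why a file-management interface hands out a capability.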
@@ -66,6 +66,12 @@ type framebuf_device_t; dev_node(framebuf_device_t) # +# Type for /dev/kmsg +# +type kmsg_device_t; +dev_node(kmsg_device_t) + +# # Type for /dev/mapper/control # type lvm_control_t; diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index c4bb816..c5527ec 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -641,6 +641,24 @@ interface(`files_dontaudit_getattr_all_symlinks',` ######################################## ## +## Do not audit attempts to read all symbolic links. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_read_all_symlinks',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:lnk_file read; +') + +######################################## +## ## Do not audit attempts to get the attributes ## of non security symbolic links. ## @@ -4478,7 +4496,7 @@ interface(`files_polyinstantiate_all',` allow $1 self:capability sys_admin; # Need to give access to the directories to be polyinstantiated - allow $1 polydir:dir { create getattr search write add_name setattr mounton }; + allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir }; # Need to give access to the polyinstantiated subdirectories allow $1 polymember:dir search_dir_perms; diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 9f114e8..5b6e748 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.3.1) +policy_module(files,1.3.2) ######################################## # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 52efe48..269f7b1 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.4.2) +policy_module(filesystem,1.4.3) ######################################## # 
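Review bot: The new `kmsg_device_t` type in the devices.te hunk, paired with the `/dev/kmsg` entry labeled `mls_systemhigh` in devices.fc, has no accessor interface anywhere in this diff, so any domain that wrote to /dev/kmsg under its previous generic device label will be denied until one is added. If that is intended, a comment above the type such as `# no accessor yet; writers of /dev/kmsg must be granted access explicitly` would record it; otherwise the interface should land together with the type. The `rmdir` added to `files_polyinstantiate_all` is a small widening of an interface that already carries sys_admin and deserves a word in its summary.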
@@ -21,8 +21,10 @@ sid fs gen_context(system_u:object_r:fs_t,s0) # Use xattrs for the following filesystem types. # Requires that a security xattr handler exist for the filesystem. +fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); @@ -182,7 +184,6 @@ genfscon afs / gen_context(system_u:object_r:nfs_t,s0) genfscon hfs / gen_context(system_u:object_r:nfs_t,s0) genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) -genfscon gfs / gen_context(system_u:object_r:nfs_t,s0) ######################################## # @@ -193,6 +194,14 @@ allow filesystem_type self:filesystem associate; ######################################## # +# Rules for filesystems without xattr support +# + +# Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example +fs_associate_noxattr(noxattrfs) + +######################################## +# # Unconfined access to this module # diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc index 6fafbd9..61ce491 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc @@ -15,6 +15,7 @@ /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index 06cddf7..ad7759b 100644 --- a/policy/modules/kernel/terminal.te 
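Review bot: The comment `# Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example` above `fs_associate_noxattr(noxattrfs)` is written in the first person and does not state the effect, which is that files labeled with any noxattrfs type may now be associated with any filesystem carrying that attribute. Suggest `# Let files of any noxattrfs type be associated with any noxattrfs filesystem, so they can be moved between them (e.g. nfs_t to dosfs_t).` Separately, `fs_use_xattr encfs` assumes the encfs layer passes security xattrs through to its backing store; if that was only checked on one configuration, a comment noting it would be worth having.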
+++ b/policy/modules/kernel/terminal.te @@ -1,5 +1,5 @@ -policy_module(terminal,1.2.2) +policy_module(terminal,1.2.3) ######################################## # diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc index 3f81db7..06f2248 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -44,6 +44,7 @@ ifdef(`distro_suse', ` /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 1eae40d..a041e6e 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.4.2) +policy_module(apache,1.4.3) # # NOTES: @@ -170,6 +170,10 @@ allow httpd_t httpd_modules_t:file rx_file_perms; allow httpd_t httpd_modules_t:dir r_dir_perms; allow httpd_t httpd_modules_t:lnk_file r_file_perms; +apache_domtrans_rotatelogs(httpd_t) +# Apache-httpd needs to be able to send signals to the log rotate procs. +allow httpd_t httpd_rotatelogs_t:process signal_perms; + allow httpd_t httpd_squirrelmail_t:dir create_dir_perms; allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms; allow httpd_t httpd_squirrelmail_t:file create_file_perms; @@ -219,6 +223,8 @@ corenet_tcp_bind_all_nodes(httpd_t) corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) +# Signal self for shutdown +corenet_tcp_connect_http_port(httpd_t) dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) 
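Review bot: The comment `# Signal self for shutdown` above `corenet_tcp_connect_http_port(httpd_t)` does not describe the rule: the interface lets httpd_t open TCP connections to any http_port_t port on any host, which is an egress widening, not a signal. If the rule exists because a graceful stop or restart connects to the local listener, the comment should say so, e.g. `# graceful stop/restart connects to its own listening socket`, and the change should be reviewed as giving httpd outbound HTTP to anywhere, since this interface cannot be limited to the local node. The `apache_domtrans_rotatelogs(httpd_t)` plus `signal_perms` pair in the `@@ -170` hunk reads consistently with the later `logging_search_logs(httpd_rotatelogs_t)` addition.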
@@ -235,7 +241,7 @@ auth_use_nsswitch(httpd_t) # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_sbin(httpd_t) -corecmd_check_exec_shell(httpd_t) +corecmd_exec_shell(httpd_t) domain_use_interactive_fds(httpd_t) @@ -252,6 +258,8 @@ files_read_etc_files(httpd_t) # for tomcat files_read_var_lib_symlinks(httpd_t) +fs_search_auto_mountpoints(httpd_sys_script_t) + init_use_fds(httpd_t) init_use_script_ptys(httpd_t) @@ -669,6 +677,16 @@ ifdef(`targeted_policy',` ') ') +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) +') + optional_policy(` clamav_domtrans_clamscan(httpd_sys_script_t) ') @@ -714,6 +732,8 @@ files_read_etc_files(httpd_rotatelogs_t) libs_use_ld_so(httpd_rotatelogs_t) libs_use_shared_libs(httpd_rotatelogs_t) +logging_search_logs(httpd_rotatelogs_t) + miscfiles_read_localization(httpd_rotatelogs_t) ifdef(`targeted_policy',` diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if index c82289b..4c2ee43 100644 --- a/policy/modules/services/avahi.if +++ b/policy/modules/services/avahi.if @@ -20,3 +20,24 @@ interface(`avahi_dbus_chat',` allow $1 avahi_t:dbus send_msg; allow avahi_t $1:dbus send_msg; ') + +######################################## +## +## Connect to avahi using a unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`avahi_stream_connect',` + gen_require(` + type avahi_t, avahi_var_run_t; + ') + + files_search_pids($1) + allow $1 avahi_var_run_t:dir search_dir_perms; + allow $1 avahi_var_run_t:sock_file rw_file_perms; + allow $1 avahi_t:unix_stream_socket connectto; +') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index 4735243..d9dbc91 100644 --- a/policy/modules/services/avahi.te 
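Review bot: Replacing `corecmd_check_exec_shell(httpd_t)` with `corecmd_exec_shell(httpd_t)` lets the web server run a shell in its own domain rather than only check it, which materially changes what a compromised httpd can do, and the `# execute perl` comment above no longer covers it. A line naming the trigger, e.g. `# httpd runs shell scripts for ... without a domain transition`, would help, and if the shell is only needed by CGI the rule belongs on the script domains that already transition. In the `@@ -252` hunk, `fs_search_auto_mountpoints(httpd_sys_script_t)` sits among the httpd_t rules; moving it to the httpd_sys_script_t section keeps the file's per-domain layout.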
+++ b/policy/modules/services/avahi.te @@ -1,5 +1,5 @@ -policy_module(avahi,1.3.0) +policy_module(avahi,1.3.1) ######################################## # diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc index d4ad4d7..510b2f8 100644 --- a/policy/modules/services/bind.fc +++ b/policy/modules/services/bind.fc @@ -29,6 +29,7 @@ ifdef(`distro_gentoo',` ifdef(`distro_redhat',` /etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) /etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) /etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) /var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index c35d613..c612b1c 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -1,5 +1,5 @@ -policy_module(bind,1.2.0) +policy_module(bind,1.2.1) ######################################## # diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index 0c839f0..fd85353 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,5 +1,5 @@ -policy_module(clamav,1.1.0) +policy_module(clamav,1.1.1) ######################################## # @@ -85,6 +85,7 @@ allow clamd_t clamd_var_run_t:dir rw_dir_perms; files_pid_filetrans(clamd_t,clamd_var_run_t,file) kernel_dontaudit_list_proc(clamd_t) +kernel_read_sysctl(clamd_t) corenet_non_ipsec_sendrecv(clamd_t) corenet_tcp_sendrecv_all_if(clamd_t) diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 5c72c93..3e08b8a 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.4.1) +policy_module(cron,1.4.2) gen_require(` class passwd rootok; 
@@ -86,7 +86,7 @@ allow crond_t self:shm create_shm_perms; allow crond_t self:sem create_sem_perms; allow crond_t self:msgq create_msgq_perms; allow crond_t self:msg { send receive }; -allow crond_t self:key { search write }; +allow crond_t self:key { search write link }; allow crond_t crond_var_run_t:file create_file_perms; files_pid_filetrans(crond_t,crond_var_run_t,file) @@ -166,6 +166,11 @@ ifdef(`distro_redhat', ` ') ') +optional_policy(` + locallogin_search_keys(crond_t) + locallogin_link_keys(crond_t) +') + ifdef(`targeted_policy',` allow crond_t system_crond_tmp_t:dir create_dir_perms; allow crond_t system_crond_tmp_t:file create_file_perms; diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index e73b2d9..1960ed6 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.4.1) +policy_module(cups,1.4.2) ######################################## # @@ -43,6 +43,7 @@ files_tmp_file(cupsd_tmp_t) type cupsd_var_run_t; files_pid_file(cupsd_var_run_t) +mls_trusted_object(cupsd_var_run_t) type hplip_t; type hplip_exec_t; @@ -161,6 +162,7 @@ dev_rw_printer(cupsd_t) dev_read_urand(cupsd_t) dev_read_sysfs(cupsd_t) dev_read_usbfs(cupsd_t) +dev_getattr_printer_dev(cupsd_t) domain_read_all_domains_state(cupsd_t) @@ -518,6 +520,7 @@ corenet_udp_bind_all_nodes(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) dev_read_urand(cupsd_lpd_t) +dev_read_rand(cupsd_lpd_t) fs_getattr_xattr_fs(cupsd_lpd_t) diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc index 8004713..6eabab4 100644 --- a/policy/modules/services/dbus.fc +++ b/policy/modules/services/dbus.fc 
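Review bot: `mls_trusted_object(cupsd_var_run_t)` in the cups.te hunk exempts the cupsd PID/socket directory from MLS read-up and write-down constraints at every level, with no comment explaining which client at which level needs it. The likely reason is that printing clients at any level connect to the cupsd socket, but that is inferred here; a comment such as `# clients at any level connect to the cupsd socket` would document the assumption for an MLS audit. The `link` permission added on crond_t's keys and the `locallogin_link_keys(crond_t)` call in the next hunk are consistent with each other.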
@@ -4,3 +4,7 @@ /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) /bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) + +ifdef(`distro_redhat',` +/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 9be5003..c81ed90 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -1,5 +1,5 @@ -policy_module(dbus,1.3.0) +policy_module(dbus,1.3.1) gen_require(` class dbus { send_msg acquire_svc }; diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index 1373a5c..33599f2 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -1,5 +1,5 @@ -policy_module(ftp,1.3.0) +policy_module(ftp,1.3.1) ######################################## # @@ -127,6 +127,7 @@ auth_write_login_records(ftpd_t) init_use_fds(ftpd_t) init_use_script_ptys(ftpd_t) +init_rw_utmp(ftpd_t) libs_use_ld_so(ftpd_t) libs_use_shared_libs(ftpd_t) diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc index 93f50cb..5dceef6 100644 --- a/policy/modules/services/hal.fc +++ b/policy/modules/services/hal.fc @@ -6,4 +6,6 @@ /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) -/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) + +/var/run/haldaemon.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if index 97e7830..abe9a82 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if 
@@ -121,6 +121,25 @@ interface(`hal_read_tmp_files',` ######################################## ## +## Do not audit attempts to read or write +## HAL libraries files +## +## +## +## Domain allowed access. +## +## +# +interface(`hal_dontaudit_append_lib_files',` + gen_require(` + type hald_var_lib_t; + ') + + dontaudit $1 hald_var_lib_t:file ra_file_perms; +') + +######################################## +## ## Read hald PID files. ## ## diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index 5d3f09b..e84d7e1 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.4.1) +policy_module(hal,1.4.2) ######################################## # @@ -16,6 +16,9 @@ files_tmp_file(hald_tmp_t) type hald_var_run_t; files_pid_file(hald_var_run_t) +type hald_var_lib_t; +files_type(hald_var_lib_t) + ######################################## # # Local policy @@ -39,6 +42,11 @@ allow hald_t hald_tmp_t:dir create_dir_perms; allow hald_t hald_tmp_t:file create_file_perms; files_tmp_filetrans(hald_t, hald_tmp_t, { file dir }) +# var/lib files for hald +allow hald_t hald_var_lib_t:file manage_file_perms; +allow hald_t hald_var_lib_t:sock_file manage_file_perms; +allow hald_t hald_var_lib_t:dir manage_dir_perms; + allow hald_t hald_var_run_t:file create_file_perms; allow hald_t hald_var_run_t:dir rw_dir_perms; files_pid_filetrans(hald_t,hald_var_run_t,file) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if index 7854a02..7d917aa 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -56,7 +56,9 @@ interface(`kerberos_use',` corenet_tcp_bind_all_nodes($1) corenet_udp_bind_all_nodes($1) corenet_tcp_connect_kerberos_port($1) + corenet_tcp_connect_ocsp_port($1) corenet_sendrecv_kerberos_client_packets($1) + corenet_sendrecv_ocsp_client_packets($1) sysnet_read_config($1) sysnet_dns_name_resolve($1) 
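Review bot: The summary of `hal_dontaudit_append_lib_files` says "read or write" but the rule uses `ra_file_perms`, which is read and append and matches the interface name; the summary should read `## Do not audit attempts to read or append to HAL library files.` The parameter description `## Domain allowed access.` is also wrong for a dontaudit interface and should be `## Domain to not audit.` as the other dontaudit interfaces in this diff use. In the hal.te hunk the new `hald_var_lib_t` rules grant manage permissions on files, sock_files and dirs but no filetrans, so the type relies entirely on the hal.fc entry for labeling.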
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te index 079dd88..1bf464d 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -1,5 +1,5 @@ -policy_module(kerberos,1.2.0) +policy_module(kerberos,1.2.1) ######################################## # @@ -156,9 +156,9 @@ optional_policy(` # Use capabilities. Surplus capabilities may be allowed. allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; dontaudit krb5kdc_t self:capability sys_tty_config; -allow krb5kdc_t self:process signal_perms; +allow krb5kdc_t self:process { getsched signal_perms }; allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; -allow krb5kdc_t self:tcp_socket connected_stream_socket_perms; +allow krb5kdc_t self:tcp_socket create_stream_socket_perms; allow krb5kdc_t self:udp_socket create_socket_perms; allow krb5kdc_t krb5_conf_t:file r_file_perms; @@ -190,6 +190,9 @@ kernel_list_proc(krb5kdc_t) kernel_read_proc_symlinks(krb5kdc_t) kernel_read_network_state(krb5kdc_t) +corecmd_exec_sbin(krb5kdc_t) +corecmd_exec_bin(krb5kdc_t) + corenet_non_ipsec_sendrecv(krb5kdc_t) corenet_tcp_sendrecv_all_if(krb5kdc_t) corenet_udp_sendrecv_all_if(krb5kdc_t) @@ -201,7 +204,9 @@ corenet_tcp_bind_all_nodes(krb5kdc_t) corenet_udp_bind_all_nodes(krb5kdc_t) corenet_tcp_bind_kerberos_port(krb5kdc_t) corenet_udp_bind_kerberos_port(krb5kdc_t) +corenet_tcp_connect_ocsp_port(krb5kdc_t) corenet_sendrecv_kerberos_server_packets(krb5kdc_t) +corenet_sendrecv_ocsp_client_packets(krb5kdc_t) dev_read_sysfs(krb5kdc_t) dev_read_urand(krb5kdc_t) @@ -214,6 +219,8 @@ term_dontaudit_use_console(krb5kdc_t) domain_use_interactive_fds(krb5kdc_t) files_read_etc_files(krb5kdc_t) +files_read_usr_symlinks(krb5kdc_t) +files_read_var_files(krb5kdc_t) init_use_fds(krb5kdc_t) init_use_script_ptys(krb5kdc_t) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index c769a83..e388b87 100644 
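Review bot: `corecmd_exec_bin(krb5kdc_t)` and `corecmd_exec_sbin(krb5kdc_t)` in the `@@ -190` hunk let the KDC execute any bin_t or sbin_t binary in its own domain, with no comment naming the helper it actually runs; for the process holding the realm's keys that is broad enough to deserve one, e.g. `# krb5kdc runs [helper program] for [reason]` with the real values filled in. The tcp_socket change to `create_stream_socket_perms` together with the OCSP client rules reads like a KDC that now makes outbound connections for certificate status checks, but that is inferred rather than stated. `files_read_var_files(krb5kdc_t)` grants reads on every generic var_t file; if one path is involved, a dedicated type would be narrower.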
--- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -820,6 +820,7 @@ interface(`mta_dontaudit_rw_queue',` type mqueue_spool_t; ') + dontaudit $1 mqueue_spool_t:dir search_dir_perms; dontaudit $1 mqueue_spool_t:file { getattr read write }; ') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 7e36b87..4754967 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta,1.4.0) +policy_module(mta,1.4.1) ######################################## # diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc index 8e6586a..ff9ec1e 100644 --- a/policy/modules/services/nis.fc +++ b/policy/modules/services/nis.fc @@ -3,7 +3,9 @@ /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) -/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) +/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) + +/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if index 129e470..1a83ef4 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if @@ -248,9 +248,9 @@ interface(`nis_domtrans_ypxfr',` ') corecmd_search_bin($1) + corecmd_search_sbin($1) domain_auto_trans($1,ypxfr_exec_t,ypxfr_t) - allow $1 ypxfr_t:fd use; allow ypxfr_t $1:fd use; allow ypxfr_t $1:fifo_file rw_file_perms; allow ypxfr_t $1:process sigchld; diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te index c471fe1..ac504f9 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -1,5 +1,5 @@ -policy_module(nis,1.2.0) +policy_module(nis,1.2.1) ######################################## # 
@@ -331,6 +331,12 @@ optional_policy(` allow ypxfr_t self:unix_stream_socket create_stream_socket_perms; +allow ypxfr_t var_yp_t:dir search_dir_perms; +allow ypxfr_t var_yp_t:file read_file_perms; + +allow ypxfr_t ypserv_t:tcp_socket { read write }; +allow ypxfr_t ypserv_t:udp_socket { read write }; + corenet_non_ipsec_sendrecv(ypxfr_t) corenet_tcp_sendrecv_all_if(ypxfr_t) corenet_udp_sendrecv_all_if(ypxfr_t) @@ -349,3 +355,7 @@ corenet_sendrecv_generic_server_packets(ypxfr_t) corenet_sendrecv_all_client_packets(ypxfr_t) files_read_etc_files(ypxfr_t) +files_search_usr(ypxfr_t) + +libs_use_shared_libs(ypxfr_t) +libs_use_ld_so(ypxfr_t) diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te index 6346017..4b08b3f 100644 --- a/policy/modules/services/oddjob.te +++ b/policy/modules/services/oddjob.te @@ -1,5 +1,5 @@ -policy_module(oddjob,1.0.1) +policy_module(oddjob,1.0.2) ######################################## # @@ -10,6 +10,7 @@ type oddjob_t; type oddjob_exec_t; domain_type(oddjob_t) init_daemon_domain(oddjob_t, oddjob_exec_t) +domain_subj_id_change_exemption(oddjob_t) type oddjob_mkhomedir_t; type oddjob_mkhomedir_exec_t; @@ -27,7 +28,7 @@ files_pid_file(oddjob_var_run_t) # allow oddjob_t self:capability { audit_write setgid } ; -allow oddjob_t self:process setexec; +allow oddjob_t self:process { setexec signal }; allow oddjob_t self:fifo_file { read write }; allow oddjob_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index e3ba497..eb3344a 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix,1.3.0) +policy_module(postfix,1.3.1) ######################################## # 
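Review bot: `allow ypxfr_t ypserv_t:tcp_socket { read write };` and the matching udp_socket rule let ypxfr_t use sockets owned by the ypserv_t domain, which only makes sense for sockets it inherits across the exec from ypserv, yet there is no comment saying so. Add `# ypxfr inherits ypserv's open sockets when ypserv spawns it` above the pair; if the sockets are not actually used after the transition, a dontaudit pair would close the inherited-descriptor leak instead of blessing it. The ypxfr_t block starts and ends outside this hunk.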
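Review bot: `domain_subj_id_change_exemption(oddjob_t)` lifts the constraint that stops a domain from changing its SELinux user identity, and the hunk records no reason for granting it to oddjob_t. The setexec permission added in the next hunk suggests oddjobd sets the context of the helpers it spawns on a caller's behalf (inferred, not shown here); that rationale belongs in the policy, e.g. `# oddjobd labels helpers with the requesting user's context (setexec), so it must be allowed to change the subject user`. Without it the exemption reads as an unexplained identity-changing privilege on a daemon that acts for other users. The oddjob_t declarations block continues outside the hunk.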
@@ -382,9 +382,9 @@ optional_policy(` locallogin_dontaudit_use_fds(postfix_map_t) ') -# a "run" interface needs to be -# added, and have sysadm_t use it -# in a optional_policy block. +optional_policy(` + nscd_socket_use(postfix_map_t) +') ######################################## # @@ -431,6 +431,10 @@ optional_policy(` mailman_domtrans_queue(postfix_pipe_t) ') +optional_policy(` + uucp_domtrans_uux(postfix_pipe_t) +') + ######################################## # # Postfix postdrop local policy @@ -570,6 +574,8 @@ sysnet_dns_name_resolve(postfix_showq_t) # Postfix smtp delivery local policy # +allow postfix_smtp_t self:netlink_route_socket r_netlink_socket_perms; + # connect to master process allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto; allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search; @@ -577,6 +583,10 @@ allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; +optional_policy(` + cyrus_stream_connect(postfix_smtp_t) +') + ######################################## # # Postfix smtpd local policy diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te index 086e8a8..a841b19 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -1,5 +1,5 @@ -policy_module(procmail,1.3.1) +policy_module(procmail,1.3.2) ######################################## # @@ -74,6 +74,18 @@ ifdef(`hide_broken_symptoms',` mta_dontaudit_rw_queue(procmail_t) ') +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(procmail_t) + fs_manage_nfs_files(procmail_t) + fs_manage_nfs_symlinks(procmail_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(procmail_t) + fs_manage_cifs_files(procmail_t) + fs_manage_cifs_symlinks(procmail_t) +') + optional_policy(` clamav_domtrans_clamscan(procmail_t) clamav_search_lib(procmail_t) 
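Review bot: the new `fs_manage_nfs_dirs`/`fs_manage_nfs_files`/`fs_manage_nfs_symlinks` calls under `use_nfs_home_dirs`, and the cifs trio under `use_samba_home_dirs`, grant procmail_t create, write and delete access to every NFS or CIFS mount, because those interfaces are keyed on the filesystem type, not on home directories. That is the usual shape of these tunable blocks, but a mail filter with that reach over all network mounts deserves the caveat spelled out, e.g. `# nfs_t/cifs_t are filesystem-wide: this covers every NFS/CIFS mount, not just home directories`. The procmail_t block starts and ends outside the hunk.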
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index a7ec9dd..3e246fe 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -1,5 +1,5 @@ -policy_module(rpc,1.3.1) +policy_module(rpc,1.3.2) ######################################## # @@ -121,6 +121,7 @@ tunable_policy(`nfs_export_all_ro',` # allow gssd_t self:capability { dac_override dac_read_search setuid }; +allow gssd_t self:process getsched; allow gssd_t self:fifo_file { read write }; allow gssd_t gssd_tmp_t:dir create_dir_perms; diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index 0245910..c2e220e 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -140,6 +140,7 @@ interface(`samba_read_config',` ') files_search_etc($1) + allow $1 samba_etc_t:dir search_dir_perms; allow $1 samba_etc_t:file { read getattr lock }; ') @@ -161,6 +162,7 @@ interface(`samba_rw_config',` ') files_search_etc($1) + allow $1 samba_etc_t:dir search_dir_perms; allow $1 samba_etc_t:file rw_file_perms; ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 120462b..7759850 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -1,5 +1,5 @@ -policy_module(samba,1.3.1) +policy_module(samba,1.3.2) ################################# # @@ -525,7 +525,7 @@ allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow swat_t self:netlink_audit_socket create; allow swat_t self:tcp_socket create_stream_socket_perms; allow swat_t self:udp_socket create_socket_perms; - +allow swat_t self:netlink_route_socket r_netlink_socket_perms; allow swat_t nmbd_exec_t:file { execute read }; 
@@ -566,9 +566,10 @@ corenet_udp_sendrecv_all_nodes(swat_t) corenet_raw_sendrecv_all_nodes(swat_t) corenet_tcp_sendrecv_all_ports(swat_t) corenet_udp_sendrecv_all_ports(swat_t) -corenet_tcp_bind_all_nodes(swat_t) -corenet_udp_bind_all_nodes(swat_t) corenet_tcp_connect_smbd_port(swat_t) +corenet_tcp_connect_ipp_port(swat_t) +corenet_sendrecv_smbd_client_packets(swat_t) +corenet_sendrecv_ipp_client_packets(swat_t) dev_read_urand(swat_t) @@ -591,6 +592,7 @@ sysnet_read_config(swat_t) optional_policy(` cups_read_rw_config(swat_t) + cups_stream_connect(swat_t) ') optional_policy(` diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te index 3963dc4..77544c3 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -1,5 +1,5 @@ -policy_module(sasl,1.3.0) +policy_module(sasl,1.3.1) ######################################## # @@ -47,6 +47,8 @@ dev_read_urand(saslauthd_t) fs_getattr_all_fs(saslauthd_t) fs_search_auto_mountpoints(saslauthd_t) +selinux_compute_access_vector(saslauthd_t) + term_dontaudit_use_console(saslauthd_t) auth_domtrans_chk_passwd(saslauthd_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index 08f3a9d..2879796 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -1,5 +1,5 @@ -policy_module(snmp,1.2.1) +policy_module(snmp,1.2.2) ######################################## # @@ -77,6 +77,7 @@ dev_list_sysfs(snmpd_t) dev_read_sysfs(snmpd_t) dev_read_urand(snmpd_t) dev_read_rand(snmpd_t) +dev_getattr_usbfs_dirs(snmpd_t) domain_use_interactive_fds(snmpd_t) domain_signull_all_domains(snmpd_t) @@ -87,9 +88,10 @@ files_read_usr_files(snmpd_t) files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) files_getattr_boot_dirs(snmpd_t) +files_dontaudit_getattr_home_dir(snmpd_t) +fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) -fs_getattr_rpc_dirs(snmpd_t) fs_search_auto_mountpoints(snmpd_t) storage_dontaudit_read_fixed_disk(snmpd_t) 
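Review bot: `selinux_compute_access_vector(saslauthd_t)` lets saslauthd ask the security server for access decisions, and nothing in the hunk says which component issues that query. Presumably a library loaded into saslauthd by its authentication backend is the trigger (inferred from the neighbouring auth rules, not shown); a comment such as `# saslauthd's auth backend queries the security server (compute_av)` would record it and make the rule easy to revisit. The saslauthd_t block continues outside the hunk.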
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 805c183..6b064b8 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin,1.4.1) +policy_module(spamassassin,1.4.2) ######################################## # @@ -86,6 +86,7 @@ corenet_sendrecv_spamd_server_packets(spamd_t) corenet_udp_bind_all_nodes(spamd_t) corenet_udp_bind_generic_port(spamd_t) corenet_udp_bind_imaze_port(spamd_t) +corenet_dontaudit_udp_bind_all_ports(spamd_t) corenet_sendrecv_imaze_server_packets(spamd_t) corenet_sendrecv_generic_server_packets(spamd_t) diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te index 52a3455..7f45edb 100644 --- a/policy/modules/services/telnet.te +++ b/policy/modules/services/telnet.te @@ -1,5 +1,5 @@ -policy_module(telnet,1.2.0) +policy_module(telnet,1.2.1) ######################################## # @@ -32,6 +32,7 @@ allow telnetd_t self:tcp_socket connected_stream_socket_perms; allow telnetd_t self:udp_socket create_socket_perms; # for identd; cjp: this should probably only be inetd_child rules? allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow telnetd_t self:netlink_route_socket r_netlink_socket_perms; allow telnetd_t self:capability { setuid setgid }; allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr }; diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te index 1577565..e3013b9 100644 --- a/policy/modules/services/tftp.te +++ b/policy/modules/services/tftp.te @@ -1,5 +1,5 @@ -policy_module(tftp,1.2.0) +policy_module(tftp,1.2.1) ######################################## # @@ -94,6 +94,10 @@ optional_policy(` ') optional_policy(` + nis_use_ypbind(tftpd_t) +') + +optional_policy(` nscd_socket_use(tftpd_t) ') diff --git a/policy/modules/services/uucp.fc b/policy/modules/services/uucp.fc index f1c2fea..0ddfd09 100644 
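Review bot: `corenet_dontaudit_udp_bind_all_ports(spamd_t)` silences every UDP bind denial for spamd, including binds to reserved ports that the allow rules beside it do not cover, so a misbehaving or compromised spamd grabbing such a port would leave no audit record. If the noise comes from the resolver picking random source ports (the usual cause, but not stated here), `corenet_udp_bind_generic_port` directly above already allows unreserved ports, and a reserved-ports-only dontaudit — the shape clvmd_t uses for TCP elsewhere in this patch — would keep the signal. At minimum add `# resolver source-port binds; generic ports are allowed above` so the breadth is deliberate. The spamd_t block continues outside the hunk.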
--- a/policy/modules/services/uucp.fc +++ b/policy/modules/services/uucp.fc @@ -1,4 +1,6 @@ +/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0) + /usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0) /var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if index 5efdf15..7b7dbfa 100644 --- a/policy/modules/services/uucp.if +++ b/policy/modules/services/uucp.if @@ -1 +1,66 @@ ## Unix to Unix Copy + +######################################## +## +## Allow the specified domain to append +## to uucp log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`uucp_append_log',` + gen_require(` + type uucpd_log_t; + ') + + logging_search_logs($1) + allow $1 uucpd_log_t:dir r_dir_perms; + allow $1 uucpd_log_t:file { append getattr }; +') + +######################################## +## +## Create, read, write, and delete uucp spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`uucp_manage_spool',` + gen_require(` + type uucpd_spool_t; + ') + + files_search_spool($1) + allow $1 uucpd_spool_t:dir manage_dir_perms; + allow $1 uucpd_spool_t:lnk_file create_lnk_perms; + allow $1 uucpd_spool_t:file manage_file_perms; +') + +######################################## +## +## Execute the master uux program in the +## uux_t domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`uucp_domtrans_uux',` + gen_require(` + type uux_t, uux_exec_t; + ') + + domain_auto_trans($1,uux_exec_t,uux_t) + + allow uux_t $1:fd use; + allow uux_t $1:fifo_file rw_file_perms; + allow uux_t $1:process sigchld; +') diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te index 8abc8ae..40dc8ec 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -1,5 +1,5 @@ -policy_module(uucp,1.2.0) +policy_module(uucp,1.2.1) ######################################## # 
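Review bot: `uucp_domtrans_uux` performs the transition without giving the caller search access to the directory holding uux, although the uucp.fc hunk above places the binary under /usr/bin and the nis_domtrans_ypxfr change in this same patch adds `corecmd_search_bin($1)` for exactly that reason. Add `corecmd_search_bin($1)` before the `domain_auto_trans` line so a caller lacking bin_t search does not fail on path lookup. The summary `Execute the master uux program` also reads as copied from another interface — nothing in this module defines a "master" uux — and `Execute uux in the uux_t domain.` is accurate. All three interfaces are complete within the hunk.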
@@ -28,9 +28,15 @@ files_type(uucpd_spool_t) type uucpd_log_t; logging_log_file(uucpd_log_t) +type uux_t; +type uux_exec_t; +domain_type(uux_t) +domain_entry_file(uux_t,uux_exec_t) +role system_r types uux_t; + ######################################## # -# Local policy +# UUCPd Local policy # allow uucpd_t self:capability { setuid setgid }; allow uucpd_t self:process signal_perms; @@ -51,9 +57,7 @@ allow uucpd_t uucpd_rw_t:dir create_dir_perms; allow uucpd_t uucpd_rw_t:file create_file_perms; allow uucpd_t uucpd_rw_t:lnk_file create_lnk_perms; -allow uucpd_t uucpd_spool_t:dir create_dir_perms; -allow uucpd_t uucpd_spool_t:file create_file_perms; -allow uucpd_t uucpd_spool_t:lnk_file create_lnk_perms; +uucp_manage_spool(uucpd_t) allow uucpd_t uucpd_tmp_t:dir create_dir_perms; allow uucpd_t uucpd_tmp_t:file create_file_perms; @@ -105,3 +109,38 @@ optional_policy(` optional_policy(` nscd_socket_use(uucpd_t) ') + +######################################## +# +# UUX Local policy +# + +allow uux_t self:capability { setuid setgid }; +allow uux_t self:fifo_file { getattr write }; + +uucp_append_log(uux_t) +uucp_manage_spool(uux_t) + +corecmd_exec_sbin(uux_t) + +files_read_etc_files(uux_t) + +libs_use_ld_so(uux_t) +libs_use_shared_libs(uux_t) + +logging_send_syslog_msg(uux_t) + +miscfiles_read_localization(uux_t) + +ifdef(`targeted_policy',` + term_use_unallocated_ttys(uux_t) + term_use_generic_ptys(uux_t) +') + +optional_policy(` + mta_send_mail(uux_t) +') + +optional_policy(` + nscd_socket_use(uux_t) +') diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index f5c79d6..52b8ee4 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if 
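Review bot: the new uux_t domain receives `allow uux_t self:capability { setuid setgid };` together with `corecmd_exec_sbin(uux_t)`, and neither line says why, so the domain can switch uid and then run any sbin_t program with no transition. If the sbin rule is meant for starting uucico, note that the uucp.fc hunk labels /usr/sbin/uucico uucpd_exec_t, which `corecmd_exec_sbin` does not cover; a domain transition to uucpd_t would be the fitting rule and the exec_sbin line could go. If it is some other helper, name it, e.g. `# uux execs <program> from sbin to kick off transfers`. The UUX local policy section is complete within the hunk.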
@@ -756,11 +756,30 @@ interface(`xserver_use_xdm_fds',` ######################################## ## +## Do not audit attempts to inherit +## XDM file descriptors. +## +## +## +## Domain to not audit. +## +## +# +interface(`xserver_dontaudit_use_xdm_fds',` + gen_require(` + type xdm_t; + ') + + dontaudit $1 xdm_t:fd use; +') + +######################################## +## ## Read and write XDM unnamed pipes. ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -774,6 +793,26 @@ interface(`xserver_rw_xdm_pipes',` ######################################## ## +## Do not audit attempts to read and write +## XDM unnamed pipes. +## +## +## +## Domain to not audit. +## +## +# +interface(`xserver_dontaudit_rw_xdm_pipes',` + + gen_require(` + type xdm_t; + ') + + dontaudit $1 xdm_t:fifo_file { getattr read write }; +') + +######################################## +## ## Connect to XDM over a unix domain ## stream socket. ## diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 9ee1d28..fd266ef 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,5 +1,5 @@ -policy_module(xserver,1.2.1) +policy_module(xserver,1.2.2) ######################################## # diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 2738cc4..c8e06f8 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -1258,7 +1258,7 @@ interface(`auth_append_login_records',` type wtmp_t; ') - allow $1 wtmp_t:file { getattr append }; + allow $1 wtmp_t:file { getattr append lock }; ') ####################################### @@ -1364,6 +1364,10 @@ interface(`auth_use_nsswitch',` sysnet_use_ldap($1) optional_policy(` + avahi_stream_connect($1) + ') + + optional_policy(` nis_use_ypbind($1) ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index e1d0e1e..e8436f4 100644 
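Review bot: `xserver_dontaudit_rw_xdm_pipes` has a blank line between the `interface(` line and its `gen_require` block, which the `xserver_dontaudit_use_xdm_fds` added in the previous hunk and the neighbouring interfaces do not; drop that blank line so the two new interfaces read the same. The summary and parameter wording already follow the file's template, so only the layout needs the fix. The interface is complete within the hunk.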
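Review bot: adding `avahi_stream_connect($1)` inside `auth_use_nsswitch` hands every domain that resolves names through nsswitch a connection to avahi's socket, and the hunk gives no hint which NSS module needs it. That is presumably nss-mdns (inferred from the avahi/nsswitch pairing, not stated), which is worth writing down because this interface is called from many domains: `# nss-mdns resolves .local names through avahi-daemon's socket` above the optional block. Callers that never resolve mDNS names still gain the socket connect, which is the trade-off any nsswitch-wide rule makes and should be visible to whoever audits avahi's exposure. The auth_use_nsswitch body starts and ends outside the hunk.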
--- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.4.1) +policy_module(authlogin,1.4.2) ######################################## # @@ -172,8 +172,6 @@ dev_getattr_xserver_misc_dev(pam_console_t) dev_setattr_xserver_misc_dev(pam_console_t) dev_read_urand(pam_console_t) -fs_list_auto_mountpoints(pam_console_t) - mls_file_read_up(pam_console_t) mls_file_write_down(pam_console_t) @@ -199,10 +197,12 @@ domain_use_interactive_fds(pam_console_t) files_read_etc_files(pam_console_t) files_search_pids(pam_console_t) files_list_mnt(pam_console_t) +files_dontaudit_search_isid_type_dirs(pam_console_t) # read /etc/mtab files_read_etc_runtime_files(pam_console_t) fs_list_auto_mountpoints(pam_console_t) +fs_list_noxattr_fs(pam_console_t) init_use_fds(pam_console_t) init_use_script_ptys(pam_console_t) @@ -265,6 +265,7 @@ term_dontaudit_use_generic_ptys(system_chkpwd_t) userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) +userdom_dontaudit_use_sysadm_terms(system_chkpwd_t) ######################################## # diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te index fc6b5a9..84c947c 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te @@ -1,5 +1,5 @@ -policy_module(clock,1.1.1) +policy_module(clock,1.1.2) ######################################## # @@ -25,7 +25,7 @@ allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config dontaudit hwclock_t self:capability sys_tty_config; allow hwclock_t self:process signal_perms; allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -allow hwclock_t self:fifo_file { getattr read }; +allow hwclock_t self:fifo_file { getattr read write }; # Allow hwclock to store & retrieve correction factors. allow hwclock_t adjtime_t:file { rw_file_perms setattr }; 
@@ -34,7 +34,8 @@ kernel_read_kernel_sysctls(hwclock_t) kernel_list_proc(hwclock_t) kernel_read_proc_symlinks(hwclock_t) -corecmd_search_bin(hwclock_t) +corecmd_exec_bin(hwclock_t) +corecmd_exec_shell(hwclock_t) dev_read_sysfs(hwclock_t) dev_rw_realtime_clock(hwclock_t) diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index 4dafe4d..80daa0b 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te @@ -1,5 +1,5 @@ -policy_module(hostname,1.3.0) +policy_module(hostname,1.3.1) ######################################## # @@ -57,5 +57,6 @@ sysnet_read_config(hostname_t) sysnet_dns_name_resolve(hostname_t) optional_policy(` + xen_append_log(hostname_t) xen_dontaudit_use_fds(hostname_t) ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 2b4ebea..27ca078 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.4.3) +policy_module(init,1.4.4) gen_require(` class passwd rootok; @@ -205,6 +205,9 @@ allow initrc_t self:netlink_route_socket r_netlink_socket_perms; allow initrc_t initrc_devpts_t:chr_file rw_term_perms; term_create_pty(initrc_t,initrc_devpts_t) +# Going to single user mode +init_exec(initrc_t) + can_exec(initrc_t,initrc_exec_t) allow initrc_t initrc_state_t:dir manage_dir_perms; @@ -492,14 +495,19 @@ ifdef(`targeted_policy',` domain_subj_id_change_exemption(initrc_t) unconfined_domain(initrc_t) - optional_policy(` - mono_domtrans(initrc_t) + ifdef(`distro_redhat',` + # system-config-services causes avc messages that should be dontaudited + unconfined_dontaudit_rw_pipes(daemon) ') tunable_policy(`allow_daemons_use_tty',` term_use_unallocated_ttys(daemon) term_use_generic_ptys(daemon) ') + + optional_policy(` + mono_domtrans(initrc_t) + ') ',` # cjp: require doesnt work in the else of optionals :\ # this also would result in a type transition 
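Review bot: `corecmd_exec_bin(hwclock_t)` and `corecmd_exec_shell(hwclock_t)` replace a plain `corecmd_search_bin` with permission to run a shell and any bin_t program inside hwclock_t, a domain the -25 hunk shows holding sys_rawio, sys_time and dac_override; there is no comment naming the script or program that needed it. If hwclock on this distribution is a wrapper script (a guess — nothing here shows it), say so and, where possible, label the wrapper so a transition rather than an in-domain exec handles it: `# /sbin/hwclock is a shell wrapper on this distro and runs the real binary via a shell`. The hwclock_t block starts and ends outside the hunk.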
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 4e12496..611e2ae 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -1,5 +1,5 @@ -policy_module(iptables,1.1.0) +policy_module(iptables,1.1.1) ######################################## # @@ -85,7 +85,7 @@ ifdef(`targeted_policy', ` optional_policy(` firstboot_use_fds(iptables_t) - firstboot_write_pipes(iptables_t) + firstboot_rw_pipes(iptables_t) ') optional_policy(` @@ -98,6 +98,10 @@ optional_policy(` ') optional_policy(` + ppp_dontaudit_use_fds(iptables_t) +') + +optional_policy(` seutil_sigchld_newrole(iptables_t) ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index a43cf9e..4a4b470 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc 
@@ -131,12 +131,14 @@ ifdef(`distro_gentoo',` /usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0) /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -157,6 +159,7 @@ ifdef(`distro_gentoo',` /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ifdef(`distro_redhat',` 
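Review bot: the added `/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)?` entry is already matched by the line directly above it, `/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)?`, whose `/usr/(.*/)?lib(64)?` prefix covers both `/usr/lib` and `/usr/lib64`; the new regex adds no paths and should be dropped. Every textrel_shlib_t entry exempts a library from the execmod restriction on writable-and-executable text relocations, so keeping the list free of duplicates makes later audits of that exemption easier. The libx264 addition in the same hunk is an ordinary entry.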
@@ -167,19 +170,15 @@ ifdef(`distro_redhat',` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php -/usr/lib(64)?/gstreamer-.*/libgstffmpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/gstreamer-.*/libgsthermescolorspace\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/gstreamer-.*/libgstmms\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/helix/plugins/oggfformat\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/helix/plugins/theorarend\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/helix/plugins/vorbisrend\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/helix/codecs/colorcvt\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/helix/codecs/cvt1\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
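Review bot: replacing the three named gstreamer plugins with `/usr/lib(64)?/gstreamer-.*/[^/]*\.so.*`, and the five named Helix files with `[^/]*\.so` over the whole plugins and codecs directories, labels every current and future library in those trees textrel_shlib_t — exempt from the execmod restriction — not only the ones known to carry text relocations. If every library in those directories is known to need it, say so in the comment block above them, e.g. `# all gstreamer/helix plugins in this distribution are built with text relocations`; otherwise keep the explicit names so the exemption stays per-library. The hunk is complete within this line.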
@@ -246,6 +245,9 @@ ifdef(`distro_redhat',` HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -258,10 +260,9 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Java, Sun Microsystems (JPackage SRPM) -/usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?(.*/)?jre.*/libjavaplugin_ojigcc3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 82970fa..8b7ed0c 100644 --- a/policy/modules/system/libraries.te 
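Review bot: `/usr/(.*/)?jre.*/.*\.so(\.[^/]*)*` labels every shared object under any /usr path component beginning with `jre` as textrel_shlib_t, and because `/usr/(.*/)?` already spans `/usr/lib/`, `/usr/lib64/` and `/usr/local/`, the two lines that follow it are redundant. The removed entries named four specific libraries; the wildcard extends the execmod exemption to every library any JRE ships and to unrelated directories whose name merely starts with `jre`. Keep one pattern and narrow it to the known libraries, or keep the directory-wide form with a comment like `# whole JRE tree: Sun's libraries are built with text relocations`. The hunk is complete within this line.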
+++ b/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.4.1) +policy_module(libraries,1.4.2) ######################################## # diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if index 364451c..8f5a1cd 100644 --- a/policy/modules/system/locallogin.if +++ b/policy/modules/system/locallogin.if @@ -75,3 +75,40 @@ interface(`locallogin_signull',` allow $1 local_login_t:process signull; ') + +######################################## +## +## Search for key. +## +## +## +## Domain allowed access. +## +## +# +interface(`locallogin_search_keys',` + gen_require(` + type local_login_t; + ') + + allow $1 local_login_t:key search; +') + + +######################################## +## +## Allow link to the local_login key ring. +## +## +## +## Domain allowed access. +## +## +# +interface(`locallogin_link_keys',` + gen_require(` + type local_login_t; + ') + + allow $1 local_login_t:key link; +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index c15a74c..8f8faa9 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -1,5 +1,5 @@ -policy_module(locallogin,1.3.1) +policy_module(locallogin,1.3.2) ######################################## # diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 10ddf81..b7bf0ad 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.4.1) +policy_module(logging,1.4.2) ######################################## # @@ -53,6 +53,7 @@ files_pid_file(syslogd_var_run_t) type var_log_t; logging_log_file(var_log_t) +files_mountpoint(var_log_t) ifdef(`enable_mls',` init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc index a70e326..4d4fc37 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc 
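Review bot: the summaries `Search for key.` and `Allow link to the local_login key ring.` do not say whose keyring is involved or what the caller gains, which matters because in the kernel's key class `link` is checked on the key being linked, so this lets the caller attach local_login_t's keyring into its own keyring hierarchy. Reword them as `Search keys owned by the local login domain.` and `Link the local login domain's keyring into the caller's keyrings.`, and drop the doubled blank line between the two interfaces to match the rest of the file. Both interfaces are complete within the hunk.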
@@ -95,3 +95,4 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) /var/run/multipathd.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) +/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 512955c..f787968 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -1,5 +1,5 @@ -policy_module(lvm,1.4.1) +policy_module(lvm,1.4.2) ######################################## # @@ -30,6 +30,9 @@ files_lock_file(lvm_lock_t) type lvm_metadata_t; files_type(lvm_metadata_t) +type lvm_var_lib_t; +files_type(lvm_var_lib_t) + type lvm_var_run_t; files_pid_file(lvm_var_run_t) @@ -44,7 +47,7 @@ files_tmp_file(lvm_tmp_t) dontaudit clvmd_t self:capability sys_tty_config; allow clvmd_t self:process signal_perms; allow clvmd_t self:socket create_socket_perms; -allow clvmd_t self:fifo_file { read write }; +allow clvmd_t self:fifo_file rw_file_perms; allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; @@ -53,9 +56,18 @@ allow clvmd_t clvmd_var_run_t:file create_file_perms; allow clvmd_t clvmd_var_run_t:dir rw_dir_perms; files_pid_filetrans(clvmd_t,clvmd_var_run_t,file) +allow clvmd_t lvm_metadata_t:dir search_dir_perms; +allow clvmd_t lvm_metadata_t:file { getattr read }; + kernel_read_kernel_sysctls(clvmd_t) +kernel_read_system_state(clvmd_t) kernel_list_proc(clvmd_t) kernel_read_proc_symlinks(clvmd_t) +kernel_search_debugfs(clvmd_t) + +corecmd_exec_shell(clvmd_t) +corecmd_read_bin_symlinks(clvmd_t) +corecmd_read_sbin_symlinks(clvmd_t) corenet_non_ipsec_sendrecv(clvmd_t) corenet_tcp_sendrecv_all_if(clvmd_t) 
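Review bot: `corecmd_exec_shell(clvmd_t)` lets the cluster LVM daemon run a shell inside its own domain, and together with the `lvm_domtrans(clvmd_t)` added later in this file it suggests clvmd shells out to the LVM tools (inferred from the pairing, not stated); the hunk carries no comment. If the shell is only there to launch lvm commands, the domain transition already handles that and the shell rule may be unnecessary; if it is needed, document it, e.g. `# clvmd spawns a shell to run lvm commands (see lvm_domtrans below)`. `kernel_search_debugfs(clvmd_t)` likewise deserves a word on what under debugfs it looks for. The clvmd_t block starts and ends outside the hunk.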
@@ -72,6 +84,10 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t) corenet_sendrecv_generic_server_packets(clvmd_t) dev_read_sysfs(clvmd_t) +dev_manage_generic_chr_files(clvmd_t) + +files_read_etc_files(clvmd_t) +files_list_usr(clvmd_t) fs_getattr_all_fs(clvmd_t) fs_search_auto_mountpoints(clvmd_t) @@ -80,7 +96,7 @@ term_dontaudit_use_console(clvmd_t) domain_use_interactive_fds(clvmd_t) -files_list_usr(clvmd_t) +storage_raw_read_fixed_disk(clvmd_t) init_use_fds(clvmd_t) init_use_script_ptys(clvmd_t) @@ -100,6 +116,9 @@ sysnet_read_config(clvmd_t) userdom_dontaudit_use_unpriv_user_fds(clvmd_t) userdom_dontaudit_search_sysadm_home_dirs(clvmd_t) +lvm_domtrans(clvmd_t) +lvm_read_config(clvmd_t) + ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_ttys(clvmd_t) term_dontaudit_use_generic_ptys(clvmd_t) @@ -107,10 +126,19 @@ ifdef(`targeted_policy', ` ') optional_policy(` + ccs_stream_connect(clvmd_t) +') + +optional_policy(` nis_use_ypbind(clvmd_t) ') optional_policy(` + ricci_dontaudit_rw_modcluster_pipes(clvmd_t) + ricci_dontaudit_use_modcluster_fds(clvmd_t) +') + +optional_policy(` udev_read_db(clvmd_t) ') @@ -147,6 +175,10 @@ allow lvm_t lvm_lock_t:dir rw_dir_perms; allow lvm_t lvm_lock_t:file create_file_perms; files_lock_filetrans(lvm_t,lvm_lock_t,file) +allow lvm_t lvm_var_lib_t:dir manage_dir_perms; +allow lvm_t lvm_var_lib_t:file manage_file_perms; +files_var_lib_filetrans(lvm_t,lvm_var_lib_t,{ dir file }) + allow lvm_t lvm_var_run_t:file manage_file_perms; allow lvm_t lvm_var_run_t:sock_file manage_file_perms; allow lvm_t lvm_var_run_t:dir manage_dir_perms; @@ -216,8 +248,7 @@ storage_manage_fixed_disk(lvm_t) term_dontaudit_getattr_all_user_ttys(lvm_t) term_dontaudit_getattr_pty_dirs(lvm_t) -corecmd_search_sbin(lvm_t) -corecmd_dontaudit_getattr_sbin_files(lvm_t) +corecmd_exec_sbin(lvm_t) domain_use_interactive_fds(lvm_t) 
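Review bot: `dev_manage_generic_chr_files(clvmd_t)` grants create, rename, unlink and write on every character device node that still carries the generic device_t label, far wider than a daemon that talks to the device-mapper control node should need, and the hunk does not say which node clvmd was denied on. If it is a specific node, giving that node its own type and allowing only that is the right fix; if a generic rule is unavoidable, prefer the read/write form over manage and add `# clvmd opens <node>, which has no dedicated label yet`. The clvmd_t block continues outside the hunk.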
@@ -259,6 +290,10 @@ optional_policy(`
 ')
 optional_policy(`
+ ccs_stream_connect(lvm_t)
+')
+
+optional_policy(`
 gpm_dontaudit_getattr_gpmctl(lvm_t)
 ')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 2457477..91e6fc8 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
 /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
 /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
 /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
 /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
 /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 2927a70..a6bea3a 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,5 +1,5 @@
-policy_module(miscfiles,1.1.0)
+policy_module(miscfiles,1.1.1)
 ########################################
 #
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 3ea8c4b..7c0a391 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.4.1)
+policy_module(mount,1.4.2)
 ########################################
 #
@@ -32,6 +32,9 @@ ifdef(`targeted_policy',`
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 allow mount_t mount_loopback_t:file r_file_perms;
+allow mount_t self:netlink_route_socket r_netlink_socket_perms;
+
+can_exec(mount_t, mount_exec_t)
 allow mount_t mount_tmp_t:file create_file_perms;
 allow mount_t mount_tmp_t:dir create_dir_perms;
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 64c9107..1ba3328 100644
--- a/policy/modules/system/raid.te
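Review bot: In the mount.te `@@ -32,6 +32,9 @@` hunk, the new `allow mount_t self:netlink_route_socket r_netlink_socket_perms;` is inserted after the `mount_loopback_t` rule instead of beside the `self:capability` rule that opens the block, so the domain's self-rules end up split by an object-type rule; moving it up one line keeps the grouping refpolicy files normally follow. `can_exec(mount_t, mount_exec_t)` also deserves a one-line comment, since letting a domain re-execute its own entrypoint type is unusual and the reason is not in the hunk: `# mount re-executes mount_exec_t for <reason — TODO>`.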
+++ b/policy/modules/system/raid.te
@@ -1,5 +1,5 @@
-policy_module(raid,1.1.1)
+policy_module(raid,1.1.2)
 ########################################
 #
@@ -38,12 +38,15 @@ dev_read_sysfs(mdadm_t)
 dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
 dev_dontaudit_getattr_generic_files(mdadm_t)
+dev_dontaudit_getattr_generic_chr_files(mdadm_t)
+dev_dontaudit_getattr_generic_blk_files(mdadm_t)
 fs_search_auto_mountpoints(mdadm_t)
 fs_dontaudit_list_tmpfs(mdadm_t)
 # RAID block device access
 storage_manage_fixed_disk(mdadm_t)
+storage_dev_filetrans_fixed_disk(mdadm_t)
 term_dontaudit_use_console(mdadm_t)
 term_dontaudit_list_ptys(mdadm_t)
@@ -81,6 +84,10 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mdadm_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(mdadm_t)
 ')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 9cae237..9e946e4 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.3.4)
+policy_module(selinuxutil,1.3.5)
 ifdef(`strict_policy',`
 gen_require(`
@@ -338,6 +338,7 @@ optional_policy(`
 #
 allow restorecon_t self:capability { dac_override dac_read_search fowner };
+dontaudit restorecon_t self:capability sys_tty_config;
 allow restorecon_t self:fifo_file rw_file_perms;
 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
@@ -362,6 +363,7 @@ dev_rw_generic_files(restorecon_t)
 fs_getattr_xattr_fs(restorecon_t)
 fs_search_auto_mountpoints(restorecon_t)
+fs_getattr_all_dirs(restorecon_t)
 mls_file_read_up(restorecon_t)
 mls_file_write_down(restorecon_t)
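Review bot: In the raid.te `@@ -38,12 +38,15 @@` hunk, `dev_dontaudit_getattr_generic_chr_files(mdadm_t)` and `dev_dontaudit_getattr_generic_blk_files(mdadm_t)` look redundant with the `dev_dontaudit_getattr_all_chr_files` and `dev_dontaudit_getattr_all_blk_files` lines directly above them: the generic device type is normally a member of the device-node attribute that the `_all_` interfaces cover, so the same getattr denials are already silenced. If that holds for this tree's dev module, the two added lines can be dropped; if the generic type is deliberately kept outside the attribute here, a short comment saying so would stop the next reviewer from removing them.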
@@ -449,6 +451,7 @@ selinux_compute_user_contexts(restorecond_t)
 auth_relabel_all_files_except_shadow(restorecond_t )
 auth_read_all_files_except_shadow(restorecond_t)
+auth_use_nsswitch(restorecond_t)
 init_use_fds(restorecond_t)
 init_dontaudit_use_script_ptys(restorecond_t)
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index 471b06a..b772df3 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -7,6 +7,6 @@ ifdef(`targeted_policy',`
 /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/local/RealPlay/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 ')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 59fc8f0..9f4f7ec 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -352,6 +352,25 @@ interface(`unconfined_rw_pipes',`
 ########################################
 ##
+## Do not audit attempts to read and write
+## unconfined domain unnamed pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_dontaudit_rw_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+')
+
+########################################
+##
 ## Connect to the unconfined domain using
 ## a unix domain stream socket.
 ##
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 8ceeea6..248a1a0 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.4.1)
+policy_module(unconfined,1.4.2)
 ########################################
 #
@@ -33,6 +33,9 @@ ifdef(`targeted_policy',`
 files_create_boot_flag(unconfined_t)
+ mcs_killall(unconfined_t)
+ mcs_ptrace_all(unconfined_t)
+
 init_domtrans_script(unconfined_t)
 libs_domtrans_ldconfig(unconfined_t)
@@ -83,6 +86,10 @@ ifdef(`targeted_policy',`
 optional_policy(`
 networkmanager_dbus_chat(unconfined_t)
 ')
+
+ optional_policy(`
+ oddjob_dbus_chat(unconfined_t)
+ ')
 ')
 optional_policy(`
@@ -189,5 +196,9 @@ ifdef(`targeted_policy',`
 init_dbus_chat_script(unconfined_execmem_t)
 unconfined_dbus_chat(unconfined_execmem_t)
+
+ optional_policy(`
+ hal_dbus_chat(unconfined_execmem_t)
+ ')
 ')
 ')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 96002f0..240ff34 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -24,6 +24,7 @@ template(`userdom_base_user_template',`
 gen_require(`
+ attribute userdomain;
 class context contains;
 ')
@@ -136,6 +137,10 @@ template(`userdom_base_user_template',`
 ##
 #
 template(`userdom_ro_home_template',`
+ gen_require(`
+ attribute home_type, home_dir_type, $1_file_type;
+ ')
+
 # type for contents of home directory
 type $1_home_t, $1_file_type, home_type;
 files_type($1_home_t)
@@ -220,6 +225,10 @@ template(`userdom_ro_home_template',`
 ##
 #
 template(`userdom_manage_home_template',`
+ gen_require(`
+ attribute home_type, home_dir_type, $1_file_type;
+ ')
+
 # type for contents of home directory
 type $1_home_t, $1_file_type, home_type;
 files_type($1_home_t)
@@ -347,6 +356,10 @@ template(`userdom_poly_home_template',`
 ##
 #
 template(`userdom_manage_tmp_template',`
+ gen_require(`
+ attribute $1_file_type;
+ ')
+
 type $1_tmp_t, $1_file_type;
 files_tmp_file($1_tmp_t)
@@ -415,6 +428,10 @@ template(`userdom_poly_tmp_template',`
 ##
 #
 template(`userdom_manage_tmpfs_template',`
+ gen_require(`
+ attribute $1_file_type;
+ ')
+
 type $1_tmpfs_t, $1_file_type;
 files_tmpfs_file($1_tmpfs_t)
@@ -673,6 +690,8 @@ template(`userdom_common_user_template',`
 allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow $1_t self:process { ptrace setfscreate };
+ allow $1_t self:context contains;
+
 # evolution and gnome-session try to create a netlink socket
 dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -1859,7 +1878,7 @@ template(`userdom_read_user_home_content_files',`
 ')
 files_search_home($2)
- allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_dir_t:dir search_dir_perms;
 allow $2 $1_home_t:dir search_dir_perms;
 allow $2 $1_home_t:file r_file_perms;
 ')
@@ -1962,8 +1981,8 @@ template(`userdom_read_user_home_content_symlinks',`
 ')
 files_search_home($2)
- allow $2 $1_home_dir_t:dir search;
- allow $2 $1_home_t:dir search;
+ allow $2 $1_home_dir_t:dir search_dir_perms;
+ allow $2 $1_home_t:dir search_dir_perms;
 allow $2 $1_home_t:lnk_file r_file_perms;
 ')
@@ -1998,8 +2017,8 @@ template(`userdom_exec_user_home_content_files',`
 ')
 files_search_home($2)
- allow $2 $1_home_dir_t:dir search;
- allow $2 $1_home_t:dir search;
+ allow $2 $1_home_dir_t:dir search_dir_perms;
+ allow $2 $1_home_t:dir search_dir_perms;
 can_exec($2,$1_home_t)
 ')
@@ -2069,7 +2088,7 @@ template(`userdom_manage_user_home_content_files',`
 ')
 files_search_home($2)
- allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_dir_t:dir search_dir_perms;
 allow $2 $1_home_t:dir rw_dir_perms;
 allow $2 $1_home_t:file create_file_perms;
 ')
@@ -2142,7 +2161,7 @@ template(`userdom_manage_user_home_content_symlinks',`
 ')
 files_search_home($2)
- allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_dir_t:dir search_dir_perms;
 allow $2 $1_home_t:dir rw_dir_perms;
 allow $2 $1_home_t:lnk_file create_lnk_perms;
 ')
@@ -2180,7 +2199,7 @@ template(`userdom_manage_user_home_content_pipes',`
 ')
 files_search_home($2)
- allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_dir_t:dir search_dir_perms;
 allow $2 $1_home_t:dir rw_dir_perms;
 allow $2 $1_home_t:fifo_file create_file_perms;
 ')
@@ -2218,7 +2237,7 @@ template(`userdom_manage_user_home_content_sockets',`
 ')
 files_search_home($2)
- allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_dir_t:dir search_dir_perms;
 allow $2 $1_home_t:dir rw_dir_perms;
 allow $2 $1_home_t:sock_file create_file_perms;
 ')
@@ -3977,7 +3996,7 @@ interface(`userdom_search_staff_home_dirs',`
 ')
 files_search_home($1)
- allow $1 staff_home_dir_t:dir search;
+ allow $1 staff_home_dir_t:dir search_dir_perms;
 ')
 ########################################
@@ -3996,7 +4015,7 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
 type staff_home_dir_t;
 ')
- dontaudit $1 staff_home_dir_t:dir search;
+ dontaudit $1 staff_home_dir_t:dir search_dir_perms;
 ')
 ########################################
@@ -4025,6 +4044,29 @@ interface(`userdom_manage_staff_home_dirs',`
 ########################################
 ##
+## Relabel to staff home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_relabelto_staff_home_dirs',`
+ ifdef(`targeted_policy',`
+ userdom_relabelto_generic_user_home_dirs($1)
+ ',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 staff_home_dir_t:dir relabelto;
+ ')
+')
+
+########################################
+##
 ## Do not audit attempts to append to the staff
 ## users home directory.
 ##
@@ -4343,7 +4385,7 @@ interface(`userdom_search_sysadm_home_dirs',`
 type sysadm_home_dir_t;
 ')
- allow $1 sysadm_home_dir_t:dir search;
+ allow $1 sysadm_home_dir_t:dir search_dir_perms;
 ')
 ########################################
@@ -4858,7 +4900,7 @@ interface(`userdom_dontaudit_search_generic_user_home_dirs',`
 type user_home_t;
 ')
- dontaudit $1 user_home_t:dir search;
+ dontaudit $1 user_home_t:dir search_dir_perms;
 ')
 ########################################
@@ -4905,6 +4947,25 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
 ########################################
 ##
+## Relabel to staff home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_relabelto_generic_user_home_dirs',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_dir_t:dir relabelto;
+')
+
+########################################
+##
 ## Read files in generic user home directories.
 ##
 ##
@@ -4926,6 +4987,26 @@ interface(`userdom_read_generic_user_home_content_files',`
 ########################################
 ##
+## Mmap of generic user
+## home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_mmap_generic_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_t:file execute;
+')
+
+########################################
+##
 ## Create, read, write, and delete files
 ## in generic user home directories.
 ##
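Review bot: In the `@@ -4905,6 +4947,25 @@` hunk, `userdom_relabelto_generic_user_home_dirs` requires `type staff_home_dir_t;` but the rule it emits is `allow $1 user_home_dir_t:dir relabelto;`, so the gen_require block does not declare the type the interface actually uses and pulls in an unrelated one; it should read `type user_home_dir_t;`. The summary `## Relabel to staff home directories.` was carried over from the staff interface in the previous hunk and should say `## Relabel to generic user home directories.`. In the following `@@ -4926,6 +4987,26 @@` hunk, `userdom_mmap_generic_user_home_content_files` grants `user_home_t:file execute` alone; if callers are expected to obtain read access through a separate interface, a comment saying so would keep the rule from being widened by the next person who hits a denial.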
@@ -4948,6 +5029,25 @@ interface(`userdom_manage_generic_user_home_content_files',`
 ########################################
 ##
+## Do not audit attempts to relabel generic user
+## home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_dontaudit_relabel_generic_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file { relabelto relabelfrom };
+')
+
+########################################
+##
 ## Create, read, write, and delete symbolic
 ## links in generic user home directories.
 ##
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 865fd42..0b6b653 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,2.0.3)
+policy_module(userdomain,2.0.4)
 gen_require(`
 role sysadm_r, staff_r, user_r;
@@ -155,8 +155,14 @@ ifdef(`strict_policy',`
 init_exec(secadm_t)
 logging_read_audit_log(secadm_t)
 logging_read_generic_logs(secadm_t)
+ logging_read_audit_config(secadm_t)
 userdom_dontaudit_append_staff_home_content_files(secadm_t)
 userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+
+ optional_policy(`
+ aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ ')
+
 optional_policy(`
 netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
 ')
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
index 83a9755..be99029 100644
--- a/policy/modules/system/xen.fc
+++ b/policy/modules/system/xen.fc
@@ -8,6 +8,7 @@
 /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
 /var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
 /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
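Review bot: In the `@@ -4948,6 +5029,25 @@` hunk, the parameter description of `userdom_dontaudit_relabel_generic_user_home_content_files` says `## Domain allowed access.`, but the interface only emits a `dontaudit` rule and grants nothing. The `unconfined_dontaudit_rw_pipes` interface added earlier in this same commit uses `## Domain to not audit.`, which is the wording to copy here.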
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 032eb7b..7d7f4bf 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.1.1)
+policy_module(xen,1.1.2)
 ########################################
 #
@@ -86,8 +86,8 @@ allow xend_t self:netlink_route_socket r_netlink_socket_perms;
 allow xend_t self:tcp_socket create_stream_socket_perms;
 allow xend_t self:packet_socket create_socket_perms;
-allow xend_t xen_image_t:dir r_dir_perms;
-allow xend_t xen_image_t:file rw_file_perms;
+allow xend_t xen_image_t:dir manage_dir_perms;
+allow xend_t xen_image_t:file manage_file_perms;
 allow xend_t xen_image_t:blk_file rw_file_perms;
 allow xend_t xenctl_t:fifo_file create_file_perms;
@@ -143,8 +143,10 @@ corenet_tcp_bind_soundd_port(xend_t)
 corenet_tcp_bind_generic_port(xend_t)
 corenet_tcp_bind_vnc_port(xend_t)
 corenet_tcp_connect_xserver_port(xend_t)
+corenet_tcp_connect_xen_port(xend_t)
 corenet_sendrecv_xserver_client_packets(xend_t)
 corenet_sendrecv_xen_server_packets(xend_t)
+corenet_sendrecv_xen_client_packets(xend_t)
 corenet_sendrecv_soundd_server_packets(xend_t)
 corenet_rw_tun_tap_dev(xend_t)
@@ -152,6 +154,7 @@ dev_read_urand(xend_t)
 dev_manage_xen(xend_t)
 dev_filetrans_xen(xend_t)
 dev_rw_sysfs(xend_t)
+dev_rw_xen(xend_t)
 domain_read_all_domains_state(xend_t)
 domain_dontaudit_read_all_domains_state(xend_t)
@@ -232,6 +235,10 @@ kernel_read_kernel_sysctls(xenconsoled_t)
 kernel_write_xen_state(xenconsoled_t)
 kernel_read_xen_state(xenconsoled_t)
+dev_manage_xen(xenconsoled_t)
+dev_filetrans_xen(xenconsoled_t)
+dev_rw_sysfs(xenconsoled_t)
+
 domain_dontaudit_ptrace_all_domains(xenconsoled_t)
 files_read_usr_files(xenconsoled_t)
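Review bot: In the `@@ -152,6 +154,7 @@` hunk, `dev_rw_xen(xend_t)` is added three lines below the existing `dev_manage_xen(xend_t)`; if the manage interface grants the read/write set on the same xen device nodes, as its name suggests, the new line is redundant and only adds noise. If the two interfaces cover different object classes in this tree's dev module, a short comment on the new line naming that difference would justify keeping both.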
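Review bot: In the `@@ -232,6 +235,10 @@` hunk, xenconsoled_t receives `dev_manage_xen`, `dev_filetrans_xen` and `dev_rw_sysfs`, the same device-management set xend_t has, which is a lot for a console daemon whose other rules here are xen-state reads and writes; the hunk does not say which node it creates or relabels. A comment recording the denial that motivated this would let a later reviewer judge whether `dev_rw_xen` alone would serve: `# xenconsoled creates <xen device node — TODO name it> under /dev`.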