diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te index 59e8d3f..f20e41a 100644 --- a/refpolicy/policy/modules/services/apm.te +++ b/refpolicy/policy/modules/services/apm.te @@ -1,5 +1,5 @@ -policy_module(apm,1.0) +policy_module(apm,1.0.1) ######################################## # @@ -138,6 +138,7 @@ libs_use_shared_libs(apmd_t) logging_send_syslog_msg(apmd_t) miscfiles_read_localization(apmd_t) +miscfiles_read_hwdata(apmd_t) modutils_domtrans_insmod(apmd_t) modutils_read_module_conf(apmd_t) @@ -168,7 +169,6 @@ ifdef(`distro_redhat',` ') ',` - # for ifconfig which is run all the time kernel_dontaudit_search_sysctl(apmd_t) ') @@ -195,6 +195,14 @@ optional_policy(`cron',` cron_domtrans_anacron_system_job(apmd_t) ') +optional_policy(`dbus',` + dbus_stub(apmd_t) + + optional_policy(`networkmanager',` + networkmanager_dbus_chat(apmd_t) + ') +') + optional_policy(`logrotate',` logrotate_use_fd(apmd_t) ') @@ -227,7 +235,4 @@ allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append }; optional_policy(`cron',` allow apmd_t crond_t:fifo_file { getattr read write ioctl }; ') - -r_dir_file(apmd_t, hwdata_t) - ') diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if index 7e1359e..3259c6a 100644 --- a/refpolicy/policy/modules/services/dbus.if +++ b/refpolicy/policy/modules/services/dbus.if @@ -1,5 +1,19 @@ ## Desktop messaging bus +######################################## +## +## DBUS stub interface. No access allowed. +## +## +## N/A +## +# +interface(`dbus_stub',` + gen_require(` + type system_dbusd_t; + ') +') + ####################################### ## ## The per user domain template for the dbus module. @@ -173,9 +187,6 @@ template(`dbus_system_bus_client_template',` gen_require(` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t; - class dir search; - class sock_file write; - class unix_stream_socket connectto; class dbus send_msg; ') diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te index 6955ca3..187d09b 100644 --- a/refpolicy/policy/modules/services/dovecot.te +++ b/refpolicy/policy/modules/services/dovecot.te @@ -34,6 +34,7 @@ role system_r types dovecot_auth_t; # # dovecot local policy # + allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; dontaudit dovecot_t self:capability sys_tty_config; allow dovecot_t self:process { setrlimit signal_perms }; @@ -141,6 +142,7 @@ optional_policy(`udev',` # # dovecot auth local policy # + allow dovecot_auth_t self:capability { setgid setuid }; allow dovecot_auth_t self:process signal_perms; allow dovecot_auth_t self:fifo_file rw_file_perms; diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 4234ace..d0c1694 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -137,10 +137,13 @@ optional_policy(`cups',` ') optional_policy(`dbus',` - allow hald_t self:dbus send_msg; dbus_system_bus_client_template(hald,hald_t) dbus_send_system_bus_msg(hald_t) dbus_connect_system_bus(hald_t) + + optional_policy(`networkmanager',` + networkmanager_dbus_chat(hald_t) + ') ') optional_policy(`dmidecode',` diff --git a/refpolicy/policy/modules/services/howl.if b/refpolicy/policy/modules/services/howl.if index 7091f8b..5b0900e 100644 --- a/refpolicy/policy/modules/services/howl.if +++ b/refpolicy/policy/modules/services/howl.if @@ -1 +1,17 @@ ## Port of Apple Rendezvous multicast DNS + +######################################## +## +## Send generic signals to howl. +## +## +## Domain allowed access. +## +# +interface(`howl_signal',` + gen_require(` + type howl_t; + ') + + allow $1 howl_t:process signal; +') diff --git a/refpolicy/policy/modules/services/networkmanager.if b/refpolicy/policy/modules/services/networkmanager.if index 96dbbc6..e07d97d 100644 --- a/refpolicy/policy/modules/services/networkmanager.if +++ b/refpolicy/policy/modules/services/networkmanager.if @@ -1 +1,20 @@ ## Manager for dynamically switching between networks. + +######################################## +## +## Send and receive messages from +## NetworkManager over dbus. +## +## +## Domain allowed access. +## +# +interface(`networkmanager_dbus_chat',` + gen_require(` + type NetworkManager_t; + class dbus send_msg; + ') + + allow $1 NetworkManager_t:dbus send_msg; + allow NetworkManager_t $1:dbus send_msg; +') diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index d70bbea..69472b9 100644 --- a/refpolicy/policy/modules/services/networkmanager.te +++ b/refpolicy/policy/modules/services/networkmanager.te @@ -1,5 +1,5 @@ -policy_module(networkmanager,0.9) +policy_module(networkmanager,1.0.0) ######################################## # @@ -65,6 +65,8 @@ fs_search_auto_mountpoints(NetworkManager_t) mls_file_read_up(NetworkManager_t) +selinux_dontaudit_search_fs(NetworkManager_t) + term_dontaudit_use_console(NetworkManager_t) corecmd_exec_shell(NetworkManager_t) @@ -98,12 +100,16 @@ seutil_read_config(NetworkManager_t) sysnet_domtrans_ifconfig(NetworkManager_t) sysnet_domtrans_dhcpc(NetworkManager_t) sysnet_signal_dhcpc(NetworkManager_t) +sysnet_read_dhcpc_pid(NetworkManager_t) +sysnet_delete_dhcpc_pid(NetworkManager_t) +sysnet_search_dhcp_state(NetworkManager_t) # in /etc created by NetworkManager will be labelled net_conf_t. sysnet_manage_config(NetworkManager_t) sysnet_create_config(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fd(NetworkManager_t) userdom_dontaudit_search_sysadm_home_dir(NetworkManager_t) +userdom_dontaudit_use_unpriv_user_tty(NetworkManager_t) ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(NetworkManager_t) @@ -119,6 +125,16 @@ optional_policy(`consoletype',` consoletype_exec(NetworkManager_t) ') +optional_policy(`dbus',` + dbus_system_bus_client_template(NetworkManager,NetworkManager_t) + dbus_connect_system_bus(NetworkManager_t) + dbus_send_system_bus_msg(NetworkManager_t) +') + +optional_policy(`howl',` + howl_signal(NetworkManager_t) +') + optional_policy(`mount',` mount_send_nfs_client_request(NetworkManager_t) ') @@ -142,48 +158,3 @@ optional_policy(`udev',` optional_policy(`vpn',` vpn_domtrans(NetworkManager_t) ') - -########################################################### -# -# Partially converted rules. THESE ARE ONLY TEMPORARY -# - -optional_policy(`dbus',` - gen_require(` - class dbus send_msg; - ') - - allow NetworkManager_t self:dbus send_msg; - - allow NetworkManager_t userdomain:dbus send_msg; - allow userdomain NetworkManager_t:dbus send_msg; - - allow NetworkManager_t initrc_t:dbus send_msg; - allow initrc_t NetworkManager_t:dbus send_msg; - - allow NetworkManager_t apmd_t:dbus send_msg; - allow apmd_t NetworkManager_t:dbus send_msg; - - dbus_system_bus_client_template(NetworkManager,NetworkManager_t) - dbus_connect_system_bus(NetworkManager_t) - dbus_send_system_bus_msg(NetworkManager_t) - - ifdef(`targeted_policy',` - allow NetworkManager_t unconfined_t:dbus send_msg; - allow unconfined_t NetworkManager_t:dbus send_msg; - ') - - optional_policy(`hal',` - allow NetworkManager_t hald_t:dbus send_msg; - allow hald_t NetworkManager_t:dbus send_msg; - ') -') - -allow NetworkManager_t howl_t:process signal; - -allow NetworkManager_t dhcp_state_t:dir search; -allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink }; - -allow NetworkManager_t var_lib_t:dir search; -dontaudit NetworkManager_t user_ttynode:chr_file { read write }; -dontaudit NetworkManager_t security_t:dir search; diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 73a2f73..2f3e785 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.0) +policy_module(init,1.0.1) gen_require(` class passwd rootok; @@ -497,14 +497,10 @@ optional_policy(`cpucontrol',` optional_policy(`dbus',` dbus_connect_system_bus(initrc_t) dbus_send_system_bus_msg(initrc_t) + dbus_system_bus_client_template(initrc,initrc_t) - # FIXME - allow initrc_t system_dbusd_t:unix_stream_socket connectto; - allow initrc_t system_dbusd_var_run_t:sock_file write; - - ifdef(`targeted_policy',` - allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; - allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; + optional_policy(`networkmanager',` + networkmanager_dbus_chat(initrc_t) ') ') diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 4eca013..7348834 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -57,6 +57,14 @@ ifdef(`targeted_policy',` bluetooth_domtrans_helper(unconfined_t) ') + optional_policy(`dbus',` + dbus_stub(unconfined_t) + + optional_policy(`networkmanager',` + networkmanager_dbus_chat(unconfined_t) + ') + ') + optional_policy(`dmidecode',` dmidecode_domtrans(unconfined_t) ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index b653070..d5aec82 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -310,6 +310,10 @@ template(`base_user_template',` optional_policy(`dbus',` dbus_system_bus_client_template($1,$1_t) + + optional_policy(`networkmanager',` + networkmanager_dbus_chat($1_t) + ') ') optional_policy(`dictd',` @@ -2466,7 +2470,7 @@ interface(`userdom_write_unpriv_user_tmp',` # interface(`userdom_dontaudit_use_unpriv_user_tty',` ifdef(`targeted_policy',` - term_dontaudit_use_generic_pty($1) + term_dontaudit_use_unallocated_tty($1) ',` gen_require(` attribute user_ttynode;