diff --git a/refpolicy/policy/modules/admin/rpm.fc b/refpolicy/policy/modules/admin/rpm.fc index 37e4561..7bbff29 100644 --- a/refpolicy/policy/modules/admin/rpm.fc +++ b/refpolicy/policy/modules/admin/rpm.fc @@ -30,3 +30,7 @@ ifdef(`distro_suse', ` /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) ') + +ifdef(`enable_mls',` +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) +') diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index 2b1a7c5..6b99dec 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -87,6 +87,7 @@ template(`su_per_userdomain_template',` auth_domtrans_user_chk_passwd($1_su_t,$1) auth_dontaudit_read_shadow($1_su_t) + auth_use_nsswitch($1_su_t) domain_wide_inherit_fd($1_su_t) @@ -109,8 +110,7 @@ template(`su_per_userdomain_template',` userdom_use_user_terminals($1,$1_su_t) - if(secure_mode) - { + if(secure_mode) { # Only allow transitions to unprivileged user domains. userdom_spec_domtrans_unpriv_users($1_su_t) } else { @@ -134,10 +134,6 @@ template(`su_per_userdomain_template',` kerberos_use($1_su_t) ') - optional_policy(`nis.te',` - nis_use_ypbind($1_su_t) - ') - optional_policy(`nscd.te',` nscd_use_socket($1_su_t) ') diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if index 0509092..f202e08 100644 --- a/refpolicy/policy/modules/admin/sudo.if +++ b/refpolicy/policy/modules/admin/sudo.if 
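Review bot: Labeling `/sbin/cpio` as rpm_exec_t makes a general-purpose archiver an entry point into the rpm_t domain for every domain that has a domain transition on rpm_exec_t, not just the rpm tooling, and the `ifdef(`enable_mls'` guard gives no hint which caller needs this in MLS builds. An entry like this should carry a comment naming the reason, e.g. `# MLS: cpio must run in the rpm domain because <CALLER — fill in>`, so a later reviewer can tell whether the extra entry point is still required. Since cpio is used by many non-rpm programs, confirm that only domains meant to reach rpm_t have a transition on rpm_exec_t.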
@@ -59,14 +59,15 @@ template(`sudo_per_userdomain_template',` allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; allow $1_sudo_t self:fifo_file rw_file_perms; - allow $1_sudo_t self:unix_dgram_socket create_socket_perms; - allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; - allow $1_sudo_t self:unix_dgram_socket sendto; - allow $1_sudo_t self:unix_stream_socket connectto; allow $1_sudo_t self:shm create_shm_perms; allow $1_sudo_t self:sem create_sem_perms; allow $1_sudo_t self:msgq create_msgq_perms; allow $1_sudo_t self:msg { send receive }; + allow $1_sudo_t self:unix_dgram_socket create_socket_perms; + allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; + allow $1_sudo_t self:unix_dgram_socket sendto; + allow $1_sudo_t self:unix_stream_socket connectto; + allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; # Enter this derived domain from the user domain domain_auto_trans($2, sudo_exec_t, $1_sudo_t) diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 6e63f7a..58d5924 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -425,6 +425,24 @@ interface(`kernel_search_debugfs',` ######################################## ## +## Read information from the debugging filesystem. +## +## +## Domain allowed access. +## +# +interface(`kernel_read_debugfs',` + gen_require(` + type debugfs_t; + ') + + allow $1 debugfs_t:dir r_file_perms; + allow $1 debugfs_t:file r_file_perms; + allow $1 debugfs_t:lnk_file { getattr read }; +') + +######################################## +## ## Get the attributes of the proc filesystem. ## ## @@ -504,9 +522,6 @@ interface(`kernel_read_proc_symlinks',` interface(`kernel_read_system_state',` gen_require(` type proc_t; - class dir r_dir_perms; - class lnk_file { getattr read }; - class file r_file_perms; ') allow $1 proc_t:dir r_dir_perms; 
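Review bot: The new `allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };` grants more than emitting audit records: `nlmsg_read` lets the sudo domain query the audit subsystem's status and rules, and the hunk does not say which of these sudo actually uses. The identical line is added for newrole_t in selinuxutil.te further down in this diff; if both genuinely need the whole set, a single interface in the logging module that both call would keep them in sync, otherwise drop `nlmsg_read` and add a comment such as `# audit: sudo logs its decisions via the audit netlink socket`. The reordering of the unix socket rules above it is cosmetic. The template continues outside the hunk.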
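Review bot: `allow $1 debugfs_t:dir r_file_perms;` in the new `kernel_read_debugfs` interface applies the file permission set to a directory, so the caller gets no `search` on debugfs directories and cannot traverse to the files the next line lets it read. It should read `allow $1 debugfs_t:dir r_dir_perms;`, matching `kernel_read_system_state` below, which uses r_dir_perms on proc_t. This matters for modutils.te later in this diff, where `kernel_search_debugfs(insmod_t)` is replaced by `kernel_read_debugfs(insmod_t)`: as written, insmod_t loses the search permission it previously had.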
@@ -516,6 +531,27 @@ interface(`kernel_read_system_state',` ######################################## ## +## Write to generic proc entries. +## +## +## Domain allowed access. +## +# +# cjp: this should probably go away. any +# file thats writable in proc should really +# have its own label. +# +interface(`kernel_write_proc_file',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:dir search; + allow $1 proc_t:file write; +') + +######################################## +## ## Do not audit attempts by caller to ## read system state information in proc. ## diff --git a/refpolicy/policy/modules/kernel/terminal.fc b/refpolicy/policy/modules/kernel/terminal.fc index 49dafec..e43d08c 100644 --- a/refpolicy/policy/modules/kernel/terminal.fc +++ b/refpolicy/policy/modules/kernel/terminal.fc @@ -11,6 +11,7 @@ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) +/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te index b853c52..4760266 100644 --- a/refpolicy/policy/modules/services/bind.te +++ b/refpolicy/policy/modules/services/bind.te @@ -21,6 +21,7 @@ init_system_domain(named_t,named_checkconf_exec_t) # A type for configuration files of named. type named_conf_t; files_type(named_conf_t) +files_mountpoint(named_conf_t) # for secondary zone files type named_cache_t; 
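Review bot: `kernel_write_proc_file` grants `proc_t:file write` on every file in /proc that carries no more specific label, and the cjp comment already says the interface should go away; its only caller in this diff, `kernel_write_proc_file(hald_t)` in hal.te, gives no hint which file hald writes. Record the target at the call site, e.g. `# hald writes /proc/<FILE — fill in>; replace with a dedicated type`, so the generic write can be narrowed to a labelled file later, and say in the interface summary that it is transitional so new callers do not adopt it.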
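Review bot: `files_mountpoint(named_conf_t)` turns a configuration-file type into a permitted mount target with no comment on which mount is expected; presumably configuration is bind-mounted into the named chroot, but that is a guess from here. A one-line comment such as `# named_conf_t is a mountpoint: config is bind-mounted into the chroot (TODO: confirm)` would record the intent and let a reader judge later whether the permission is still needed.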
@@ -149,6 +150,17 @@ ifdef(`targeted_policy',` #dontaudit ndc_t unlabeled_t:file { getattr read }; ') +optional_policy(`dbus.te',` + gen_require(` + class dbus send_msg; + ') + + allow named_t self:dbus send_msg; + dbus_system_bus_client_template(named,named_t) + dbus_connect_system_bus(named_t) + dbus_send_system_bus_msg(named_t) +') + optional_policy(`nis.te',` nis_use_ypbind(named_t) ') diff --git a/refpolicy/policy/modules/services/bluetooth.fc b/refpolicy/policy/modules/services/bluetooth.fc index f61784d..611008a 100644 --- a/refpolicy/policy/modules/services/bluetooth.fc +++ b/refpolicy/policy/modules/services/bluetooth.fc @@ -2,10 +2,12 @@ # /etc # /etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) +/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0) # # /usr # +/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) @@ -16,4 +18,5 @@ # # /var # +/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index 0c237cc..68478f7 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te 
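Review bot: `allow named_t self:dbus send_msg;` next to `dbus_system_bus_client_template(named,named_t)` looks redundant if the template already grants the self dbus rule, and the `gen_require` for `class dbus send_msg` in a .te file is unusual since the other optional_policy blocks in this diff do not require classes. Nothing in the block says what named does over the system bus; a comment such as `# D-Bus use by named: <PURPOSE — fill in>` would justify the three dbus interface calls. If the template covers the self rule, drop the explicit allow and the gen_require.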
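Review bot: `/usr/bin/blue.*pin` labels as a helper entry point any regular file whose name starts with `blue` and ends with `pin` anywhere below /usr/bin, because `.` in a file context regex also matches `/`; `/usr/bin/blue[^/]*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)` restricts it to that directory. `/etc/bluetooth/link_key` also lacks the `--` type specifier its neighbours use; since that file holds the pairing link keys and bluetooth.te gives bluetooth_t create_file_perms on its label, the entry should be as exact as possible.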
@@ -12,31 +12,53 @@ init_daemon_domain(bluetooth_t,bluetooth_exec_t) type bluetooth_conf_t; files_type(bluetooth_conf_t) +type bluetooth_conf_rw_t; +files_type(bluetooth_conf_rw_t) + +type bluetooth_helper_t; +type bluetooth_helper_exec_t; +domain_type(bluetooth_helper_t) +domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t) +role system_r types bluetooth_helper_t; + type bluetooth_lock_t; files_lock_file(bluetooth_lock_t) type bluetooth_tmp_t; files_tmp_file(bluetooth_tmp_t) +type bluetooth_var_lib_t; +files_type(bluetooth_var_lib_t) + type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) ######################################## # -# Local policy +# Bluetooth services local policy # + allow bluetooth_t self:capability { net_admin net_raw sys_tty_config }; dontaudit bluetooth_t self:capability sys_tty_config; -allow bluetooth_t self:process signal_perms; +allow bluetooth_t self:process { getsched signal_perms }; +allow bluetooth_t self:fifo_file rw_file_perms; +allow bluetooth_t self:shm create_shm_perms; allow bluetooth_t self:socket create_stream_socket_perms; allow bluetooth_t self:unix_dgram_socket create_socket_perms; allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect }; allow bluetooth_t self:udp_socket create_socket_perms; -allow bluetooth_t bluetooth_conf_t:dir search; +allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms; allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl }; +allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms; +allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms; +allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms; +allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms; +allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms; +type_transition bluetooth_t bluetooth_conf_t:{ file lnk_file sock_file fifo_file } bluetooth_conf_rw_t; + allow bluetooth_t bluetooth_lock_t:file 
create_file_perms; files_create_lock(bluetooth_t,bluetooth_lock_t) @@ -44,14 +66,17 @@ allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms; allow bluetooth_t bluetooth_tmp_t:file create_file_perms; files_create_tmp_files(bluetooth_t, bluetooth_tmp_t, { file dir }) +allow bluetooth_t bluetooth_var_lib_t:file create_file_perms; +allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms; +files_create_var_lib(bluetooth_t,bluetooth_var_lib_t) + allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms; allow bluetooth_t bluetooth_var_run_t:file create_file_perms; allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms; files_create_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file }) kernel_read_kernel_sysctl(bluetooth_t) -kernel_list_proc(bluetooth_t) -kernel_read_proc_symlinks(bluetooth_t) +kernel_read_system_state(bluetooth_t) corenet_tcp_sendrecv_all_if(bluetooth_t) corenet_udp_sendrecv_all_if(bluetooth_t) @@ -66,16 +91,24 @@ corenet_udp_sendrecv_all_ports(bluetooth_t) dev_read_sysfs(bluetooth_t) dev_rw_usbfs(bluetooth_t) +dev_read_urand(bluetooth_t) fs_getattr_all_fs(bluetooth_t) fs_search_auto_mountpoints(bluetooth_t) term_dontaudit_use_console(bluetooth_t) +#Handle bluetooth serial devices +term_use_unallocated_tty(bluetooth_t) corecmd_exec_bin(bluetooth_t) +corecmd_exec_shell(bluetooth_t) domain_use_wide_inherit_fd(bluetooth_t) +files_read_etc_files(bluetooth_t) +files_read_etc_runtime_files(bluetooth_t) +files_read_usr_files(bluetooth_t) + init_use_fd(bluetooth_t) init_use_script_pty(bluetooth_t) @@ -85,6 +118,7 @@ libs_use_shared_libs(bluetooth_t) logging_send_syslog_msg(bluetooth_t) miscfiles_read_localization(bluetooth_t) +miscfiles_read_fonts(bluetooth_t) sysnet_read_config(bluetooth_t) 
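Review bot: The new `bluetooth_conf_rw_t` type, `allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;` and the `type_transition bluetooth_t bluetooth_conf_t:{ file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;` let the daemon create files, symlinks, sockets and fifos in /etc/bluetooth, but nothing says what it writes beyond the link_key file labelled in bluetooth.fc. Add a comment above the type declaration, e.g. `# link keys and other files hcid rewrites under /etc/bluetooth`, and if only regular files are written, drop `lnk_file sock_file fifo_file` from the transition together with the `create_lnk_perms` rule, since a daemon able to create symlinks in a config directory is a wider grant than the feature needs.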
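Review bot: `corecmd_exec_shell(bluetooth_t)` is added without a comment, unlike `term_use_unallocated_tty` just above it; a daemon that may run a shell can run arbitrary scripts, so the reason belongs next to it, e.g. `# hcid starts its pin helper through a shell (TODO: confirm)`. `dev_read_urand(bluetooth_t)` and, in the following hunk, `miscfiles_read_fonts(bluetooth_t)` likewise lack justification, and font access for a daemon suggests a GUI helper currently running in the daemon's own domain rather than in the new bluetooth_helper_t.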
@@ -119,4 +153,73 @@ ifdef(`TODO',` optional_policy(`rhgb.te',` rhgb_domain(bluetooth_t) ') +') dnl end TOOD + +######################################## +# +# Bluetooth helper local policy +# + +allow bluetooth_helper_t self:capability sys_nice; +allow bluetooth_helper_t self:fifo_file rw_file_perms; +allow bluetooth_helper_t self:shm create_shm_perms; +allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms; + +allow bluetooth_helper_t bluetooth_t:socket { read write }; + +kernel_read_system_state(bluetooth_helper_t) +kernel_read_kernel_sysctl(bluetooth_helper_t) + +term_dontaudit_use_all_user_ttys(bluetooth_helper_t) + +corecmd_exec_bin(bluetooth_helper_t) +corecmd_exec_shell(bluetooth_helper_t) + +domain_read_all_domains_state(bluetooth_helper_t) + +files_read_etc_files(bluetooth_helper_t) +files_read_etc_runtime_files(bluetooth_helper_t) +files_read_usr_files(bluetooth_helper_t) +files_dontaudit_list_default(bluetooth_helper_t) + +libs_use_ld_so(bluetooth_helper_t) +libs_use_shared_libs(bluetooth_helper_t) + +miscfiles_read_localization(bluetooth_helper_t) +miscfiles_read_fonts(bluetooth_helper_t) + +optional_policy(`nscd.te',` + nscd_use_socket(bluetooth_helper_t) +') + +ifdef(`TODO',` +domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t) + +# a "run" interface needs to be +# added, and have sysadm_t use it +# in a optional_policy block. 
+ +allow bluetooth_helper_t tmp_t:dir search; + +allow bluetooth_helper_t home_dir_type:dir search; + +ifdef(`xserver.te', ` + allow bluetooth_helper_t xserver_log_t:dir search; + allow bluetooth_helper_t xserver_log_t:file { getattr read }; +') + +ifdef(`targeted_policy', ` + allow bluetooth_helper_t tmp_t:sock_file { read write }; + allow bluetooth_helper_t tmpfs_t:file { read write }; + allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto; + allow bluetooth_t unconfined_t:dbus send_msg; + allow unconfined_t bluetooth_t:dbus send_msg; +', ` + ifdef(`xdm.te', ` + allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write }; + ') + + allow bluetooth_t unpriv_userdomain:dbus send_msg; + allow unpriv_userdomain bluetooth_t:dbus send_msg; ') +') dnl end TODO diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 3dc798a..4457dc0 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -51,7 +51,7 @@ files_tmp_file(system_crond_tmp_t) # Cron Local policy # -allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; +allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; @@ -182,6 +182,12 @@ rhgb_domain(crond_t) # crond tries to search /root. Not sure why. allow crond_t sysadm_home_dir_t:dir r_dir_perms; +ifdef(`apache.te',` +allow system_crond_t httpd_modules_t:lnk_file read; +# Needed for certwatch +can_exec(system_crond_t, httpd_modules_t) +') + # to search /home allow crond_t user_home_dir_type:dir r_dir_perms; ') dnl endif TODO 
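Review bot: The only rule that would put a process into bluetooth_helper_t, `domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)`, sits inside the `ifdef(`TODO'` block, and the active rules never let bluetooth_t execute bluetooth_helper_exec_t at all, so the helper domain is declared but unreachable and hcid's attempt to run the pin helper will be denied. Either move the transition out of TODO (the run interface the comment asks for can follow separately) or mark the helper type declarations as pending with a comment. `domain_read_all_domains_state(bluetooth_helper_t)` is also broad for a PIN prompt and should carry a comment naming what it reads.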
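Review bot: `audit_control` is added to crond_t's capability set without a comment; CAP_AUDIT_CONTROL permits changing audit configuration, not just emitting records, and nothing in this hunk adds the netlink_audit_socket rules that such use would require. If the purpose is setting the login uid for cron jobs, which needs this capability, say so: `# audit_control: needed to set loginuid for jobs (pam_loginuid)`, so the next reader knows the capability is not there for audit rule changes.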
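Review bot: The new block uses `ifdef(`apache.te',` where the rest of this diff expresses cross-module dependencies as `optional_policy(`apache.te',` (see the dbus block in bind.te and the nis and mount blocks in mysql.te), and it references `httpd_modules_t` directly instead of through an apache interface. It is inside the `ifdef(`TODO'` region (the `') dnl endif TODO` is visible below), so it is inactive as committed; when it is taken out of TODO it should be rewritten as an optional_policy block calling an apache interface, with the `# Needed for certwatch` comment kept.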
diff --git a/refpolicy/policy/modules/services/dhcp.fc b/refpolicy/policy/modules/services/dhcp.fc index c7a11b2..4d40b6b 100644 --- a/refpolicy/policy/modules/services/dhcp.fc +++ b/refpolicy/policy/modules/services/dhcp.fc @@ -1,6 +1,7 @@ /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) +/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) /var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/ftp.fc b/refpolicy/policy/modules/services/ftp.fc index f5b01d9..926bef8 100644 --- a/refpolicy/policy/modules/services/ftp.fc +++ b/refpolicy/policy/modules/services/ftp.fc @@ -22,5 +22,6 @@ /var/run/proftpd/proftpd\.scoreboard -- gen_context(system_u:object_r:ftpd_var_run_t,s0) /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) +/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index 32eda81..fb89452 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te @@ -133,11 +133,15 @@ tunable_policy(`allow_ftpd_anon_write',` tunable_policy(`ftp_home_dir',` # allow access to /home - files_getattr_home_dir(ftpd_t) + files_list_home(ftpd_t) userdom_read_all_user_files(ftpd_t) userdom_manage_all_user_dirs(ftpd_t) userdom_manage_all_user_files(ftpd_t) userdom_manage_all_user_symlinks(ftpd_t) + + ifdef(`targeted_policy',` + userdom_create_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file }) + ') ') tunable_policy(`ftpd_is_daemon',` 
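Review bot: `userdom_create_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })` lets ftpd create sockets and fifos in user home directories whenever `ftp_home_dir` is on; an FTP server creates directories and regular files (symlinks at most), so `{ dir file }` would cover the feature with less exposure. `files_list_home(ftpd_t)` replacing `files_getattr_home_dir` also moves from stat to listing /home, which deserves a comment stating why the listing is required.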
@@ -198,4 +202,13 @@ ifdef(`TODO',` optional_policy(`rhgb.te',` rhgb_domain(ftpd_t) ') + +# cjp: this was in base user macro, but we cannot +# use typeattribute ftpd_t privhome; interface +# since typeattribute doesnt work in conditionals +ifdef(`ftpd.te' , ` +if (ftpd_is_daemon) { +file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) +} +') ') diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 0eff9fd..edbd64b 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -42,6 +42,7 @@ files_create_pid(hald_t,hald_var_run_t) kernel_read_system_state(hald_t) kernel_read_network_state(hald_t) kernel_read_kernel_sysctl(hald_t) +kernel_write_proc_file(hald_t) corenet_tcp_sendrecv_all_if(hald_t) corenet_raw_sendrecv_all_if(hald_t) diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te index 49f0f9e..80d986a 100644 --- a/refpolicy/policy/modules/services/mysql.te +++ b/refpolicy/policy/modules/services/mysql.te @@ -37,7 +37,7 @@ allow mysqld_t self:fifo_file { read write }; allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; allow mysqld_t self:unix_stream_socket create_stream_socket_perms; allow mysqld_t self:tcp_socket create_stream_socket_perms; -allow mysqld_t self:tcp_socket connected_socket_perms; +allow mysqld_t self:udp_socket create_socket_perms; allow mysqld_t mysqld_db_t:dir create_dir_perms; allow mysqld_t mysqld_db_t:file create_file_perms; 
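Review bot: `file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)` uses `$1` in a .te file, where no template argument exists to expand it, and the surrounding `ifdef(`ftpd.te'` tests for the very file being compiled; both are inside the `ifdef(`TODO'` block so nothing is active, but the block cannot be enabled as written. The same `$1_login_t` pattern is added inside TODO blocks in remotelogin.te and locallogin.te (`domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)`), where `remote_login_t` and `local_login_t` are meant. Replacing the placeholders with the concrete types now (here via a userdom interface, as the cjp comment itself suggests) avoids carrying rules that silently never apply.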
@@ -62,11 +62,15 @@ kernel_read_proc_symlinks(mysqld_t) kernel_read_system_state(mysqld_t) corenet_tcp_sendrecv_all_if(mysqld_t) +corenet_udp_sendrecv_all_if(mysqld_t) corenet_raw_sendrecv_all_if(mysqld_t) corenet_tcp_sendrecv_all_nodes(mysqld_t) +corenet_udp_sendrecv_all_nodes(mysqld_t) corenet_raw_sendrecv_all_nodes(mysqld_t) corenet_tcp_sendrecv_all_ports(mysqld_t) +corenet_udp_sendrecv_all_ports(mysqld_t) corenet_tcp_bind_all_nodes(mysqld_t) +corenet_udp_bind_all_nodes(mysqld_t) corenet_tcp_bind_mysqld_port(mysqld_t) corenet_tcp_connect_mysqld_port(mysqld_t) @@ -110,6 +114,10 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_file(mysqld_t) ') +optional_policy(`mount.te',` + mount_send_nfs_client_request(mysqld_t) +') + optional_policy(`nis.te',` nis_use_ypbind(mysqld_t) ') diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if index 6a4c53d..8c9428a 100644 --- a/refpolicy/policy/modules/services/nis.if +++ b/refpolicy/policy/modules/services/nis.if @@ -121,6 +121,22 @@ interface(`nis_use_ypbind',` ######################################## ## +## Send generic signals to ypbind. +## +## +## The type of the process performing this action. +## +# +interface(`nis_signal_ypbind',` + gen_require(` + type ypbind_t; + ') + + allow $1 ypbind_t:process signal; +') + +######################################## +## ## Send UDP network traffic to NIS clients. ## ## @@ -129,7 +145,7 @@ interface(`nis_use_ypbind',` # interface(`nis_list_var_yp',` gen_require(` - type ypbind_t; + type var_yp_t; ') files_search_var($1) diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index 0aa6e98..91f1140 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te 
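Review bot: The UDP rules added here (`corenet_udp_sendrecv_all_if/nodes/ports`, `corenet_udp_bind_all_nodes`) and the `self:udp_socket create_socket_perms` rule in the previous hunk let mysqld bind and exchange UDP traffic on every node and port with no comment on why a TCP-only database needs it. The `mount_send_nfs_client_request(mysqld_t)` added in the next hunk hints at a data directory on NFS; if that is the reason, say so, e.g. `# UDP for NFS/portmap when the datadir is on NFS (TODO: confirm)`, and restrict binding to the ports actually used rather than all ports.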
@@ -69,6 +69,7 @@ auth_rw_lastlog(remote_login_t) auth_rw_faillog(remote_login_t) auth_exec_pam(remote_login_t) auth_manage_pam_console_data(remote_login_t) +auth_domtrans_pam_console(remote_login_t) corecmd_list_bin(remote_login_t) corecmd_list_sbin(remote_login_t) @@ -170,6 +171,10 @@ optional_policy(`remotelogin.te',` # Login can polyinstantiate polyinstantiater(remote_login_t) +ifdef(`alsa.te', ` +domain_auto_trans($1_login_t, alsa_exec_t, alsa_t) +') + allow remote_login_t userpty_type:chr_file { setattr write }; allow remote_login_t ptyfile:chr_file { getattr ioctl }; diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc index ef74be1..cdfb1f4 100644 --- a/refpolicy/policy/modules/system/corecommands.fc +++ b/refpolicy/policy/modules/system/corecommands.fc @@ -110,3 +110,5 @@ ifdef(`distro_suse',` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/ftp/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0) + +/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 8fe9c87..d6db068 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -20,8 +20,13 @@ ## ######################################## -# -# files_type(type) +## +## Make the specified type usable for files +## in a filesystem. +## +## +## Type to be used for files. +## # interface(`files_type',` gen_require(` @@ -221,6 +226,9 @@ interface(`files_tmpfs_file',` ## Domain allowed access. ## # +# cjp: this is an odd interface, because to getattr +# all dirs, you need to search all the parent directories +# interface(`files_getattr_all_dirs',` gen_require(` attribute file_type; 
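Review bot: `/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)` is appended after the `/var/ftp/bin` entries rather than with the other `/usr/lib` entries, and the hunk header's `ifdef(`distro_suse',` context leaves it unclear from here whether the suse block is already closed above it; if it is not, the entry becomes SUSE-only. Moving it into the /usr/lib section of the file removes the doubt and keeps the file sorted by path.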
@@ -250,6 +258,22 @@ interface(`files_dontaudit_getattr_all_dirs',` ######################################## ## +## Search all directories. +## +## +## Domain allowed access. +## +# +interface(`files_search_all',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir { getattr search }; +') + +######################################## +## ## List the contents of all directories. ## ## diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te index 635e6c5..5a92e15 100644 --- a/refpolicy/policy/modules/system/fstools.te +++ b/refpolicy/policy/modules/system/fstools.te @@ -112,6 +112,8 @@ files_rw_isid_type_dir(fsadm_t) files_rw_isid_type_blk_node(fsadm_t) # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) +# for tune2fs +files_search_all(fsadm_t) init_use_fd(fsadm_t) init_use_script_pty(fsadm_t) diff --git a/refpolicy/policy/modules/system/ipsec.fc b/refpolicy/policy/modules/system/ipsec.fc index ffe8566..f0aa1f1 100644 --- a/refpolicy/policy/modules/system/ipsec.fc +++ b/refpolicy/policy/modules/system/ipsec.fc @@ -29,4 +29,6 @@ /usr/sbin/racoon -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) + /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 554404c..78267cd 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -113,6 +113,7 @@ auth_rw_lastlog(local_login_t) auth_rw_faillog(local_login_t) auth_exec_pam(local_login_t) auth_manage_pam_console_data(local_login_t) +auth_domtrans_pam_console(local_login_t) corecmd_list_bin(local_login_t) corecmd_list_sbin(local_login_t) 
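Review bot: `files_search_all` grants `dir { getattr search }` on the whole `file_type` attribute, so a caller can traverse into every labelled directory, including ones other modules deliberately keep out of reach; the summary should say that, and the name departs from the neighbouring pattern (`files_getattr_all_dirs`, `files_dontaudit_getattr_all_dirs`), where `files_search_all_dirs` would be consistent. The only caller, fstools.te, comments just `# for tune2fs`; stating which path tune2fs presumably traverses would let a narrower interface replace this later.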
@@ -221,6 +222,10 @@ optional_policy(`locallogin.te',` ') # Login can polyinstantiate polyinstantiater(local_login_t) + +ifdef(`alsa.te', ` +domain_auto_trans($1_login_t, alsa_exec_t, alsa_t) +') ') dnl endif TODO ################################# diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc index 5327fda..92c7e5c 100644 --- a/refpolicy/policy/modules/system/miscfiles.fc +++ b/refpolicy/policy/modules/system/miscfiles.fc @@ -30,6 +30,7 @@ /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +/usr/share/hwdata(/.*)? gen_context(system_u:object_r:hwdata_t,s0) /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index f8652d9..9959852 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -53,7 +53,7 @@ can_exec(insmod_t, insmod_exec_t) kernel_load_module(insmod_t) kernel_read_system_state(insmod_t) kernel_mount_debugfs(insmod_t) -kernel_search_debugfs(insmod_t) +kernel_read_debugfs(insmod_t) # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctl(insmod_t) kernel_rw_kernel_sysctl(insmod_t) diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 4afa29b..0006949 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te 
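Review bot: The new `/usr/share/hwdata(/.*)?` entry labels files `hwdata_t`, but this diff adds no `type hwdata_t;` declaration to miscfiles.te and the hunk does not show one existing; if the type is not already declared, the file context refers to an undefined type and relabeling will fail on it. Confirm the declaration exists (together with a read interface, since callers such as bluetooth.te's hwdata consumers would need one) before this entry is merged.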
@@ -188,12 +188,13 @@ allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit allow newrole_t self:process setexec; allow newrole_t self:fd use; allow newrole_t self:fifo_file rw_file_perms; -allow newrole_t self:unix_dgram_socket sendto; -allow newrole_t self:unix_stream_socket connectto; allow newrole_t self:shm create_shm_perms; allow newrole_t self:sem create_sem_perms; allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; +allow newrole_t self:unix_dgram_socket sendto; +allow newrole_t self:unix_stream_socket connectto; +allow newrole_t self:netlink_audit_socket { create bind write nlmsg_read read }; allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms; allow newrole_t { selinux_config_t default_context_t }:file r_file_perms; @@ -287,6 +288,7 @@ kernel_read_system_state(restorecon_t) dev_rw_generic_file(restorecon_t) fs_getattr_xattr_fs(restorecon_t) +fs_search_auto_mountpoints(restorecon_t) mls_file_read_up(restorecon_t) mls_file_write_down(restorecon_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc index fe1511a..4511dc4 100644 --- a/refpolicy/policy/modules/system/sysnetwork.fc +++ b/refpolicy/policy/modules/system/sysnetwork.fc @@ -21,6 +21,7 @@ # /sbin # /sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0) +/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 
@@ -45,5 +46,6 @@ /var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0) /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) +/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) /var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) /var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 9cac143..df4f089 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -181,6 +181,7 @@ optional_policy(`netutils.te',` optional_policy(`nis.te',` nis_use_ypbind(dhcpc_t) + nis_signal_ypbind(dhcpc_t) # dhclient sometimes starts ypbind init_exec_script(dhcpc_t) #nis_domtrans_ypbind(dhcpc_t) diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 0d885fc..45dafca 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -57,7 +57,7 @@ ifdef(`targeted_policy',` type user_home_t alias { staff_home_t sysadm_home_t }, home_type; files_type(user_home_t) - type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type; + type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type; files_type(user_home_dir_t) unconfined_role(user_r)
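Review bot: Adding `home_type` to `user_home_dir_t` in the targeted policy means every interface written against the `home_type` attribute — for instance the userdom_manage_all_user_* calls used by ftpd earlier in this diff, if they are defined on home_type — now covers the home directory itself rather than only its contents, which widens those grants with no comment here. Add a comment stating the intent, e.g. `# targeted: home dirs carry home_type so domains managing home contents can create in the home dir (TODO: confirm which caller needs this)`, or keep `home_dir_type` as the only attribute and grant directory access explicitly where it is needed.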