diff --git a/Changelog b/Changelog index 59d75cc..9552a2a 100644 --- a/Changelog +++ b/Changelog @@ -1,4 +1,8 @@ - Enhanced setransd support from Darrel Goeddel. +- Patches from Dan Walsh: + Tue, 24 Oct 2006 +- Added modules: + iscsi (Dan Walsh) * Wed Oct 18 2006 Chris PeBenito - 20061018 - Patch from Russell Coker Thu, 5 Oct 2006 diff --git a/Makefile b/Makefile index 920e128..640b7c4 100644 --- a/Makefile +++ b/Makefile @@ -194,11 +194,6 @@ ifeq "$(DISTRO)" "rhel4" M4PARAM += -D distro_redhat endif -# enable polyinstantiation -ifeq ($(POLY),y) - M4PARAM += -D enable_polyinstantiation -endif - ifneq ($(OUTPUT_POLICY),) CHECKPOLICY += -c $(OUTPUT_POLICY) endif @@ -543,7 +538,6 @@ ifneq "$(DISTRO)" "" endif $(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf - $(verbose) echo "POLY ?= $(POLY)" >> $(headerdir)/build.conf $(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf $(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf $(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf diff --git a/build.conf b/build.conf index 5e721ea..ba35983 100644 --- a/build.conf +++ b/build.conf @@ -42,10 +42,6 @@ DIRECT_INITRC=n # will build a loadable module policy. MONOLITHIC=y -# Polyinstantiation -# Enable polyinstantiated directory support. -POLY=n - # Number of MLS Sensitivities # The sensitivities will be s0 to s(MLS_SENS-1). # Dominance will be in increasing numerical order diff --git a/policy/global_tunables b/policy/global_tunables index 2bfe1e7..31912d3 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -126,6 +126,13 @@ gen_tunable(allow_nfsd_anon_write,false) ## ##
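Review bot: Removing the `-D enable_polyinstantiation` define in the first Makefile hunk leaves no build-time symbol behind, so any module that still wraps rules in `ifdef(`enable_polyinstantiation',...)` silently loses them; su.if is converted to the new boolean in this same diff, but the rest of the tree should be checked for remaining users before the define goes away. The second Makefile hunk also stops writing `POLY` into the generated `build.conf`, so an out-of-tree build that still sets `POLY=y` gets no error, just no effect. A one-line pointer where the option used to live, e.g. `# POLY was replaced by the allow_polyinstantiation boolean`, would tell those users where the switch went.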

+## Enable polyinstantiated directory support. +##

+##
+gen_tunable(allow_polyinstantiation,false) + +## +##

## Allow rsync to modify public files ## used for public file transfer services. ##
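Review bot: `gen_tunable(allow_polyinstantiation,false)` is declared in global_tunables, but the only consumer visible in this diff is `su_per_role_template` in su.if; if su is its only user, the usual placement is a module-local `gen_tunable` in su.te, with global_tunables reserved for booleans shared by several modules. If pam or userdomain are expected to pick it up as well, that is the justification and is worth stating in the description, e.g. `## Enable polyinstantiated directory support for su and other login-style domains.`.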

diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index 7d2b80a..5846c7c 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te @@ -1,5 +1,5 @@ -policy_module(amanda,1.4.0) +policy_module(amanda,1.4.1) ####################################### # @@ -97,7 +97,7 @@ allow amanda_t amanda_gnutarlists_t:file manage_file_perms; allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms; allow amanda_t amanda_log_t:file create_file_perms; -allow amanda_t amanda_log_t:dir { rw_dir_perms setattr }; +allow amanda_t amanda_log_t:dir manage_dir_perms; logging_log_filetrans(amanda_t,amanda_log_t,{ file dir }) allow amanda_t amanda_tmp_t:dir create_dir_perms; @@ -123,6 +123,7 @@ corenet_tcp_sendrecv_all_ports(amanda_t) corenet_udp_sendrecv_all_ports(amanda_t) corenet_tcp_bind_all_nodes(amanda_t) corenet_udp_bind_all_nodes(amanda_t) +corenet_tcp_bind_all_rpc_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te index 3c17fa4..8e9b131 100644 --- a/policy/modules/admin/anaconda.te +++ b/policy/modules/admin/anaconda.te @@ -1,5 +1,5 @@ -policy_module(anaconda,1.1.0) +policy_module(anaconda,1.1.1) ######################################## # @@ -36,10 +36,6 @@ unconfined_domain(anaconda_t) userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file }) -ifdef(`distro_redhat',` - bootloader_create_runtime_file(anaconda_t) -') - optional_policy(` dmesg_domtrans(anaconda_t) ') diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index 31f64c2..107cc4a 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc 
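Review bot: `corenet_tcp_bind_all_rpc_ports(amanda_t)` in the last amanda hunk lets the backup domain bind any port in the RPC range, which is broader than the one port a client normally listens on; if the port amanda actually uses is fixed, a dedicated `network_port` entry with its per-port `corenet_tcp_bind_*_port` interface keeps that port from being claimable by every other RPC-privileged domain, and the rule should carry a comment naming the service that needs it. The change from `{ rw_dir_perms setattr }` to `manage_dir_perms` on `amanda_log_t:dir` additionally allows removing and renaming log directories; if amanda only needs to create them, `create_dir_perms` (already used for `amanda_tmp_t` below) is the narrower fit. The anaconda hunks on the same line only drop a rule that `unconfined_domain(anaconda_t)` already covers.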
@@ -7,8 +7,6 @@ /usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) -#/sbin/grub-.* -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0) -#/sbin/grubby -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0) /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index a5f3bbc..750901c 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -1,5 +1,5 @@ -policy_module(bootloader,1.3.0) +policy_module(bootloader,1.3.1) ######################################## # diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 03c99f6..c544322 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,5 +1,5 @@ -policy_module(netutils,1.2.0) +policy_module(netutils,1.2.1) ######################################## # @@ -87,6 +87,10 @@ optional_policy(` nis_use_ypbind(netutils_t) ') +optional_policy(` + xen_append_log(netutils_t) +') + ######################################## # # Ping local policy diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index e3bb3f3..c3e0cc6 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -1,5 +1,5 @@ -policy_module(prelink,1.2.0) +policy_module(prelink,1.2.1) ######################################## # @@ -24,7 +24,7 @@ logging_log_file(prelink_log_t) # allow prelink_t self:capability { chown dac_override fowner fsetid }; -allow prelink_t self:process { execheap execmem execstack }; +allow prelink_t self:process { execheap execmem execstack signal }; allow prelink_t self:fifo_file rw_file_perms; allow prelink_t prelink_cache_t:file manage_file_perms; 
@@ -76,6 +76,14 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) +ifdef(`targeted_policy',` + term_use_unallocated_ttys(prelink_t) + term_use_generic_ptys(prelink_t) + + # prelink executables in the user homedir + userdom_manage_generic_user_home_content_files(prelink_t) +') + optional_policy(` cron_system_entry(prelink_t, prelink_exec_t) ') diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if index 83e3bfe..c58a2bb 100644 --- a/policy/modules/admin/rpm.if +++ b/policy/modules/admin/rpm.if @@ -160,6 +160,27 @@ interface(`rpm_rw_pipes',` ######################################## ## +## Send and receive messages from +## rpm over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_dbus_chat',` + gen_require(` + type rpm_t; + class dbus send_msg; + ') + + allow $1 rpm_t:dbus send_msg; + allow rpm_t $1:dbus send_msg; +') + +######################################## +## ## Create, read, write, and delete the RPM log. ## ## diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index d94db01..311e466 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.4.0) +policy_module(rpm,1.4.1) ######################################## # diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 46300c4..a12e817 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -79,6 +79,7 @@ template(`su_restricted_domain_template', ` auth_domtrans_chk_passwd($1_su_t) auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) + auth_rw_faillog($1_su_t) domain_use_interactive_fds($1_su_t) @@ -266,11 +267,6 @@ template(`su_per_role_template',` ') ') - ifdef(`enable_polyinstantiation',` - fs_mount_xattr_fs($1_su_t) - fs_unmount_xattr_fs($1_su_t) - ') - ifdef(`targeted_policy',` # allow user to suspend terminal. # does not work in strict since the 
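Review bot: `userdom_manage_generic_user_home_content_files(prelink_t)` grants create, write and delete on every generic user home content file, while the comment above it says the intent is only to prelink executables in the home directory; prelink rewrites binaries in place so there is no "executables only" interface to substitute, but the actual scope should be stated, e.g. `# prelink rewrites binaries in place; this covers all generic user home files, not just executables`. It is also worth confirming that prelink is run against home directories at all in the targeted configuration, since otherwise this block is carried for every user with no benefit. The `term_use_unallocated_ttys`/`term_use_generic_ptys` lines next to it would benefit from the same one-line reason.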
@@ -284,6 +280,11 @@ template(`su_per_role_template',` userdom_manage_all_users_home_content_symlinks($1_su_t) ') + tunable_policy(`allow_polyinstantiation',` + fs_mount_xattr_fs($1_su_t) + fs_unmount_xattr_fs($1_su_t) + ') + tunable_policy(`use_nfs_home_dirs',` fs_search_nfs($1_su_t) ') diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te index d6f1a6f..86e256d 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -1,5 +1,5 @@ -policy_module(su,1.4.0) +policy_module(su,1.4.1) ######################################## # diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 1cbdc2c..433740a 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage,1.4.0) +policy_module(usermanage,1.4.1) ######################################## # @@ -379,6 +379,7 @@ allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms; allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms; files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir }) files_search_var(sysadm_passwd_t) +files_dontaudit_search_home(sysadm_passwd_t) kernel_read_kernel_sysctls(sysadm_passwd_t) # for /proc/meminfo @@ -444,6 +445,7 @@ optional_policy(` optional_policy(` nscd_domtrans(sysadm_passwd_t) + nscd_socket_use(sysadm_passwd_t) ') ######################################## 
@@ -466,6 +468,24 @@ allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +# for getting the number of groups +kernel_read_kernel_sysctls(useradd_t) + +corecmd_exec_shell(useradd_t) +# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. +corecmd_exec_bin(useradd_t) +corecmd_exec_sbin(useradd_t) + +domain_use_interactive_fds(useradd_t) + +files_manage_etc_files(useradd_t) +files_search_var_lib(useradd_t) +files_relabel_etc_files(useradd_t) +files_read_etc_runtime_files(useradd_t) + +fs_search_auto_mountpoints(useradd_t) +fs_getattr_xattr_fs(useradd_t) + # Allow access to context for shadow file selinux_get_fs_mount(useradd_t) selinux_validate_context(useradd_t) @@ -473,11 +493,6 @@ selinux_compute_access_vector(useradd_t) selinux_compute_create_context(useradd_t) selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) -# for getting the number of groups -kernel_read_kernel_sysctls(useradd_t) - -fs_search_auto_mountpoints(useradd_t) -fs_getattr_xattr_fs(useradd_t) term_use_all_user_ttys(useradd_t) term_use_all_user_ptys(useradd_t) @@ -489,18 +504,6 @@ auth_rw_lastlog(useradd_t) auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) -corecmd_exec_shell(useradd_t) -# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. -corecmd_exec_bin(useradd_t) -corecmd_exec_sbin(useradd_t) - -domain_use_interactive_fds(useradd_t) - -files_manage_etc_files(useradd_t) -files_search_var_lib(useradd_t) -files_relabel_etc_files(useradd_t) -files_read_etc_runtime_files(useradd_t) - init_use_fds(useradd_t) init_rw_utmp(useradd_t) @@ -513,6 +516,7 @@ miscfiles_read_localization(useradd_t) seutil_read_config(useradd_t) seutil_read_file_contexts(useradd_t) +seutil_read_default_contexts(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # for when /root is the cwd 
@@ -521,6 +525,7 @@ userdom_dontaudit_search_sysadm_home_dirs(useradd_t) userdom_home_filetrans_generic_user_home_dir(useradd_t) userdom_manage_generic_user_home_content_dirs(useradd_t) userdom_manage_generic_user_home_content_files(useradd_t) +userdom_manage_generic_user_home_dirs(useradd_t) userdom_manage_staff_home_dirs(useradd_t) userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set) diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc index b1e6a5a..3937ebd 100644 --- a/policy/modules/apps/java.fc +++ b/policy/modules/apps/java.fc @@ -2,6 +2,7 @@ # /opt # /opt/(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) # # /usr diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te index 0849214..89d9625 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te @@ -1,5 +1,5 @@ -policy_module(java,1.2.0) +policy_module(java,1.2.1) ######################################## # @@ -16,7 +16,8 @@ init_system_domain(java_t,java_exec_t) # ifdef(`targeted_policy',` - allow java_t self:process { execstack execmem }; + # execheap is needed for itanium/BEA jrocket + allow java_t self:process { execstack execmem execheap }; unconfined_domain_noaudit(java_t) role system_r types java_t; ') diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te index cb4b9f0..0869e1d 100644 --- a/policy/modules/apps/mono.te +++ b/policy/modules/apps/mono.te @@ -1,5 +1,5 @@ -policy_module(mono,1.2.0) +policy_module(mono,1.2.1) ######################################## # @@ -42,6 +42,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + rpm_dbus_chat(mono_t) + ') + + optional_policy(` unconfined_dbus_connect(mono_t) ') ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index f7ea49e..20a08e5 100644 
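Review bot: The new java.fc entry `/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)?` is pinned to one vendor build and one architecture, so the next IBM JRE release or the 32-bit package gets no label; a pattern such as `/opt/ibm/java[^/]*/jre/(bin|javaws)(/.*)?` would cover those without matching anything outside `/opt/ibm`. It also labels every regular file under those directories `java_exec_t`, not only the `java*` launchers that the existing `/opt/(.*/)?bin/java([^/]*)?` line targets, which is worth a comment if intended. The `execheap` addition in java.te is already explained by its comment and sits inside `targeted_policy` where `java_t` is unconfined anyway.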
--- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -63,6 +63,7 @@ ifdef(`distro_redhat',` /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0) /etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index f86b65e..2651e3e 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.4.1) +policy_module(corecommands,1.4.2) ######################################## # diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index e6e5235..2dd29c9 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.2.0) +policy_module(corenetwork,1.2.1) ######################################## # @@ -92,6 +92,7 @@ network_port(innd, tcp,119,s0) network_port(ipp, tcp,631,s0, udp,631,s0) network_port(ircd, tcp,6667,s0) network_port(isakmp, udp,500,s0) +network_port(iscsi, tcp,3260,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) @@ -205,4 +206,4 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind; -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind; +allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 9967dc0..eb21d4b 100644 
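Review bot: `network_port(iscsi, tcp,3260,s0)` only declares the port type; the iscsi module that the Changelog hunk at the top of this diff lists as added does not appear between hal.te and lpd.fc, where path ordering would put `policy/modules/services/iscsi.*`, so either the module lives in a directory not shown or it is missing from this commit together with its `modules.conf` entry. Until something binds or connects to `iscsi_port_t` the definition is dead, which is harmless but worth a line in the commit message. The `rawip_socket` addition to the `node_bind` rule in the second corenetwork hunk only widens an attribute that is already unconfined for tcp and udp.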
--- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -98,6 +98,7 @@ ifdef(`distro_suse', ` /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) ifdef(`distro_debian',` diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 71814a1..693ae0e 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.2.0) +policy_module(devices,1.2.1) ######################################## # diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index 3fd01d9..d5aca09 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -123,6 +123,7 @@ HOME_ROOT/lost\+found/.* <> /media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0) /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /media/[^/]*/.* <> +/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) # # /misc diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 2d61900..9f114e8 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.3.0) +policy_module(files,1.3.1) ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index ae9c9f6..ae8939f 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if 
@@ -404,6 +404,26 @@ interface(`fs_dontaudit_list_auto_mountpoints',` ######################################## ## +## Create, read, write, and delete symbolic links +## on an autofs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_autofs_symlinks',` + gen_require(` + type autofs_t; + ') + + allow $1 autofs_t:dir rw_dir_perms; + allow $1 autofs_t:lnk_file create_lnk_perms; +') + +######################################## +## ## Get the attributes of directories on ## binfmt_misc filesystems. ## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 2cd56aa..eac86c5 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.4.0) +policy_module(filesystem,1.4.1) ######################################## # diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index ef219a5..5f1d353 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc @@ -50,9 +50,10 @@ ifdef(`distro_redhat', ` /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/fuse -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 2fac4d0..4ee5f72 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if 
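Review bot: Labeling `/dev/fuse` as `fixed_disk_device_t` in the storage.fc hunk merges two unrelated privileges: every domain that already holds raw disk access through `storage_raw_read_fixed_disk`/`storage_raw_write_fixed_disk` (fsadm, mount, installers) can now open the FUSE control device and serve a userspace filesystem, and any domain that legitimately needs `/dev/fuse` has to be granted raw access to real block devices to get it. A dedicated type with its own rw interface (a constructed name like `fuse_device_t` in devices.te) keeps the two apart and lets the FUSE users be enumerated in policy. The `mls_systemhigh` range copied from the neighbouring disk entries should be reconsidered for that separate type. The `/dev/i2o/hd` line in the same hunk is a whitespace-only change.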
@@ -37,6 +37,7 @@ interface(`storage_dontaudit_getattr_fixed_disk_dev',` ') dontaudit $1 fixed_disk_device_t:blk_file getattr; + dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl ') ######################################## diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te index c6f25f6..604d244 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -1,5 +1,5 @@ -policy_module(storage,1.1.0) +policy_module(storage,1.1.1) ######################################## # diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index d67884a..991d70d 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -460,6 +460,26 @@ interface(`term_ioctl_generic_ptys',` ######################################## ## +## Allow setting the attributes of +## generic pty devices. +## +## +## +## Domain allowed access. +## +## +# +# dwalsh: added for rhgb +interface(`term_setattr_generic_ptys',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:chr_file setattr; +') + +######################################## +## ## Dontaudit setting the attributes of ## generic pty devices. ## diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index 7f8ad5f..b4dbc4a 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -1,5 +1,5 @@ -policy_module(terminal,1.2.0) +policy_module(terminal,1.2.1) ######################################## # diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if index 89bd811..30bcb42 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if 
@@ -168,7 +168,7 @@ template(`apache_content_template',` allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms; allow httpd_t httpd_$1_script_exec_t:file r_file_perms; - allow httpd_$1_script_t self:process signal_perms; + allow httpd_$1_script_t self:process { setsched signal_perms }; allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; allow httpd_$1_script_t httpd_t:fd use; diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 0e8dba9..a80fd13 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.4.0) +policy_module(apache,1.4.1) # # NOTES: @@ -235,6 +235,7 @@ auth_use_nsswitch(httpd_t) # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_sbin(httpd_t) +corecmd_check_exec_shell(httpd_t) domain_use_interactive_fds(httpd_t) diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index 914d5ae..39a1156 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.3.0) +policy_module(automount,1.3.1) ######################################## # @@ -36,6 +36,8 @@ allow automount_t self:unix_stream_socket create_socket_perms; allow automount_t self:unix_dgram_socket create_socket_perms; allow automount_t self:tcp_socket create_stream_socket_perms; allow automount_t self:udp_socket create_socket_perms; +allow automount_t self:rawip_socket create_socket_perms; + allow automount_t self:netlink_route_socket r_netlink_socket_perms; allow automount_t automount_etc_t:file { getattr read }; @@ -128,6 +130,7 @@ fs_search_auto_mountpoints(automount_t) fs_manage_auto_mountpoints(automount_t) fs_unmount_autofs(automount_t) fs_mount_autofs(automount_t) +fs_manage_autofs_symlinks(automount_t) term_dontaudit_use_console(automount_t) term_dontaudit_getattr_pty_dirs(automount_t) 
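Review bot: `allow automount_t self:rawip_socket create_socket_perms;` in the first automount hunk creates the socket but the hunk shows no matching `corenet_raw_*` send/receive or bind rules for `automount_t`, so unless they already exist elsewhere in the file the raw socket will be created and every packet on it denied; following the tcp/udp rules automount already has, `corenet_raw_sendrecv_all_if(automount_t)` and `corenet_raw_sendrecv_all_nodes(automount_t)` would be the matching grants. A comment stating why a raw socket is needed at all (presumably server-reachability probing, but that is an inference) would keep the next reviewer from reading it as a leftover. `fs_manage_autofs_symlinks(automount_t)` in the second hunk pairs correctly with the new interface in filesystem.if.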
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index f8ea26f..74dde42 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -1,5 +1,5 @@ -policy_module(bluetooth,1.3.0) +policy_module(bluetooth,1.3.1) ######################################## # @@ -55,11 +55,11 @@ allow bluetooth_t self:udp_socket create_socket_perms; allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms; allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl }; -allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms; -allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms; +allow bluetooth_t bluetooth_conf_rw_t:dir manage_dir_perms; +allow bluetooth_t bluetooth_conf_rw_t:file manage_file_perms; allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms; -allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms; -allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms; +allow bluetooth_t bluetooth_conf_rw_t:sock_file manage_file_perms; +allow bluetooth_t bluetooth_conf_rw_t:fifo_file manage_file_perms; type_transition bluetooth_t bluetooth_conf_t:{ dir file lnk_file sock_file fifo_file } bluetooth_conf_rw_t; domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t) 
@@ -68,16 +68,16 @@ allow bluetooth_helper_t bluetooth_t:fd use; allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms; allow bluetooth_helper_t bluetooth_t:process sigchld; -allow bluetooth_t bluetooth_lock_t:file create_file_perms; +allow bluetooth_t bluetooth_lock_t:file manage_file_perms; files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file) -allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms; -allow bluetooth_t bluetooth_tmp_t:file create_file_perms; +allow bluetooth_t bluetooth_tmp_t:dir manage_dir_perms; +allow bluetooth_t bluetooth_tmp_t:file manage_file_perms; files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir }) -allow bluetooth_t bluetooth_var_lib_t:file create_file_perms; -allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms; -files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,file) +allow bluetooth_t bluetooth_var_lib_t:file manage_file_perms; +allow bluetooth_t bluetooth_var_lib_t:dir manage_dir_perms; +files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,{ dir file } ) allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms; allow bluetooth_t bluetooth_var_run_t:file create_file_perms; diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index ec2390a..5c72c93 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.4.0) +policy_module(cron,1.4.1) gen_require(` class passwd rootok; @@ -86,6 +86,7 @@ allow crond_t self:shm create_shm_perms; allow crond_t self:sem create_sem_perms; allow crond_t self:msgq create_msgq_perms; allow crond_t self:msg { send receive }; +allow crond_t self:key { search write }; allow crond_t crond_var_run_t:file create_file_perms; files_pid_filetrans(crond_t,crond_var_run_t,file) 
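Review bot: `files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,{ dir file } )` carries a stray space before the closing parenthesis; the rest of the file writes these calls as `{ dir file })`, for example `files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })` two lines above. Changing it to `files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,{ dir file })` keeps the style uniform. The widening from `create_*_perms` to `manage_*_perms` on the lock, tmp and var_lib types is consistent with the first bluetooth hunk.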
@@ -96,6 +97,8 @@ allow crond_t system_cron_spool_t:dir r_dir_perms; allow crond_t system_cron_spool_t:file r_file_perms; kernel_read_kernel_sysctls(crond_t) +kernel_search_key(crond_t) + dev_read_sysfs(crond_t) selinux_get_fs_mount(crond_t) selinux_validate_context(crond_t) diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc index 2f030f0..c673759 100644 --- a/policy/modules/services/cups.fc +++ b/policy/modules/services/cups.fc @@ -37,7 +37,7 @@ /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -51,4 +51,4 @@ /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,s0) +/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if index bd14c17..e639ffa 100644 --- a/policy/modules/services/cups.if +++ b/policy/modules/services/cups.if @@ -81,6 +81,25 @@ interface(`cups_dbus_chat',` ######################################## ## +## Read cups PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_read_pid_files',` + gen_require(` + type cupsd_var_run_t; + ') + + files_search_pids($1) + allow $1 cupsd_var_run_t:file r_file_perms; +') + +######################################## +## ## Execute cups_config in the cups_config domain. ## ## diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 92e0cf8..e73b2d9 100644 
--- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.4.0) +policy_module(cups,1.4.1) ######################################## # @@ -68,6 +68,12 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) ') +ifdef(`enable_mls',` + init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh) + + mls_trusted_object(cupsd_var_run_t) +') + ######################################## # # Cups local policy @@ -118,6 +124,9 @@ allow cupsd_t cupsd_var_run_t:dir { setattr rw_dir_perms }; allow cupsd_t cupsd_var_run_t:sock_file create_file_perms; files_pid_filetrans(cupsd_t,cupsd_var_run_t,file) +allow cupsd_t hplip_etc_t:file r_file_perms; +allow cupsd_t hplip_etc_t:dir r_dir_perms; + allow cupsd_t hplip_var_run_t:file { read getattr }; allow cupsd_t ptal_var_run_t:dir search; @@ -158,6 +167,13 @@ domain_read_all_domains_state(cupsd_t) fs_getattr_all_fs(cupsd_t) fs_search_auto_mountpoints(cupsd_t) +mls_fd_use_all_levels(cupsd_t) +mls_file_downgrade(cupsd_t) +mls_file_write_down(cupsd_t) +mls_file_read_up(cupsd_t) +mls_rangetrans_target(cupsd_t) +mls_socket_write_all_levels(cupsd_t) + term_dontaudit_use_console(cupsd_t) term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) @@ -214,6 +230,10 @@ userdom_dontaudit_search_all_users_home_content(cupsd_t) # Write to /var/spool/cups. lpd_manage_spool(cupsd_t) +ifdef(`enable_mls',` + lpd_relabel_spool(cupsd_t) +') + ifdef(`targeted_policy',` files_dontaudit_read_root_files(cupsd_t) @@ -269,6 +289,7 @@ optional_policy(` ') optional_policy(` + # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) ') diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 3d4870c..e546326 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te 
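Review bot: The `mls_file_downgrade`, `mls_file_write_down`, `mls_file_read_up`, `mls_rangetrans_target` and `mls_socket_write_all_levels` grants in the `@@ -158` hunk sit outside any `ifdef(`enable_mls')`, while the range transition, `mls_trusted_object(cupsd_var_run_t)` and `lpd_relabel_spool` that go with them are gated on it; they are no-ops in a non-MLS build, but grouping them into the same `ifdef(`enable_mls',...)` block makes cupsd's MLS trust surface visible in one place. That surface is large: downgrade plus write-down makes cupsd a trusted declassifier for anything it can read, so each of those lines deserves a one-line reason (which spool or socket operation fails without it) rather than a bare list. The direct `hplip_etc_t` rules are consistent with the existing `hplip_var_run_t` line, since both types are declared in this module.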
@@ -1,5 +1,5 @@ -policy_module(dovecot,1.3.0) +policy_module(dovecot,1.3.1) ######################################## # @@ -186,6 +186,8 @@ files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) +init_rw_utmp(dovecot_auth_t) + libs_use_ld_so(dovecot_auth_t) libs_use_shared_libs(dovecot_auth_t) diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index 3a03ee7..5d3f09b 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.4.0) +policy_module(hal,1.4.1) ######################################## # @@ -74,6 +74,7 @@ dev_manage_generic_chr_files(hald_t) dev_rw_generic_usb_dev(hald_t) dev_setattr_generic_usb_dev(hald_t) dev_setattr_usbfs_files(hald_t) +dev_rw_power_management(hald_t) # hal is now execing pm-suspend dev_rw_sysfs(hald_t) @@ -85,6 +86,7 @@ files_read_etc_files(hald_t) files_rw_etc_runtime_files(hald_t) files_manage_mnt_dirs(hald_t) files_manage_mnt_files(hald_t) +files_manage_mnt_symlinks(hald_t) files_search_var_lib(hald_t) files_read_usr_files(hald_t) # hal is now execing pm-suspend diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc index 27b5e8f..59e51aa 100644 --- a/policy/modules/services/lpd.fc +++ b/policy/modules/services/lpd.fc 
@@ -6,16 +6,21 @@ # # /usr # +/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0) /usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0) /usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if index ad18018..b59cd71 100644 --- a/policy/modules/services/lpd.if +++ b/policy/modules/services/lpd.if @@ -184,6 +184,7 @@ template(`lpd_per_role_template',` cups_read_config($1_lpr_t) cups_read_config($2) cups_stream_connect($1_lpr_t) + cups_read_pid_files($1_lpr_t) ') optional_policy(` @@ -329,6 +330,25 @@ interface(`lpd_manage_spool',` ######################################## ## +## Relabel from and to the spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`lpd_relabel_spool',` + gen_require(` + type print_spool_t; + ') + + files_search_spool($1) + allow $1 print_spool_t:file { relabelto relabelfrom }; +') + +######################################## +## ## List the contents of the printer spool directories. ## ## 
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 3c8b997..4d098e2 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd,1.3.0) +policy_module(lpd,1.3.1) ######################################## # diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index e91707e..be2f7a1 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -1,5 +1,5 @@ -policy_module(networkmanager,1.4.0) +policy_module(networkmanager,1.4.1) ######################################## # @@ -119,6 +119,10 @@ ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_ttys(NetworkManager_t) term_dontaudit_use_generic_ptys(NetworkManager_t) files_dontaudit_read_root_files(NetworkManager_t) + + optional_policy(` + unconfined_rw_pipes(NetworkManager_t) + ') ') optional_policy(` diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te index b31120f..6346017 100644 --- a/policy/modules/services/oddjob.te +++ b/policy/modules/services/oddjob.te @@ -1,5 +1,5 @@ -policy_module(oddjob,1.0.0) +policy_module(oddjob,1.0.1) ######################################## # @@ -38,9 +38,12 @@ files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file }) kernel_read_system_state(oddjob_t) -corecmd_search_sbin(oddjob_t) +corecmd_exec_sbin(oddjob_t) +corecmd_exec_bin(oddjob_t) corecmd_exec_shell(oddjob_t) +mcs_process_set_categories(oddjob_t) + selinux_compute_create_context(oddjob_t) files_read_etc_files(oddjob_t) @@ -55,6 +58,7 @@ init_dontaudit_use_fds(oddjob_t) locallogin_dontaudit_use_fds(oddjob_t) ifdef(`targeted_policy',` + term_dontaudit_use_console(oddjob_t) term_dontaudit_use_generic_ptys(oddjob_t) term_dontaudit_use_unallocated_ttys(oddjob_t) ') 
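Review bot: In the oddjob.te hunk, mcs_process_set_categories(oddjob_t) and the change from corecmd_search_sbin to corecmd_exec_sbin plus corecmd_exec_bin are added without a comment saying which oddjob helper needs them; executing arbitrary bin/sbin programs inside oddjob_t and setting the MCS category set of its children is a noticeable widening of the domain. Suggest a line such as `# oddjob runs its configured helpers from bin/sbin and sets the category set of the helper it spawns` (adjusted to the actual helper) above the corecmd_exec_* lines, so the grant can be re-checked when helpers change. If one specific helper is meant, a domain transition interface for it would be the narrower choice.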
@@ -83,3 +87,12 @@ libs_use_ld_so(oddjob_mkhomedir_t) libs_use_shared_libs(oddjob_mkhomedir_t) miscfiles_read_localization(oddjob_mkhomedir_t) + +# Add/remove user home directories +userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t) +userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t) +userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t) +userdom_manage_staff_home_dirs(oddjob_mkhomedir_t) +userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set) + diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te index e3c9daf..086e8a8 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -1,5 +1,5 @@ -policy_module(procmail,1.3.0) +policy_module(procmail,1.3.1) ######################################## # @@ -43,6 +43,7 @@ corenet_sendrecv_comsat_client_packets(procmail_t) dev_read_urand(procmail_t) fs_getattr_xattr_fs(procmail_t) +fs_search_auto_mountpoints(procmail_t) auth_use_nsswitch(procmail_t) @@ -73,11 +74,6 @@ ifdef(`hide_broken_symptoms',` mta_dontaudit_rw_queue(procmail_t) ') -ifdef(`targeted_policy', ` - corenet_udp_bind_generic_port(procmail_t) - files_getattr_tmp_dirs(procmail_t) -') - optional_policy(` clamav_domtrans_clamscan(procmail_t) clamav_search_lib(procmail_t) diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te index 970dc2d..bd8681d 100644 --- a/policy/modules/services/rhgb.te +++ b/policy/modules/services/rhgb.te @@ -1,5 +1,5 @@ -policy_module(rhgb,1.1.0) +policy_module(rhgb,1.1.1) ######################################## # @@ -13,10 +13,8 @@ init_daemon_domain(rhgb_t,rhgb_exec_t) type rhgb_tmpfs_t; files_tmpfs_file(rhgb_tmpfs_t) -ifdef(`strict_policy',` - type rhgb_devpts_t; - term_pty(rhgb_devpts_t) -') +type rhgb_devpts_t; +term_pty(rhgb_devpts_t) ######################################## # 
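Review bot: The filetrans added last in the oddjob_mkhomedir_t block covers notdevfile_class_set, but the manage interfaces added alongside it cover only user home directories and files, so a symlink, fifo or socket created in a new home directory (for instance copied from a skeleton) would match the transition rule and then be denied on create. Either narrow the transition to what is actually granted, `userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,{ dir file })`, or add the matching lnk_file manage interface if symlinks are expected. The hunk also adds a trailing empty `+` line at end of file, which no other module on this page carries.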
@@ -25,7 +23,7 @@ ifdef(`strict_policy',` allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config }; dontaudit rhgb_t self:capability sys_tty_config; -allow rhgb_t self:process signal_perms; +allow rhgb_t self:process { setpgid signal_perms }; allow rhgb_t self:shm create_shm_perms; allow rhgb_t self:unix_stream_socket create_stream_socket_perms; allow rhgb_t self:fifo_file rw_file_perms; @@ -82,6 +80,8 @@ fs_manage_ramfs_files(rhgb_t) fs_manage_ramfs_pipes(rhgb_t) fs_manage_ramfs_sockets(rhgb_t) +selinux_dontaudit_read_fs(rhgb_t) + term_dontaudit_use_console(rhgb_t) term_use_unallocated_ttys(rhgb_t) term_use_ptmx(rhgb_t) @@ -101,6 +101,9 @@ logging_send_syslog_msg(rhgb_t) miscfiles_read_localization(rhgb_t) miscfiles_read_fonts(rhgb_t) +seutil_search_default_contexts(rhgb_t) +seutil_read_config(rhgb_t) + sysnet_read_config(rhgb_t) sysnet_domtrans_ifconfig(rhgb_t) @@ -118,10 +121,9 @@ ifdef(`strict_policy',` ', ` files_dontaudit_read_root_files(rhgb_t) - term_dontaudit_use_generic_ptys(rhgb_t) - term_dontaudit_setattr_generic_ptys(rhgb_t) + term_use_generic_ptys(rhgb_t) + term_setattr_generic_ptys(rhgb_t) term_dontaudit_use_unallocated_ttys(rhgb_t) - term_dontaudit_use_generic_ptys(rhgb_t) xserver_domtrans_xdm_xserver(rhgb_t) xserver_signal_xdm_xserver(rhgb_t) @@ -129,6 +131,10 @@ ifdef(`strict_policy',` ') optional_policy(` + consoletype_exec(rhgb_t) +') + +optional_policy(` nis_use_ypbind(rhgb_t) ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index a03b4e3..a7ec9dd 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -1,5 +1,5 @@ -policy_module(rpc,1.3.0) +policy_module(rpc,1.3.1) ######################################## # 
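Review bot: In the targeted branch of rhgb.te, term_dontaudit_use_generic_ptys(rhgb_t) and term_dontaudit_setattr_generic_ptys(rhgb_t) become term_use_generic_ptys and term_setattr_generic_ptys, turning a silenced denial into a grant of read/write and setattr on every generic pty, with no comment on why rhgb needs that access. Add a one-line reason above the two calls, e.g. `# rhgb uses the pty it is started on under targeted`, or keep the dontaudit if the access was only noise. The ifdef(`strict_policy' block enclosing these lines starts outside the hunk.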
@@ -80,6 +80,9 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms; kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) +corenet_tcp_bind_all_rpc_ports(nfsd_t) +corenet_udp_bind_all_rpc_ports(nfsd_t) + fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) @@ -135,6 +138,8 @@ files_list_tmp(gssd_t) files_read_generic_tmp_files(gssd_t) files_read_generic_tmp_symlinks(gssd_t) +miscfiles_read_certs(gssd_t) + tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 0b8656f..120462b 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -1,5 +1,5 @@ -policy_module(samba,1.3.0) +policy_module(samba,1.3.1) ################################# # @@ -502,6 +502,10 @@ userdom_use_all_users_fds(smbmount_t) userdom_use_sysadm_ttys(smbmount_t) optional_policy(` + cups_read_rw_config(smbd_t) +') + +optional_policy(` nis_use_ypbind(smbmount_t) ') diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te index 4be2722..a67b52c 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -1,5 +1,5 @@ -policy_module(setroubleshoot,1.1.0) +policy_module(setroubleshoot,1.1.1) ######################################## # @@ -28,7 +28,7 @@ files_pid_file(setroubleshoot_var_run_t) # allow setroubleshootd_t self:capability { dac_override sys_tty_config }; -allow setroubleshootd_t self:process { signal getattr }; +allow setroubleshootd_t self:process { signal getattr getsched }; allow setroubleshootd_t self:fifo_file rw_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; 
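Review bot: In the samba.te hunk, the new optional_policy block for cups_read_rw_config(smbd_t) is inserted into the smbmount_t section (the surrounding lines are userdom_use_sysadm_ttys(smbmount_t) and nis_use_ypbind(smbmount_t)), so anyone reviewing smbd_t's rules will not find it with the other smbd_t grants. Move the block to the smbd local policy section next to smbd_t's other optional_policy entries; the rule itself is unchanged. Both sections start and end outside the hunk.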
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index 45ccac3..08f3a9d 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -1,5 +1,5 @@ -policy_module(snmp,1.2.0) +policy_module(snmp,1.2.1) ######################################## # @@ -86,6 +86,7 @@ files_read_etc_files(snmpd_t) files_read_usr_files(snmpd_t) files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) +files_getattr_boot_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) fs_getattr_rpc_dirs(snmpd_t) diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 6f751b1..805c183 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin,1.4.0) +policy_module(spamassassin,1.4.1) ######################################## # @@ -51,6 +51,7 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; +allow spamd_t self:netlink_route_socket r_netlink_socket_perms; allow spamd_t spamd_spool_t:file create_file_perms; allow spamd_t spamd_spool_t:dir create_dir_perms; diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index a91983a..d9e71ca 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -505,6 +505,7 @@ template(`ssh_server_template', ` fs_dontaudit_getattr_all_fs($1_t) auth_rw_login_records($1_t) + auth_rw_faillog($1_t) corecmd_read_bin_symlinks($1_t) corecmd_getattr_bin_files($1_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index c9ddda6..31ac75f 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh,1.4.0) +policy_module(ssh,1.4.1) ######################################## # 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 9b96dcc..9ee1d28 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,5 +1,5 @@ -policy_module(xserver,1.2.0) +policy_module(xserver,1.2.1) ######################################## # @@ -463,7 +463,7 @@ allow xdm_xserver_t ramfs_t:file create_file_perms; allow rhgb_t xdm_xserver_t:process signal; ') -ifdef(`enable_polyinstantiation',` +tunable_policy(`allow_polyinstantiation',` # xdm needs access for linking .X11-unix to poly /tmp allow xdm_t polymember:dir { add_name remove_name write }; allow xdm_t polymember:lnk_file { create unlink }; diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index 370f411..a882151 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -34,6 +34,7 @@ ifdef(`distro_gentoo', ` /var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0) /var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0) /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) +/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0) /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index d57861b..2738cc4 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -230,7 +230,7 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) - ifdef(`enable_polyinstantiation',` + tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index a89617d..e1d0e1e 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te 
@@ -1,5 +1,5 @@ -policy_module(authlogin,1.4.0) +policy_module(authlogin,1.4.1) ######################################## # diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te index 726297b..fc6b5a9 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te @@ -1,5 +1,5 @@ -policy_module(clock,1.1.0) +policy_module(clock,1.1.1) ######################################## # @@ -25,6 +25,7 @@ allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config dontaudit hwclock_t self:capability sys_tty_config; allow hwclock_t self:process signal_perms; allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow hwclock_t self:fifo_file { getattr read }; # Allow hwclock to store & retrieve correction factors. allow hwclock_t adjtime_t:file { rw_file_perms setattr }; @@ -33,6 +34,8 @@ kernel_read_kernel_sysctls(hwclock_t) kernel_list_proc(hwclock_t) kernel_read_proc_symlinks(hwclock_t) +corecmd_search_bin(hwclock_t) + dev_read_sysfs(hwclock_t) dev_rw_realtime_clock(hwclock_t) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 9d69555..b637c6a 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -1,5 +1,5 @@ -policy_module(fstools,1.4.0) +policy_module(fstools,1.4.1) ######################################## # @@ -97,6 +97,7 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) +mls_file_read_up(fsadm_t) mls_file_write_down(fsadm_t) storage_raw_read_fixed_disk(fsadm_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 7abbbdc..d07f35a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.4.0) +policy_module(init,1.4.1) gen_require(` class passwd rootok; 
@@ -132,6 +132,7 @@ fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) mls_process_write_down(init_t) +mls_fd_use_all_levels(init_t) selinux_set_boolean(init_t) @@ -444,6 +445,7 @@ ifdef(`distro_redhat',` storage_raw_write_fixed_disk(initrc_t) files_create_boot_flag(initrc_t) + files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc new file mode 100644 index 0000000..bc08e13 --- /dev/null +++ b/policy/modules/system/iscsi.fc @@ -0,0 +1,5 @@ +/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) + +/var/lib/iscsi(/.*)? -- gen_context(system_u:object_r:iscsi_var_lib_t,s0) +/var/lock/iscsi(/.*)? -- gen_context(system_u:object_r:iscsi_lock_t,s0) +/var/run/iscsid.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if new file mode 100644 index 0000000..12e8cfb --- /dev/null +++ b/policy/modules/system/iscsi.if @@ -0,0 +1,22 @@ +## Establish connections to iSCSI devices + +######################################## +## +## Execute a domain transition to run iscsid. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`iscsid_domtrans',` + gen_require(` + type iscsid_t, iscsid_exec_t; + ') + + domain_auto_trans($1,iscsid_exec_t,iscsid_t) + allow iscsid_t $1:fd use; + allow iscsid_t $1:fifo_file rw_file_perms; + allow iscsid_t $1:process sigchld; +') diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te new file mode 100644 index 0000000..a18cbab --- /dev/null +++ b/policy/modules/system/iscsi.te 
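Review bot: In iscsi.fc, `/var/lib/iscsi(/.*)? -- gen_context(...)` and `/var/lock/iscsi(/.*)? -- gen_context(...)` combine the `--` regular-file specifier with a `(/.*)?` directory-tree pattern, so the /var/lib/iscsi and /var/lock/iscsi directories themselves (and any subdirectories) keep the parent type and only regular files get iscsi_var_lib_t or iscsi_lock_t. The `allow iscsid_t iscsi_var_lib_t:dir list_dir_perms` rule in iscsi.te then never applies to the real directory. Drop the `--` on both lines, as the other directory-tree entries on this page do (`/var/run/console(/.*)? gen_context(...)` in authlogin.fc): `/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)` and `/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)`.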
@@ -0,0 +1,85 @@
+
+policy_module(iscsid,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type iscsid_t;
+type iscsid_exec_t;
+domain_type(iscsid_t)
+init_daemon_domain(iscsid_t, iscsid_exec_t)
+
+type iscsi_lock_t;
+files_lock_file(iscsi_lock_t)
+
+type iscsi_tmp_t;
+files_tmp_file(iscsi_tmp_t)
+
+type iscsi_var_lib_t;
+files_type(iscsi_var_lib_t)
+
+type iscsi_var_run_t;
+files_pid_file(iscsi_var_run_t)
+
+########################################
+#
+# iscsid local policy
+#
+
+allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
+allow iscsid_t self:process setsched;
+allow iscsid_t self:fifo_file { read write };
+allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow iscsid_t self:unix_dgram_socket create_socket_perms;
+allow iscsid_t self:sem create_sem_perms;
+allow iscsid_t self:shm create_shm_perms;
+allow iscsid_t self:netlink_socket create_socket_perms;
+allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
+allow iscsid_t self:tcp_socket create_stream_socket_perms;
+
+allow iscsid_t iscsi_lock_t:file manage_file_perms;
+files_lock_filetrans(iscsid_t,iscsi_lock_t,file)
+
+allow iscsid_t iscsi_tmp_t:dir create_dir_perms;
+allow iscsid_t iscsi_tmp_t:file create_file_perms;
+fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
+
+allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
+allow iscsid_t iscsi_var_lib_t:file read_file_perms;
+allow iscsid_t iscsi_var_lib_t:lnk_file { getattr read };
+files_search_var_lib(iscsid_t)
+
+allow iscsid_t iscsi_var_run_t:dir rw_dir_perms;
+allow iscsid_t iscsi_var_run_t:file manage_file_perms;
+files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
+
+corenet_non_ipsec_sendrecv(iscsid_t)
+corenet_tcp_sendrecv_all_if(iscsid_t)
+corenet_tcp_sendrecv_all_nodes(iscsid_t)
+corenet_tcp_sendrecv_all_ports(iscsid_t)
+corenet_tcp_connect_http_port(iscsid_t)
+corenet_tcp_connect_iscsi_port(iscsid_t)
+
+dev_rw_sysfs(iscsid_t)
+
+domain_use_interactive_fds(iscsid_t) + +files_read_etc_files(iscsid_t) + +init_use_fds(iscsid_t) +init_use_script_ptys(iscsid_t) + +libs_use_ld_so(iscsid_t) +libs_use_shared_libs(iscsid_t) + +logging_send_syslog_msg(iscsid_t) + +miscfiles_read_localization(iscsid_t) + +sysnet_dns_name_resolve(iscsid_t) + +ifdef(`targeted_policy',` + term_use_generic_ptys(iscsid_t) +') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index 6dd06e2..a43cf9e 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -74,11 +74,11 @@ ifdef(`distro_gentoo',` /opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?lib64/.+\.so -- gen_context(system_u:object_r:shlib_t,s0) /opt/(.*/)?lib64/.+\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0) -/opt/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0) +/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0) ifdef(`distro_gentoo',` # despite the extensions, they are actually libs 
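Review bot: `policy_module(iscsid,1.0.0)` on the second added line of iscsi.te names the module iscsid, while the files are iscsi.te/.if/.fc and the Changelog entry in this commit lists the module as iscsi; every other module on this page uses its file basename (policy_module(cups,…), policy_module(xen,…)). The name inside the module is what gets recorded when it is loaded, so a mismatch with the file name is likely to confuse listing, upgrading or removing it; change it to `policy_module(iscsi,1.0.0)`. The file also opens with an empty added line before policy_module, and `fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )` targets a type declared with files_tmp_file, so a comment saying whether /tmp or tmpfs content is intended would help.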
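Review bot: In libraries.fc, the replacement line `/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` labels every shared object under any jre directory in /opt as textrel_shlib_t, where the three removed lines named only libdeploy, libjvm and libawt. textrel_shlib_t is the type that permits text relocations on a library, so this widens the set of libraries allowed to carry modified executable text to whatever a vendor JRE ships, and it is now inconsistent with the /usr entries in the next hunk, which still list the three libraries individually. If the broad match is intentional because JRE layouts vary, a comment above the line saying so would stop a later reviewer from re-narrowing it; otherwise keep the three entries and add new libraries by name, as the /usr hunk does for libjavaplugin_ojigcc3.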
@@ -261,6 +261,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre /usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?(.*/)?jre.*/libjavaplugin_ojigcc3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 143981c..82970fa 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.4.0) +policy_module(libraries,1.4.1) ######################################## # diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 350efeb..c15a74c 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -1,5 +1,5 @@ -policy_module(locallogin,1.3.0) +policy_module(locallogin,1.3.1) ######################################## # @@ -47,7 +47,7 @@ allow local_login_t self:shm create_shm_perms; allow local_login_t self:sem create_sem_perms; allow local_login_t self:msgq create_msgq_perms; allow local_login_t self:msg { send receive }; -allow local_login_t self:key { search write }; +allow local_login_t self:key { search write link }; allow local_login_t local_login_lock_t:file create_file_perms; files_lock_filetrans(local_login_t,local_login_lock_t,file) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index b1cfda1..10ddf81 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te 
@@ -1,5 +1,5 @@ -policy_module(logging,1.4.0) +policy_module(logging,1.4.1) ######################################## # @@ -136,6 +136,8 @@ dev_read_sysfs(auditd_t) fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) +selinux_search_fs(auditctl_t) + term_dontaudit_use_console(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf @@ -164,6 +166,7 @@ miscfiles_read_localization(auditd_t) mls_file_read_up(auditd_t) mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory mls_rangetrans_target(auditd_t) +mls_fd_use_all_levels(auditd_t) seutil_dontaudit_read_config(auditd_t) diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc index b2b7f82..72c746e 100644 --- a/policy/modules/system/mount.fc +++ b/policy/modules/system/mount.fc @@ -1,7 +1,4 @@ - -######################################## -# -# mount file contexts -# /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) + +/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 9a4b9ba..3ea8c4b 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -1,5 +1,5 @@ -policy_module(mount,1.4.0) +policy_module(mount,1.4.1) ######################################## # @@ -38,6 +38,7 @@ allow mount_t mount_tmp_t:dir create_dir_perms; files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) kernel_read_system_state(mount_t) +kernel_read_kernel_sysctls(mount_t) kernel_dontaudit_getattr_core_if(mount_t) dev_getattr_all_blk_files(mount_t) @@ -104,6 +105,7 @@ mls_file_write_down(mount_t) sysnet_use_portmap(mount_t) selinux_get_enforce_mode(mount_t) +seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index 42825f9..64c9107 100644 --- a/policy/modules/system/raid.te 
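Review bot: In logging.te, `selinux_search_fs(auditctl_t)` is inserted among auditd_t rules (between fs_search_auto_mountpoints(auditd_t) and term_dontaudit_use_console(auditd_t)), so it will be missed by anyone reviewing auditctl_t's rules. Move it to the auditctl local policy section; the rule itself is fine. In the second hunk, mls_fd_use_all_levels(auditd_t) lacks the kind of reason comment the neighbouring mls_rangetrans_target line carries; a short one would help, since the reason is not visible here.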
+++ b/policy/modules/system/raid.te @@ -1,5 +1,5 @@ -policy_module(raid,1.1.0) +policy_module(raid,1.1.1) ######################################## # @@ -22,7 +22,9 @@ files_pid_file(mdadm_var_run_t) allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; dontaudit mdadm_t self:capability sys_tty_config; allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; +allow mdadm_t self:fifo_file rw_file_perms; +allow mdadm_t mdadm_var_run_t:dir rw_dir_perms; allow mdadm_t mdadm_var_run_t:file create_file_perms; files_pid_filetrans(mdadm_t,mdadm_var_run_t,file) @@ -49,6 +51,7 @@ term_dontaudit_list_ptys(mdadm_t) # Helper program access corecmd_exec_bin(mdadm_t) corecmd_exec_sbin(mdadm_t) +corecmd_exec_shell(mdadm_t) domain_use_interactive_fds(mdadm_t) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 3380aac..23dcfc8 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.3.2) +policy_module(selinuxutil,1.3.3) ifdef(`strict_policy',` gen_require(` @@ -270,6 +270,7 @@ mls_file_write_down(newrole_t) mls_file_upgrade(newrole_t) mls_file_downgrade(newrole_t) mls_process_set_level(newrole_t) +mls_fd_share_all_levels(newrole_t) selinux_get_fs_mount(newrole_t) selinux_validate_context(newrole_t) @@ -286,6 +287,7 @@ term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) auth_domtrans_chk_passwd(newrole_t) +auth_rw_faillog(newrole_t) corecmd_list_bin(newrole_t) corecmd_read_bin_symlinks(newrole_t) @@ -580,6 +582,7 @@ mls_file_write_down(semanage_t) mls_rangetrans_target(semanage_t) mls_file_read_up(semanage_t) +selinux_validate_context(semanage_t) selinux_get_enforce_mode(semanage_t) # for setsebool: selinux_set_boolean(semanage_t) diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 49da6d2..71c1a90 100644 --- a/policy/modules/system/setrans.te 
+++ b/policy/modules/system/setrans.te @@ -1,5 +1,5 @@ -policy_module(setrans,1.1.1) +policy_module(setrans,1.1.2) ######################################## # @@ -58,6 +58,9 @@ mls_file_write_down(setrans_t) mls_net_receive_all_levels(setrans_t) mls_rangetrans_target(setrans_t) mls_socket_write_all_levels(setrans_t) +mls_process_read_up(setrans_t) +mls_socket_read_all_levels(setrans_t) +mls_fd_use_all_levels(setrans_t) selinux_compute_access_vector(setrans_t) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 0c98c70..8ceeea6 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.4.0) +policy_module(unconfined,1.4.1) ######################################## # @@ -60,14 +60,6 @@ ifdef(`targeted_policy',` ') optional_policy(` - bluetooth_domtrans_helper(unconfined_t) - ') - - optional_policy(` - bootloader_domtrans(unconfined_t) - ') - - optional_policy(` init_dbus_chat_script(unconfined_t) dbus_stub(unconfined_t) @@ -94,10 +86,6 @@ ifdef(`targeted_policy',` ') optional_policy(` - dmidecode_domtrans(unconfined_t) - ') - - optional_policy(` firstboot_domtrans(unconfined_t) ') diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 87137bc..70120a1 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -135,10 +135,12 @@ template(`userdom_ro_home_template',` files_type($1_home_t) files_associate_tmp($1_home_t) fs_associate_tmpfs($1_home_t) + files_mountpoint($1_home_t) # type of home directory type $1_home_dir_t, home_dir_type, home_type; files_type($1_home_dir_t) + files_mountpoint($1_home_dir_t) files_associate_tmp($1_home_dir_t) fs_associate_tmpfs($1_home_dir_t) 
@@ -3995,12 +3997,7 @@ interface(`userdom_dontaudit_search_staff_home_dirs',` # interface(`userdom_manage_staff_home_dirs',` ifdef(`targeted_policy',` - gen_require(` - type user_home_dir_t; - ') - - files_search_home($1) - allow $1 user_home_dir_t:dir manage_dir_perms; + userdom_manage_generic_user_home_dirs($1) ',` gen_require(` type staff_home_dir_t; @@ -4823,6 +4820,26 @@ interface(`userdom_dontaudit_search_generic_user_home_dirs',` ######################################## ## +## Create, read, write, and delete generic user +## home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_generic_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + files_search_home($1) + allow $1 user_home_dir_t:dir manage_dir_perms; +') + +######################################## +## ## Create, read, write, and delete ## subdirectories of generic user ## home directories. @@ -4877,13 +4894,13 @@ interface(`userdom_read_generic_user_home_content_files',` # interface(`userdom_manage_generic_user_home_content_files',` gen_require(` - type user_home_t; + type user_home_dir_t, user_home_t; ') files_search_home($1) allow $1 user_home_dir_t:dir search_dir_perms; allow $1 user_home_t:dir rw_dir_perms; - allow $1 user_home_t:file create_file_perms; + allow $1 user_home_t:file manage_file_perms; ') ######################################## diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index dea0515..5520823 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,2.0.0) +policy_module(userdomain,2.0.1) gen_require(` role sysadm_r, staff_r, user_r; 
@@ -128,6 +128,7 @@ ifdef(`strict_policy',` ') ifdef(`enable_mls',` + allow auditadm_t self:capability { dac_read_search dac_override }; seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) domain_kill_all_domains(auditadm_t) seutil_read_bin_policy(auditadm_t) @@ -140,7 +141,7 @@ ifdef(`strict_policy',` logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) userdom_dontaudit_read_sysadm_home_content_files(auditadm_t) - allow secadm_t self:capability dac_override; + allow secadm_t self:capability { dac_read_search dac_override }; corecmd_exec_shell(secadm_t) domain_obj_id_change_exemption(secadm_t) mls_process_read_up(secadm_t) @@ -149,13 +150,16 @@ ifdef(`strict_policy',` mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) auth_relabel_all_files_except_shadow(secadm_t) + dev_relabel_all_dev_nodes(secadm_t) auth_relabel_shadow(secadm_t) init_exec(secadm_t) logging_read_audit_log(secadm_t) logging_read_generic_logs(secadm_t) userdom_dontaudit_append_staff_home_content_files(secadm_t) userdom_dontaudit_read_sysadm_home_content_files(secadm_t) - netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t }) + optional_policy(` + netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t }) + ') ',` logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc index 0a44f00..83a9755 100644 --- a/policy/modules/system/xen.fc +++ b/policy/modules/system/xen.fc @@ -1,3 +1,7 @@ +/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) + +/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) + /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) /usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) 
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index ef76b86..032eb7b 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -1,5 +1,5 @@ -policy_module(xen,1.1.0) +policy_module(xen,1.1.1) ######################################## # @@ -14,6 +14,12 @@ files_type(xen_devpts_t); # Xen Image files type xen_image_t; # customizable files_type(xen_image_t) +# xen_image_t can be assigned to blk devices +dev_node(xen_image_t) + +type xenctl_t; +files_type(xenctl_t) + type xend_t; type xend_exec_t; @@ -68,7 +74,7 @@ init_daemon_domain(xm_t, xm_exec_t) # xend local policy # -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw }; +allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw }; dontaudit xend_t self:capability { sys_ptrace }; allow xend_t self:process { signal sigkill }; dontaudit xend_t self:process ptrace; @@ -82,6 +88,10 @@ allow xend_t self:packet_socket create_socket_perms; allow xend_t xen_image_t:dir r_dir_perms; allow xend_t xen_image_t:file rw_file_perms; +allow xend_t xen_image_t:blk_file rw_file_perms; + +allow xend_t xenctl_t:fifo_file create_file_perms; +dev_filetrans(xend_t, xenctl_t, fifo_file) # pid file allow xend_t xend_var_run_t:file manage_file_perms; @@ -132,6 +142,8 @@ corenet_tcp_bind_xen_port(xend_t) corenet_tcp_bind_soundd_port(xend_t) corenet_tcp_bind_generic_port(xend_t) corenet_tcp_bind_vnc_port(xend_t) +corenet_tcp_connect_xserver_port(xend_t) +corenet_sendrecv_xserver_client_packets(xend_t) corenet_sendrecv_xen_server_packets(xend_t) corenet_sendrecv_soundd_server_packets(xend_t) corenet_rw_tun_tap_dev(xend_t) @@ -166,6 +178,8 @@ init_use_script_ptys(xend_t) libs_use_ld_so(xend_t) libs_use_shared_libs(xend_t) +locallogin_dontaudit_use_fds(xend_t) + logging_send_syslog_msg(xend_t) miscfiles_read_localization(xend_t) 
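Review bot: The mknod capability added to xend_t's self:capability set is not used by any rule in this hunk: the new xenctl_t rule covers fifo_file creation, which needs no CAP_MKNOD, and xen_image_t:blk_file receives only rw_file_perms, not create. Unless xend creates block or character nodes under a rule outside the hunk, drop mknod from the set, or document which node it creates with a comment above the line, since CAP_MKNOD lets the domain create arbitrary device nodes. dev_node(xen_image_t) gets a helpful comment; the xenctl_t declaration beneath it would benefit from the same, e.g. `# control fifos created under /dev/xen`.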
@@ -176,6 +190,7 @@ sysnet_domtrans_ifconfig(xend_t) sysnet_dns_name_resolve(xend_t) sysnet_delete_dhcpc_pid(xend_t) sysnet_read_dhcpc_pid(xend_t) +sysnet_rw_dhcp_config(xend_t) userdom_dontaudit_search_sysadm_home_dirs(xend_t) @@ -187,6 +202,15 @@ optional_policy(` consoletype_exec(xend_t) ') +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys(xend_t) + term_dontaudit_use_generic_ptys(xend_t) + + optional_policy(` + unconfined_rw_pipes(xend_t) + ') +') + ######################################## # # Xen console local policy @@ -210,6 +234,8 @@ kernel_read_xen_state(xenconsoled_t) domain_dontaudit_ptrace_all_domains(xenconsoled_t) +files_read_usr_files(xenconsoled_t) + term_create_pty(xenconsoled_t,xen_devpts_t); term_use_generic_ptys(xenconsoled_t) term_use_console(xenconsoled_t) @@ -250,9 +276,12 @@ kernel_write_xen_state(xenstored_t) kernel_read_xen_state(xenstored_t) dev_create_generic_dirs(xenstored_t) -dev_manage_xen(xenconsoled_t) +dev_manage_xen(xenstored_t) dev_filetrans_xen(xenstored_t) dev_rw_xen(xenstored_t) +dev_read_sysfs(xenstored_t) + +files_read_usr_files(xenstored_t) term_use_generic_ptys(xenstored_t) term_use_console(xenconsoled_t) @@ -278,7 +307,8 @@ allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; # internal communication is often done using fifo and unix sockets. allow xm_t self:fifo_file { read write }; -allow xm_t self:unix_stream_socket create_stream_socket_perms; +allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow xm_t self:tcp_socket create_stream_socket_perms; allow xm_t xend_var_lib_t:dir rw_dir_perms; allow xm_t xend_var_lib_t:fifo_file create_file_perms; @@ -296,6 +326,10 @@ kernel_write_xen_state(xm_t) corecmd_exec_bin(xm_t) corecmd_exec_sbin(xm_t) +corenet_tcp_sendrecv_generic_if(xm_t) +corenet_tcp_sendrecv_all_nodes(xm_t) +corenet_tcp_connect_soundd_port(xm_t) + dev_read_urand(xm_t) files_read_etc_runtime_files(xm_t) 
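Review bot: `sysnet_rw_dhcp_config(xend_t)` gives xend write access to the dhcp client configuration, right after rules that only read or delete the dhcpc pid, and nothing in the hunk says why xend edits that file. If the network scripts xend runs only read it, the read-only interface (sysnet_read_dhcp_config, if this tree's sysnetwork.if provides it) is the narrower choice; if they do rewrite it, add `# vif scripts rewrite the dhclient config — confirm` so the write grant stays traceable. xend_t's rules continue outside the hunk.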
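Review bot: Hunk -250,9 +276,12 corrects `dev_manage_xen` from xenconsoled_t to xenstored_t but leaves the adjacent context line `term_use_console(xenconsoled_t)` inside what the hunk header (`kernel_write_xen_state(xenstored_t)`) shows is the xenstored section; xenconsoled_t already receives `term_use_console` in its own section in the hunk at -210,6 +234,8, so this looks like the same copy-paste mix-up and should probably read `term_use_console(xenstored_t)`. Note also that the correction silently removes dev_manage_xen from xenconsoled_t; if xenconsoled relied on it despite the misplaced line, that domain regresses, so the console path is worth testing after this change.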
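Review bot: `allow xm_t self:tcp_socket create_stream_socket_perms;` in hunk -278,7 +307,8 sits directly under the comment `# internal communication is often done using fifo and unix sockets.`, which no longer describes the rule set; extend it, e.g. `# xm also opens TCP sockets (see the corenet_* rules below)`. In the following hunk (-296,6 +326,10) `corenet_tcp_connect_soundd_port(xm_t)` reads as if the management tool talks to a sound daemon; if, as in refpolicy's corenetwork definitions of this era, xend's HTTP port 8000 is labeled soundd_port_t, a comment `# port 8000 (xend http) is labeled soundd_port_t — confirm` is needed, and the same applies to the existing `corenet_tcp_bind_soundd_port(xend_t)`. Otherwise a later port-label cleanup will remove access nobody can explain.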
@@ -314,6 +348,8 @@ libs_use_shared_libs(xm_t) miscfiles_read_localization(xm_t) +sysnet_read_config(xm_t) + xen_append_log(xm_t) xen_stream_connect(xm_t) xen_stream_connect_xenstore(xm_t) diff --git a/support/Makefile.devel b/support/Makefile.devel index e9b039b..9c109eb 100644 --- a/support/Makefile.devel +++ b/support/Makefile.devel @@ -67,11 +67,6 @@ ifneq ($(DISTRO),) M4PARAM += -D distro_$(DISTRO) endif -# enable polyinstantiation -ifeq ($(POLY),y) - M4PARAM += -D enable_polyinstantiation -endif - ifeq ($(DIRECT_INITRC),y) M4PARAM += -D direct_sysadm_daemon endif
