diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index b257b2b..7ea3893 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -183,7 +183,7 @@ interface(`term_dontaudit_use_console',`
 type console_device_t;
 ')
- dontaudit $1 console_device_t:chr_file { read write };
+ dontaudit $1 console_device_t:chr_file rw_file_perms;
 ')
 ########################################
@@ -364,11 +364,10 @@ interface(`term_dontaudit_use_generic_pty',`
 interface(`term_use_controlling_term',`
 gen_require(`
 type devtty_t;
- class chr_file { getattr read write ioctl };
 ')
 dev_list_all_dev_nodes($1)
- allow $1 devtty_t:chr_file { getattr read write ioctl };
+ allow $1 devtty_t:chr_file { rw_term_perms lock append };
 ')
 ########################################
@@ -668,11 +667,10 @@ interface(`term_write_unallocated_ttys',`
 interface(`term_use_unallocated_tty',`
 gen_require(`
 type tty_device_t;
- class chr_file { getattr read write ioctl };
 ')
 dev_list_all_dev_nodes($1)
- allow $1 tty_device_t:chr_file { getattr read write ioctl };
+ allow $1 tty_device_t:chr_file { rw_term_perms lock append };
 ')
 ########################################
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 75c64f0..761c12e 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -142,7 +142,7 @@ miscfiles_read_localization(apmd_t)
 modutils_domtrans_insmod(apmd_t)
 modutils_read_module_conf(apmd_t)
-seutil_dontaudit_search_config(apmd_t)
+seutil_dontaudit_read_config(apmd_t)
 userdom_dontaudit_use_unpriv_user_fd(apmd_t)
 userdom_dontaudit_search_sysadm_home_dir(apmd_t)
@@ -191,6 +191,10 @@ optional_policy(`clock.te',`
 clock_rw_adjtime(apmd_t)
 ')
+optional_policy(`cron.te',`
+ cron_domtrans_anacron_system_job(apmd_t)
+')
+
 optional_policy(`logrotate.te',`
 logrotate_use_fd(apmd_t)
 ')
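Review bot: The new allow line for devtty_t spells out `{ rw_term_perms lock append }` literally, and the same literal set is repeated for tty_device_t in the next hunk and for initrc_devpts_t in the init.if hunk later in this diff; since obj_perm_sets.spt is already being edited here, defining that set once there, or widening rw_term_perms itself if every existing caller should gain lock and append, would keep the three in step. In the first hunk the console dontaudit now uses rw_file_perms on a chr_file while the neighbouring terminal interfaces use rw_term_perms, so the terminal set would be the consistent choice there as well.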
@@ -221,7 +225,6 @@ ifdef(`TODO',`
 allow apmd_t proc_t:file write;
 allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
 optional_policy(`cron.te',`
- domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
 allow apmd_t crond_t:fifo_file { getattr read write ioctl };
 ')
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 68478f7..5ecf6cd 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -161,9 +161,10 @@ optional_policy(`rhgb.te',`
 #
 allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:process getsched;
 allow bluetooth_helper_t self:fifo_file rw_file_perms;
 allow bluetooth_helper_t self:shm create_shm_perms;
-allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow bluetooth_helper_t bluetooth_t:socket { read write };
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index 62e42d2..f6e399e 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -33,7 +33,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
 allow canna_t self:tcp_socket create_stream_socket_perms;
 allow canna_t canna_log_t:file create_file_perms;
-allow canna_t canna_log_t:dir rw_dir_perms;
+allow canna_t canna_log_t:dir { rw_dir_perms setattr };
 logging_create_log(canna_t,canna_log_t,{ file dir })
 allow canna_t canna_var_lib_t:dir create_dir_perms;
@@ -54,6 +54,7 @@ corenet_tcp_sendrecv_all_if(canna_t)
 corenet_raw_sendrecv_all_if(canna_t)
 corenet_tcp_sendrecv_all_nodes(canna_t)
 corenet_raw_sendrecv_all_nodes(canna_t)
+corenet_tcp_sendrecv_all_ports(canna_t)
 corenet_tcp_bind_all_nodes(canna_t)
 corenet_tcp_connect_all_ports(canna_t)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index eade946..2f1179c 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -324,7 +324,7 @@ interface(`cron_system_entry',`
 allow $1 system_crond_t:fifo_file rw_file_perms;
 allow $1 system_crond_t:process sigchld;
- allow $1 crond_t:fifo_file { getattr read write ioctl };
+ allow $1 crond_t:fifo_file rw_file_perms;
 allow $1 crond_t:fd use;
 allow $1 crond_t:process sigchld;
 ')
@@ -418,6 +418,27 @@ interface(`cron_search_spool',`
 ########################################
 ##
+## Execute APM in the apm domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`cron_domtrans_anacron_system_job',`
+ gen_require(`
+ type system_crond_t, anacron_exec_t;
+ ')
+
+ domain_auto_trans($1,anacron_exec_t,system_crond_t)
+
+ allow $1 system_crond_t:fd use;
+ allow system_crond_t $1:fd use;
+ allow system_crond_t $1:fifo_file rw_file_perms;
+ allow system_crond_t $1:process sigchld;
+')
+
+########################################
+##
 ## Inherit and use a file descriptor
 ## from system cron jobs.
 ##
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 78c88d1..31c7581 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -75,6 +75,7 @@ corenet_tcp_sendrecv_all_nodes(dovecot_t)
 corenet_raw_sendrecv_all_nodes(dovecot_t)
 corenet_tcp_sendrecv_all_ports(dovecot_t)
 corenet_tcp_bind_all_nodes(dovecot_t)
+corenet_tcp_connect_all_ports(dovecot_t)
 dev_read_sysfs(dovecot_t)
 dev_read_urand(dovecot_t)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index d6db068..504e104 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
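Review bot: The summary on the new `cron_domtrans_anacron_system_job` interface, `## Execute APM in the apm domain.`, does not describe this interface; its body transitions the caller into system_crond_t via anacron_exec_t, so the summary should read along the lines of `## Execute anacron in the system cron job domain.`. The same comment should also say that the interface grants system_crond_t use of the caller's fd, read/write on its fifo_file and sigchld on its process, because a caller such as apmd_t is handing out access to itself as well as receiving it. The `cron_system_entry` body in the first hunk begins outside the hunk.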
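Review bot: `corenet_tcp_connect_all_ports(dovecot_t)` grants the dovecot domain outbound TCP connections to every port, which is broader than a mail server that already binds and sends/receives on all ports needs in order to serve clients; if the denial behind this change is to a single backend service, a port-specific corenet interface for that port would be the least-privilege choice. If connecting to arbitrary ports really is required, a one-line comment above the call naming the reason would spare the next reviewer the same question.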
@@ -823,10 +823,9 @@ interface(`files_create_root',`
 interface(`files_dontaudit_read_root_file',`
 gen_require(`
 type root_t;
- class file read;
 ')
- dontaudit $1 root_t:file read;
+ dontaudit $1 root_t:file { getattr read };
 ')
 ########################################
@@ -2150,7 +2149,7 @@ interface(`files_search_var',`
 type var_t;
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 ')
 ########################################
@@ -2215,11 +2214,9 @@ interface(`files_manage_var_dirs',`
 interface(`files_read_var_files',`
 gen_require(`
 type var_t;
- class dir search;
- class file r_file_perms;
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 var_t:file r_file_perms;
 ')
@@ -2253,11 +2250,9 @@ interface(`files_manage_var_files',`
 interface(`files_read_var_symlink',`
 gen_require(`
 type var_t;
- class dir search;
- class lnk_file { getattr read };
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 var_t:lnk_file { getattr read };
 ')
@@ -2273,8 +2268,6 @@ interface(`files_read_var_symlink',`
 interface(`files_manage_var_symlinks',`
 gen_require(`
 type var_t;
- class dir rw_dir_perms;
- class lnk_file create_lnk_perms;
 ')
 allow $1 var_t:dir rw_dir_perms;
@@ -2321,10 +2314,9 @@ interface(`files_create_var',`
 interface(`files_getattr_var_lib_dir',`
 gen_require(`
 type var_t, var_lib_t;
- class dir getattr;
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 var_lib_t:dir getattr;
 ')
@@ -2339,10 +2331,9 @@ interface(`files_getattr_var_lib_dir',`
 interface(`files_search_var_lib',`
 gen_require(`
 type var_t, var_lib_t;
- class dir search;
 ')
- allow $1 { var_t var_lib_t }:dir search;
+ allow $1 { var_t var_lib_t }:dir search_dir_perms;
 ')
 ########################################
@@ -2356,10 +2347,9 @@ interface(`files_search_var_lib',`
 interface(`files_list_var_lib',`
 gen_require(`
 type var_t, var_lib_t;
- class dir r_dir_perms;
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 var_lib_t:dir r_dir_perms;
 ')
@@ -2383,7 +2373,7 @@ interface(`files_create_var_lib',`
 class dir rw_dir_perms;
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 var_lib_t:dir rw_dir_perms;
 ifelse(`$3',`',`
@@ -2406,7 +2396,7 @@ interface(`files_read_var_lib_files',`
 type var_t, var_lib_t;
 ')
- allow $1 { var_t var_lib_t }:dir search;
+ allow $1 { var_t var_lib_t }:dir search_dir_perms;
 allow $1 var_lib_t:file r_file_perms;
 ')
@@ -2423,7 +2413,7 @@ interface(`files_read_var_lib_symlinks',`
 type var_t, var_lib_t;
 ')
- allow $1 { var_t var_lib_t }:dir search;
+ allow $1 { var_t var_lib_t }:dir search_dir_perms;
 allow $1 var_lib_t:lnk_file { getattr read };
 ')
@@ -2434,11 +2424,9 @@ interface(`files_read_var_lib_symlinks',`
 interface(`files_manage_urandom_seed',`
 gen_require(`
 type var_t, var_lib_t;
- class dir rw_file_perms;
- class file { getattr create read write setattr unlink };
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 var_lib_t:dir rw_dir_perms;
 allow $1 var_lib_t:file { getattr create read write setattr unlink };
 ')
@@ -2449,12 +2437,10 @@ interface(`files_manage_urandom_seed',`
 #
 interface(`files_search_locks',`
 gen_require(`
- type var_t;
- type var_lock_t;
- class dir search;
+ type var_t, var_lock_t;
 ')
- allow $1 { var_t var_lock_t }:dir search;
+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
 ')
 ########################################
@@ -2488,7 +2474,7 @@ interface(`files_rw_locks_dir',`
 type var_t, var_lock_t;
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 var_lock_t:dir rw_dir_perms;
 ')
@@ -2498,13 +2484,10 @@ interface(`files_rw_locks_dir',`
 #
 interface(`files_getattr_generic_locks',`
 gen_require(`
- type var_t;
- type var_lock_t;
- class dir r_dir_perms;
- class file getattr;
+ type var_t, var_lock_t;
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 var_lock_t:dir r_dir_perms;
 allow $1 var_lock_t:file getattr;
 ')
@@ -2516,8 +2499,6 @@ interface(`files_getattr_generic_locks',`
 interface(`files_manage_generic_locks',`
 gen_require(`
 type var_lock_t;
- class dir { getattr search create read write setattr add_name remove_name rmdir };
- class file { getattr create read write setattr unlink };
 ')
 allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 29fe566..c8df5f1 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -610,11 +610,10 @@ interface(`init_unix_connect_script',`
 interface(`init_use_script_pty',`
 gen_require(`
 type initrc_devpts_t;
- class chr_file rw_term_perms;
 ')
 term_list_ptys($1)
- allow $1 initrc_devpts_t:chr_file rw_term_perms;
+ allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index d1a0700..f226777 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -35,8 +35,13 @@ files_type(shlib_t)
 # texrel_shlib_t is the type of shared objects in the system lib
 # directories, which require text relocation.
 #
-type texrel_shlib_t;
-files_type(texrel_shlib_t)
+
+ifdef(`targeted_policy',`
+ typealias lib_t alias texrel_shlib_t;
+',`
+ type texrel_shlib_t;
+ files_type(texrel_shlib_t)
+')
 kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
 kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
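Review bot: Under targeted_policy the new `typealias lib_t alias texrel_shlib_t;` makes the two names refer to one type, so any rule elsewhere in the policy written against texrel_shlib_t (the comment above identifies these as the text-relocating shared objects) now applies to every lib_t file in that build; that widening is presumably intended for targeted but deserves a comment inside the ifdef stating it, e.g. `# targeted: texrel_shlib_t is folded into lib_t, so any permission on it covers all of lib_t`. The blank `+` line inserted directly after the `#` that closes the comment block separates the comment from the definition it describes; dropping it, or moving it above the comment, keeps the two together.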
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 36fd3bd..77a1e1a 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -150,10 +150,6 @@ userdom_dontaudit_search_sysadm_home_dir(auditd_t)
 # cjp: this is questionable
 userdom_use_sysadm_tty(auditd_t)
-ifdef(`targeted_policy',`
- unconfined_domain_template(auditd_t)
-')
-
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(auditd_t)
 ')
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 9e919ff..b1ba783 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -32,9 +32,10 @@ domain_entry_file(cardmgr_t,cardctl_exec_t)
 # Use capabilities (net_admin for route), setuid for cardctl
 allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
 dontaudit cardmgr_t self:capability sys_tty_config;
+allow cardmgr_t self:process signal_perms;
+allow cardmgr_t self:fifo_file rw_file_perms;
 allow cardmgr_t self:unix_dgram_socket create_socket_perms;
 allow cardmgr_t self:unix_stream_socket create_socket_perms;
-allow cardmgr_t self:fifo_file rw_file_perms;
 allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
 dev_create_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
@@ -124,6 +125,7 @@ ifdef(`targeted_policy', `
 ')
 optional_policy(`selinuxutils.te',`
+ seutil_dontaudit_read_config(cardmgr_t)
 seutil_sigchld_newrole(cardmgr_t)
 ')
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 3c5b3cc..3498ce3 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
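Review bot: The new `seutil_dontaudit_read_config(cardmgr_t)` is placed inside `optional_policy(`selinuxutils.te',``, whereas the logging.te hunk in this same diff spells the module `optional_policy(`selinuxutil.te',`` and the file edited right below is selinuxutil.if; if optional_policy keys on the module file name, the misspelled block, and the new line with it, may never be compiled in. Changing the opening line to `optional_policy(`selinuxutil.te',`` would fix this; the block itself opens and closes within the hunk, while the targeted_policy ifdef named in the hunk header begins outside it.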
@@ -486,8 +486,6 @@ interface(`seutil_dontaudit_search_config',`
 interface(`seutil_dontaudit_read_config',`
 gen_require(`
 type selinux_config_t;
- class dir search;
- class file { getattr read };
 ')
 dontaudit $1 selinux_config_t:dir search;
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index dfe9c8b..b14131b 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -65,6 +65,7 @@ ifdef(`targeted_policy',`
 # dont need to use the full role_change()
 allow sysadm_r system_r;
+ allow sysadm_r user_r;
 allow user_r system_r;
 allow user_r sysadm_r;
 allow system_r sysadm_r;
diff --git a/refpolicy/policy/support/obj_perm_sets.spt b/refpolicy/policy/support/obj_perm_sets.spt
index 03fcb24..458c17c 100644
--- a/refpolicy/policy/support/obj_perm_sets.spt
+++ b/refpolicy/policy/support/obj_perm_sets.spt
@@ -194,7 +194,7 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ
 #
 # Directory
 #
-define(`search_dir_perms',`{ search }')
+define(`search_dir_perms',`{ getattr search }')
 define(`getattr_dir_perms',`{ getattr }')
 define(`setattr_dir_perms',`{ setattr }')
 define(`list_dir_perms',`{ getattr search read lock ioctl }')
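Review bot: Redefining `search_dir_perms` as `{ getattr search }` widens every existing caller of the macro throughout the policy, not only the files.if interfaces converted in this diff, because the m4 set is expanded wherever it is referenced; the commit message, or a comment on the define, should state that getattr is now part of the search set so reviewers of the other callers know the extra permission is intended. With `getattr_dir_perms` kept as a separate set directly below, a short comment such as `# search_dir_perms: search plus getattr on the directory being traversed` would also make the distinction between the two explicit.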