diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index f6ab7d2..1000a52 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -51,13 +51,20 @@ files_ignore_read_rootfs_file(consoletype_t)
libraries_use_dynamic_loader(consoletype_t)
libraries_use_shared_libraries(consoletype_t)
+tunable_policy(`distro_redhat', `
+filesystem_use_tmpfs_character_devices(consoletype_t)
+')
+
optional_policy(`authlogin.te', `
authlogin_pam_read_runtime_data(consoletype_t)
')
+optional_policy(`userdomain.te',`
+userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
+')
+
ifdef(`TODO',`
-allow consoletype_t unpriv_userdomain:fd use;
allow consoletype_t sysadm_t:fd use;
allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
allow consoletype_t sysadm_t:fifo_file rw_file_perms;
@@ -97,10 +104,6 @@ optional_policy(`lpd.te', `
allow consoletype_t printconf_t:file { getattr read };
')
-tunable_policy(`distro_redhat', `
-allow consoletype_t tmpfs_t:chr_file rw_file_perms;
-')
-
optional_policy(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
')
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index d2dfb22..a202049 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -882,8 +882,15 @@ class filesystem getattr;
')
########################################
-#
-# filesystem_tmpfs_associate(type)
+##
+##
+## Allow the type to associate to tmpfs filesystems.
+##
+##
+## The type of the object to be associated.
+##
+##
+##
#
define(`filesystem_tmpfs_associate',`
requires_block_template(`$0'_depend)
@@ -915,6 +922,100 @@ class dir { getattr search read write add_name };
')
########################################
+##
+##
+## Read and write character nodes on tmpfs filesystems.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`filesystem_use_tmpfs_character_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:chr_file { getattr read write ioctl };
+')
+
+define(`filesystem_use_tmpfs_character_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read };
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+##
+##
+## Read and write block nodes on tmpfs filesystems.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`filesystem_use_tmpfs_block_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:blk_file { getattr read write ioctl };
+')
+
+define(`filesystem_use_tmpfs_block_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read };
+class blk_file { getattr read write ioctl };
+')
+
+########################################
+##
+##
+## Read and write, create and delete character
+## nodes on tmpfs filesystems.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`filesystem_manage_tmpfs_character_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read write add_name remove_name };
+allow $1 tmpfs_t:chr_file { getattr read write ioctl create unlink setattr };
+')
+
+define(`filesystem_mange_tmpfs_character_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read write add_name remove_name };
+class chr_file { getattr read write ioctl create unlink setattr };
+')
+
+########################################
+##
+##
+## Read and write, create and delete block nodes
+## on tmpfs filesystems.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`filesystem_manage_tmpfs_block_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read write add_name remove_name };
+allow $1 tmpfs_t:blk_file { getattr read write ioctl create unlink setattr };
+')
+
+define(`filesystem_manage_tmpfs_block_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read write add_name remove_name };
+class blk_file { getattr read write ioctl create unlink setattr };
+')
+
+########################################
#
# filesystem_mount_all_filesystems(type)
#
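Review bot: The depend block for the new `filesystem_manage_tmpfs_character_devices` interface is misnamed: it is defined as `filesystem_mange_tmpfs_character_devices_depend`, so the `requires_block_template(`$0'_depend)` call in the interface body expands to a macro that does not exist and the interface's requirements are never emitted. Renaming it to `define(`filesystem_manage_tmpfs_character_devices_depend',`` fixes it; the sibling block-device interface and both `use` interfaces spell theirs correctly. Separately, the two `manage` interfaces grant `create unlink setattr` on device nodes in tmpfs, which is effectively the ability to fabricate device nodes; the `##` description should say so explicitly so callers do not reach for it where `filesystem_use_tmpfs_*_devices` would do.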
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 2d799f1..cc23bf3 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1058,8 +1058,16 @@ class lnk_file { getattr read };
')
########################################
-#
-# kernel_read_usb_hardware_state(domain)
+##
+##
+## Read USB hardware information using
+## the usbfs filesystem interface.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`kernel_read_usb_hardware_state',`
requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index c48f3bc..ea24f98 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -104,24 +104,37 @@ class chr_file { read write };
')
########################################
-#
-# terminal_use_console(domain)
+##
+##
+## Read from and write to the console.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`terminal_use_console',`
requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
allow $1 console_device_t:chr_file { read write };
')
define(`terminal_use_console_depend',`
type console_device_t;
class chr_file { read write };
-devices_list_device_nodes_depend
')
########################################
-#
-# terminal_ignore_use_console(domain)
+##
+##
+## Do not audit read from or write to the console.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`terminal_ignore_use_console',`
requires_block_template(`$0'_depend)
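Review bot: `terminal_use_console_depend` drops `devices_list_device_nodes_depend` while switching the body to the unconditional `devices_list_device_nodes($1)`, but the header of the next hunk (old line 155) shows that at least one other depend block in this file still carries that same line, and the same `$1,optional` to `$1` change is made in `terminal_list_pseudoterminals` without touching its depend block. If the called interface now emits its own requirements, the remaining `devices_list_device_nodes_depend` lines are stale and should go too; if it does not, this removal leaves `terminal_use_console` with an incomplete requires block. Either way the file should be consistent about which convention applies.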
@@ -155,7 +168,7 @@ devices_list_device_nodes_depend
#
define(`terminal_list_pseudoterminals',`
requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
allow $1 devpts_t:dir { getattr search read };
')
@@ -334,6 +347,29 @@ devices_list_device_nodes_depend
')
########################################
+##
+##
+## Write to general ttys. Has a backchannel of
+## getting all tty attributes.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`terminal_write_general_physical_terminal',`
+requires_block_template(`$0'_depend)
+devices_list_device_nodes($1)
+allow $1 tty_device_t:chr_file { getattr write };
+')
+
+define(`terminal_write_general_physical_terminal_depend',`
+type tty_device_t;
+class chr_file { read write };
+')
+
+########################################
#
# terminal_use_general_physical_terminal(domain)
#
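Review bot: The depend block for `terminal_write_general_physical_terminal` declares `class chr_file { read write };` but the interface body grants `{ getattr write }`, so `getattr` is undeclared and `read` is declared without being used. It should read `class chr_file { getattr write };`, matching what the parallel `terminal_write_all_private_physical_terminals_depend` added later in this diff already does.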
@@ -392,6 +428,29 @@ class chr_file getattr;
')
########################################
+##
+##
+## Write to all private ttys. Has a backchannel of
+## getting all private tty attributes.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`terminal_write_all_private_physical_terminals',`
+requires_block_template(`$0'_depend)
+devices_list_device_nodes($1)
+allow $1 ttynode:chr_file { getattr write };
+')
+
+define(`terminal_write_all_private_physical_terminals_depend',`
+attribute ttynode;
+class chr_file { getattr write };
+')
+
+########################################
#
# terminal_use_all_private_physical_terminals(domain)
#
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index dadf9ec..8cf7256 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -2,7 +2,7 @@
########################################
#
-# cron_per_userdomain_template(domain)
+# cron_per_userdomain_template(domainprefix)
#
define(`cron_per_userdomain_template',`
@@ -213,3 +213,24 @@ ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
dontaudit $1_crontab_t var_run_t:dir search;
') dnl endif TODO
')
+
+########################################
+#
+# cron_admin_template(domainprefix)
+#
+
+define(`cron_admin_template',`
+
+logging_read_system_logs($1_crond_t)
+
+# Allow our crontab domain to unlink a user cron spool file.
+#allow $1_crontab_t user_cron_spool_t:file unlink;
+
+# Manipulate other users crontab.
+kernel_get_selinuxfs_mount_point($1_crontab_t)
+kernel_validate_selinux_context($1_crontab_t)
+kernel_compute_selinux_access_vector($1_crontab_t)
+kernel_compute_selinux_create_context($1_crontab_t)
+kernel_compute_selinux_relabel_context($1_crontab_t)
+kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
+')
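Review bot: `cron_admin_template` carries a commented-out rule, `#allow $1_crontab_t user_cron_spool_t:file unlink;`, which will be read as intent by the next maintainer; either drop it or replace it with a one-line comment saying why unlink is deliberately withheld. The template header also keeps the old `#`-style banner while the rest of this commit converts interfaces to the `##` summary/param form; for consistency suggest documenting `domainprefix` the same way. The comment `# Manipulate other users crontab.` would be more useful if it said what the selinuxfs compute access is actually used for, since as written it grants the crontab domain access-vector and context computation that the summary does not explain.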
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index ff41a42..1286ce6 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -204,6 +204,27 @@ type sendmail_exec_t;
class file { getattr read execute execute_no_trans };
')
+########################################
+##
+##
+## Read mail address aliases.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`mta_read_mail_aliases',`
+requires_block_template(`$0'_depend)
+allow $1 etc_aliases_t:file { getattr read };
+')
+
+define(`mta_read_mail_aliases_depend',`
+type etc_aliases_t;
+class file { getattr read };
+')
+
#######################################
#
# mta_modify_mail_aliases(domain)
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 57eb823..1b3a20c 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC
-#######################################
-#
-# clock_transition(domain)
+########################################
+##
+##
+## Execute hwclock in the clock domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`clock_transition',`
requires_block_template(`$0'_depend)
@@ -18,6 +25,36 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute hwclock in the clock domain, and
+## allow the specified role the hwclock domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the clock domain.
+##
+##
+## The type of the terminal allow the clock domain to use.
+##
+##
+##
+#
+define(`clock_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+clock_transition($1)
+role $2 types hwclock_t;
+allow hwclock_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`clock_transition_add_role_use_terminal_depend',`
+type hwclock_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# clock_execute(domain)
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 041fcf1..dc47297 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -68,6 +68,10 @@ optional_policy(`udev.te', `
udev_read_database(hwclock_t)
')
+optional_policy(`userdomain.te',`
+userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t)
+')
+
ifdef(`TODO',`
allow hwclock_t proc_t:dir r_dir_perms;
@@ -79,10 +83,8 @@ allow hwclock_t rhgb_t:fd use;
allow hwclock_t rhgb_t:fifo_file { read write };
')
-dontaudit hwclock_t unpriv_userdomain:fd use;
allow hwclock_t autofs_t:dir { search getattr };
-domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
optional_policy(`apmd.te', `
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 082d8d4..f41a158 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -148,8 +148,15 @@ class capability kill;
')
########################################
-#
-# domain_read_all_domains_process_state(domain)
+##
+##
+## Read the process state (/proc/pid) of all domains.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`domain_read_all_domains_process_state',`
requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 0bbddef..b1fcda2 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -263,7 +263,7 @@ type root_t;
class chr_file { read write };
')
-#
+########################################
##
##
## Create an object in the root directory, with a private
@@ -282,7 +282,6 @@ class chr_file { read write };
##
##
#
-
define(`files_create_private_root_dir_entry',`
requires_block_template(`$0'_depend)
allow $1 root_t:dir { getattr search read write add_name remove_name };
@@ -498,8 +497,15 @@ class dir { getattr search read write add_name remove_name };
')
########################################
-#
-# files_list_home_directories(type)
+##
+##
+## Get listing home home directories.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`files_list_home_directories',`
requires_block_template(`$0'_depend)
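Review bot: The new summary line for `files_list_home_directories` has a duplicated word, `## Get listing home home directories.`; suggest `## Get a listing of home directories.`. The interface body continues outside the hunk.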
@@ -570,6 +576,32 @@ class lnk_file { getattr read };
')
########################################
+##
+##
+## Execute programs in /usr/src in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`files_execute_system_source_code_scripts',`
+requires_block_template(`$0'_depend)
+allow $1 usr_t:dir search;
+allow $1 src_t:dir { getattr search read };
+allow $1 src_t:lnk_file { getattr read };
+allow $1 src_t:file { getattr read execute execute_no_trans };
+')
+
+define(`files_read_system_source_code_depend',`
+type usr_t, src_t;
+class dir { getattr search read };
+class file { getattr read execute execute_no_trans };
+class lnk_file { getattr read };
+')
+
+########################################
#
# files_read_system_source_code(domain)
#
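Review bot: The depend block added for `files_execute_system_source_code_scripts` is named `files_read_system_source_code_depend`, which is the depend macro of the existing `files_read_system_source_code` interface that follows it; this both leaves `files_execute_system_source_code_scripts_depend` undefined for the `requires_block_template(`$0'_depend)` call above it and silently redefines the other interface's requirements with an `execute` class set it does not need. Rename it to `define(`files_execute_system_source_code_scripts_depend',``. Since this interface lets a caller run files under /usr/src in its own domain via `execute_no_trans`, the `##` description should also note that the caller is trusting the contents of the source tree.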
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index bee806e..37dc3eb 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -75,8 +75,15 @@ class dir search;
')
########################################
-#
-# hotplug_read_config(domain)
+##
+##
+## Read the configuration files for hotplug.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`hotplug_read_config',`
requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 57fb357..8adac10 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -60,13 +60,9 @@ storage_set_removable_device_attributes(hotplug_t)
terminal_ignore_use_console(hotplug_t)
-init_use_file_descriptors(hotplug_t)
-init_script_use_pseudoterminal(hotplug_t)
-# Allow hotplug (including /sbin/ifup-local) to start/stop services and
-# run sendmail -q
-init_script_transition(hotplug_t)
-# kernel threads inherit from shared descriptor table used by init
-init_ignore_use_control_channel(hotplug_t)
+corecommands_execute_general_programs(hotplug_t)
+corecommands_execute_shell(hotplug_t)
+corecommands_execute_system_programs(hotplug_t)
domain_use_widely_inheritable_file_descriptors(hotplug_t)
@@ -74,11 +70,17 @@ files_read_general_system_config(hotplug_t)
files_create_runtime_system_config(hotplug_t)
files_execute_system_config_script(hotplug_t)
-corecommands_execute_general_programs(hotplug_t)
-corecommands_execute_shell(hotplug_t)
-corecommands_execute_system_programs(hotplug_t)
+init_use_file_descriptors(hotplug_t)
+init_script_use_pseudoterminal(hotplug_t)
+init_script_read_process_state(hotplug_t)
+# Allow hotplug (including /sbin/ifup-local) to start/stop services and
+# run sendmail -q
+init_script_transition(hotplug_t)
+# kernel threads inherit from shared descriptor table used by init
+init_ignore_use_control_channel(hotplug_t)
logging_send_system_log_message(hotplug_t)
+logging_search_system_log_directory(hotplug_t)
libraries_use_dynamic_loader(hotplug_t)
libraries_use_shared_libraries(hotplug_t)
@@ -92,6 +94,8 @@ miscfiles_read_localization(hotplug_t)
mount_transition(hotplug_t)
+userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
+
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(hotplug_t)
terminal_ignore_use_general_pseudoterminal(hotplug_t)
@@ -110,6 +114,10 @@ optional_policy(`iptables.te',`
iptables_transition(hotplug_t)
')
+optional_policy(`mta.te', `
+mta_send_mail(hotplug_t)
+')
+
optional_policy(`selinux.te',`
selinux_newrole_sigchld(hotplug_t)
')
@@ -128,7 +136,6 @@ updfstab_transition(hotplug_t)
')
ifdef(`TODO',`
-dontaudit hotplug_t unpriv_userdomain:fd use;
allow hotplug_t autofs_t:dir { search getattr };
dontaudit hotplug_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
@@ -147,11 +154,6 @@ can_network_server(hotplug_t)
can_ypbind(hotplug_t)
dbusd_client(system, hotplug)
-allow initrc_t usbdevfs_t:file { getattr read ioctl };
-allow initrc_t modules_dep_t:file { getattr read ioctl };
-# init scripts run /etc/hotplug/usb.rc
-allow initrc_t hotplug_etc_t:dir r_dir_perms;
-
allow hotplug_t kernel_t:process sigchld;
# for when filesystems are not mounted early in the boot
@@ -159,8 +161,6 @@ dontaudit hotplug_t file_t:dir { search getattr };
allow hotplug_t udev_runtime_t:file rw_file_perms;
-allow hotplug_t var_log_t:dir search;
-
# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
@@ -178,6 +178,10 @@ allow hotplug_t var_lock_t:file getattr;
optional_policy(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
+')
+
+# this goes to hald:
+optional_policy(`hotplug.te',`
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };
')
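Review bot: The new `optional_policy(`hotplug.te',`` block sits inside hotplug.te itself and wraps rules whose subject is `hald_t`, so the guard is always true and the rules belong to the hald module, as the `# this goes to hald:` comment already admits. Rather than a self-referential optional block, the hald module should call the `hotplug_read_config` interface this same commit documents, e.g. `hotplug_read_config(hald_t)` inside hald.te's own `optional_policy(`hotplug.te',`` guard. This hunk is inside the `ifdef(`TODO',`` block that begins outside it, so the rules are currently inert, but leaving them here makes the eventual move easy to miss.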
@@ -186,15 +190,7 @@ optional_policy(`fsadm.te', `
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
')
-optional_policy(`initrc.te', `
-can_ps(hotplug_t, initrc_t)
-')
-
optional_policy(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
')
-
-optional_policy(`mta.te', `
-domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
-')
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 37d3fac..8d9d1d2 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -222,6 +222,37 @@ class file { getattr read execute execute_no_trans };
')
########################################
+##
+##
+## Read the process state (/proc/pid) of the init scripts.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`init_script_read_process_state',`
+requires_block_template(`$0'_depend)
+allow $1 initrc_t:dir { search getattr read };
+allow $1 initrc_t:{ file lnk_file } { read getattr };
+allow $1 initrc_t:process getattr;
+# We need to suppress this denial because procps tries to access
+# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+# (2.4 and 2.6). Might want to change procps to not do this, or only if
+# running in a privileged domain.
+dontaudit $1 initrc_t:process ptrace;
+')
+
+define(`init_script_read_process_state_depend',`
+type initrc_t;
+class dir { search getattr read };
+class file { read getattr };
+class lnk_file { read getattr };
+class process { getattr ptrace };
+')
+
+########################################
#
# init_script_direct_admin_transition(role,domain)
#
@@ -257,6 +288,20 @@ class fd use;
########################################
#
+# init_script_ignore_use_file_descriptors(domain)
+#
+define(`init_script_ignore_use_file_descriptors',`
+requires_block_template(`$0'_depend)
+dontaudit $1 initrc_t:fd use;
+')
+
+define(`init_script_ignore_use_file_descriptors_depend',`
+type initrc_t;
+class fd use;
+')
+
+########################################
+#
# init_script_get_process_group(domain)
#
define(`init_script_get_process_group',`
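Review bot: `init_script_ignore_use_file_descriptors` is added with the old `#`-style banner while every other interface introduced in this commit, including `init_script_read_process_state` and `init_script_modify_temporary_data` in this same file, uses the `##` summary and parameter form. Suggest the same documentation here, e.g. `## Do not audit attempts to use init script file descriptors.` with the usual `## The type of the process performing this action.` parameter line.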
@@ -275,6 +320,7 @@ class process getpgid;
#
define(`init_script_use_pseudoterminal',`
requires_block_template(`$0'_depend)
+terminal_list_pseudoterminals($1)
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
')
@@ -298,6 +344,28 @@ class chr_file { read write ioctl };
')
########################################
+##
+##
+## Read and write init script temporary data.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`init_script_modify_temporary_data',`
+requires_block_template(`$0'_depend)
+# FIXME: read tmp_t
+allow $1 initrc_tmp_t:file { getattr read write };
+')
+
+define(`init_script_modify_temporary_data_depend',`
+type initrc_var_run_t;
+class file { getattr read write };
+')
+
+########################################
#
# init_script_read_runtime_data(domain)
#
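Review bot: `init_script_modify_temporary_data_depend` declares `type initrc_var_run_t;` but the interface body it supports only references `initrc_tmp_t`, so the type actually used is missing from the requires block and an unrelated one is declared instead. It should be `type initrc_tmp_t;`. The `# FIXME: read tmp_t` comment would be clearer if it said what is missing and why, otherwise it reads as an open question rather than a known gap.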
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index eedd038..bfc3a60 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -187,12 +187,7 @@ kernel_list_usb_hardware(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_ignore_get_message_interface_attributes(initrc_t)
-filesystem_register_binary_executable_type(initrc_t)
-# cjp: not sure why these are here; should use mount policy
-filesystem_mount_all_filesystems(initrc_t)
-filesystem_unmount_all_filesystems(initrc_t)
-filesystem_remount_all_filesystems(initrc_t)
-filesystem_get_all_filesystems_attributes(initrc_t)
+bootloader_read_kernel_symbol_table(initrc_t)
corenetwork_network_tcp_on_all_interfaces(initrc_t)
corenetwork_network_raw_on_all_interfaces(initrc_t)
@@ -215,6 +210,13 @@ devices_read_sound_mixer_levels(initrc_t)
devices_write_sound_mixer_levels(initrc_t)
devices_set_all_character_device_attributes(initrc_t)
+filesystem_register_binary_executable_type(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+filesystem_mount_all_filesystems(initrc_t)
+filesystem_unmount_all_filesystems(initrc_t)
+filesystem_remount_all_filesystems(initrc_t)
+filesystem_get_all_filesystems_attributes(initrc_t)
+
storage_get_fixed_disk_attributes(initrc_t)
storage_set_fixed_disk_attributes(initrc_t)
storage_set_removable_device_attributes(initrc_t)
@@ -222,17 +224,14 @@ storage_set_removable_device_attributes(initrc_t)
terminal_use_all_terminals(initrc_t)
terminal_reset_physical_terminal_labels(initrc_t)
-bootloader_read_kernel_symbol_table(initrc_t)
+corecommands_execute_general_programs(initrc_t)
+corecommands_execute_system_programs(initrc_t)
+corecommands_execute_shell(initrc_t)
domain_kill_all_domains(initrc_t)
domain_read_all_domains_process_state(initrc_t)
domain_use_widely_inheritable_file_descriptors(initrc_t)
-libraries_modify_dynamic_loader_cache(initrc_t)
-libraries_use_dynamic_loader(initrc_t)
-libraries_use_shared_libraries(initrc_t)
-libraries_execute_library_scripts(initrc_t)
-
files_get_all_file_attributes(initrc_t)
files_remove_all_tmp_data(initrc_t)
files_remove_all_lock_files(initrc_t)
@@ -244,9 +243,10 @@ files_execute_system_config_script(initrc_t)
files_read_general_application_resources(initrc_t)
files_manage_pseudorandom_saved_seed(initrc_t)
-corecommands_execute_general_programs(initrc_t)
-corecommands_execute_system_programs(initrc_t)
-corecommands_execute_shell(initrc_t)
+libraries_modify_dynamic_loader_cache(initrc_t)
+libraries_use_dynamic_loader(initrc_t)
+libraries_use_shared_libraries(initrc_t)
+libraries_execute_library_scripts(initrc_t)
logging_send_system_log_message(initrc_t)
@@ -267,14 +267,29 @@ logging_append_all_logs(initrc_t)
udev_modify_database(initrc_t)
+userdomain_read_all_users_data(initrc_t)
+# Allow access to the sysadm TTYs. Note that this will give access to the
+# TTYs to any process in the initrc_t domain. Therefore, daemons and such
+# started from init should be placed in their own domain.
+userdomain_use_admin_terminals(initrc_t)
+
+tunable_policy(`distro_debian', `
+filesystem_tmpfs_associate(initrc_var_run_t)
+')
+
tunable_policy(`distro_redhat',`
kernel_set_selinux_enforcement_mode(initrc_t)
-files_create_boot_flag(initrc_t)
-
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
bootloader_create_runtime_data(initrc_t)
+
+filesystem_use_tmpfs_character_devices(initrc_t)
+
+files_create_boot_flag(initrc_t)
+
+# readahead asks for these
+mta_read_mail_aliases(initrc_t)
') dnl end distro_redhat
optional_policy(`authlogin.te',`
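Review bot: `mta_read_mail_aliases(initrc_t)` is called directly inside the `distro_redhat` tunable, whereas the hotplug.te hunk in this same commit wraps `mta_send_mail(hotplug_t)` in `optional_policy(`mta.te',`` — if mta is an optional module, this call will fail to expand when it is not built. Suggest nesting it: `optional_policy(`mta.te',` / `mta_read_mail_aliases(initrc_t)` / `')`. The new `userdomain_read_all_users_data(initrc_t)` appears to replace the TODO rules further down that only granted read on `home_root_t`/`home_type` directories and `home_type` files; worth confirming the interface does not grant more than that, since anything reachable from initrc_t is reachable by every service it starts.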
@@ -282,7 +297,15 @@ authlogin_pam_read_runtime_data(initrc_t)
authlogin_pam_remove_runtime_data(initrc_t)
')
+optional_policy(`hotplug.te',`
+kernel_read_usb_hardware_state(initrc_t)
+# init scripts run /etc/hotplug/usb.rc
+hotplug_read_config(initrc_t)
+modutils_read_kernel_module_dependencies(initrc_t)
+')
+
ifdef(`TODO',`
+
# Mount and unmount file systems.
allow initrc_t { file_t default_t }:dir { read search getattr mounton };
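Review bot: `modutils_read_kernel_module_dependencies(initrc_t)` is gated only on `optional_policy(`hotplug.te',``, but the iptables.te hunk in this diff uses `optional_policy(`modutils.te',``, which indicates modutils is its own optional module; a build with hotplug but without modutils would hit an undefined interface here. Suggest nesting it: `optional_policy(`modutils.te',` / `modutils_read_kernel_module_dependencies(initrc_t)` / `')`. The `# init scripts run /etc/hotplug/usb.rc` comment currently sits between two unrelated calls; moving it directly above `hotplug_read_config(initrc_t)` keeps it attached to the rule it explains.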
@@ -291,15 +314,6 @@ allow initrc_t var_spool_t:file rw_file_perms;
# Set device ownerships/modes.
allow initrc_t xconsole_device_t:fifo_file setattr;
-# Allow access to the sysadm TTYs. Note that this will give access to the
-# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-# started from init should be placed in their own domain.
-allow initrc_t admin_tty_type:chr_file rw_file_perms;
-
-# Read user home directories.
-allow initrc_t { home_root_t home_type }:dir r_dir_perms;
-allow initrc_t home_type:file r_file_perms;
-
# for lsof in shutdown scripts
can_kerberos(initrc_t)
dontaudit initrc_t krb5_conf_t:file write;
@@ -326,7 +340,6 @@ allow initrc_t { etc_t device_t }:dir setattr;
allow initrc_t tmpfs_t:dir setattr;
file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
-allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
')dnl end distro_debian
tunable_policy(`distro_redhat', `
@@ -334,22 +347,13 @@ tunable_policy(`distro_redhat', `
# Redhat systems typically create this file at boot time.
allow initrc_t boot_t:lnk_file rw_file_perms;
-allow initrc_t tmpfs_t:chr_file rw_file_perms;
-allow initrc_t tmpfs_t:dir r_dir_perms;
-
-#
# readahead asks for these
-#
-allow initrc_t etc_aliases_t:file { getattr read };
allow initrc_t var_lib_nfs_t:file { getattr read };
-
')dnl end distro_redhat
#
# Shutting down xinet causes these
#
-# Fam
-dontaudit initrc_t device_t:dir { read write };
# Rsync
dontaudit initrc_t mail_spool_t:lnk_file read;
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index 5a3d6a8..6eb7669 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC
-#######################################
-#
-# iptables_transition(domain)
+########################################
+##
+##
+## Execute iptables in the iptables domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`iptables_transition',`
requires_block_template(`$0'_depend)
@@ -18,9 +25,46 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
-#######################################
+########################################
+##
+##
+## Execute iptables in the iptables domain, and
+## allow the specified role the iptables domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the iptables domain.
+##
+##
+## The type of the terminal allow the iptables domain to use.
+##
+##
+##
#
-# iptables_execute(domain)
+define(`iptables_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+iptables_transition($1)
+role $2 types iptables_t;
+allow iptables_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`iptables_transition_add_role_use_terminal_depend',`
+type iptables_t;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+##
+##
+## Execute iptables in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`iptables_execute',`
requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index d48f9f3..883d7a6 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -49,13 +49,15 @@ filesystem_get_persistent_filesystem_attributes(iptables_t)
terminal_ignore_use_console(iptables_t)
-init_use_file_descriptors(iptables_t)
-init_script_use_pseudoterminal(iptables_t)
-
domain_use_widely_inheritable_file_descriptors(iptables_t)
files_read_general_system_config(iptables_t)
+init_use_file_descriptors(iptables_t)
+init_script_use_pseudoterminal(iptables_t)
+# to allow rules to be saved on reboot:
+init_script_modify_temporary_data(iptables_t)
+
libraries_use_dynamic_loader(iptables_t)
libraries_use_shared_libraries(iptables_t)
@@ -67,6 +69,19 @@ miscfiles_read_localization(iptables_t)
sysnetwork_ifconfig_transition(iptables_t)
+userdomain_use_all_users_file_descriptors(iptables_t)
+
+tunable_policy(`use_dns',`
+allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces(iptables_t)
+corenetwork_network_raw_on_all_interfaces(iptables_t)
+corenetwork_network_udp_on_all_nodes(iptables_t)
+corenetwork_network_raw_on_all_nodes(iptables_t)
+corenetwork_bind_udp_on_all_nodes(iptables_t)
+corenetwork_network_udp_on_dns_port(iptables_t)
+sysnetwork_read_network_config(iptables_t)
+')
+
optional_policy(`modutils.te', `
modutils_insmod_transition(iptables_t)
')
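Review bot: The `use_dns` block grants `corenetwork_network_raw_on_all_interfaces` and `corenetwork_network_raw_on_all_nodes` alongside the UDP rules, which is broader than a name lookup needs; if iptables_t needs raw sockets it presumably needs them regardless of the tunable, and if it does not they should be dropped from this block. The `allow iptables_t self:udp_socket { ... }` line is also the only raw allow rule in a file that otherwise expresses access through interfaces; a one-line comment naming the lookup it serves (the removed TODO had `# for iptables -L`) would make the tunable's scope reviewable. `userdomain_use_all_users_file_descriptors(iptables_t)` replaces what was a `dontaudit` for unprivileged user fds in the TODO block, so it widens access rather than silencing a denial; worth confirming that is intended.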
@@ -92,26 +107,12 @@ allow iptables_t rhgb_t:process sigchld;
allow iptables_t rhgb_t:fd use;
allow iptables_t rhgb_t:fifo_file { read write };
')
-dontaudit iptables_t unpriv_userdomain:fd use;
-allow iptables_t autofs_t:dir { search getattr };
-tunable_policy(`direct_sysadm_daemon', `
-dontaudit iptables_t admin_tty_type:chr_file rw_file_perms;
-')
-domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
-role sysadm_r types iptables_t;
-
-# to allow rules to be saved on reboot
-allow iptables_t initrc_tmp_t:file rw_file_perms;
+allow iptables_t autofs_t:dir { search getattr };
# for iptables -L
-can_resolve(iptables_t)
can_ypbind(iptables_t)
-allow iptables_t userdomain:fd use;
-
-# Access terminals.
-allow iptables_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
optional_policy(`gnome-pty-helper.te',`
allow iptables_t sysadm_gph_t:fd use;
')
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 38d8207..fdaad08 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -11,9 +11,9 @@ type local_login_t; #, nscd_client_domain;
kernel_make_object_identity_change_constraint_exception(local_login_t)
kernel_make_process_identity_change_constraint_exception(local_login_t)
kernel_make_role_change_constraint_exception(local_login_t)
+authlogin_make_login_program_entrypoint(local_login_t)
domain_make_domain(local_login_t)
domain_make_file_descriptors_widely_inheritable(local_login_t)
-authlogin_make_login_program_entrypoint(local_login_t)
role system_r types local_login_t;
type local_login_tmp_t;
@@ -24,10 +24,9 @@ type sulogin_exec_t;
kernel_make_object_identity_change_constraint_exception(sulogin_t)
kernel_make_process_identity_change_constraint_exception(sulogin_t)
kernel_make_role_change_constraint_exception(sulogin_t)
+domain_make_file_descriptors_widely_inheritable(sulogin_t)
init_make_init_domain(sulogin_t,sulogin_exec_t)
init_make_system_domain(sulogin_t,sulogin_exec_t)
-domain_make_file_descriptors_widely_inheritable(sulogin_t)
-
role system_r types sulogin_t;
########################################
@@ -68,8 +67,12 @@ devices_get_pseudorandom_data(local_login_t)
terminal_use_all_private_physical_terminals(local_login_t)
terminal_use_general_physical_terminal(local_login_t)
-init_script_modify_runtime_data(local_login_t)
-init_ignore_use_file_descriptors(local_login_t)
+authlogin_check_password_transition(local_login_t)
+authlogin_ignore_read_shadow_passwords(local_login_t)
+authlogin_modify_login_records(local_login_t)
+authlogin_modify_last_login_log(local_login_t)
+authlogin_pam_execute(local_login_t)
+authlogin_pam_console_manage_runtime_data(local_login_t)
domain_read_all_entrypoint_programs(local_login_t)
@@ -78,22 +81,19 @@ files_read_runtime_system_config(local_login_t)
files_list_home_directories(local_login_t)
files_read_general_application_resources(local_login_t)
+init_script_modify_runtime_data(local_login_t)
+init_ignore_use_file_descriptors(local_login_t)
+
libraries_use_dynamic_loader(local_login_t)
libraries_use_shared_libraries(local_login_t)
logging_send_system_log_message(local_login_t)
+miscfiles_read_localization(local_login_t)
+
selinux_read_config(local_login_t)
selinux_read_default_contexts(local_login_t)
-authlogin_check_password_transition(local_login_t)
-authlogin_ignore_read_shadow_passwords(local_login_t)
-authlogin_modify_login_records(local_login_t)
-authlogin_modify_last_login_log(local_login_t)
-authlogin_pam_execute(local_login_t)
-authlogin_pam_console_manage_runtime_data(local_login_t)
-
-miscfiles_read_localization(local_login_t)
ifdef(`TODO',`
allow local_login_t unpriv_userdomain:fd use;
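Review bot: The context line `allow local_login_t unpriv_userdomain:fd use;` at the end of this hunk is left in the TODO block although this same commit converts the identical newrole_t rule to `userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)` in selinux.te. Since this hunk already reorders the surrounding live rules, it would be consistent to convert it here too, i.e. drop the TODO line and add `userdomain_use_all_unprivileged_users_file_descriptors(local_login_t)` next to the other userdomain/miscfiles calls. The TODO block continues past the end of this hunk.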
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index ef0a698..80f0987 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -57,9 +57,18 @@ class unix_dgram_socket { create read getattr write setattr append bind connect
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
')
-#######################################
-#
-# logging_search_system_log_directory(domain)
+########################################
+##
+##
+## Allows the domain to open a file in the
+## log directory, but does not allow the listing
+## of the contents of the log directory.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`logging_search_system_log_directory',`
requires_block_template(`$0'_depend)
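Review bot: The new description for `logging_search_system_log_directory` says the domain may "open a file in the log directory", which overstates what directory search grants: search lets the caller traverse the directory to resolve a path, and opening a log file still requires permissions on the file's own type. Suggest `## Allow the domain to search (traverse) the system log directory, without permission to list its contents; access to the log files themselves must be granted separately.` The macro body is outside this hunk, so the exact permission it grants should be confirmed against it.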
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 28cc0e4..a8335de 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -36,6 +36,8 @@ files_make_file(var_log_t)
#
allow klogd_t klogd_tmp_t:file { getattr create read write append setattr unlink };
+files_create_private_tmp_data(klogd_t,klogd_tmp_t)
+
allow klogd_t klogd_var_run_t:file { getattr create read write append setattr unlink };
allow klogd_t self:capability sys_admin;
@@ -46,26 +48,25 @@ kernel_read_messages(klogd_t)
# Control syslog and console logging
kernel_clear_ring_buffer(klogd_t)
kernel_change_ring_buffer_level(klogd_t)
-devices_raw_read_memory(klogd_t)
-
-filesystem_get_all_filesystems_attributes(klogd_t)
bootloader_read_kernel_symbol_table(klogd_t)
-libraries_use_dynamic_loader(klogd_t)
-libraries_use_shared_libraries(klogd_t)
+devices_raw_read_memory(klogd_t)
-files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
-files_create_private_tmp_data(klogd_t,klogd_tmp_t)
+filesystem_get_all_filesystems_attributes(klogd_t)
+files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
+files_read_runtime_system_config(klogd_t)
# read /etc/nsswitch.conf
files_read_general_system_config(klogd_t)
-files_read_runtime_system_config(klogd_t)
-miscfiles_read_localization(klogd_t)
+libraries_use_dynamic_loader(klogd_t)
+libraries_use_shared_libraries(klogd_t)
logging_send_system_log_message(klogd_t)
+miscfiles_read_localization(klogd_t)
+
########################################
#
# syslogd local policy
@@ -104,6 +105,13 @@ kernel_read_kernel_sysctl(syslogd_t)
devices_create_dev_entry(syslogd_t,devlog_t,sock_file)
terminal_ignore_use_console(syslogd_t)
+# Allow syslog to a terminal
+terminal_write_general_physical_terminal(syslogd_t)
+
+# for sending messages to logged in users
+init_script_read_runtime_data(syslogd_t)
+init_script_ignore_write_runtime_data(syslogd_t)
+terminal_write_all_private_physical_terminals(syslogd_t)
corenetwork_network_raw_on_all_interfaces(syslogd_t)
corenetwork_network_udp_on_all_interfaces(syslogd_t)
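Review bot: The terminal rules added under `# for sending messages to logged in users` cover physical terminals only (`terminal_write_general_physical_terminal`, `terminal_write_all_private_physical_terminals`), whereas the TODO rule they replace, `allow syslogd_t ttyfile:chr_file { getattr write };`, used the `ttyfile` attribute, which in the older policy covered pseudoterminal types as well. If that reading is right, users logged in over a pty (ssh, xterm) would no longer receive syslog-to-user messages; a pseudoterminal write interface should be added alongside, or the narrowing recorded in the comment, e.g. `# for sending messages to logged in users (physical terminals only; ptys not yet covered)`. The old `tty_device_t` rule also carried `ioctl append`; whether the new interface grants those is not visible here.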
@@ -132,11 +140,13 @@ sysnetwork_read_network_config(syslogd_t)
miscfiles_read_localization(syslogd_t)
+userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t)
+
#
# /initrd is not umounted before minilog starts
#
#dontaudit syslogd_t file_t:dir search;
-#allow syslogd_t { tmpfs_t devpts_t }:dir search;
+#allow syslogd_t tmpfs_t:dir search;
#dontaudit syslogd_t unlabeled_t:file read;
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
allow syslogd_t self:capability net_admin;
@@ -165,7 +175,6 @@ files_ignore_read_rootfs_file(syslogd_t)
ifdef(`TODO',`
allow syslogd_t proc_t:lnk_file read;
-dontaudit syslogd_t unpriv_userdomain:fd use;
allow syslogd_t autofs_t:dir { search getattr };
dontaudit syslogd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
@@ -199,16 +208,8 @@ ifdef(`logrotate.te', `
allow logrotate_t syslogd_exec_t:file r_file_perms;
')
-# for sending messages to logged in users
-allow syslogd_t initrc_var_run_t:file { read lock };
-dontaudit syslogd_t initrc_var_run_t:file write;
-allow syslogd_t ttyfile:chr_file { getattr write };
-
#
# Special case to handle crashes
#
allow syslogd_t { device_t file_t }:sock_file unlink;
-
-# Allow syslog to a terminal
-allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index d52cabb..8ab67cc 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC
-#######################################
-#
-# lvm_transition(domain)
+########################################
+##
+##
+## Execute lvm programs in the lvm domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`lvm_transition',`
requires_block_template(`$0'_depend)
@@ -18,9 +25,45 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
-#######################################
+########################################
+##
+##
+## Execute lvm programs in the lvm domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to allow the LVM domain.
+##
+##
+## The type of the terminal allow the LVM domain to use.
+##
+##
+##
#
-# lvm_read_config(domain)
+define(`lvm_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+lvm_transition($1)
+role $2 types lvm_t;
+allow lvm_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`lvm_transition_add_role_use_terminal_depend',`
+type lvm_t;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+##
+##
+## Read LVM configuration files.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`lvm_read_config',`
requires_block_template(`$0'_depend)
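Review bot: The summary for `lvm_transition_add_role_use_terminal` is copied from `lvm_transition` and reads only "Execute lvm programs in the lvm domain.", omitting the role and terminal grants the interface actually adds; the wording this commit uses in mount.if fits: `## Execute lvm programs in the lvm domain, and allow the specified role the lvm domain, and use the caller's terminal.` The third-parameter text "The type of the terminal allow the LVM domain to use." is ungrammatical here and in every sibling interface; `## The type of the terminal the LVM domain is allowed to use.` reads correctly. It is also worth confirming whether `lvm_transition_add_role_use_terminal_depend` needs to pull in the nested `lvm_transition` dependencies, as `modutils_read_kernel_module_dependencies_depend` does with `bootloader_list_kernel_modules_depend`, since it currently lists only `lvm_t` and `chr_file`.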
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 9c8d0b4..af279df 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -15,18 +15,18 @@ init_make_system_domain(lvm_t,lvm_exec_t)
kernel_make_object_identity_change_constraint_exception(lvm_t)
role system_r types lvm_t;
-type lvm_tmp_t;
-files_make_temporary_file(lvm_tmp_t)
-
-type lvm_metadata_t;
-files_make_file(lvm_metadata_t)
-
type lvm_etc_t;
files_make_file(lvm_etc_t)
type lvm_lock_t;
files_make_lock_file(lvm_lock_t)
+type lvm_metadata_t;
+files_make_file(lvm_metadata_t)
+
+type lvm_tmp_t;
+files_make_temporary_file(lvm_tmp_t)
+
########################################
#
# Local policy
@@ -137,7 +137,6 @@ udev_read_database(lvm_t)
ifdef(`TODO',`
-role sysadm_r types lvm_t;
allow lvm_t autofs_t:dir { search getattr };
# LVM creates block devices in /dev/mapper or /dev/
@@ -154,9 +153,6 @@ allow lvm_t default_context_t:dir search;
allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
allow lvm_t device_t:lnk_file { relabelfrom relabelto };
-# Access terminals.
-allow lvm_t admin_tty_type:chr_file { ioctl read getattr lock write append };
-
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
dontaudit lvm_t device_t:fifo_file getattr;
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index b4cc3ec..6a179ff 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC
########################################
-#
-# modutils_read_kernel_module_dependencies(domain)
+##
+##
+## Read the dependencies of kernel modules.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`modutils_read_kernel_module_dependencies',`
requires_block_template(`$0'_depend)
@@ -18,8 +25,16 @@ bootloader_list_kernel_modules_depend
')
########################################
-#
-# modutils_read_kernel_module_loading_config(domain)
+##
+##
+## Read the configuration options used when
+## loading modules.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`modutils_read_kernel_module_loading_config',`
requires_block_template(`$0'_depend)
@@ -32,8 +47,15 @@ class file { getattr create read write setattr unlink };
')
########################################
-#
-# modutils_insmod_transition(domain)
+##
+##
+## Execute insmod in the insmod domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`modutils_insmod_transition',`
requires_block_template(`$0'_depend)
@@ -50,6 +72,37 @@ class process { transition noatsecure siginh rlimitinh };
')
########################################
+##
+##
+## Execute insmod in the insmod domain, and
+## allow the specified role the insmod domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the insmod domain.
+##
+##
+## The type of the terminal allow the insmod domain to use.
+##
+##
+##
+#
+define(`modutils_insmod_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+modutils_insmod_transition($1)
+role $2 types insmod_t;
+allow insmod_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`modutils_insmod_transition_add_role_use_terminal_depend',`
+type insmod_t;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
#
# modutils_insmod_execute(domain)
#
@@ -64,8 +117,15 @@ class file { getattr read execute execute_no_trans };
')
########################################
-#
-# modutils_depmod_transition(domain)
+##
+##
+## Execute depmod in the depmod domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`modutils_depmod_transition',`
requires_block_template(`$0'_depend)
@@ -82,6 +142,35 @@ class process { transition noatsecure siginh rlimitinh };
')
########################################
+##
+##
+## Execute depmod in the depmod domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the depmod domain.
+##
+##
+## The type of the terminal allow the depmod domain to use.
+##
+##
+##
+#
+define(`modutils_depmod_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+modutils_depmod_transition($1)
+role $2 types insmod_t;
+allow insmod_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`modutils_depmod_transition_add_role_use_terminal_depend',`
+type depmod_t;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
#
# modutils_depmod_execute(domain)
#
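Review bot: `modutils_depmod_transition_add_role_use_terminal` grants the wrong domain: its body has `role $2 types insmod_t;` and `allow insmod_t $3:chr_file { getattr read write ioctl };` while its `_depend` block declares `depmod_t`, so the caller's role is never authorised for depmod_t (the transition set up by `modutils_depmod_transition($1)` would then fail the role check) and insmod_t quietly gains terminal access nobody asked for. Both lines should name depmod_t: `role $2 types depmod_t;` and `allow depmod_t $3:chr_file { getattr read write ioctl };`. The summary above it also omits the role/terminal part that the insmod and update_modules variants describe.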
@@ -96,8 +185,15 @@ class file { getattr read execute execute_no_trans };
')
########################################
-#
-# modutils_update_modules_transition(domain)
+##
+##
+## Execute depmod in the depmod domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`modutils_update_modules_transition',`
requires_block_template(`$0'_depend)
@@ -114,6 +210,35 @@ class process { transition noatsecure siginh rlimitinh };
')
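Review bot: The new description for `modutils_update_modules_transition` says "Execute depmod in the depmod domain.", copied from the depmod interface and wrong for this one; it should read `## Execute update_modules in the update_modules domain.` The interface body is unchanged by this hunk and ends outside it.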
########################################
+##
+##
+## Execute update_modules in the update_modules domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the update_modules domain.
+##
+##
+## The type of the terminal allow the update_modules domain to use.
+##
+##
+##
+#
+define(`modutils_update_modules_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+modutils_update_modules_transition($1)
+role $2 types update_modules_t;
+allow update_modules_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
+type update_modules_t;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
#
# modutils_update_modules_execute(domain)
#
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index f87c5e4..97a80d3 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -110,8 +110,6 @@ allow insmod_t sysfs_t:dir search;
allow insmod_t usbfs_t:dir search;
allow insmod_t usbfs_t:filesystem mount;
-allow insmod_t admin_tty_type:chr_file { getattr read write };
-
# for when /var is not mounted early in the boot
dontaudit insmod_t file_t:dir search;
@@ -159,10 +157,6 @@ ifdef(`TODO',`
allow depmod_t { bin_t sbin_t }:dir search;
-domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
-
-# Access terminals.
-allow depmod_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
# Read System.map from home directories.
@@ -228,8 +222,5 @@ logging_send_system_log_message(update_modules_t)
miscfiles_read_localization(update_modules_t)
ifdef(`TODO',`
-role sysadm_r types update_modules_t;
-domain_auto_trans(sysadm_t, update_modules_exec_t, update_modules_t)
-allow update_modules_t admin_tty_type:chr_file rw_file_perms;
dontaudit update_modules_t sysadm_home_dir_t:dir search;
') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index 96606bd..86c21ab 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC
-#######################################
-#
-# mount_transition(domain)
+########################################
+##
+##
+## Execute mount in the mount domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`mount_transition',`
requires_block_template(`$0'_depend)
@@ -18,6 +25,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute mount in the mount domain, and
+## allow the specified role the mount domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the mount domain.
+##
+##
+## The type of the terminal allow the mount domain to use.
+##
+##
+##
+#
+define(`mount_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+mount_transition($1)
+role $2 types mount_t;
+allow mount_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`mount_transition_add_role_use_terminal_depend',`
+type mount_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# mount_use_file_descriptors(domain)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 35d13d2..b2e18b0 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -21,6 +21,9 @@ allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr
kernel_read_system_state(mount_t)
kernel_ignore_use_file_descriptors(mount_t)
+corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t)
+corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t)
+
devices_get_all_block_device_attributes(mount_t)
devices_list_device_nodes(mount_t)
@@ -37,11 +40,9 @@ files_unmount_root_filesystem(mount_t)
terminal_use_console(mount_t)
-corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t)
-corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t)
-
-init_use_file_descriptors(mount_t)
-init_script_use_pseudoterminal(mount_t)
+# required for mount.smbfs
+corecommands_execute_system_programs(mount_t)
+corecommands_execute_general_programs(mount_t)
domain_use_widely_inheritable_file_descriptors(mount_t)
@@ -51,21 +52,55 @@ files_read_general_system_config(mount_t)
files_create_runtime_system_config(mount_t)
files_mount_on_all_mountpoints(mount_t)
+init_use_file_descriptors(mount_t)
+init_script_use_pseudoterminal(mount_t)
+
libraries_use_dynamic_loader(mount_t)
libraries_use_shared_libraries(mount_t)
-# required for mount.smbfs
-corecommands_execute_system_programs(mount_t)
-corecommands_execute_general_programs(mount_t)
-
logging_send_system_log_message(mount_t)
miscfiles_read_localization(mount_t)
+userdomain_use_all_users_file_descriptors(mount_t)
+
+tunable_policy(`distro_redhat',`
+filesystem_use_tmpfs_character_devices(mount_t)
+allow mount_t tmpfs_t:dir mounton;
+
+optional_policy(`authlogin.te',`
+authlogin_pam_console_read_runtime_data(mount_t)
+# mount config by default sets fscontext=removable_t
+allow mount_t dosfs_t:filesystem relabelfrom;
+') dnl end authlogin
+
+') dnl end distro_redhat
+
+optional_policy(`portmap.te', `
+# for nfs
+#can_ypbind(mount_t)
+#allow portmap_t mount_t:udp_socket { sendto recvfrom };
+#allow mount_t portmap_t:udp_socket { sendto recvfrom };
+#allow mount_t rpc_pipefs_t:dir search;
+corenetwork_network_tcp_on_all_interfaces(mount_t)
+corenetwork_network_raw_on_all_interfaces(mount_t)
+corenetwork_network_udp_on_all_interfaces(mount_t)
+corenetwork_network_tcp_on_all_nodes(mount_t)
+corenetwork_network_raw_on_all_nodes(mount_t)
+corenetwork_network_udp_on_all_nodes(mount_t)
+corenetwork_network_tcp_on_all_ports(mount_t)
+corenetwork_network_udp_on_all_ports(mount_t)
+corenetwork_bind_tcp_on_all_nodes(mount_t)
+corenetwork_bind_udp_on_all_nodes(mount_t)
+corenetwork_bind_tcp_on_general_port(mount_t)
+corenetwork_bind_udp_on_general_port(mount_t)
+corenetwork_bind_tcp_on_reserved_port(mount_t)
+corenetwork_bind_udp_on_reserved_port(mount_t)
+')
+
ifdef(`TODO',`
-# Mount, remount and unmount file systems.
-# nfsv4 has a filesystem to mount for its userspace daemons
-allow mount_t var_lib_nfs_t:dir mounton;
+# this goes to the nfs/rpc module
+files_make_mountpoint(var_lib_nfs_t)
# TODO: Need to examine this further. Not sure how to handle this
#type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
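Review bot: The `optional_policy(`portmap.te', ...)` block moves from TODO into live policy, but the rules it existed for — `can_ypbind`, the udp sendto/recvfrom with portmap_t and `rpc_pipefs_t:dir search` — are left commented out, so what takes effect is only the broad network grant (all interfaces, nodes and ports, plus reserved-port bind) without the NFS-specific pieces; a comment such as `# TODO: portmap/rpc_pipefs interfaces not yet available` would make clear these are pending rather than dropped. In the distro_redhat block, `allow mount_t tmpfs_t:dir mounton;` and `allow mount_t dosfs_t:filesystem relabelfrom;` reference filesystem-module types directly, unlike the adjacent `filesystem_use_tmpfs_character_devices(mount_t)` call, so they would be better expressed through filesystem interfaces or at least marked as temporary. The `files_make_mountpoint(var_lib_nfs_t)` line stays inside the TODO block, which continues past the end of this hunk.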
@@ -83,59 +118,18 @@ allow mount_t fs_t:filesystem relabelfrom;
# This rule needs to be generalized. Only admin, initrc should have it.
allow mount_t file_type:filesystem { unmount mount relabelto };
-allow mount_t userdomain:fd use;
-
-domain_auto_trans(sysadm_t, mount_exec_t, mount_t)
-role sysadm_r types mount_t;
-allow mount_t sysadm_tty_device_t:chr_file { getattr read write ioctl };
-allow mount_t sysadm_devpts_t:chr_file { getattr read write };
ifdef(`gnome-pty-helper.te', `
allow mount_t sysadm_gph_t:fd use;
')
-tunable_policy(`distro_redhat',`
-optional_policy(`authlogin.te',`
-r_dir_file($2_t,pam_var_console_t)
-# mount config by default sets fscontext=removable_t
-allow $2_t dosfs_t:filesystem relabelfrom;
-') dnl end authlogin
-') dnl end distro_redhat
-
optional_policy(`rhgb.te', `
allow mount_t rhgb_t:process sigchld;
allow mount_t rhgb_t:fd use;
allow mount_t rhgb_t:fifo_file { read write };
')
-tunable_policy(`distro_redhat', `
-allow mount_t tmpfs_t:chr_file { read write };
-allow mount_t tmpfs_t:dir mounton;
-')
-
optional_policy(`automount.te', `
allow mount_t autofs_t:dir read;
')
-optional_policy(`portmap.te', `
-# for nfs
-can_ypbind(mount_t)
-can_udp_send(mount_t, portmap_t)
-can_udp_send(portmap_t, mount_t)
-allow mount_t rpc_pipefs_t:dir search;
-corenetwork_network_tcp_on_all_interfaces(mount_t)
-corenetwork_network_raw_on_all_interfaces(mount_t)
-corenetwork_network_udp_on_all_interfaces(mount_t)
-corenetwork_network_tcp_on_all_nodes(mount_t)
-corenetwork_network_raw_on_all_nodes(mount_t)
-corenetwork_network_udp_on_all_nodes(mount_t)
-corenetwork_network_tcp_on_all_ports(mount_t)
-corenetwork_network_udp_on_all_ports(mount_t)
-corenetwork_bind_tcp_on_all_nodes(mount_t)
-corenetwork_bind_udp_on_all_nodes(mount_t)
-corenetwork_bind_tcp_on_general_port(mount_t)
-corenetwork_bind_udp_on_general_port(mount_t)
-corenetwork_bind_tcp_on_reserved_port(mount_t)
-corenetwork_bind_udp_on_reserved_port(mount_t)
-')
-
') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index 1df3c3e..be9abdb 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC
#######################################
-#
-# selinux_checkpolicy_transition(domain)
+##
+##
+## Execute checkpolicy in the checkpolicy domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_checkpolicy_transition',`
requires_block_template(`$0'_depend)
@@ -18,6 +25,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute checkpolicy in the checkpolicy domain, and
+## allow the specified role the checkpolicy domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the checkpolicy domain.
+##
+##
+## The type of the terminal allow the checkpolicy domain to use.
+##
+##
+##
+#
+define(`selinux_checkpolicy_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_checkpolicy_transition($1)
+role $2 types checkpolicy_t;
+allow checkpolicy_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
+type checkpolicy_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# selinux_checkpolicy_execute(domain)
@@ -33,8 +71,15 @@ class file { getattr read execute execute_no_trans };
')
#######################################
-#
-# selinux_load_policy_transition(domain)
+##
+##
+## Execute load_policy in the load_policy domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_load_policy_transition',`
requires_block_template(`$0'_depend)
@@ -50,6 +95,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute load_policy in the load_policy domain, and
+## allow the specified role the load_policy domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the load_policy domain.
+##
+##
+## The type of the terminal allow the load_policy domain to use.
+##
+##
+##
+#
+define(`selinux_load_policy_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_load_policy_transition($1)
+role $2 types load_policy_t;
+allow load_policy_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
+type load_policy_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# selinux_load_policy_execute(domain)
@@ -79,8 +155,15 @@ class file { getattr read };
')
#######################################
-#
-# selinux_newrole_transition(domain)
+##
+##
+## Execute newrole in the load_policy domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend)
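Review bot: The description added for `selinux_newrole_transition` reads "Execute newrole in the load_policy domain.", a copy-paste slip from the load_policy interface; it should be `## Execute newrole in the newrole domain.` The macro body is unchanged and continues beyond this hunk.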
@@ -91,11 +174,42 @@ dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
')
define(`selinux_newrole_transition_depend',`
-type newrole_exec_t;
+type newrole_t, newrole_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute newrole in the newrole domain, and
+## allow the specified role the newrole domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the newrole domain.
+##
+##
+## The type of the terminal allow the newrole domain to use.
+##
+##
+##
+#
+define(`selinux_newrole_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_newrole_transition($1)
+role $2 types newrole_t;
+allow newrole_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_newrole_transition_add_role_use_terminal_depend',`
+type newrole_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# selinux_newrole_execute(domain)
@@ -110,6 +224,28 @@ type newrole_t, newrole_exec_t;
class file { getattr read execute execute_no_trans };
')
+########################################
+##
+##
+## Do not audit the caller attempts to send
+## a signal to newrole.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`selinux_newrole_ignore_signal',`
+requires_block_template(`$0'_depend)
+dontaudit $1 newrole_t:process signal;
+')
+
+define(`selinux_newrole_ignore_signal_depend',`
+type newrole_t;
+class process signal;
+')
+
#######################################
#
# selinux_newrole_sigchld(domain)
@@ -139,8 +275,15 @@ class fd use;
')
#######################################
-#
-# selinux_restorecon_transition(domain)
+##
+##
+## Execute restorecon in the restorecon domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_restorecon_transition',`
requires_block_template(`$0'_depend)
@@ -156,6 +299,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute restorecon in the restorecon domain, and
+## allow the specified role the restorecon domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the restorecon domain.
+##
+##
+## The type of the terminal allow the restorecon domain to use.
+##
+##
+##
+#
+define(`selinux_restorecon_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_restorecon_transition($1)
+role $2 types restorecon_t;
+allow restorecon_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
+type restorecon_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# selinux_restorecon_execute(domain)
@@ -171,8 +345,15 @@ class file { getattr read execute execute_no_trans };
')
########################################
-#
-# selinux_run_init_transition(domain)
+##
+##
+## Execute run_init in the run_init domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_run_init_transition',`
requires_block_template(`$0'_depend)
@@ -189,6 +370,37 @@ class process { transition noatsecure siginh rlimitinh };
')
########################################
+##
+##
+## Execute run_init in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the run_init domain.
+##
+##
+## The type of the terminal allow the run_init domain to use.
+##
+##
+##
+#
+define(`selinux_run_init_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_run_init_transition($1)
+role $2 types run_init_t;
+allow run_init_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_run_init_transition_add_role_use_terminal_depend',`
+type run_init_t;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
#
# selinux_run_init_use_file_descriptors(domain)
#
@@ -202,9 +414,16 @@ type run_init_t;
class fd use;
')
-#######################################
-#
-# selinux_setfiles_transition(domain)
+########################################
+##
+##
+## Execute setfiles in the setfiles domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_setfiles_transition',`
requires_block_template(`$0'_depend)
@@ -220,6 +439,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute setfiles in the setfiles domain, and
+## allow the specified role the setfiles domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the setfiles domain.
+##
+##
+## The type of the terminal allow the setfiles domain to use.
+##
+##
+##
+#
+define(`selinux_setfiles_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_setfiles_transition($1)
+role $2 types setfiles_t;
+allow setfiles_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
+type setfiles_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# selinux_setfiles_execute(domain)
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 92739bf..7ecde92 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -117,6 +117,9 @@ terminal_use_console(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
+# directory search permissions for path to source and binary policy files
+files_search_general_system_config_directory(checkpolicy_t)
+
init_use_file_descriptors(checkpolicy_t)
init_script_use_pseudoterminal(checkpolicy_t)
@@ -126,20 +129,8 @@ libraries_use_shared_libraries(checkpolicy_t)
userdomain_use_all_users_file_descriptors(checkpolicy_t)
ifdef(`TODO',`
-role sysadm_r types checkpolicy_t;
-domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
-allow checkpolicy_t sysadm_tmp_t:file { getattr write };
-
-# directory search permissions for path to source and binary policy files
-allow checkpolicy_t etc_t:dir search;
-
# Read the devpts root directory.
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-
-# Allow users to execute checkpolicy without a domain transition
-# so it can be used without privilege to write real binary policy file
-can_exec(unpriv_userdomain, checkpolicy_exec_t)
') dnl endif TODO
########################################
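Review bot: Two rules disappear from the checkpolicy_t TODO block without a counterpart in the live section: `can_exec(unpriv_userdomain, checkpolicy_exec_t)`, whose comment explains that users run checkpolicy without a transition so it works without write access to the real binary policy, and `allow checkpolicy_t sysadm_tmp_t:file { getattr write };`, which let the administrator write a compiled policy into a temp file. If these are to be re-expressed through userdomain/corecommands interfaces later, a one-line `# TODO:` in the live section would keep the intent from being lost; if the unprivileged execute is being deliberately withdrawn, that is a behaviour change worth stating in the commit message. The `etc_t:dir search` removal is covered by `files_search_general_system_config_directory(checkpolicy_t)` in the previous hunk.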
@@ -180,10 +171,6 @@ miscfiles_read_localization(load_policy_t)
userdomain_use_all_users_file_descriptors(load_policy_t)
ifdef(`TODO',`
-role sysadm_r types load_policy_t;
-domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
-allow load_policy_t sysadm_tmp_t:file { getattr write };
-allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
# directory search permissions for path to binary policy files
allow load_policy_t etc_t:dir search;
@@ -227,11 +214,13 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
terminal_use_all_private_physical_terminals(newrole_t)
terminal_use_all_private_pseudoterminals(newrole_t)
-# Write to utmp.
-init_script_modify_runtime_data(newrole_t)
+authlogin_check_password_transition(newrole_t)
domain_use_widely_inheritable_file_descriptors(newrole_t)
+# Write to utmp.
+init_script_modify_runtime_data(newrole_t)
+
files_read_general_system_config(newrole_t)
libraries_use_dynamic_loader(newrole_t)
@@ -241,13 +230,10 @@ logging_send_system_log_message(newrole_t)
miscfiles_read_localization(newrole_t)
-authlogin_check_password_transition(newrole_t)
+userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)
ifdef(`TODO',`
-in_user_role(newrole_t)
-role sysadm_r types newrole_t;
-allow newrole_t unpriv_userdomain:fd use;
can_ypbind(newrole)
ifdef(`automount.te', `
allow newrole_t autofs_t:dir { search getattr };
@@ -283,10 +269,6 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
# for some PAM modules and for cwd
dontaudit newrole_t { home_root_t home_type }:dir search;
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain newrole_t:process signal;
-
') dnl ifdef TODO
########################################
@@ -340,17 +322,20 @@ files_read_all_directories(restorecon_t)
# this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(restorecon_t)
+tunable_policy(`distro_redhat', `
+filesystem_use_tmpfs_character_devices(restorecon_t)
+filesystem_use_tmpfs_block_devices(restorecon_t)
+')
+
ifdef(`TODO',`
-allow restorecon_t admin_tty_type:chr_file { read write ioctl };
-domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
-role sysadm_r types restorecon_t;
# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute };
tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
+allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
+allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
')
allow restorecon_t fs_type:dir r_dir_perms;
@@ -391,6 +376,7 @@ devices_ignore_list_device_nodes(run_init_t)
terminal_ignore_list_pseudoterminals(run_init_t)
+authlogin_check_password_transition(run_init_t)
authlogin_ignore_read_shadow_passwords(run_init_t)
corecommands_execute_general_programs(run_init_t)
@@ -423,11 +409,6 @@ domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t)
-', `
-domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
-role sysadm_r types run_init_t;
-domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
-allow run_init_t admin_tty_type:chr_file rw_file_perms;
') dnl endif targeted policy
tunable_policy(`distro_gentoo', `
@@ -479,6 +460,8 @@ logging_send_system_log_message(setfiles_t)
miscfiles_read_localization(setfiles_t)
userdomain_use_all_users_file_descriptors(setfiles_t)
+# for config files in a home directory
+userdomain_read_all_users_data(setfiles_t)
# relabeling rules
kernel_relabel_unlabeled_object(setfiles_t)
@@ -489,10 +472,6 @@ files_manage_all_files_labels(setfiles_t)
authlogin_relabel_to_shadow_passwords(setfiles_t)
ifdef(`TODO',`
-
-domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
-role sysadm_r types setfiles_t;
-
# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run!
allow setfiles_t lib_t:file { read execute };
@@ -501,6 +480,4 @@ allow setfiles_t unlabeled_t:dir read;
allow setfiles_t fs_type:dir r_dir_perms;
-# for config files in a home directory
-allow setfiles_t home_type:file r_file_perms;
') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 1df3c3e..be9abdb 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC
#######################################
-#
-# selinux_checkpolicy_transition(domain)
+##
+##
+## Execute checkpolicy in the checkpolicy domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_checkpolicy_transition',`
requires_block_template(`$0'_depend)
@@ -18,6 +25,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute checkpolicy in the checkpolicy domain, and
+## allow the specified role the checkpolicy domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the checkpolicy domain.
+##
+##
+## The type of the terminal allow the checkpolicy domain to use.
+##
+##
+##
+#
+define(`selinux_checkpolicy_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_checkpolicy_transition($1)
+role $2 types checkpolicy_t;
+allow checkpolicy_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
+type checkpolicy_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# selinux_checkpolicy_execute(domain)
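Review bot: The parameter summary `## The type of the terminal allow the checkpolicy domain to use.` reads as a dropped word; `## The type of the terminal the checkpolicy domain is allowed to use.` says what the `$3:chr_file { getattr read write ioctl }` rule grants. The same sentence is copied into the load_policy, newrole, restorecon, run_init and setfiles interfaces later in this file and into sysnetwork_ifconfig_transition_add_role_use_terminal, so fix them together. The description line `## allow the specified role the checkpolicy domain,` could likewise read `## allow the specified role to enter the checkpolicy domain,`.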
@@ -33,8 +71,15 @@ class file { getattr read execute execute_no_trans };
')
#######################################
-#
-# selinux_load_policy_transition(domain)
+##
+##
+## Execute load_policy in the load_policy domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_load_policy_transition',`
requires_block_template(`$0'_depend)
@@ -50,6 +95,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute load_policy in the load_policy domain, and
+## allow the specified role the load_policy domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the load_policy domain.
+##
+##
+## The type of the terminal allow the load_policy domain to use.
+##
+##
+##
+#
+define(`selinux_load_policy_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_load_policy_transition($1)
+role $2 types load_policy_t;
+allow load_policy_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
+type load_policy_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# selinux_load_policy_execute(domain)
@@ -79,8 +155,15 @@ class file { getattr read };
')
#######################################
-#
-# selinux_newrole_transition(domain)
+##
+##
+## Execute newrole in the load_policy domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend)
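Review bot: The summary `## Execute newrole in the load_policy domain.` on selinux_newrole_transition is a copy-paste from the load_policy block above; the macro's own depend block declares `newrole_t, newrole_exec_t`, so it should read `## Execute newrole in the newrole domain.`. The body of selinux_newrole_transition continues past the end of this hunk.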
@@ -91,11 +174,42 @@ dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
')
define(`selinux_newrole_transition_depend',`
-type newrole_exec_t;
+type newrole_t, newrole_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute newrole in the newrole domain, and
+## allow the specified role the newrole domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the newrole domain.
+##
+##
+## The type of the terminal allow the newrole domain to use.
+##
+##
+##
+#
+define(`selinux_newrole_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_newrole_transition($1)
+role $2 types newrole_t;
+allow newrole_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_newrole_transition_add_role_use_terminal_depend',`
+type newrole_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# selinux_newrole_execute(domain)
@@ -110,6 +224,28 @@ type newrole_t, newrole_exec_t;
class file { getattr read execute execute_no_trans };
')
+########################################
+##
+##
+## Do not audit the caller attempts to send
+## a signal to newrole.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`selinux_newrole_ignore_signal',`
+requires_block_template(`$0'_depend)
+dontaudit $1 newrole_t:process signal;
+')
+
+define(`selinux_newrole_ignore_signal_depend',`
+type newrole_t;
+class process signal;
+')
+
#######################################
#
# selinux_newrole_sigchld(domain)
@@ -139,8 +275,15 @@ class fd use;
')
#######################################
-#
-# selinux_restorecon_transition(domain)
+##
+##
+## Execute restorecon in the restorecon domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_restorecon_transition',`
requires_block_template(`$0'_depend)
@@ -156,6 +299,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute restorecon in the restorecon domain, and
+## allow the specified role the restorecon domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the restorecon domain.
+##
+##
+## The type of the terminal allow the restorecon domain to use.
+##
+##
+##
+#
+define(`selinux_restorecon_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_restorecon_transition($1)
+role $2 types restorecon_t;
+allow restorecon_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
+type restorecon_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# selinux_restorecon_execute(domain)
@@ -171,8 +345,15 @@ class file { getattr read execute execute_no_trans };
')
########################################
-#
-# selinux_run_init_transition(domain)
+##
+##
+## Execute run_init in the run_init domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_run_init_transition',`
requires_block_template(`$0'_depend)
@@ -189,6 +370,37 @@ class process { transition noatsecure siginh rlimitinh };
')
########################################
+##
+##
+## Execute run_init in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the run_init domain.
+##
+##
+## The type of the terminal allow the run_init domain to use.
+##
+##
+##
+#
+define(`selinux_run_init_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_run_init_transition($1)
+role $2 types run_init_t;
+allow run_init_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_run_init_transition_add_role_use_terminal_depend',`
+type run_init_t;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
#
# selinux_run_init_use_file_descriptors(domain)
#
@@ -202,9 +414,16 @@ type run_init_t;
class fd use;
')
-#######################################
-#
-# selinux_setfiles_transition(domain)
+########################################
+##
+##
+## Execute setfiles in the setfiles domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`selinux_setfiles_transition',`
requires_block_template(`$0'_depend)
@@ -220,6 +439,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
+########################################
+##
+##
+## Execute setfiles in the setfiles domain, and
+## allow the specified role the setfiles domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the setfiles domain.
+##
+##
+## The type of the terminal allow the setfiles domain to use.
+##
+##
+##
+#
+define(`selinux_setfiles_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_setfiles_transition($1)
+role $2 types setfiles_t;
+allow setfiles_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
+type setfiles_t;
+class chr_file { getattr read write ioctl };
+')
+
#######################################
#
# selinux_setfiles_execute(domain)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 92739bf..7ecde92 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -117,6 +117,9 @@ terminal_use_console(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
+# directory search permissions for path to source and binary policy files
+files_search_general_system_config_directory(checkpolicy_t)
+
init_use_file_descriptors(checkpolicy_t)
init_script_use_pseudoterminal(checkpolicy_t)
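Review bot: This selinuxutil.te section carries the same blob ids (`index 92739bf..7ecde92`) and the same hunks as the selinux.te section earlier in the diff, so the commit appears to patch one module under two paths. If selinux.te is the old location that selinuxutil.te replaces, it should be deleted in this commit rather than updated in parallel; presumably building both would declare checkpolicy_t, load_policy_t, newrole_t and the related types twice. The userdomain.if hunk later in the diff still guards with ``optional_policy(`selinux.te', …)``, which suggests the module name has not been settled either.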
@@ -126,20 +129,8 @@ libraries_use_shared_libraries(checkpolicy_t)
userdomain_use_all_users_file_descriptors(checkpolicy_t)
ifdef(`TODO',`
-role sysadm_r types checkpolicy_t;
-domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
-allow checkpolicy_t sysadm_tmp_t:file { getattr write };
-
-# directory search permissions for path to source and binary policy files
-allow checkpolicy_t etc_t:dir search;
-
# Read the devpts root directory.
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-
-# Allow users to execute checkpolicy without a domain transition
-# so it can be used without privilege to write real binary policy file
-can_exec(unpriv_userdomain, checkpolicy_exec_t)
') dnl endif TODO
########################################
@@ -180,10 +171,6 @@ miscfiles_read_localization(load_policy_t)
userdomain_use_all_users_file_descriptors(load_policy_t)
ifdef(`TODO',`
-role sysadm_r types load_policy_t;
-domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
-allow load_policy_t sysadm_tmp_t:file { getattr write };
-allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
# directory search permissions for path to binary policy files
allow load_policy_t etc_t:dir search;
@@ -227,11 +214,13 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
terminal_use_all_private_physical_terminals(newrole_t)
terminal_use_all_private_pseudoterminals(newrole_t)
-# Write to utmp.
-init_script_modify_runtime_data(newrole_t)
+authlogin_check_password_transition(newrole_t)
domain_use_widely_inheritable_file_descriptors(newrole_t)
+# Write to utmp.
+init_script_modify_runtime_data(newrole_t)
+
files_read_general_system_config(newrole_t)
libraries_use_dynamic_loader(newrole_t)
@@ -241,13 +230,10 @@ logging_send_system_log_message(newrole_t)
miscfiles_read_localization(newrole_t)
-authlogin_check_password_transition(newrole_t)
+userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)
ifdef(`TODO',`
-in_user_role(newrole_t)
-role sysadm_r types newrole_t;
-allow newrole_t unpriv_userdomain:fd use;
can_ypbind(newrole)
ifdef(`automount.te', `
allow newrole_t autofs_t:dir { search getattr };
@@ -283,10 +269,6 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
# for some PAM modules and for cwd
dontaudit newrole_t { home_root_t home_type }:dir search;
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain newrole_t:process signal;
-
') dnl ifdef TODO
########################################
@@ -340,17 +322,20 @@ files_read_all_directories(restorecon_t)
# this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(restorecon_t)
+tunable_policy(`distro_redhat', `
+filesystem_use_tmpfs_character_devices(restorecon_t)
+filesystem_use_tmpfs_block_devices(restorecon_t)
+')
+
ifdef(`TODO',`
-allow restorecon_t admin_tty_type:chr_file { read write ioctl };
-domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
-role sysadm_r types restorecon_t;
# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute };
tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
+allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
+allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
')
allow restorecon_t fs_type:dir r_dir_perms;
@@ -391,6 +376,7 @@ devices_ignore_list_device_nodes(run_init_t)
terminal_ignore_list_pseudoterminals(run_init_t)
+authlogin_check_password_transition(run_init_t)
authlogin_ignore_read_shadow_passwords(run_init_t)
corecommands_execute_general_programs(run_init_t)
@@ -423,11 +409,6 @@ domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t)
-', `
-domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
-role sysadm_r types run_init_t;
-domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
-allow run_init_t admin_tty_type:chr_file rw_file_perms;
') dnl endif targeted policy
tunable_policy(`distro_gentoo', `
@@ -479,6 +460,8 @@ logging_send_system_log_message(setfiles_t)
miscfiles_read_localization(setfiles_t)
userdomain_use_all_users_file_descriptors(setfiles_t)
+# for config files in a home directory
+userdomain_read_all_users_data(setfiles_t)
# relabeling rules
kernel_relabel_unlabeled_object(setfiles_t)
@@ -489,10 +472,6 @@ files_manage_all_files_labels(setfiles_t)
authlogin_relabel_to_shadow_passwords(setfiles_t)
ifdef(`TODO',`
-
-domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
-role sysadm_r types setfiles_t;
-
# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run!
allow setfiles_t lib_t:file { read execute };
@@ -501,6 +480,4 @@ allow setfiles_t unlabeled_t:dir read;
allow setfiles_t fs_type:dir r_dir_perms;
-# for config files in a home directory
-allow setfiles_t home_type:file r_file_perms;
') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 9a93c8c..28ac0b8 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -18,9 +18,16 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
-########################################
-#
-# sysnetwork_ifconfig_transition(domain)
+#######################################
+##
+##
+## Execute ifconfig in the ifconfig domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`sysnetwork_ifconfig_transition',`
requires_block_template(`$0'_depend)
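Review bot: The separator above sysnetwork_ifconfig_transition was shortened from 40 to 39 `#` characters, while the separator before the next interface in this file keeps 40 and the matching edit to selinux_setfiles_transition in selinuxutil.if lengthens 39 to 40. Pick one width — 40 matches the other interfaces touched by this diff — so the header comments stay uniform.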
@@ -37,6 +44,37 @@ class process { transition noatsecure siginh rlimitinh };
')
########################################
+##
+##
+## Execute ifconfig in the ifconfig domain, and
+## allow the specified role the ifconfig domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the ifconfig domain.
+##
+##
+## The type of the terminal allow the ifconfig domain to use.
+##
+##
+##
+#
+define(`sysnetwork_ifconfig_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+sysnetwork_ifconfig_transition($1)
+role $2 types ifconfig_t;
+allow ifconfig_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
+type ifconfig_t;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
#
# sysnetwork_read_network_config(domain)
#
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 97fdab2..95753f8 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -94,28 +94,28 @@ terminal_ignore_use_all_private_physical_terminals(dhcpc_t)
terminal_ignore_use_all_private_pseudoterminals(dhcpc_t)
terminal_ignore_use_general_physical_terminal(dhcpc_t)
-init_use_file_descriptors(dhcpc_t)
-init_script_use_pseudoterminal(dhcpc_t)
-init_script_modify_runtime_data(dhcpc_t)
+corecommands_execute_general_programs(dhcpc_t)
+corecommands_execute_system_programs(dhcpc_t)
+corecommands_execute_shell(dhcpc_t)
domain_use_widely_inheritable_file_descriptors(dhcpc_t)
files_read_general_system_config(dhcpc_t)
files_read_runtime_system_config(dhcpc_t)
-corecommands_execute_general_programs(dhcpc_t)
-corecommands_execute_system_programs(dhcpc_t)
-corecommands_execute_shell(dhcpc_t)
+init_use_file_descriptors(dhcpc_t)
+init_script_use_pseudoterminal(dhcpc_t)
+init_script_modify_runtime_data(dhcpc_t)
logging_send_system_log_message(dhcpc_t)
libraries_use_dynamic_loader(dhcpc_t)
libraries_use_shared_libraries(dhcpc_t)
-modutils_insmod_transition(dhcpc_t)
-
miscfiles_read_localization(dhcpc_t)
+modutils_insmod_transition(dhcpc_t)
+
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(dhcpc_t)
terminal_ignore_use_general_pseudoterminal(dhcpc_t)
@@ -142,6 +142,10 @@ optional_policy(`udev.te',`
udev_read_database(dhcpc_t)
')
+optional_policy(`userdomain.te',`
+userdomain_use_all_users_file_descriptors(dhcpc_t)
+')
+
#
# dhclient sometimes starts ypbind and ntpd
#
@@ -203,8 +207,6 @@ allow dhcpc_t dhcp_etc_t:file { read getattr };
allow dhcpc_t dhcp_etc_t:lnk_file { getattr read };
allow dhcpc_t dhcp_etc_t:file { getattr read execute execute_no_trans };
-allow dhcpc_t userdomain:fd use;
-
ifdef(`distro_redhat', `
files_execute_system_config_script(dhcpc_t)
allow initrc_t dhcp_etc_t:file rw_file_perms;
@@ -273,6 +275,8 @@ miscfiles_read_localization(ifconfig_t)
selinux_run_init_use_file_descriptors(ifconfig_t)
+userdomain_use_all_users_file_descriptors(ifconfig_t)
+
ifdef(`TODO',`
can_ypbind(ifconfig_t)
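Review bot: `userdomain_use_all_users_file_descriptors(ifconfig_t)` is called unconditionally here, whereas the same interface for dhcpc_t earlier in this file is wrapped in ``optional_policy(`userdomain.te', …)``. If the userdomain module is optional, this call needs the same wrapper or the reference is unresolved when that module is absent; if it is not optional, the dhcpc_t wrapper is misleading. The ifconfig_t rules continue past this hunk.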
@@ -280,10 +284,6 @@ ifdef(`automount.te', `
allow ifconfig_t autofs_t:dir { search getattr };
')
-domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
-role sysadm_r types ifconfig_t;
-allow ifconfig_t userdomain:fd use;
-
# Access terminals.
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 19e6574..59594ff 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -81,6 +81,7 @@ devices_manage_device_nodes(udev_t)
filesystem_get_all_filesystems_attributes(udev_t)
init_script_read_runtime_data(udev_t)
+init_script_ignore_write_runtime_data(udev_t)
files_read_runtime_system_config(udev_t)
files_read_general_system_config(udev_t)
@@ -102,6 +103,14 @@ logging_send_system_log_message(udev_t)
sysnetwork_ifconfig_transition(udev_t)
+tunable_policy(`distro_redhat',`
+filesystem_manage_tmpfs_block_devices(udev_t)
+filesystem_manage_tmpfs_character_devices(udev_t)
+
+# for arping used for static IP addresses on PCMCIA ethernet
+netutils_transition(udev_t)
+') dnl end ifdef distro_redhat
+
optional_policy(`authlogin.te',`
authlogin_pam_console_read_runtime_data(udev_t)
authlogin_pam_console_transition(udev_t)
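Review bot: `netutils_transition(udev_t)` now sits inside a `tunable_policy` block with no `optional_policy` guard, while the authlogin interfaces directly below are wrapped in ``optional_policy(`authlogin.te', …)``. If netutils is an optional module, the interface is unresolved whenever that module is not built; nesting ``optional_policy(`netutils.te', `netutils_transition(udev_t)')`` inside the tunable block would match the file's other module references. The old placement had the same shape, so this is pre-existing, but the move is the moment to fix it.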
@@ -127,10 +136,10 @@ allow udev_t var_lock_t:file getattr;
allow udev_t mnt_t:dir search;
allow udev_t devpts_t:dir { getattr search };
+
allow udev_t sysadm_tty_device_t:chr_file { read write };
# Dontaudits
-dontaudit udev_t initrc_var_run_t:file write;
dontaudit udev_t staff_home_dir_t:dir search;
dontaudit udev_t file_t:dir search;
dontaudit udev_t domain:dir r_dir_perms;
@@ -142,14 +151,9 @@ dbusd_client(system, udev)
# Ifdefs
tunable_policy(`distro_redhat',`
-allow udev_t tmpfs_t:dir rw_dir_perms;
allow udev_t tmpfs_t:sock_file create_file_perms;
allow udev_t tmpfs_t:lnk_file create_lnk_perms;
-allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-allow udev_t tmpfs_t:dir search;
-
-# for arping used for static IP addresses on PCMCIA ethernet
-netutils_transition(udev_t)
+allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto };
') dnl end ifdef distro_redhat
tunable_policy(`hide_broken_symptoms',`
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 88eabb2..d53d9fa 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -128,6 +128,8 @@ logging_ignore_get_all_logs_attributes($1_t)
miscfiles_read_localization($1_t)
miscfiles_manage_man_page_cache($1_t)
+selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+
mta_modify_mail_spool($1_t)
if (allow_execmem) {
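Review bot: `selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })` is called unconditionally, as is `selinux_checkpolicy_execute($1_t)` in a later hunk of this file, yet the `selinux_newrole_ignore_signal($1_t)` call added further down is wrapped in ``optional_policy(`selinux.te', …)``. Either the selinux utilities are a base module, in which case that wrapper is unnecessary, or they are optional, in which case these two calls need the same guard. The guard also names selinux.te while the interfaces live in selinuxutil.if in this diff; worth confirming which module name is current.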
@@ -376,11 +378,11 @@ type $1_devpts_t; # userpty_type, user_tty_type;
terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
# Type for home directory.
-type $1_home_dir_t; #, home_dir_type, home_type, user_home_dir_type;
+type $1_home_dir_t, home_dir_type, home_type; #, user_home_dir_type;
files_make_file($1_home_dir_t)
# Type for files and directories in the home directory
-type $1_home_t, $1_file_type; #, home_type, user_home_type;
+type $1_home_t, $1_file_type, home_type; #, user_home_type;
files_make_file($1_home_t)
type $1_tmp_t, $1_file_type; #, user_tmpfile
@@ -438,8 +440,16 @@ init_script_read_runtime_data($1_t)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
init_script_ignore_write_runtime_data($1_t)
+# Stop warnings about access to /dev/console
+init_ignore_use_file_descriptors($1_t)
+init_script_ignore_use_file_descriptors($1_t)
+
+miscfiles_read_man_pages($1_t)
selinux_read_config($1_t)
+# Allow users to execute checkpolicy without a domain transition
+# so it can be used without privilege to write real binary policy file
+selinux_checkpolicy_execute($1_t)
if (user_dmesg) {
kernel_read_ring_buffer($1_t)
@@ -454,6 +464,16 @@ if (user_tcp_server) {
corenetwork_bind_tcp_on_general_port($1_t)
}
+# for running depmod as part of the kernel packaging process
+optional_policy(`modutils.te',`
+modutils_read_kernel_module_loading_config($1_t)
+')
+
+optional_policy(`selinux.te',`
+# for when the network connection is killed
+selinux_newrole_ignore_signal($1_t)
+')
+
# Need the following rule to allow users to run vpnc
optional_policy(`xserver.te', `
corenetwork_bind_tcp_on_xserver_port($1_t)
@@ -509,13 +529,6 @@ allow $1_t var_run_t:{ file lnk_file } r_file_perms;
allow $1_t var_lib_t:dir r_dir_perms;
allow $1_t var_lib_t:file { getattr read };
-# for running depmod as part of the kernel packaging process
-allow $1_t modules_conf_t:file { getattr read };
-
-# Read man directories and files.
-allow $1_t man_t:dir r_dir_perms;
-allow $1_t man_t:notdevfile_class_set r_file_perms;
-
# Allow users to rw usb devices
if (user_rw_usb) {
rw_dir_create_file($1_t,usbdevfs_t)
@@ -523,10 +536,6 @@ rw_dir_create_file($1_t,usbdevfs_t)
r_dir_file($1_t,usbdevfs_t)
}
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t device_t:lnk_file r_file_perms;
-
# Do not audit write denials to /etc/ld.so.cache.
dontaudit $1_t ld_so_cache_t:file write;
@@ -540,10 +549,8 @@ dontaudit $1_t devlog_t:sock_file { read write };
dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
')
-# Stop warnings about access to /dev/console
-dontaudit $1_t init_t:fd use;
-dontaudit $1_t initrc_t:fd use;
allow $1_t initrc_t:fifo_file write;
+
ifdef(`user_can_mount', `
#
# Allow users to mount file systems like floppies and cdrom
@@ -586,7 +593,7 @@ role system_r types $1_t;
#; dnl end of sysadm_t type declaration
# Type and access for pty devices.
-type $1_devpts_t;
+type $1_devpts_t, admin_terminal;
terminal_make_pseudoterminal($1_devpts_t)
type $1_home_t, $1_file_type; #, home_type;
@@ -598,7 +605,7 @@ files_make_file($1_home_t)
type $1_tmp_t, $1_file_type;
files_make_temporary_file($1_tmp_t)
-type $1_tty_device_t;
+type $1_tty_device_t, admin_terminal;
terminal_make_physical_terminal($1_t,$1_tty_device_t)
##############################
@@ -675,6 +682,8 @@ terminal_use_all_private_physical_terminals($1_t)
domain_set_all_domains_priorities($1_t)
+files_execute_system_source_code_scripts($1_t)
+
init_use_control_channel($1_t)
logging_send_system_log_message($1_t)
@@ -690,6 +699,10 @@ selinux_manage_source_policy($1_t)
# But presently necessary for installing the file_contexts file.
selinux_manage_binary_policy($1_t)
+optional_policy(`cron.te',`
+cron_admin_template($1)
+')
+
ifdef(`TODO',`
# Let admin stat the shadow file.
@@ -727,9 +740,6 @@ allow $1_t ptyfile:chr_file getattr;
# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
can_exec($1_t, staff_home_t)
-# Run programs from /usr/src.
-can_exec($1_t, src_t)
-
# Run admin programs that require different permissions in their own domain.
# These rules were moved into the appropriate program domain file.
@@ -764,16 +774,6 @@ allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
allow $1_gph_t user_home_type:file create_file_perms;
')
-# Manipulate other users crontab.
-can_getsecurity(sysadm_crontab_t)
-
-ifdef(`crond.te', `
-allow $1_crond_t var_log_t:file r_file_perms;
-')
-
-# Allow our crontab domain to unlink a user cron spool file.
-ifdef(`crontab.te',`allow $1_crontab_t user_cron_spool_t:file unlink;')
-
# for the administrator to run TCP servers directly
allow $1_t kernel_t:tcp_socket recvfrom;
@@ -794,7 +794,55 @@ allow $1_t eventpollfs_t:file getattr;
') dnl endif TODO
')
+########################################
+##
+##
+## Read and write administrative users
+## physical and pseudo terminals.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
+define(`userdomain_use_admin_terminals',`
+requires_block_template(`$0'_depend)
+devices_list_device_nodes($1)
+terminal_list_pseudoterminals($1)
+allow $1 admin_terminal:chr_file { getattr read write ioctl };
+')
+
+define(`userdomain_use_admin_terminals_depend',`
+attribute admin_terminal;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+##
+##
+## Inherit the file descriptors from all user domains
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`userdomain_read_all_users_data',`
+requires_block_template(`$0'_depend)
+files_list_home_directories($1)
+allow $1 home_type:dir { getattr search read };
+allow $1 home_type:file { getattr read };
+')
+
+define(`userdomain_read_all_users_data_depend',`
+attribute home_type;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
##
##
## Inherit the file descriptors from all user domains
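Review bot: The summary on userdomain_read_all_users_data, `## Inherit the file descriptors from all user domains`, is copied from the fd interface below and does not describe the `home_type:dir` and `home_type:file` read rules the macro grants; `## Read all users' home directories and their contents.` would. The macro also grants directory search and read via `files_list_home_directories($1)` and `home_type:dir { getattr search read }`, which is broader than the `home_type:file r_file_perms` rule it replaces for setfiles_t, so the summary should make that scope visible to callers.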
@@ -815,4 +863,47 @@ attribute userdomain;
class fd use;
')
+########################################
+##
+##
+## Inherit the file descriptors from all user domains.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`userdomain_use_all_unprivileged_users_file_descriptors',`
+requires_block_template(`$0'_depend)
+allow $1 unpriv_userdomain:fd use;
+')
+
+define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',`
+attribute unpriv_userdomain;
+class fd use;
+')
+
+########################################
+##
+##
+## Do not audit attempts to inherit the
+## file descriptors from all user domains.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',`
+requires_block_template(`$0'_depend)
+dontaudit $1 unpriv_userdomain:fd use;
+')
+
+define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',`
+attribute unpriv_userdomain;
+class fd use;
+')
+
##
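Review bot: The summaries of both new interfaces (L3073 and L3094-L3095) say "all user domains", yet the rules they expand to apply only to the `unpriv_userdomain` attribute; the pre-existing interface whose depend block is visible as context at the top of the hunk is the one that targets the `userdomain` attribute. Documenting the narrower scope is what lets a reader tell the two families apart when choosing which privilege to hand out; suggest `## Inherit the file descriptors from all unprivileged user domains.` for `userdomain_use_all_unprivileged_users_file_descriptors` and `## Do not audit attempts to inherit the file descriptors from all unprivileged user domains.` for the `_ignore_` counterpart. The `_depend` blocks correctly declare `attribute unpriv_userdomain` and `class fd use`, so only the descriptions need the change.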
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index e530c6c..9a64b81 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -7,6 +7,15 @@ policy_module(userdomain,1.0)
# Declarations
#
+# admin users terminals (tty and pty)
+attribute admin_terminal;
+
+# users home directory
+attribute home_dir_type;
+
+# users home directory contents
+attribute home_type;
+
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
@@ -66,7 +75,6 @@ bool user_tcp_server false;
# Allow w to display everyone
bool user_ttyfile_stat false;
-admin_domain_template(sysadm)
user_domain_template(staff)
user_domain_template(user)
@@ -77,8 +85,51 @@ user_domain_template(user)
#allow privhome home_root_t:dir { getattr search };
+# Add/remove user home directories
+#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
+
+########################################
+#
+# Sysadm local policy
+#
+
+admin_domain_template(sysadm)
+
# for su
allow sysadm_t userdomain:fd use;
-# Add/remove user home directories
-#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
+optional_policy(`iptables.te',`
+iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`lvm.te',`
+lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`modutils.te',`
+modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`mount.te',`
+mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`selinux.te',`
+selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+optional_policy(`targeted_policy',`',`
+selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+')
+
+optional_policy(`sysnetwork.te',`
+sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`clock.te',`
+clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')