diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 28dba7a..55003bc 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -52,7 +52,7 @@ libs_use_ld_so(consoletype_t)
libs_use_shared_libs(consoletype_t)
ifdef(`distro_redhat', `
- fs_use_tmpfs_character_devices(consoletype_t)
+ fs_use_tmpfs_chr_dev(consoletype_t)
')
optional_policy(`authlogin.te', `
@@ -67,6 +67,11 @@ optional_policy(`nis.te',`
nis_use_ypbind(consoletype_t)
')
+optional_policy(`rpm.te',`
+ # Commonly used from postinst scripts
+ rpm_read_pipe(consoletype_t)
+')
+
optional_policy(`userdomain.te',`
userdom_use_unpriv_users_fd(consoletype_t)
')
@@ -94,4 +99,5 @@ allow consoletype_t printconf_t:file r_file_perms;
optional_policy(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
')
+
') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 11022f8..13cb547 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -158,6 +158,7 @@ rw_dir_create_file(logrotate_t, backup_store_t)
')
allow logrotate_t syslogd_t:unix_dgram_socket sendto;
+allow logrotate_t syslogd_exec_t:file r_file_perms;
dontaudit logrotate_t selinux_config_t:dir search;
') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 05b3046..9b858f6 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -129,6 +129,12 @@ optional_policy(`nis.te',`
nis_use_ypbind(ping_t)
')
+optional_policy(`sysnetwork.te',`
+ optional_policy(`hotplug.te',`
+ hotplug_use_fd(ping_t)
+ ')
+')
+
ifdef(`TODO',`
in_user_role(ping_t)
tunable_policy(`user_ping',`
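Review bot: The outer sysnetwork.te guard around the new block protects nothing visible, because the only call inside it is `hotplug_use_fd(ping_t)`, which the inner hotplug.te guard already covers. As written the rule also disappears in a build that has hotplug but not sysnetwork, which may or may not be intended. Either drop the outer optional_policy, or add a one-line comment above it saying why descriptor inheritance from hotplug only matters when sysnetwork is present.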
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index a6729a3..bbe16ed 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -1,9 +1,9 @@
## Policy for the RPM package manager.
########################################
-##
+##
## Execute rpm programs in the rpm domain.
-##
+##
##
## The type of the process performing this action.
##
@@ -27,9 +27,9 @@ interface(`rpm_domtrans',`
')
########################################
-##
+##
## Execute RPM programs in the RPM domain.
-##
+##
##
## The type of the process performing this action.
##
@@ -53,9 +53,9 @@ interface(`rpm_run',`
')
########################################
-##
+##
## Inherit and use file descriptors from RPM.
-##
+##
##
## The type of the process performing this action.
##
@@ -70,9 +70,9 @@ interface(`rpm_use_fd',`
')
########################################
-##
+##
## Read from a RPM pipe.
-##
+##
##
## The type of the process performing this action.
##
@@ -87,9 +87,9 @@ interface(`rpm_read_pipe',`
')
########################################
-##
-## Read RPM package database.
-##
+##
+## Read the RPM package database.
+##
##
## The type of the process performing this action.
##
@@ -108,8 +108,12 @@ interface(`rpm_read_db',`
')
########################################
-#
-# rpm_manage_db(domain)
+##
+## Create, read, write, and delete the RPM package database.
+##
+##
+## The type of the process performing this action.
+##
#
interface(`rpm_manage_db',`
gen_require(`
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index b5fc841..4bfb49b 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -95,6 +95,7 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctl(rpm_t)
+
selinux_get_fs_mount(rpm_t)
selinux_validate_context(rpm_t)
selinux_compute_access_vector(rpm_t)
@@ -128,6 +129,8 @@ storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
+auth_relabel_all_files_except_shadow(rpm_t)
+auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
corecmd_exec_bin(rpm_t)
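Review bot: The two added calls `auth_relabel_all_files_except_shadow(rpm_t)` and `auth_manage_all_files_except_shadow(rpm_t)` carry no comment, although they are the broadest grant in the module. Judging by their names and by the raw `{ file_type -shadow_t }` rules they replace, they give rpm_t relabel and manage access to every file type except shadow. The comment that explained those rules, `# read/write/create any files in the system`, is left behind in the TODO block (hunk at -173), where it now sits above an unrelated `dontaudit`. Move that comment up to these two lines so the grant is labelled where it is made.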
@@ -162,6 +165,10 @@ optional_policy(`cron.te',`
cron_system_entry(rpm_t,rpm_exec_t)
')
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(rpm_t)
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(rpm_t)
')
@@ -173,9 +180,6 @@ type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpf
dontaudit rpm_t domain:process ptrace;
# read/write/create any files in the system
-allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
-allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
allow rpm_t ttyfile:chr_file unlink;
@@ -194,23 +198,10 @@ optional_policy(`gnome-pty-helper.te', `
allow rpm_t sysadm_gph_t:fd use;
')
-optional_policy(`mount.te', `
-allow rpm_t mount_t:udp_socket rw_socket_perms;
-')
-
# for kernel package installation
optional_policy(`mount.te', `
allow mount_t rpm_t:fifo_file rw_file_perms;
')
-
-# Commonly used from postinst scripts
-optional_policy(`consoletype.te', `
-allow consoletype_t rpm_t:fifo_file r_file_perms;
-')
-optional_policy(`crond.te', `
-allow crond_t rpm_t:fifo_file r_file_perms;
-')
-
') dnl endif TODO
########################################
@@ -289,6 +280,7 @@ domain_signull_all_domains(rpm_script_t)
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
+files_exec_usr_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
@@ -322,8 +314,6 @@ ifdef(`TODO',`
allow rpm_script_t sysfs_t:dir r_dir_perms;
-can_exec(rpm_script_t,usr_t)
-
optional_policy(`lpd.te', `
can_exec(rpm_script_t,printconf_t)
')
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index ee03894..463a155 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -208,3 +208,19 @@ interface(`usermanage_run_useradd',`
allow useradd_t $3:chr_file rw_term_perms;
')
+########################################
+##
+## Read the crack database.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`usermanage_read_crack_db',`
+ gen_require(`
+ type crack_db_t;
+ class file r_file_perms;
+ ')
+
+ allow $1 crack_db_t:file r_file_perms;
+')
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 93cb52a..b54f634 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -93,6 +93,10 @@ fs_search_auto_mountpoints(chfn_t)
# for SSP
dev_read_urand(chfn_t)
+# can exec /sbin/unix_chkpwd
+corecmd_search_bin(chfn_t)
+corecmd_search_sbin(chfn_t)
+
domain_use_wide_inherit_fd(chfn_t)
files_manage_etc_files(chfn_t)
@@ -120,10 +124,9 @@ optional_policy(`nis.te',`
')
ifdef(`TODO',`
-role sysadm_r types chfn_t;
-in_user_role(chfn_t)
-
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
+ifdef(`firstboot.te',`
+domain_auto_trans(firstboot_t, chfn_exec_t, chfn_t)
+')
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
@@ -134,9 +137,6 @@ allow chfn_t shell_exec_t:file execute;
# on user home dir
dontaudit chfn_t { user_home_dir_type user_home_type }:dir search;
-# can exec /sbin/unix_chkpwd
-allow chfn_t { bin_t sbin_t }:dir search;
-
# uses unix_chkpwd for checking passwords
dontaudit chfn_t selinux_config_t:dir search;
') dnl endif TODO
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 2ceb904..b560223 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -79,6 +79,9 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+ allow $1_t $1_gpg_secret_t:file getattr;
+ allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
+
corenet_tcp_sendrecv_all_if($1_gpg_t)
corenet_raw_sendrecv_all_if($1_gpg_t)
corenet_udp_sendrecv_all_if($1_gpg_t)
@@ -95,8 +98,13 @@ template(`gpg_per_userdomain_template',`
fs_getattr_xattr_fs($1_gpg_t)
+ domain_use_wide_inherit_fd($1_gpg_t)
+
files_read_etc_files($1_gpg_t)
files_read_usr_files($1_gpg_t)
+ files_dontaudit_search_var($1_gpg_t)
+ # should not need read access...
+ files_list_home($1_gpg_t)
libs_use_shared_libs($1_gpg_t)
libs_use_ld_so($1_gpg_t)
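Review bot: `domain_use_wide_inherit_fd($1_gpg_t)` is the only visible replacement for the removed rule `allow $1_gpg_t { privfd $1_t }:fd use;` (hunk at -135), and by its name it covers only the privfd half. Unless `$1_t` carries the privfd attribute, which this diff does not show, gpg started from the user's shell would lose permission to use descriptors inherited from `$1_t`. If that is not granted elsewhere, keep the explicit rule next to the interface call: `allow $1_gpg_t $1_t:fd use;`. The template body starts and ends outside this hunk.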
@@ -135,20 +143,12 @@ template(`gpg_per_userdomain_template',`
ifdef(`TODO',`
- allow $1_t $1_gpg_secret_t:file getattr;
-
access_terminal($1_gpg_t, $1)
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
- # Inherit and use descriptors
- allow $1_gpg_t { privfd $1_t }:fd use;
-
# allow ps to show gpg
can_ps($1_t, $1_gpg_t)
- # should not need read access...
- allow $1_gpg_t home_root_t:dir { read search };
-
# use $1_gpg_secret_t for files it creates
# NB we are doing the type transition for directory creation only!
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
@@ -164,9 +164,6 @@ template(`gpg_per_userdomain_template',`
rw_dir_create_file($1_gpg_t, $1_file_type)
- allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
-
- dontaudit $1_gpg_t var_t:dir search;
') dnl end TODO
########################################
@@ -246,11 +243,26 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
allow $1_gpg_agent_t self:fifo_file rw_file_perms;
+ # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+ allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms;
+ allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms;
+ allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+
+ # allow gpg to connect to the gpg agent
+ allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
+ allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
+ allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
+
+ # Allow the user shell to signal the gpg-agent program.
+ allow $1_t $1_gpg_agent_t:process { signal sigkill };
+
allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
+ corecmd_search_bin($1_gpg_agent_t)
+
# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
@@ -280,24 +292,15 @@ template(`gpg_per_userdomain_template',`
# Write to the user domain tty.
access_terminal($1_gpg_agent_t, $1)
- # Allow the user shell to signal the gpg-agent program.
- allow $1_t $1_gpg_agent_t:process { signal sigkill };
# allow ps to show gpg-agent
can_ps($1_t, $1_gpg_agent_t)
allow $1_gpg_agent_t proc_t:dir search;
allow $1_gpg_agent_t proc_t:lnk_file read;
- allow $1_gpg_agent_t device_t:dir r_file_perms;
-
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
- create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
- # gpg connect
- allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
- allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
- can_unix_connect($1_gpg_t, $1_gpg_agent_t)
') dnl endif TODO
##############################
@@ -330,14 +333,20 @@ template(`gpg_per_userdomain_template',`
miscfiles_read_fonts($1_gpg_pinentry_t)
miscfiles_read_localization($1_gpg_pinentry_t)
- ifdef(`TODO',`
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files($1_gpg_pinentry_t)
+ ')
- allow $1_gpg_agent_t bin_t:dir search;
+ tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files($1_gpg_pinentry_t)
+ ')
+
+ ifdef(`TODO',`
ifdef(`xdm.te', `
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
- can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
+ allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto;
allow $1_gpg_pinentry_t xdm_t:fd use;
')
@@ -351,16 +360,12 @@ template(`gpg_per_userdomain_template',`
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
tunable_policy(`use_nfs_home_dirs',`
- allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
- allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
- dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
+ dontaudit $1_gpg_pinentry_t nfs_t:dir write;
dontaudit $1_gpg_pinentry_t nfs_t:file write;
')
tunable_policy(`use_samba_home_dirs',`
- allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
- allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
- dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
+ dontaudit $1_gpg_pinentry_t cifs_t:dir write;
dontaudit $1_gpg_pinentry_t cifs_t:file write;
')
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 7a76bfc..61174bc 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -950,3 +950,21 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
dontaudit $1 reserved_port_type:udp_socket name_bind;
')
+
+########################################
+##
+## Read and write the TUN/TAP virtual network device.
+##
+##
+## The domain allowed access.
+##
+#
+interface(`corenet_use_tun_tap_device',`
+ gen_require(`
+ type tun_tap_device_t;
+ class chr_file { read write };
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tun_tap_device_t:chr_file { read write };
+')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 0cfeafd..eccb027 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -648,6 +648,25 @@ interface(`dev_manage_all_chr_files',`
########################################
##
+## Read and write the apm bios.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_apm_bios',`
+ gen_require(`
+ type device_t, apm_bios_t;
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 apm_bios_t:chr_file rw_file_perms;
+')
+
+########################################
+##
## Read raw memory devices (e.g. /dev/mem).
##
##
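Review bot: `dev_rw_apm_bios` grants `rw_file_perms` on `apm_bios_t` plus `r_dir_perms` on `device_t`, while the one rule it replaces in this commit (modutils.te, `allow insmod_t apm_bios_t:chr_file { read write };`) granted only read and write on the device node. If `rw_file_perms` expands to more than those two permissions, moving insmod_t to the interface quietly widens its access. `corenet_use_tun_tap_device`, added in the same commit, spells out `{ read write }`. Doing the same here, with `class chr_file { read write };` and `allow $1 apm_bios_t:chr_file { read write };`, would keep the conversion behaviour-preserving.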
@@ -1671,7 +1690,7 @@ interface(`dev_getattr_sysfs_dir',`
########################################
##
-## Search the directory containing hardware information.
+## Search sysfs.
##
##
## The type of the process performing this action.
@@ -1688,6 +1707,23 @@ interface(`dev_search_sysfs',`
########################################
##
+## Do not audit attempts to search sysfs.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`dev_dontaudit_search_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ class dir search;
+ ')
+
+ dontaudit $1 sysfs_t:dir search;
+')
+
+########################################
+##
## Allow caller to read hardware state information.
##
##
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 373bc0d..f744595 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1380,7 +1380,7 @@ interface(`fs_create_tmpfs_data',`
## The type of the process performing this action.
##
#
-interface(`fs_use_tmpfs_character_devices',`
+interface(`fs_use_tmpfs_chr_dev',`
gen_require(`
type tmpfs_t;
class dir r_dir_perms;
@@ -1399,7 +1399,7 @@ interface(`fs_use_tmpfs_character_devices',`
## The type of the process performing this action.
##
#
-interface(`fs_relabel_tmpfs_character_devices',`
+interface(`fs_relabel_tmpfs_chr_dev',`
gen_require(`
type tmpfs_t;
class dir r_dir_perms;
@@ -1418,7 +1418,7 @@ interface(`fs_relabel_tmpfs_character_devices',`
## The type of the process performing this action.
##
#
-interface(`fs_use_tmpfs_block_devices',`
+interface(`fs_use_tmpfs_blk_dev',`
gen_require(`
type tmpfs_t;
class dir r_dir_perms;
@@ -1437,7 +1437,7 @@ interface(`fs_use_tmpfs_block_devices',`
## The type of the process performing this action.
##
#
-interface(`fs_relabel_tmpfs_block_devices',`
+interface(`fs_relabel_tmpfs_blk_dev',`
gen_require(`
type tmpfs_t;
class dir r_dir_perms;
@@ -1450,6 +1450,46 @@ interface(`fs_relabel_tmpfs_block_devices',`
########################################
##
+## Read and write, create and delete symbolic
+## links on tmpfs filesystems.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`fs_manage_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ class dir rw_dir_perms;
+ class chr_file create_lnk_perms;
+ ')
+
+ allow $1 tmpfs_t:dir rw_dir_perms;
+ allow $1 tmpfs_t:chr_file create_lnk_perms;
+')
+
+########################################
+##
+## Read and write, create and delete socket
+## files on tmpfs filesystems.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`fs_manage_tmpfs_sockets',`
+ gen_require(`
+ type tmpfs_t;
+ class dir rw_dir_perms;
+ class sock_file create_file_perms;
+ ')
+
+ allow $1 tmpfs_t:dir rw_dir_perms;
+ allow $1 tmpfs_t:sock_file create_file_perms;
+')
+
+########################################
+##
## Read and write, create and delete character
## nodes on tmpfs filesystems.
##
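Review bot: `fs_manage_tmpfs_symlinks` is documented as managing symbolic links, but both its require block and its rule name the character-device class: `class chr_file create_lnk_perms;` and `allow $1 tmpfs_t:chr_file create_lnk_perms;`. Callers therefore get no access to tmpfs symlinks and instead get the link permission set applied to tmpfs character device nodes, which nobody asked for. Both lines should use `lnk_file`: `class lnk_file create_lnk_perms;` and `allow $1 tmpfs_t:lnk_file create_lnk_perms;`. The sibling `fs_manage_tmpfs_sockets` added in the same hunk pairs `sock_file` with its description correctly, so this looks like a copy-paste slip from the character-device interfaces.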
@@ -1457,7 +1497,7 @@ interface(`fs_relabel_tmpfs_block_devices',`
## The type of the process performing this action.
##
#
-interface(`fs_manage_tmpfs_character_devices',`
+interface(`fs_manage_tmpfs_chr_dev',`
gen_require(`
type tmpfs_t;
class dir rw_dir_perms;
@@ -1477,7 +1517,7 @@ interface(`fs_manage_tmpfs_character_devices',`
## The type of the process performing this action.
##
#
-interface(`fs_manage_tmpfs_block_devices',`
+interface(`fs_manage_tmpfs_blk_dev',`
gen_require(`
type tmpfs_t;
class dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index bf07c9e..d128f10 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -132,6 +132,11 @@ optional_policy(`nis.te',`
nis_use_ypbind(crond_t)
')
+optional_policy(`crond.te',`
+ # Commonly used from postinst scripts
+ rpm_read_pipe(crond_t)
+')
+
optional_policy(`udev.te', `
udev_read_db(crond_t)
')
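Review bot: The new optional block is guarded on crond.te, but the only interface it calls, `rpm_read_pipe(crond_t)`, belongs to the rpm module, so the guard tests the wrong module. The guard looks carried over from rpm.te, where the raw rule was conditional on crond; now that the rule lives in cron.te, the condition should be the presence of rpm. The matching block added to consoletype.te in this commit is guarded on rpm.te, and this one should be too. As written, the call is expanded or dropped based on a module name that does not provide the interface.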
@@ -355,4 +360,7 @@ allow mta_user_agent system_crond_t:fd use;
r_dir_file(system_mail_t, crond_tmp_t)
')
+# for daemon re-start
+allow system_crond_t syslogd_t:lnk_file read;
+
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index b13fd9c..2ecc405 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -257,6 +257,8 @@ miscfiles_read_localization(system_chkpwd_t)
seutil_read_config(system_chkpwd_t)
+userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
+
tunable_policy(`use_dns',`
allow system_chkpwd_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_all_if(system_chkpwd_t)
@@ -275,8 +277,6 @@ optional_policy(`nis.te',`
ifdef(`TODO',`
can_kerberos(system_chkpwd_t)
can_ldap(system_chkpwd_t)
-
-dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
') dnl end TODO
########################################
@@ -309,10 +309,9 @@ logging_search_logs(utempter_t)
# Allow utemper to write to /tmp/.xses-*
userdom_write_unpriv_user_tmp(utempter_t)
-ifdef(`TODO',`
-ifdef(`xdm.te', `
-allow utempter_t xdm_t:fd use;
-allow utempter_t xdm_t:fifo_file { write getattr };
+optional_policy(`xserver.te', `
+ #allow utempter_t xdm_t:fd use;
+ xserver_use_xdm_fd(utempter_t)
+ #allow utempter_t xdm_t:fifo_file { write getattr };
+ xserver_write_xdm_fifo(utempter_t)
')
-
-') dnl endif TODO
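Review bot: The new xserver block keeps the old raw rules as commented-out code (`#allow utempter_t xdm_t:fd use;` and `#allow utempter_t xdm_t:fifo_file { write getattr };`) next to the interface calls that replace them. Commented-out allow rules drift from what the interfaces actually grant and are easy to misread as live policy during an audit. Replace them with one descriptive comment such as `# use xdm file descriptors and write to xdm pipes`. The old fifo rule also listed `getattr`, so it is worth confirming that `xserver_write_xdm_fifo` covers it, since its body is not shown here.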
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 2675b4a..663d934 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -168,6 +168,25 @@ interface(`domain_dontaudit_use_wide_inherit_fd',`
')
########################################
+##
+## Send a SIGCHLD signal to domains whose file
+## discriptors are widely inheritable.
+##
+##
+## Domain allowed access.
+##
+#
+# cjp: this was added because of newrole
+interface(`domain_sigchld_wide_inherit_fd',`
+ gen_require(`
+ attribute privfd;
+ class process signal;
+ ')
+
+ dontaudit $1 privfd:fd use;
+')
+
+########################################
#
# domain_setpriority_all_domains(domain)
#
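Review bot: `domain_sigchld_wide_inherit_fd` does not grant what its summary says. Its body is `dontaudit $1 privfd:fd use;` and its require block asks for `class process signal;`, yet the summary and the call site in selinuxutil.te (which replaces `allow newrole_t privfd:process sigchld;`) both expect a SIGCHLD permission. As written, newrole_t loses the sigchld rule and gains only a dontaudit that silences fd-use denials. The body should be `allow $1 privfd:process sigchld;` with `class process sigchld;` in the require block. The summary also misspells "descriptors" as "discriptors".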
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 1e285b3..264d7ee 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -815,6 +815,23 @@ interface(`files_list_mnt',`
')
########################################
+##
+## Search the tmp directory (/tmp)
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`files_search_tmp',`
+ gen_require(`
+ type tmp_t;
+ class dir search;
+ ')
+
+ allow $1 tmp_t:dir search;
+')
+
+########################################
#
# files_create_tmp_files(domain,private_type,[object class(es)])
#
@@ -1002,15 +1019,31 @@ interface(`files_manage_urandom_seed',`
########################################
#
+# files_search_generic_locks(domain)
+#
+interface(`files_search_generic_locks',`
+ gen_require(`
+ type var_t;
+ type var_lock_t;
+ class dir search;
+ ')
+
+ allow $1 { var_t var_lock_t }:dir search;
+')
+
+########################################
+#
# files_getattr_generic_locks(domain)
#
interface(`files_getattr_generic_locks',`
gen_require(`
+ type var_t;
type var_lock_t;
class dir r_dir_perms;
class file getattr;
')
+ allow $1 var_t:dir search;
allow $1 var_lock_t:dir r_dir_perms;
allow $1 var_lock_t:file getattr;
')
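Review bot: `files_search_generic_locks` is added with only the old-style `# files_search_generic_locks(domain)` header, while `files_search_tmp`, added earlier in this same file, gets a full `##` summary and parameter description. Give the new interface the same header: a summary line such as `## Search the generic locks directory.` followed by the usual parameter text `## The type of the process performing this action.`. The `var_t` search added to `files_getattr_generic_locks` in this hunk would also benefit from a short comment, for example `# traverse /var to reach the lock directory`, if that is the intent.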
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 68d95a5..994e546 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -56,7 +56,7 @@ miscfiles_read_localization(hostname_t)
userdom_use_all_user_fd(hostname_t)
ifdef(`distro_redhat', `
- fs_use_tmpfs_character_devices(hostname_t)
+ fs_use_tmpfs_chr_dev(hostname_t)
')
ifdef(`targeted_policy', `
@@ -92,7 +92,7 @@ ifdef(`TODO',`
##daemon_base_domain(hostname, , nosysadm)
##must remembe to go back and take care of the nosysadm part
-allow hostname_t proc_t:dir { read getattr lock search ioctl };
+allow hostname_t proc_t:dir r_dir_perms;
allow hostname_t proc_t:lnk_file read;
optional_policy(`rhgb.te', `
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index a358722..a9d17f5 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -43,7 +43,6 @@ allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
files_create_pid(hotplug_t,hotplug_var_run_t)
-
kernel_sigchld(hotplug_t)
kernel_read_system_state(hotplug_t)
kernel_read_kernel_sysctl(hotplug_t)
@@ -116,7 +115,7 @@ ifdef(`distro_redhat', `
optional_policy(`netutils.te', `
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(hotplug_t)
- fs_use_tmpfs_character_devices(hotplug_t)
+ fs_use_tmpfs_chr_dev(hotplug_t)
')
files_getattr_generic_locks(hotplug_t)
')
@@ -156,6 +155,14 @@ optional_policy(`selinux.te',`
')
optional_policy(`sysnetwork.te',`
+ sysnet_domtrans_dhcpc(hotplug_t)
+ sysnet_signal_dhcpc(hotplug_t)
+ sysnet_kill_dhcpc(hotplug_t)
+ sysnet_signull_dhcpc(hotplug_t)
+ sysnet_sigstop_dhcpc(hotplug_t)
+ sysnet_sigchld_dhcpc(hotplug_t)
+ sysnet_read_dhcpc_pid(hotplug_t)
+ sysnet_rw_dhcp_config(hotplug_t)
sysnet_domtrans_ifconfig(hotplug_t)
')
@@ -188,8 +195,7 @@ optional_policy(`hald.te', `
# this block goes to hald:
optional_policy(`hotplug.te',`
- allow hald_t hotplug_etc_t:dir search;
- allow hald_t hotplug_etc_t:file { getattr read };
+ hotplug_read_config(hald_t)
')
optional_policy(`lpd.te', `
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 114b50d..ad80edb 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -130,7 +130,7 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)
ifdef(`distro_redhat',`
- fs_use_tmpfs_character_devices(init_t)
+ fs_use_tmpfs_chr_dev(init_t)
fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
')
@@ -326,7 +326,7 @@ ifdef(`distro_redhat',`
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
- fs_use_tmpfs_character_devices(initrc_t)
+ fs_use_tmpfs_chr_dev(initrc_t)
files_create_boot_flag(initrc_t)
@@ -383,6 +383,14 @@ optional_policy(`ssh.te',`
')
')
+optional_policy(`sysnetwork.te',`
+ ifdef(`distro_redhat',`
+ sysnet_rw_dhcp_config(initrc_t)
+ ')
+
+ sysnet_read_dhcpc_state(initrc_t)
+')
+
ifdef(`TODO',`
# Mount and unmount file systems.
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 9243b74..43ce4d0 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -66,6 +66,7 @@ domain_use_wide_inherit_fd(ldconfig_t)
files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
+files_search_tmp(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled:
files_delete_etc_files(ldconfig_t)
@@ -77,8 +78,6 @@ userdom_use_all_user_fd(ldconfig_t)
ifdef(`TODO',`
-allow ldconfig_t tmp_t:dir search;
-
ifdef(`apache.te', `
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
dontaudit ldconfig_t httpd_modules_t:dir search;
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index c8779a8..b125b21 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -68,6 +68,7 @@ dev_dontaudit_getattr_misc(local_login_t)
dev_dontaudit_setattr_misc(local_login_t)
dev_dontaudit_getattr_scanner(local_login_t)
dev_dontaudit_setattr_scanner(local_login_t)
+dev_dontaudit_search_sysfs(local_login_t)
# for SSP/ProPolice
dev_read_urand(local_login_t)
@@ -106,6 +107,7 @@ files_read_etc_files(local_login_t)
files_read_etc_runtime_files(local_login_t)
files_read_usr_files(local_login_t)
files_manage_generic_locks(var_lock_t)
+files_list_mnt(local_login_t)
init_rw_script_pid(local_login_t)
init_dontaudit_use_fd(local_login_t)
@@ -149,6 +151,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(local_login_t)
')
+optional_policy(`usermanage.te',`
+ usermanage_read_crack_db(local_login_t)
+')
+
ifdef(`TODO',`
allow local_login_t bin_t:dir r_dir_perms;
@@ -169,17 +175,16 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms;
# for when /var/mail is a sym-link
allow local_login_t var_t:lnk_file read;
-dontaudit local_login_t sysfs_t:dir search;
-
-allow local_login_t mnt_t:dir r_dir_perms;
+# Do not audit denied attempts to access devices.
+dontaudit local_login_t device_t:lnk_file { getattr setattr };
+dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
+dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
+dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
# FIXME: what is this for?
optional_policy(`xdm.te', `
allow xdm_t local_login_t:process signull;
-')
-ifdef(`crack.te', `
- allow local_login_t crack_db_t:file r_file_perms;
')
ifdef(`targeted_policy',`
@@ -187,15 +192,6 @@ ifdef(`targeted_policy',`
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
')
-# Do not audit denied attempts to access devices.
-dontaudit local_login_t device_t:lnk_file { getattr setattr };
-dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
-dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
-dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
-
-# Do not audit denied attempts to access /mnt.
-dontaudit local_login_t mnt_t:dir r_dir_perms;
-
optional_policy(`gpm.te',`
allow local_login_t gpmctl_t:sock_file { getattr setattr };
')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 134e411..f9b3922 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -247,6 +247,10 @@ ifdef(`klogd.te', `', `
kernel_change_ring_buffer_level(syslogd_t)
')
+ifdef(`direct_sysadm_daemon',`
+ userdom_dontaudit_use_sysadm_terms(syslogd_t)
+')
+
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(syslogd_t)
term_dontaudit_use_generic_pty(syslogd_t)
@@ -275,9 +279,6 @@ dontaudit syslogd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
rhgb_domain(syslogd_t)
')
-tunable_policy(`direct_sysadm_daemon',`
- dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
-')
ifdef(`distro_suse', `
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
@@ -287,15 +288,6 @@ ifdef(`distro_suse', `
# log to the xconsole
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
-ifdef(`crond.te', `
- # for daemon re-start
- allow system_crond_t syslogd_t:lnk_file read;
-')
-
-ifdef(`logrotate.te', `
- allow logrotate_t syslogd_exec_t:file r_file_perms;
-')
-
#
# Special case to handle crashes
#
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 78d6f0f..28e47aa 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -141,6 +141,7 @@ miscfiles_read_localization(lvm_t)
seutil_read_config(lvm_t)
seutil_read_file_contexts(lvm_t)
+seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
ifdef(`distro_redhat',`
@@ -164,8 +165,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-allow lvm_t default_context_t:dir search;
-
dontaudit lvm_t var_run_t:dir getattr;
optional_policy(`gnome-pty-helper.te', `
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 02f2833..7ac91ac 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -67,6 +67,7 @@ dev_read_urand(insmod_t)
dev_rw_agp_dev(insmod_t)
dev_read_snd_dev(insmod_t)
dev_write_snd_dev(insmod_t)
+dev_rw_apm_bios(insmod_t)
fs_getattr_xattr_fs(insmod_t)
@@ -105,8 +106,6 @@ optional_policy(`mount.te',`
ifdef(`TODO',`
-allow insmod_t apm_bios_t:chr_file { read write };
-
ifdef(`xserver.te', `
allow insmod_t xserver_log_t:file getattr;
')
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index ee701ab..2b31bed 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -77,7 +77,7 @@ miscfiles_read_localization(mount_t)
userdom_use_all_user_fd(mount_t)
ifdef(`distro_redhat',`
- fs_use_tmpfs_character_devices(mount_t)
+ fs_use_tmpfs_chr_dev(mount_t)
allow mount_t tmpfs_t:dir mounton;
optional_policy(`authlogin.te',`
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index b1e394c..3c7b4ef 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -474,6 +474,25 @@ interface(`seutil_read_config',`
')
########################################
+##
+## Search the policy directory with default_context files.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`seutil_search_default_contexts',`
+ gen_require(`
+ type selinux_config_t, default_context_t;
+ class dir search;
+ ')
+
+ files_search_etc($1)
+ allow $1 { selinux_config_t default_context_t }:dir search;
+')
+
+
+########################################
#
# seutil_read_default_contexts(domain)
#
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 75db193..bc04250 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -212,11 +212,14 @@ term_relabel_all_user_ptys(newrole_t)
auth_domtrans_chk_passwd(newrole_t)
domain_use_wide_inherit_fd(newrole_t)
+# for when the user types "exec newrole" at the command line:
+domain_sigchld_wide_inherit_fd(newrole_t)
# Write to utmp.
init_rw_script_pid(newrole_t)
files_read_etc_files(newrole_t)
+files_read_var_files(newrole_t)
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
@@ -240,13 +243,6 @@ optional_policy(`nis.te',`
')
ifdef(`TODO',`
-# for when the user types "exec newrole" at the command line
-allow newrole_t privfd:process sigchld;
-
-# Read /var.
-allow newrole_t var_t:dir r_dir_perms;
-allow newrole_t var_t:notdevfile_class_set r_file_perms;
-
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
# for some PAM modules and for cwd
@@ -303,10 +299,10 @@ files_list_all_dirs(restorecon_t)
auth_relabelto_shadow(restorecon_t)
ifdef(`distro_redhat', `
- fs_use_tmpfs_character_devices(restorecon_t)
- fs_use_tmpfs_block_devices(restorecon_t)
- fs_relabel_tmpfs_block_devices(restorecon_t)
- fs_relabel_tmpfs_character_devices(restorecon_t)
+ fs_use_tmpfs_chr_dev(restorecon_t)
+ fs_use_tmpfs_blk_dev(restorecon_t)
+ fs_relabel_tmpfs_blk_dev(restorecon_t)
+ fs_relabel_tmpfs_chr_dev(restorecon_t)
')
optional_policy(`hotplug.te',`
@@ -323,6 +319,10 @@ allow restorecon_t fs_type:dir r_dir_perms;
allow restorecon_t device_t:file { read write };
allow restorecon_t kernel_t:fifo_file { read write };
+
+tunable_policy(`hide_broken_symptoms',`
+dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
+')
') dnl endif TODO
#################################
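Review bot: The added `dontaudit restorecon_t udev_t:unix_dgram_socket { read write };` names udev_t directly from selinuxutil.te, with no gen_require or optional_policy around it, so once the enclosing TODO ifdef block is enabled this module depends on a type it does not declare. The same pattern appears in the sysnetwork.te hunk that adds `dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };`, and `allow dhcpc_t hotplug_etc_t:dir { getattr search };` in sysnetwork.te is guarded by optional_policy but still names hotplug's type directly. I would put each rule behind an interface exported by the owning module (for the udev case a dontaudit interface in udev.if, name to be chosen) and call it inside an optional_policy on udev.te. Because a dontaudit rule removes the denial from the audit log, a comment along the lines of `# socket inherited from udev; access stays denied, only the AVC record is suppressed` would help. That cause is inferred from the tunable name, so confirm it before settling the wording.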
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 05ae1f2..373dcc2 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -25,6 +25,162 @@ interface(`sysnet_domtrans_dhcpc',`
allow dhcpc_t $1:process sigchld;
')
+########################################
+##
+## Send a SIGCHLD signal to the dhcp client.
+##
+##
+## The domain sending the SIGCHLD.
+##
+#
+interface(`sysnet_sigchld_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ class process sigchld;
+ ')
+
+ allow $1 dhcpc_t:process sigchld;
+')
+
+########################################
+##
+## Send a kill signal to the dhcp client.
+##
+##
+## The domain sending the SIGKILL.
+##
+#
+interface(`sysnet_kill_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ class process sigkill;
+ ')
+
+ allow $1 dhcpc_t:process sigkill;
+')
+
+########################################
+##
+## Send a SIGSTOP signal to the dhcp client.
+##
+##
+## The domain sending the SIGSTOP.
+##
+#
+interface(`sysnet_sigstop_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ class process sigstop;
+ ')
+
+ allow $1 dhcpc_t:process sigstop;
+')
+
+########################################
+##
+## Send a null signal to the dhcp client.
+##
+##
+## The domain sending the null signal.
+##
+#
+interface(`sysnet_signull_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ class process signull;
+ ')
+
+ allow $1 dhcpc_t:process signull;
+')
+
+########################################
+##
+## Send a generic signal to the dhcp client.
+##
+##
+## The domain sending the signal.
+##
+#
+interface(`sysnet_signal_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ class process signal;
+ ')
+
+ allow $1 dhcpc_t:process signal;
+')
+
+########################################
+##
+## Read and write dhcp configuration files.
+##
+##
+## The domain allowed access.
+##
+#
+interface(`sysnet_rw_dhcp_config',`
+ gen_require(`
+ type dhcp_etc_t;
+ class file { getattr read };
+ ')
+
+ files_search_etc($1)
+ allow $1 dhcp_etc_t:file { getattr read };
+')
+
+########################################
+##
+## Read dhcp client state files.
+##
+##
+## The domain allowed access.
+##
+#
+interface(`sysnet_read_dhcpc_state',`
+ gen_require(`
+ type dhcpc_state_t;
+ class file { getattr read };
+ ')
+
+ allow $1 dhcpc_state_t:file { getattr read };
+')
+
+#######################################
+##
+## Allow network init to read network config files.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`sysnet_read_config',`
+ gen_require(`
+ type net_conf_t;
+ class file r_file_perms;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file r_file_perms;
+')
+
+#######################################
+##
+## Read the dhcp client pid file.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`sysnet_read_dhcpc_pid',`
+ gen_require(`
+ type dhcpc_var_run_t;
+ class file { getattr read };
+ ')
+
+ files_list_pids($1)
+ allow $1 dhcpc_var_run_t:file { getattr read };
+')
+
#######################################
##
## Execute ifconfig in the ifconfig domain.
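Review bot: `sysnet_rw_dhcp_config` is documented as "Read and write dhcp configuration files", but its body grants only `{ getattr read }` on dhcp_etc_t, so callers get read-only access under a name that promises more. The rules this commit removes from sysnetwork.te gave hotplug_t and initrc_t `rw_file_perms` on dhcp_etc_t, so if their callers (not visible in this hunk) switch to this interface they presumably lose write access. Either make the body match the name with `class file rw_file_perms;` and `allow $1 dhcp_etc_t:file rw_file_perms;`, or rename it to a read interface and correct the summary. Name and granted permissions should agree because callers are audited by interface name.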
@@ -77,22 +233,3 @@ interface(`sysnet_run_ifconfig',`
role $2 types ifconfig_t;
allow ifconfig_t $3:chr_file rw_term_perms;
')
-
-#######################################
-##
-## Allow network init to read network config files.
-##
-##
-## The type of the process performing this action.
-##
-#
-interface(`sysnet_read_config',`
- gen_require(`
- type net_conf_t;
- class file r_file_perms;
- ')
-
- files_search_etc($1)
- allow $1 net_conf_t:file r_file_perms;
-')
-
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 2d4057a..2ed834f 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -194,38 +194,26 @@ domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
allow cardmgr_t dhcpc_t:process signal_perms;
')
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
-allow hotplug_t dhcpc_t:process signal_perms;
-allow hotplug_t dhcpc_var_run_t:file { getattr read };
-allow hotplug_t dhcp_etc_t:file rw_file_perms;
-allow dhcpc_t hotplug_etc_t:dir { getattr search };
-ifdef(`distro_redhat', `
-logging_syslogd_transition(dhcpc_t)
+
+optional_policy(`hotplug.te', `
+ allow dhcpc_t hotplug_etc_t:dir { getattr search };
+
+ ifdef(`distro_redhat', `
+ logging_syslogd_transition(dhcpc_t)
+ ')
')
-')dnl end hotplug.te
# for the dhcp client to run ping to check IP addresses
optional_policy(`netutils.te',`
netutils_domtrans_ping(dhcpc_t)
- optional_policy(`hotplug.te',`
- allow ping_t hotplug_t:fd use;
- ')
-
ifdef(`cardmgr.te',`
allow ping_t cardmgr_t:fd use;
')
')
-ifdef(`distro_redhat', `
-allow initrc_t dhcp_etc_t:file rw_file_perms;
-')
-
allow dhcpc_t var_lib_t:dir search;
-
allow dhcpc_t home_root_t:dir search;
-allow initrc_t dhcpc_state_t:file { getattr read };
dontaudit dhcpc_t var_lock_t:dir search;
dontaudit dhcpc_t selinux_config_t:dir search;
dontaudit dhcpc_t domain:dir getattr;
@@ -265,6 +253,8 @@ kernel_read_network_state(ifconfig_t)
kernel_dontaudit_search_sysctl_dir(ifconfig_t)
kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
+corenet_use_tun_tap_device(ifconfig_t)
+
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -298,10 +288,12 @@ ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-allow ifconfig_t tun_tap_device_t:chr_file { read write };
-
optional_policy(`rhgb.te', `
rhgb_domain(ifconfig_t)
')
+tunable_policy(`hide_broken_symptoms',`
+dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
+')
+
') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 1e28308..046d9f9 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -94,6 +94,8 @@ files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
files_exec_etc_files(udev_t)
files_dontaudit_search_isid_type_dir(udev_t)
+files_getattr_generic_locks(udev_t)
+files_search_mnt(udev_t)
init_use_fd(udev_t)
init_read_script_pid(udev_t)
@@ -117,8 +119,12 @@ seutil_domtrans_restorecon(udev_t)
sysnet_domtrans_ifconfig(udev_t)
ifdef(`distro_redhat',`
- fs_manage_tmpfs_block_devices(udev_t)
- fs_manage_tmpfs_character_devices(udev_t)
+ fs_manage_tmpfs_symlinks(udev_t)
+ fs_manage_tmpfs_sockets(udev_t)
+ fs_manage_tmpfs_blk_dev(udev_t)
+ fs_manage_tmpfs_chr_dev(udev_t)
+ fs_relabel_tmpfs_blk_dev(udev_t)
+ fs_relabel_tmpfs_chr_dev(udev_t)
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
@@ -142,12 +148,6 @@ optional_policy(`sysnetwork.te',`
')
ifdef(`TODO',`
-
-allow udev_t var_lock_t:dir search;
-allow udev_t var_lock_t:file getattr;
-
-allow udev_t mnt_t:dir search;
-
allow udev_t devpts_t:dir { getattr search };
allow udev_t sysadm_tty_device_t:chr_file { read write };
@@ -159,17 +159,6 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
dbusd_client(system, udev)
-ifdef(`distro_redhat',`
-allow udev_t tmpfs_t:sock_file create_file_perms;
-allow udev_t tmpfs_t:lnk_file create_lnk_perms;
-allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto };
-')
-
-tunable_policy(`hide_broken_symptoms',`
-dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
-dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
-')
-
optional_policy(`xdm.te',`
allow udev_t xdm_var_run_t:file { getattr read };
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index fd54566..95e6300 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -122,6 +122,8 @@ template(`base_user_template',`
kernel_get_sysvipc_info($1_t)
# Find CDROM devices:
kernel_read_device_sysctl($1_t)
+
+ dev_rw_power_management($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -172,6 +174,7 @@ template(`base_user_template',`
files_exec_etc_files($1_t)
files_read_usr_src_files($1_t)
+ files_search_generic_locks($1_t)
# Caused by su - init scripts
init_dontaudit_use_script_pty($1_t)
@@ -242,9 +245,6 @@ template(`base_user_template',`
#
dontaudit $1_t usr_t:file setattr;
- # Access the power device.
- allow $1_t power_device_t:chr_file rw_file_perms;
-
# Check to see if cdrom is mounted
allow $1_t mnt_t:dir { getattr search };
@@ -296,7 +296,9 @@ template(`base_user_template',`
create_dir_file($1_t, noexattrfile)
create_dir_file($1_t, removable_t)
# Write floppies
- allow $1_t removable_device_t:blk_file rw_file_perms;
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
+ # cjp: what does this have to do with removable devices?
allow $1_t usbtty_device_t:chr_file write;
',`
r_dir_file($1_t, noexattrfile)
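Review bot: The comment `# Write floppies` now heads two calls that grant raw read and raw write on removable devices to every domain built from base_user_template, which is wider than the comment suggests, and the new `# cjp:` line leaves an open question in the policy instead of resolving it. I would change the heading to something like `# Raw read and write access to removable storage devices`. The rule `allow $1_t usbtty_device_t:chr_file write;` should either move out from under that heading with a comment naming what needs it, or be dropped if nothing does. The conditional that encloses this branch starts outside the hunk, so which tunable gates the raw access cannot be seen here and is worth stating in the comment.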
@@ -312,12 +314,8 @@ template(`base_user_template',`
r_dir_file($1_t, tetex_data_t)
can_exec($1_t, tetex_data_t)
- # Run programs developed by other users in the same domain.
-
can_resmgrd_connect($1_t)
- allow $1_t var_lock_t:dir search;
-
# Grant permissions to access the system DBus
ifdef(`dbusd.te', `
dbusd_client(system, $1)
@@ -442,7 +440,7 @@ template(`unpriv_user_template', `
typeattribute $1_tmp_t user_tmpfile;
- #typeattribute $1_tty_device_t user_tty_type;
+ typeattribute $1_tty_device_t user_ttynode;
##############################
#
@@ -1105,3 +1103,20 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
dontaudit $1 unpriv_userdomain:fd use;
')
+########################################
+##
+## Do not audit attempts to use unprivileged
+## user ttys.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`userdom_dontaudit_use_unpriv_user_tty',`
+ gen_require(`
+ attribute user_ttynode;
+ class chr_file rw_file_perms;
+ ')
+
+ dontaudit $1 user_ttynode:chr_file rw_file_perms;
+')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 36f3763..116761e 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -23,6 +23,9 @@ attribute privhome;
# all unprivileged users tmp files
attribute user_tmpfile;
+# all unprivileged users ttys
+attribute user_ttynode;
+
# all user domains
attribute userdomain;