diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index 28dba7a..55003bc 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -52,7 +52,7 @@ libs_use_ld_so(consoletype_t) libs_use_shared_libs(consoletype_t) ifdef(`distro_redhat', ` - fs_use_tmpfs_character_devices(consoletype_t) + fs_use_tmpfs_chr_dev(consoletype_t) ') optional_policy(`authlogin.te', ` @@ -67,6 +67,11 @@ optional_policy(`nis.te',` nis_use_ypbind(consoletype_t) ') +optional_policy(`rpm.te',` + # Commonly used from postinst scripts + rpm_read_pipe(consoletype_t) +') + optional_policy(`userdomain.te',` userdom_use_unpriv_users_fd(consoletype_t) ') @@ -94,4 +99,5 @@ allow consoletype_t printconf_t:file r_file_perms; optional_policy(`firstboot.te', ` allow consoletype_t firstboot_t:fifo_file write; ') + ') dnl end TODO diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 11022f8..13cb547 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -158,6 +158,7 @@ rw_dir_create_file(logrotate_t, backup_store_t) ') allow logrotate_t syslogd_t:unix_dgram_socket sendto; +allow logrotate_t syslogd_exec_t:file r_file_perms; dontaudit logrotate_t selinux_config_t:dir search; ') dnl end TODO diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 05b3046..9b858f6 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -129,6 +129,12 @@ optional_policy(`nis.te',` nis_use_ypbind(ping_t) ') +optional_policy(`sysnetwork.te',` + optional_policy(`hotplug.te',` + hotplug_use_fd(ping_t) + ') +') + ifdef(`TODO',` in_user_role(ping_t) tunable_policy(`user_ping',` diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index a6729a3..bbe16ed 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -1,9 +1,9 @@ ## Policy for the RPM package manager. ######################################## -## +## ## Execute rpm programs in the rpm domain. -## +## ## ## The type of the process performing this action. ## @@ -27,9 +27,9 @@ interface(`rpm_domtrans',` ') ######################################## -## +## ## Execute RPM programs in the RPM domain. -## +## ## ## The type of the process performing this action. ## @@ -53,9 +53,9 @@ interface(`rpm_run',` ') ######################################## -## +## ## Inherit and use file descriptors from RPM. -## +## ## ## The type of the process performing this action. ## @@ -70,9 +70,9 @@ interface(`rpm_use_fd',` ') ######################################## -## +## ## Read from a RPM pipe. -## +## ## ## The type of the process performing this action. ## @@ -87,9 +87,9 @@ interface(`rpm_read_pipe',` ') ######################################## -## -## Read RPM package database. -## +## +## Read the RPM package database. +## ## ## The type of the process performing this action. ## @@ -108,8 +108,12 @@ interface(`rpm_read_db',` ') ######################################## -# -# rpm_manage_db(domain) +## +## Create, read, write, and delete the RPM package database. +## +## +## The type of the process performing this action. +## # interface(`rpm_manage_db',` gen_require(` diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index b5fc841..4bfb49b 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -95,6 +95,7 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms; kernel_read_system_state(rpm_t) kernel_read_kernel_sysctl(rpm_t) + selinux_get_fs_mount(rpm_t) selinux_validate_context(rpm_t) selinux_compute_access_vector(rpm_t) @@ -128,6 +129,8 @@ storage_raw_read_fixed_disk(rpm_t) term_list_ptys(rpm_t) +auth_relabel_all_files_except_shadow(rpm_t) +auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) corecmd_exec_bin(rpm_t) @@ -162,6 +165,10 @@ optional_policy(`cron.te',` cron_system_entry(rpm_t,rpm_exec_t) ') +optional_policy(`mount.te',` + mount_send_nfs_client_request(rpm_t) +') + optional_policy(`nis.te',` nis_use_ypbind(rpm_t) ') @@ -173,9 +180,6 @@ type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpf dontaudit rpm_t domain:process ptrace; # read/write/create any files in the system -allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto }; -allow rpm_t { file_type - shadow_t }:dir create_dir_perms; -allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms; dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; allow rpm_t ttyfile:chr_file unlink; @@ -194,23 +198,10 @@ optional_policy(`gnome-pty-helper.te', ` allow rpm_t sysadm_gph_t:fd use; ') -optional_policy(`mount.te', ` -allow rpm_t mount_t:udp_socket rw_socket_perms; -') - # for kernel package installation optional_policy(`mount.te', ` allow mount_t rpm_t:fifo_file rw_file_perms; ') - -# Commonly used from postinst scripts -optional_policy(`consoletype.te', ` -allow consoletype_t rpm_t:fifo_file r_file_perms; -') -optional_policy(`crond.te', ` -allow crond_t rpm_t:fifo_file r_file_perms; -') - ') dnl endif TODO ######################################## @@ -289,6 +280,7 @@ domain_signull_all_domains(rpm_script_t) files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) +files_exec_usr_files(rpm_script_t) init_domtrans_script(rpm_script_t) @@ -322,8 +314,6 @@ ifdef(`TODO',` allow rpm_script_t sysfs_t:dir r_dir_perms; -can_exec(rpm_script_t,usr_t) - optional_policy(`lpd.te', ` can_exec(rpm_script_t,printconf_t) ') diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if index ee03894..463a155 100644 --- a/refpolicy/policy/modules/admin/usermanage.if +++ b/refpolicy/policy/modules/admin/usermanage.if @@ -208,3 +208,19 @@ interface(`usermanage_run_useradd',` allow useradd_t $3:chr_file rw_term_perms; ') +######################################## +## +## Read the crack database. +## +## +## The type of the process performing this action. +## +# +interface(`usermanage_read_crack_db',` + gen_require(` + type crack_db_t; + class file r_file_perms; + ') + + allow $1 crack_db_t:file r_file_perms; +') diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 93cb52a..b54f634 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -93,6 +93,10 @@ fs_search_auto_mountpoints(chfn_t) # for SSP dev_read_urand(chfn_t) +# can exec /sbin/unix_chkpwd +corecmd_search_bin(chfn_t) +corecmd_search_sbin(chfn_t) + domain_use_wide_inherit_fd(chfn_t) files_manage_etc_files(chfn_t) @@ -120,10 +124,9 @@ optional_policy(`nis.te',` ') ifdef(`TODO',` -role sysadm_r types chfn_t; -in_user_role(chfn_t) - -domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t) +ifdef(`firstboot.te',` +domain_auto_trans(firstboot_t, chfn_exec_t, chfn_t) +') ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;') @@ -134,9 +137,6 @@ allow chfn_t shell_exec_t:file execute; # on user home dir dontaudit chfn_t { user_home_dir_type user_home_type }:dir search; -# can exec /sbin/unix_chkpwd -allow chfn_t { bin_t sbin_t }:dir search; - # uses unix_chkpwd for checking passwords dontaudit chfn_t selinux_config_t:dir search; ') dnl endif TODO diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index 2ceb904..b560223 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -79,6 +79,9 @@ template(`gpg_per_userdomain_template',` allow $1_gpg_t $1_gpg_secret_t:file create_file_perms; allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms; + allow $1_t $1_gpg_secret_t:file getattr; + allow $1_t $1_gpg_secret_t:dir rw_dir_perms; + corenet_tcp_sendrecv_all_if($1_gpg_t) corenet_raw_sendrecv_all_if($1_gpg_t) corenet_udp_sendrecv_all_if($1_gpg_t) @@ -95,8 +98,13 @@ template(`gpg_per_userdomain_template',` fs_getattr_xattr_fs($1_gpg_t) + domain_use_wide_inherit_fd($1_gpg_t) + files_read_etc_files($1_gpg_t) files_read_usr_files($1_gpg_t) + files_dontaudit_search_var($1_gpg_t) + # should not need read access... + files_list_home($1_gpg_t) libs_use_shared_libs($1_gpg_t) libs_use_ld_so($1_gpg_t) @@ -135,20 +143,12 @@ template(`gpg_per_userdomain_template',` ifdef(`TODO',` - allow $1_t $1_gpg_secret_t:file getattr; - access_terminal($1_gpg_t, $1) ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;') - # Inherit and use descriptors - allow $1_gpg_t { privfd $1_t }:fd use; - # allow ps to show gpg can_ps($1_t, $1_gpg_t) - # should not need read access... - allow $1_gpg_t home_root_t:dir { read search }; - # use $1_gpg_secret_t for files it creates # NB we are doing the type transition for directory creation only! # so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as @@ -164,9 +164,6 @@ template(`gpg_per_userdomain_template',` rw_dir_create_file($1_gpg_t, $1_file_type) - allow $1_t $1_gpg_secret_t:dir rw_dir_perms; - - dontaudit $1_gpg_t var_t:dir search; ') dnl end TODO ######################################## @@ -246,11 +243,26 @@ template(`gpg_per_userdomain_template',` allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; allow $1_gpg_agent_t self:fifo_file rw_file_perms; + # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) + allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms; + allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms; + allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms; + + # allow gpg to connect to the gpg agent + allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; + allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write; + allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto; + + # Allow the user shell to signal the gpg-agent program. + allow $1_t $1_gpg_agent_t:process { signal sigkill }; + allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms; allow $1_t $1_gpg_agent_tmp_t:file create_file_perms; allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms; files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) + corecmd_search_bin($1_gpg_agent_t) + # Transition from the user domain to the derived domain. domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) @@ -280,24 +292,15 @@ template(`gpg_per_userdomain_template',` # Write to the user domain tty. access_terminal($1_gpg_agent_t, $1) - # Allow the user shell to signal the gpg-agent program. - allow $1_t $1_gpg_agent_t:process { signal sigkill }; # allow ps to show gpg-agent can_ps($1_t, $1_gpg_agent_t) allow $1_gpg_agent_t proc_t:dir search; allow $1_gpg_agent_t proc_t:lnk_file read; - allow $1_gpg_agent_t device_t:dir r_file_perms; - # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; - create_dir_file($1_gpg_agent_t, $1_gpg_secret_t) - # gpg connect - allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; - allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write; - can_unix_connect($1_gpg_t, $1_gpg_agent_t) ') dnl endif TODO ############################## @@ -330,14 +333,20 @@ template(`gpg_per_userdomain_template',` miscfiles_read_fonts($1_gpg_pinentry_t) miscfiles_read_localization($1_gpg_pinentry_t) - ifdef(`TODO',` + tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files($1_gpg_pinentry_t) + ') - allow $1_gpg_agent_t bin_t:dir search; + tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files($1_gpg_pinentry_t) + ') + + ifdef(`TODO',` ifdef(`xdm.te', ` allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search; allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write }; - can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t) + allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto; allow $1_gpg_pinentry_t xdm_t:fd use; ') @@ -351,16 +360,12 @@ template(`gpg_per_userdomain_template',` dontaudit $1_gpg_pinentry_t $1_home_t:file write; tunable_policy(`use_nfs_home_dirs',` - allow $1_gpg_pinentry_t nfs_t:dir { getattr search }; - allow $1_gpg_pinentry_t nfs_t:file r_file_perms; - dontaudit $1_gpg_pinentry_t nfs_t:dir { read write }; + dontaudit $1_gpg_pinentry_t nfs_t:dir write; dontaudit $1_gpg_pinentry_t nfs_t:file write; ') tunable_policy(`use_samba_home_dirs',` - allow $1_gpg_pinentry_t cifs_t:dir { getattr search }; - allow $1_gpg_pinentry_t cifs_t:file r_file_perms; - dontaudit $1_gpg_pinentry_t cifs_t:dir { read write }; + dontaudit $1_gpg_pinentry_t cifs_t:dir write; dontaudit $1_gpg_pinentry_t cifs_t:file write; ') diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in index 7a76bfc..61174bc 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.in +++ b/refpolicy/policy/modules/kernel/corenetwork.if.in @@ -950,3 +950,21 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` dontaudit $1 reserved_port_type:udp_socket name_bind; ') + +######################################## +## +## Read and write the TUN/TAP virtual network device. +## +## +## The domain allowed access. +## +# +interface(`corenet_use_tun_tap_device',` + gen_require(` + type tun_tap_device_t; + class chr_file { read write }; + ') + + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file { read write }; +') diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 0cfeafd..eccb027 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -648,6 +648,25 @@ interface(`dev_manage_all_chr_files',` ######################################## ## +## Read and write the apm bios. +## +## +## Domain allowed access. +## +# +interface(`dev_rw_apm_bios',` + gen_require(` + type device_t, apm_bios_t; + class dir r_dir_perms; + class chr_file rw_file_perms; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 apm_bios_t:chr_file rw_file_perms; +') + +######################################## +## ## Read raw memory devices (e.g. /dev/mem). ## ## @@ -1671,7 +1690,7 @@ interface(`dev_getattr_sysfs_dir',` ######################################## ## -## Search the directory containing hardware information. +## Search sysfs. ## ## ## The type of the process performing this action. @@ -1688,6 +1707,23 @@ interface(`dev_search_sysfs',` ######################################## ## +## Do not audit attempts to search sysfs. +## +## +## The type of the process performing this action. +## +# +interface(`dev_dontaudit_search_sysfs',` + gen_require(` + type sysfs_t; + class dir search; + ') + + dontaudit $1 sysfs_t:dir search; +') + +######################################## +## ## Allow caller to read hardware state information. ## ## diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 373bc0d..f744595 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -1380,7 +1380,7 @@ interface(`fs_create_tmpfs_data',` ## The type of the process performing this action. ## # -interface(`fs_use_tmpfs_character_devices',` +interface(`fs_use_tmpfs_chr_dev',` gen_require(` type tmpfs_t; class dir r_dir_perms; @@ -1399,7 +1399,7 @@ interface(`fs_use_tmpfs_character_devices',` ## The type of the process performing this action. ## # -interface(`fs_relabel_tmpfs_character_devices',` +interface(`fs_relabel_tmpfs_chr_dev',` gen_require(` type tmpfs_t; class dir r_dir_perms; @@ -1418,7 +1418,7 @@ interface(`fs_relabel_tmpfs_character_devices',` ## The type of the process performing this action. ## # -interface(`fs_use_tmpfs_block_devices',` +interface(`fs_use_tmpfs_blk_dev',` gen_require(` type tmpfs_t; class dir r_dir_perms; @@ -1437,7 +1437,7 @@ interface(`fs_use_tmpfs_block_devices',` ## The type of the process performing this action. ## # -interface(`fs_relabel_tmpfs_block_devices',` +interface(`fs_relabel_tmpfs_blk_dev',` gen_require(` type tmpfs_t; class dir r_dir_perms; @@ -1450,6 +1450,46 @@ interface(`fs_relabel_tmpfs_block_devices',` ######################################## ## +## Read and write, create and delete symbolic +## links on tmpfs filesystems. +## +## +## The type of the process performing this action. +## +# +interface(`fs_manage_tmpfs_symlinks',` + gen_require(` + type tmpfs_t; + class dir rw_dir_perms; + class chr_file create_lnk_perms; + ') + + allow $1 tmpfs_t:dir rw_dir_perms; + allow $1 tmpfs_t:chr_file create_lnk_perms; +') + +######################################## +## +## Read and write, create and delete socket +## files on tmpfs filesystems. +## +## +## The type of the process performing this action. +## +# +interface(`fs_manage_tmpfs_sockets',` + gen_require(` + type tmpfs_t; + class dir rw_dir_perms; + class sock_file create_file_perms; + ') + + allow $1 tmpfs_t:dir rw_dir_perms; + allow $1 tmpfs_t:sock_file create_file_perms; +') + +######################################## +## ## Read and write, create and delete character ## nodes on tmpfs filesystems. ## @@ -1457,7 +1497,7 @@ interface(`fs_relabel_tmpfs_block_devices',` ## The type of the process performing this action. ## # -interface(`fs_manage_tmpfs_character_devices',` +interface(`fs_manage_tmpfs_chr_dev',` gen_require(` type tmpfs_t; class dir rw_dir_perms; @@ -1477,7 +1517,7 @@ interface(`fs_manage_tmpfs_character_devices',` ## The type of the process performing this action. ## # -interface(`fs_manage_tmpfs_block_devices',` +interface(`fs_manage_tmpfs_blk_dev',` gen_require(` type tmpfs_t; class dir rw_dir_perms; diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index bf07c9e..d128f10 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -132,6 +132,11 @@ optional_policy(`nis.te',` nis_use_ypbind(crond_t) ') +optional_policy(`crond.te',` + # Commonly used from postinst scripts + rpm_read_pipe(crond_t) +') + optional_policy(`udev.te', ` udev_read_db(crond_t) ') @@ -355,4 +360,7 @@ allow mta_user_agent system_crond_t:fd use; r_dir_file(system_mail_t, crond_tmp_t) ') +# for daemon re-start +allow system_crond_t syslogd_t:lnk_file read; + ') dnl end TODO diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index b13fd9c..2ecc405 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -257,6 +257,8 @@ miscfiles_read_localization(system_chkpwd_t) seutil_read_config(system_chkpwd_t) +userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t) + tunable_policy(`use_dns',` allow system_chkpwd_t self:udp_socket create_socket_perms; corenet_udp_sendrecv_all_if(system_chkpwd_t) @@ -275,8 +277,6 @@ optional_policy(`nis.te',` ifdef(`TODO',` can_kerberos(system_chkpwd_t) can_ldap(system_chkpwd_t) - -dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms; ') dnl end TODO ######################################## @@ -309,10 +309,9 @@ logging_search_logs(utempter_t) # Allow utemper to write to /tmp/.xses-* userdom_write_unpriv_user_tmp(utempter_t) -ifdef(`TODO',` -ifdef(`xdm.te', ` -allow utempter_t xdm_t:fd use; -allow utempter_t xdm_t:fifo_file { write getattr }; +optional_policy(`xserver.te', ` + #allow utempter_t xdm_t:fd use; + xserver_use_xdm_fd(utempter_t) + #allow utempter_t xdm_t:fifo_file { write getattr }; + xserver_write_xdm_fifo(utempter_t) ') - -') dnl endif TODO diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 2675b4a..663d934 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -168,6 +168,25 @@ interface(`domain_dontaudit_use_wide_inherit_fd',` ') ######################################## +## +## Send a SIGCHLD signal to domains whose file +## discriptors are widely inheritable. +## +## +## Domain allowed access. +## +# +# cjp: this was added because of newrole +interface(`domain_sigchld_wide_inherit_fd',` + gen_require(` + attribute privfd; + class process signal; + ') + + dontaudit $1 privfd:fd use; +') + +######################################## # # domain_setpriority_all_domains(domain) # diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 1e285b3..264d7ee 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -815,6 +815,23 @@ interface(`files_list_mnt',` ') ######################################## +## +## Search the tmp directory (/tmp) +## +## +## The type of the process performing this action. +## +# +interface(`files_search_tmp',` + gen_require(` + type tmp_t; + class dir search; + ') + + allow $1 tmp_t:dir search; +') + +######################################## # # files_create_tmp_files(domain,private_type,[object class(es)]) # @@ -1002,15 +1019,31 @@ interface(`files_manage_urandom_seed',` ######################################## # +# files_search_generic_locks(domain) +# +interface(`files_search_generic_locks',` + gen_require(` + type var_t; + type var_lock_t; + class dir search; + ') + + allow $1 { var_t var_lock_t }:dir search; +') + +######################################## +# # files_getattr_generic_locks(domain) # interface(`files_getattr_generic_locks',` gen_require(` + type var_t; type var_lock_t; class dir r_dir_perms; class file getattr; ') + allow $1 var_t:dir search; allow $1 var_lock_t:dir r_dir_perms; allow $1 var_lock_t:file getattr; ') diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 68d95a5..994e546 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -56,7 +56,7 @@ miscfiles_read_localization(hostname_t) userdom_use_all_user_fd(hostname_t) ifdef(`distro_redhat', ` - fs_use_tmpfs_character_devices(hostname_t) + fs_use_tmpfs_chr_dev(hostname_t) ') ifdef(`targeted_policy', ` @@ -92,7 +92,7 @@ ifdef(`TODO',` ##daemon_base_domain(hostname, , nosysadm) ##must remembe to go back and take care of the nosysadm part -allow hostname_t proc_t:dir { read getattr lock search ioctl }; +allow hostname_t proc_t:dir r_dir_perms; allow hostname_t proc_t:lnk_file read; optional_policy(`rhgb.te', ` diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index a358722..a9d17f5 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -43,7 +43,6 @@ allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans }; allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink }; files_create_pid(hotplug_t,hotplug_var_run_t) - kernel_sigchld(hotplug_t) kernel_read_system_state(hotplug_t) kernel_read_kernel_sysctl(hotplug_t) @@ -116,7 +115,7 @@ ifdef(`distro_redhat', ` optional_policy(`netutils.te', ` # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(hotplug_t) - fs_use_tmpfs_character_devices(hotplug_t) + fs_use_tmpfs_chr_dev(hotplug_t) ') files_getattr_generic_locks(hotplug_t) ') @@ -156,6 +155,14 @@ optional_policy(`selinux.te',` ') optional_policy(`sysnetwork.te',` + sysnet_domtrans_dhcpc(hotplug_t) + sysnet_signal_dhcpc(hotplug_t) + sysnet_kill_dhcpc(hotplug_t) + sysnet_signull_dhcpc(hotplug_t) + sysnet_sigstop_dhcpc(hotplug_t) + sysnet_sigchld_dhcpc(hotplug_t) + sysnet_read_dhcpc_pid(hotplug_t) + sysnet_rw_dhcp_config(hotplug_t) sysnet_domtrans_ifconfig(hotplug_t) ') @@ -188,8 +195,7 @@ optional_policy(`hald.te', ` # this block goes to hald: optional_policy(`hotplug.te',` - allow hald_t hotplug_etc_t:dir search; - allow hald_t hotplug_etc_t:file { getattr read }; + hotplug_read_config(hald_t) ') optional_policy(`lpd.te', ` diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 114b50d..ad80edb 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -130,7 +130,7 @@ seutil_read_config(init_t) miscfiles_read_localization(init_t) ifdef(`distro_redhat',` - fs_use_tmpfs_character_devices(init_t) + fs_use_tmpfs_chr_dev(init_t) fs_create_tmpfs_data(init_t,initctl_t,fifo_file) ') @@ -326,7 +326,7 @@ ifdef(`distro_redhat',` storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) - fs_use_tmpfs_character_devices(initrc_t) + fs_use_tmpfs_chr_dev(initrc_t) files_create_boot_flag(initrc_t) @@ -383,6 +383,14 @@ optional_policy(`ssh.te',` ') ') +optional_policy(`sysnetwork.te',` + ifdef(`distro_redhat',` + sysnet_rw_dhcp_config(initrc_t) + ') + + sysnet_read_dhcpc_state(initrc_t) +') + ifdef(`TODO',` # Mount and unmount file systems. diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 9243b74..43ce4d0 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -66,6 +66,7 @@ domain_use_wide_inherit_fd(ldconfig_t) files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) +files_search_tmp(ldconfig_t) # for when /etc/ld.so.cache is mislabeled: files_delete_etc_files(ldconfig_t) @@ -77,8 +78,6 @@ userdom_use_all_user_fd(ldconfig_t) ifdef(`TODO',` -allow ldconfig_t tmp_t:dir search; - ifdef(`apache.te', ` # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway dontaudit ldconfig_t httpd_modules_t:dir search; diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index c8779a8..b125b21 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -68,6 +68,7 @@ dev_dontaudit_getattr_misc(local_login_t) dev_dontaudit_setattr_misc(local_login_t) dev_dontaudit_getattr_scanner(local_login_t) dev_dontaudit_setattr_scanner(local_login_t) +dev_dontaudit_search_sysfs(local_login_t) # for SSP/ProPolice dev_read_urand(local_login_t) @@ -106,6 +107,7 @@ files_read_etc_files(local_login_t) files_read_etc_runtime_files(local_login_t) files_read_usr_files(local_login_t) files_manage_generic_locks(var_lock_t) +files_list_mnt(local_login_t) init_rw_script_pid(local_login_t) init_dontaudit_use_fd(local_login_t) @@ -149,6 +151,10 @@ optional_policy(`nis.te',` nis_use_ypbind(local_login_t) ') +optional_policy(`usermanage.te',` + usermanage_read_crack_db(local_login_t) +') + ifdef(`TODO',` allow local_login_t bin_t:dir r_dir_perms; @@ -169,17 +175,16 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms; # for when /var/mail is a sym-link allow local_login_t var_t:lnk_file read; -dontaudit local_login_t sysfs_t:dir search; - -allow local_login_t mnt_t:dir r_dir_perms; +# Do not audit denied attempts to access devices. +dontaudit local_login_t device_t:lnk_file { getattr setattr }; +dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read }; +dontaudit local_login_t apm_bios_t:chr_file { getattr setattr }; +dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read }; # FIXME: what is this for? optional_policy(`xdm.te', ` allow xdm_t local_login_t:process signull; -') -ifdef(`crack.te', ` - allow local_login_t crack_db_t:file r_file_perms; ') ifdef(`targeted_policy',` @@ -187,15 +192,6 @@ ifdef(`targeted_policy',` domain_auto_trans(local_login_t, shell_exec_t, unconfined_t) ') -# Do not audit denied attempts to access devices. -dontaudit local_login_t device_t:lnk_file { getattr setattr }; -dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read }; -dontaudit local_login_t apm_bios_t:chr_file { getattr setattr }; -dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read }; - -# Do not audit denied attempts to access /mnt. -dontaudit local_login_t mnt_t:dir r_dir_perms; - optional_policy(`gpm.te',` allow local_login_t gpmctl_t:sock_file { getattr setattr }; ') diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 134e411..f9b3922 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -247,6 +247,10 @@ ifdef(`klogd.te', `', ` kernel_change_ring_buffer_level(syslogd_t) ') +ifdef(`direct_sysadm_daemon',` + userdom_dontaudit_use_sysadm_terms(syslogd_t) +') + ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(syslogd_t) term_dontaudit_use_generic_pty(syslogd_t) @@ -275,9 +279,6 @@ dontaudit syslogd_t sysadm_home_dir_t:dir search; optional_policy(`rhgb.te', ` rhgb_domain(syslogd_t) ') -tunable_policy(`direct_sysadm_daemon',` - dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms; -') ifdef(`distro_suse', ` # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel @@ -287,15 +288,6 @@ ifdef(`distro_suse', ` # log to the xconsole allow syslogd_t xconsole_device_t:fifo_file { ioctl read write }; -ifdef(`crond.te', ` - # for daemon re-start - allow system_crond_t syslogd_t:lnk_file read; -') - -ifdef(`logrotate.te', ` - allow logrotate_t syslogd_exec_t:file r_file_perms; -') - # # Special case to handle crashes # diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 78d6f0f..28e47aa 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -141,6 +141,7 @@ miscfiles_read_localization(lvm_t) seutil_read_config(lvm_t) seutil_read_file_contexts(lvm_t) +seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) ifdef(`distro_redhat',` @@ -164,8 +165,6 @@ optional_policy(`udev.te', ` ') ifdef(`TODO',` -allow lvm_t default_context_t:dir search; - dontaudit lvm_t var_run_t:dir getattr; optional_policy(`gnome-pty-helper.te', ` diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 02f2833..7ac91ac 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -67,6 +67,7 @@ dev_read_urand(insmod_t) dev_rw_agp_dev(insmod_t) dev_read_snd_dev(insmod_t) dev_write_snd_dev(insmod_t) +dev_rw_apm_bios(insmod_t) fs_getattr_xattr_fs(insmod_t) @@ -105,8 +106,6 @@ optional_policy(`mount.te',` ifdef(`TODO',` -allow insmod_t apm_bios_t:chr_file { read write }; - ifdef(`xserver.te', ` allow insmod_t xserver_log_t:file getattr; ') diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index ee701ab..2b31bed 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -77,7 +77,7 @@ miscfiles_read_localization(mount_t) userdom_use_all_user_fd(mount_t) ifdef(`distro_redhat',` - fs_use_tmpfs_character_devices(mount_t) + fs_use_tmpfs_chr_dev(mount_t) allow mount_t tmpfs_t:dir mounton; optional_policy(`authlogin.te',` diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index b1e394c..3c7b4ef 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -474,6 +474,25 @@ interface(`seutil_read_config',` ') ######################################## +## +## Search the policy directory with default_context files. +## +## +## The type of the process performing this action. +## +# +interface(`seutil_search_default_contexts',` + gen_require(` + type selinux_config_t, default_context_t; + class dir search; + ') + + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search; +') + + +######################################## # # seutil_read_default_contexts(domain) # diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 75db193..bc04250 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -212,11 +212,14 @@ term_relabel_all_user_ptys(newrole_t) auth_domtrans_chk_passwd(newrole_t) domain_use_wide_inherit_fd(newrole_t) +# for when the user types "exec newrole" at the command line: +domain_sigchld_wide_inherit_fd(newrole_t) # Write to utmp. init_rw_script_pid(newrole_t) files_read_etc_files(newrole_t) +files_read_var_files(newrole_t) libs_use_ld_so(newrole_t) libs_use_shared_libs(newrole_t) @@ -240,13 +243,6 @@ optional_policy(`nis.te',` ') ifdef(`TODO',` -# for when the user types "exec newrole" at the command line -allow newrole_t privfd:process sigchld; - -# Read /var. -allow newrole_t var_t:dir r_dir_perms; -allow newrole_t var_t:notdevfile_class_set r_file_perms; - ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') # for some PAM modules and for cwd @@ -303,10 +299,10 @@ files_list_all_dirs(restorecon_t) auth_relabelto_shadow(restorecon_t) ifdef(`distro_redhat', ` - fs_use_tmpfs_character_devices(restorecon_t) - fs_use_tmpfs_block_devices(restorecon_t) - fs_relabel_tmpfs_block_devices(restorecon_t) - fs_relabel_tmpfs_character_devices(restorecon_t) + fs_use_tmpfs_chr_dev(restorecon_t) + fs_use_tmpfs_blk_dev(restorecon_t) + fs_relabel_tmpfs_blk_dev(restorecon_t) + fs_relabel_tmpfs_chr_dev(restorecon_t) ') optional_policy(`hotplug.te',` @@ -323,6 +319,10 @@ allow restorecon_t fs_type:dir r_dir_perms; allow restorecon_t device_t:file { read write }; allow restorecon_t kernel_t:fifo_file { read write }; + +tunable_policy(`hide_broken_symptoms',` +dontaudit restorecon_t udev_t:unix_dgram_socket { read write }; +') ') dnl endif TODO ################################# diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index 05ae1f2..373dcc2 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -25,6 +25,162 @@ interface(`sysnet_domtrans_dhcpc',` allow dhcpc_t $1:process sigchld; ') +######################################## +## +## Send a SIGCHLD signal to the dhcp client. +## +## +## The domain sending the SIGCHLD. +## +# +interface(`sysnet_sigchld_dhcpc',` + gen_require(` + type dhcpc_t; + class process sigchld; + ') + + allow $1 dhcpc_t:process sigchld; +') + +######################################## +## +## Send a kill signal to the dhcp client. +## +## +## The domain sending the SIGKILL. +## +# +interface(`sysnet_kill_dhcpc',` + gen_require(` + type dhcpc_t; + class process sigkill; + ') + + allow $1 dhcpc_t:process sigkill; +') + +######################################## +## +## Send a SIGSTOP signal to the dhcp client. +## +## +## The domain sending the SIGSTOP. +## +# +interface(`sysnet_sigstop_dhcpc',` + gen_require(` + type dhcpc_t; + class process sigstop; + ') + + allow $1 dhcpc_t:process sigstop; +') + +######################################## +## +## Send a null signal to the dhcp client. +## +## +## The domain sending the null signal. +## +# +interface(`sysnet_signull_dhcpc',` + gen_require(` + type dhcpc_t; + class process signull; + ') + + allow $1 dhcpc_t:process signull; +') + +######################################## +## +## Send a generic signal to the dhcp client. +## +## +## The domain sending the signal. +## +# +interface(`sysnet_signal_dhcpc',` + gen_require(` + type dhcpc_t; + class process signal; + ') + + allow $1 dhcpc_t:process signal; +') + +######################################## +## +## Read and write dhcp configuration files. +## +## +## The domain allowed access. +## +# +interface(`sysnet_rw_dhcp_config',` + gen_require(` + type dhcp_etc_t; + class file { getattr read }; + ') + + files_search_etc($1) + allow $1 dhcp_etc_t:file { getattr read }; +') + +######################################## +## +## Read dhcp client state files. +## +## +## The domain allowed access. +## +# +interface(`sysnet_read_dhcpc_state',` + gen_require(` + type dhcpc_state_t; + class file { getattr read }; + ') + + allow $1 dhcpc_state_t:file { getattr read }; +') + +####################################### +## +## Allow network init to read network config files. +## +## +## The type of the process performing this action. +## +# +interface(`sysnet_read_config',` + gen_require(` + type net_conf_t; + class file r_file_perms; + ') + + files_search_etc($1) + allow $1 net_conf_t:file r_file_perms; +') + +####################################### +## +## Read the dhcp client pid file. +## +## +## The type of the process performing this action. +## +# +interface(`sysnet_read_dhcpc_pid',` + gen_require(` + type dhcpc_var_run_t; + class file { getattr read }; + ') + + files_list_pids($1) + allow $1 dhcpc_var_run_t:file { getattr read }; +') + ####################################### ## ## Execute ifconfig in the ifconfig domain. @@ -77,22 +233,3 @@ interface(`sysnet_run_ifconfig',` role $2 types ifconfig_t; allow ifconfig_t $3:chr_file rw_term_perms; ') - -####################################### -## -## Allow network init to read network config files. -## -## -## The type of the process performing this action. -## -# -interface(`sysnet_read_config',` - gen_require(` - type net_conf_t; - class file r_file_perms; - ') - - files_search_etc($1) - allow $1 net_conf_t:file r_file_perms; -') - diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 2d4057a..2ed834f 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -194,38 +194,26 @@ domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) allow cardmgr_t dhcpc_var_run_t:file { getattr read }; allow cardmgr_t dhcpc_t:process signal_perms; ') -ifdef(`hotplug.te', ` -domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t) -allow hotplug_t dhcpc_t:process signal_perms; -allow hotplug_t dhcpc_var_run_t:file { getattr read }; -allow hotplug_t dhcp_etc_t:file rw_file_perms; -allow dhcpc_t hotplug_etc_t:dir { getattr search }; -ifdef(`distro_redhat', ` -logging_syslogd_transition(dhcpc_t) + +optional_policy(`hotplug.te', ` + allow dhcpc_t hotplug_etc_t:dir { getattr search }; + + ifdef(`distro_redhat', ` + logging_syslogd_transition(dhcpc_t) + ') ') -')dnl end hotplug.te # for the dhcp client to run ping to check IP addresses optional_policy(`netutils.te',` netutils_domtrans_ping(dhcpc_t) - optional_policy(`hotplug.te',` - allow ping_t hotplug_t:fd use; - ') - ifdef(`cardmgr.te',` allow ping_t cardmgr_t:fd use; ') ') -ifdef(`distro_redhat', ` -allow initrc_t dhcp_etc_t:file rw_file_perms; -') - allow dhcpc_t var_lib_t:dir search; - allow dhcpc_t home_root_t:dir search; -allow initrc_t dhcpc_state_t:file { getattr read }; dontaudit dhcpc_t var_lock_t:dir search; dontaudit dhcpc_t selinux_config_t:dir search; dontaudit dhcpc_t domain:dir getattr; @@ -265,6 +253,8 @@ kernel_read_network_state(ifconfig_t) kernel_dontaudit_search_sysctl_dir(ifconfig_t) kernel_dontaudit_search_network_sysctl_dir(ifconfig_t) +corenet_use_tun_tap_device(ifconfig_t) + fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -298,10 +288,12 @@ ifdef(`TODO',` ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;') -allow ifconfig_t tun_tap_device_t:chr_file { read write }; - optional_policy(`rhgb.te', ` rhgb_domain(ifconfig_t) ') +tunable_policy(`hide_broken_symptoms',` +dontaudit ifconfig_t udev_t:unix_dgram_socket { read write }; +') + ') dnl endif TODO diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 1e28308..046d9f9 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -94,6 +94,8 @@ files_read_etc_runtime_files(udev_t) files_read_etc_files(udev_t) files_exec_etc_files(udev_t) files_dontaudit_search_isid_type_dir(udev_t) +files_getattr_generic_locks(udev_t) +files_search_mnt(udev_t) init_use_fd(udev_t) init_read_script_pid(udev_t) @@ -117,8 +119,12 @@ seutil_domtrans_restorecon(udev_t) sysnet_domtrans_ifconfig(udev_t) ifdef(`distro_redhat',` - fs_manage_tmpfs_block_devices(udev_t) - fs_manage_tmpfs_character_devices(udev_t) + fs_manage_tmpfs_symlinks(udev_t) + fs_manage_tmpfs_sockets(udev_t) + fs_manage_tmpfs_blk_dev(udev_t) + fs_manage_tmpfs_chr_dev(udev_t) + fs_relabel_tmpfs_blk_dev(udev_t) + fs_relabel_tmpfs_chr_dev(udev_t) # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) @@ -142,12 +148,6 @@ optional_policy(`sysnetwork.te',` ') ifdef(`TODO',` - -allow udev_t var_lock_t:dir search; -allow udev_t var_lock_t:file getattr; - -allow udev_t mnt_t:dir search; - allow udev_t devpts_t:dir { getattr search }; allow udev_t sysadm_tty_device_t:chr_file { read write }; @@ -159,17 +159,6 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write }; dbusd_client(system, udev) -ifdef(`distro_redhat',` -allow udev_t tmpfs_t:sock_file create_file_perms; -allow udev_t tmpfs_t:lnk_file create_lnk_perms; -allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto }; -') - -tunable_policy(`hide_broken_symptoms',` -dontaudit restorecon_t udev_t:unix_dgram_socket { read write }; -dontaudit ifconfig_t udev_t:unix_dgram_socket { read write }; -') - optional_policy(`xdm.te',` allow udev_t xdm_var_run_t:file { getattr read }; ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index fd54566..95e6300 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -122,6 +122,8 @@ template(`base_user_template',` kernel_get_sysvipc_info($1_t) # Find CDROM devices: kernel_read_device_sysctl($1_t) + + dev_rw_power_management($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -172,6 +174,7 @@ template(`base_user_template',` files_exec_etc_files($1_t) files_read_usr_src_files($1_t) + files_search_generic_locks($1_t) # Caused by su - init scripts init_dontaudit_use_script_pty($1_t) @@ -242,9 +245,6 @@ template(`base_user_template',` # dontaudit $1_t usr_t:file setattr; - # Access the power device. - allow $1_t power_device_t:chr_file rw_file_perms; - # Check to see if cdrom is mounted allow $1_t mnt_t:dir { getattr search }; @@ -296,7 +296,9 @@ template(`base_user_template',` create_dir_file($1_t, noexattrfile) create_dir_file($1_t, removable_t) # Write floppies - allow $1_t removable_device_t:blk_file rw_file_perms; + storage_raw_read_removable_device($1_t) + storage_raw_write_removable_device($1_t) + # cjp: what does this have to do with removable devices? allow $1_t usbtty_device_t:chr_file write; ',` r_dir_file($1_t, noexattrfile) @@ -312,12 +314,8 @@ template(`base_user_template',` r_dir_file($1_t, tetex_data_t) can_exec($1_t, tetex_data_t) - # Run programs developed by other users in the same domain. - can_resmgrd_connect($1_t) - allow $1_t var_lock_t:dir search; - # Grant permissions to access the system DBus ifdef(`dbusd.te', ` dbusd_client(system, $1) @@ -442,7 +440,7 @@ template(`unpriv_user_template', ` typeattribute $1_tmp_t user_tmpfile; - #typeattribute $1_tty_device_t user_tty_type; + typeattribute $1_tty_device_t user_ttynode; ############################## # @@ -1105,3 +1103,20 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',` dontaudit $1 unpriv_userdomain:fd use; ') +######################################## +## +## Do not audit attempts to use unprivileged +## user ttys. +## +## +## The type of the process performing this action. +## +# +interface(`userdom_dontaudit_use_unpriv_user_tty',` + gen_require(` + attribute user_ttynode; + class chr_file rw_file_perms; + ') + + dontaudit $1 user_ttynode:chr_file rw_file_perms; +') diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 36f3763..116761e 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -23,6 +23,9 @@ attribute privhome; # all unprivileged users tmp files attribute user_tmpfile; +# all unprivileged users ttys +attribute user_ttynode; + # all user domains attribute userdomain;