diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 51fab1f..92a52f6 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -76,6 +76,20 @@ class dir { getattr read search };
########################################
#
+# devices_ignore_get_generic_pipe_attributes(domain)
+#
+define(`devices_ignore_get_generic_pipe_attributes',`
+requires_block_template(`$0'_depend)
+dontaudit $1 device_t:fifo_file getattr;
+')
+
+define(`devices_ignore_get_generic_pipe_attributes_depend',`
+type device_t;
+class fifo_file getattr;
+')
+
+########################################
+#
# devices_get_generic_block_device_attributes(domain)
#
define(`devices_get_generic_block_device_attributes',`
@@ -86,6 +100,7 @@ allow $1 device_t:blk_file getattr;
define(`devices_get_generic_block_device_attributes_depend',`
type device_t;
+class dir { getattr search read };
class blk_file getattr;
')
@@ -105,6 +120,24 @@ class blk_file getattr;
########################################
#
+# devices_add_generic_character_device(domain)
+#
+define(`devices_add_generic_character_device',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr search read write add_name };
+allow $1 device_t:chr_file create;
+allow $1 self:capability mknod;
+')
+
+define(`devices_add_generic_character_device_depend',`
+type device_t;
+class dir { getattr search read write add_name };
+class chr_file create;
+class capability mknod;
+')
+
+########################################
+#
# devices_get_generic_character_device_attributes(domain)
#
define(`devices_get_generic_character_device_attributes',`
@@ -115,6 +148,7 @@ allow $1 device_t:chr_file getattr;
define(`devices_get_generic_character_device_attributes_depend',`
type device_t;
+class dir { getattr search read };
class chr_file getattr;
')
@@ -420,7 +454,7 @@ class capability sys_rawio;
#
define(`devices_raw_write_memory',`
requires_block_template(`$0'_depend)
-typeattribute $1 memory_raw_write
+typeattribute $1 memory_raw_write;
allow $1 device_t:dir { getattr read search };
allow $1 memory_device_t:chr_file write;
allow $1 self:capability sys_rawio;
@@ -436,6 +470,36 @@ class capability sys_rawio;
########################################
#
+# devices_legacy_raw_read_memory(domain)
+#
+define(`devices_legacy_raw_read_memory',`
+requires_block_template(`$0'_depend)
+devices_raw_read_memory($1)
+allow $1 memory_device_t:chr_file execute;
+')
+
+define(`devices_legacy_raw_read_memory_depend',`
+type device_t, memory_device_t;
+class chr_file execute;
+')
+
+########################################
+#
+# devices_legacy_raw_write_memory(domain)
+#
+define(`devices_legacy_raw_write_memory',`
+requires_block_template(`$0'_depend)
+devices_raw_write_memory($1)
+allow $1 memory_device_t:chr_file execute;
+')
+
+define(`devices_legacy_raw_write_memory_depend',`
+type device_t, memory_device_t;
+class chr_file execute;
+')
+
+########################################
+#
# devices_get_random_data(domain)
#
define(`devices_get_random_data',`
@@ -532,6 +596,21 @@ class chr_file { getattr read write append ioctl };
########################################
#
+# devices_legacy_use_dev_zero(domain)
+#
+define(`devices_legacy_use_dev_zero',`
+requires_block_template(`$0'_depend)
+devices_use_dev_zero($1)
+allow $1 zero_device_t:chr_file execute;
+')
+
+define(`devices_legacy_use_dev_zero_depend',`
+type zero_device_t;
+class chr_file execute;
+')
+
+########################################
+#
# devices_read_realtime_clock(domain)
#
define(`devices_read_realtime_clock',`
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 6f566b9..cd67131 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -942,11 +942,13 @@ type_transition $1 tmpfs_t:file $2;
',`
type_transition $1 tmpfs_t:$3 $2;
')
+allow $2 tmpfs_t:filesystem associate;
')
define(`filesystem_create_private_tmpfs_data_depend',`
type tmpfs_t;
class dir { getattr search read write add_name };
+class filesystem associate;
')
########################################
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index b23cbd9..c2fb4bd 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -46,6 +46,8 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
# tmpfs_t is the type for tmpfs filesystems
#
type tmpfs_t, fs_type;
+files_make_file(tmpfs_t)
+
allow tmpfs_t self:filesystem associate;
allow tmpfs_t autofs_t:filesystem associate;
allow tmpfs_t cifs_t:filesystem associate;
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index dce01c9..55d391c 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -8,6 +8,7 @@ define(`kernel_make_userland_entrypoint',`
requires_block_template(`$0'_depend)
allow kernel_t $2:file { getattr read execute };
allow kernel_t $1:process transition;
+allow $1 kernel_t:fd use;
type_transition kernel_t $2:process $1;
dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
')
@@ -418,14 +419,14 @@ class file { getattr read };
define(`kernel_read_system_state',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir { getattr search read };
-allow $1 proc_t:{ lnk_file file } { getattr read };
+allow $1 proc_t:{ lnk_file file } { getattr read ioctl };
')
define(`kernel_read_system_state_depend',`
type proc_t;
class dir { search getattr read };
class lnk_file { getattr read };
-class file { getattr read };
+class file { getattr read ioctl };
')
########################################
@@ -944,30 +945,37 @@ kernel_read_rpc_sysctl_depend
# kernel_modify_all_sysctl(domain)
#
define(`kernel_modify_all_sysctl',`
+kernel_modify_device_sysctl($1)
+kernel_modify_virtual_memory_sysctl($1)
+kernel_modify_network_sysctl($1)
+kernel_modify_unix_sysctl($1)
+kernel_modify_hotplug_sysctl($1)
+kernel_modify_modprobe_sysctl($1)
+kernel_modify_kernel_sysctl($1)
+kernel_modify_filesystem_sysctl($1)
+kernel_modify_irq_sysctl($1)
+kernel_modify_rpc_sysctl($1)
+')
+
+########################################
+##
+##
+## Search the directory containing hardware information.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`kernel_search_hardware_state_dir',`
requires_block_template(`$0'_depend)
-kernel_modify_device_sysctl($1,optional)
-kernel_modify_virtual_memory_sysctl($1,optional)
-kernel_modify_network_sysctl($1,optional)
-kernel_modify_unix_sysctl($1,optional)
-kernel_modify_hotplug_sysctl($1,optional)
-kernel_modify_modprobe_sysctl($1,optional)
-kernel_modify_kernel_sysctl($1,optional)
-kernel_modify_filesystem_sysctl($1,optional)
-kernel_modify_irq_sysctl($1,optional)
-kernel_modify_rpc_sysctl($1,optional)
+allow $1 sysfs_t:dir search;
')
-define(`kernel_modify_all_sysctl_depend',`
-kernel_modify_device_sysctl_depend
-kernel_modify_virtual_memory_sysctl_depend
-kernel_modify_network_sysctl_depend
-kernel_modify_unix_sysctl_depend
-kernel_modify_hotplug_sysctl_depend
-kernel_modify_modprobe_sysctl_depend
-kernel_modify_kernel_sysctl_depend
-kernel_modify_filesystem_sysctl_depend
-kernel_modify_irq_sysctl_depend
-kernel_modify_rpc_sysctl_depend
+define(`kernel_search_hardware_state_dir_depend',`
+type sysfs_t;
+class dir search;
')
########################################
@@ -1145,6 +1153,27 @@ class blk_file { getattr relabelfrom };
')
########################################
+##
+##
+## Search the directory containing USB hardware information.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`kernel_search_usb_hardware_state_dir',`
+requires_block_template(`$0'_depend)
+allow $1 usbfs_t:dir search;
+')
+
+define(`kernel_search_usb_hardware_state_dir_depend',`
+type usbfs_t;
+class dir search;
+')
+
+########################################
#
# kernel_list_usb_hardware(domain)
#
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index cf440f1..099be19 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -98,7 +98,7 @@ class blk_file { getattr read ioctl };
')
########################################
-##
+##
##
## Allow the caller to directly write to a fixed disk.
## This is extremly dangerous as it can bypass the
@@ -125,6 +125,51 @@ class blk_file { getattr write ioctl };
')
########################################
+##
+##
+## Create block devices in /dev with the fixed disk type.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`storage_create_fixed_disk_dev_entry',`
+requires_block_template(`$0'_depend)
+devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
+')
+
+define(`storage_create_fixed_disk_dev_entry_depend',`
+type fixed_disk_device_t;
+')
+
+########################################
+##
+##
+## Manage fixed disk device nodes.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`storage_manage_fixed_disk',`
+requires_block_template(`$0'_depend)
+devices_list_device_nodes($1)
+allow $1 fixed_disk_device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
+')
+
+define(`storage_manage_fixed_disk_depend',`
+attribute fixed_disk_raw_read;
+attribute fixed_disk_raw_write;
+type fixed_disk_device_t;
+class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+########################################
##
##
## Allow the caller to directly read from a logical volume.
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 4033f2f..df26acd 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -57,6 +57,9 @@ type_change $1 tty_device_t:chr_file $2;
tunable_policy(`distro_debian',`
type_change $1 ttyfile:chr_file $2;
')
+tunable_policy(`distro_redhat',`
+tmpfs_associate($2)
+')
')
define(`terminal_make_physical_terminal_depend',`
@@ -93,12 +96,12 @@ define(`terminal_use_all_terminals',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 devpts_t:dir { getattr search read };
-allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { getattr read write ioctl };
+allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file { getattr read write ioctl };
')
define(`terminal_use_all_terminals_depend',`
attribute ttynode, ptynode;
-type console_device_t, devtty_t, devpts_t;
+type console_device_t, devpts_t, tty_device_t;
class dir { getattr search read };
class chr_file { getattr read write };
')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index b90c7d9..b1ca874 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -404,6 +404,22 @@ class process { transition noatsecure siginh rlimitinh };
#######################################
#
+# authlogin_pam_console_read_runtime_data_dir(domain)
+#
+define(`authlogin_pam_console_read_runtime_data_dir',`
+requires_block_template(`$0'_depend)
+files_search_system_state_data_directory($1)
+files_search_runtime_data_directory($1)
+allow $1 pam_var_console_t:dir { getattr search read };
+')
+
+define(`authlogin_pam_console_read_runtime_data_dir_depend',`
+type pam_var_console_t;
+class dir { getattr search read };
+')
+
+#######################################
+#
# authlogin_pam_console_read_runtime_data(domain)
#
define(`authlogin_pam_console_read_runtime_data',`
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 91aa8ad..82065f4 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -54,14 +54,14 @@ define(`corecommands_execute_general_programs',`
requires_block_template(`$0'_depend)
allow $1 bin_t:dir { getattr search read };
allow $1 bin_t:lnk_file { getattr read };
-allow $1 bin_t:file { getattr read execute execute_no_trans };
+allow $1 bin_t:file { getattr read ioctl execute execute_no_trans };
')
define(`corecommands_execute_general_programs_depend',`
type bin_t;
class dir { getattr search read };
class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+class file { getattr read ioctl execute execute_no_trans };
')
########################################
@@ -94,20 +94,34 @@ class dir { getattr search read };
########################################
#
+# corecommands_ignore_get_system_programs_attributes(domain)
+#
+define(`corecommands_ignore_get_system_programs_attributes',`
+requires_block_template(`$0'_depend)
+allow $1 sbin_t:file getattr;
+')
+
+define(`corecommands_ignore_get_system_programs_attributes_depend',`
+type sbin_t;
+class file getattr;
+')
+
+########################################
+#
# corecommands_execute_system_programs(domain)
#
define(`corecommands_execute_system_programs',`
requires_block_template(`$0'_depend)
allow $1 sbin_t:dir { getattr search read };
allow $1 sbin_t:lnk_file { getattr read };
-allow $1 sbin_t:file { getattr read execute execute_no_trans };
+allow $1 sbin_t:file { getattr read ioctl execute execute_no_trans };
')
define(`corecommands_execute_system_programs_depend',`
type sbin_t;
class dir { getattr search read };
class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+class file { getattr read ioctl execute execute_no_trans };
')
########################################
@@ -129,6 +143,24 @@ class file { getattr read execute execute_no_trans };
')
########################################
+#
+# corecommands_execute_ls(domain)
+#
+define(`corecommands_execute_ls',`
+requires_block_template(`$0'_depend)
+allow $1 bin_t:dir { getattr search read };
+allow $1 bin_t:lnk_file { getattr read };
+allow $1 ls_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`corecommands_execute_shell_depend',`
+type bin_t, ls_exec_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')
+
+########################################
##
##
## Execute a shell in the target domain.
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index d727d8f..4ff71ac 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -14,7 +14,7 @@ typeattribute $1 domain;
# allow the domain to read its /proc/pid entries
allow $1 self:dir { getattr search read };
-allow $1 self:{ file lnk_file } { getattr read write };
+allow $1 self:{ file lnk_file } { getattr read write ioctl };
# allow $1 to create child processes in this domain
allow $1 self:process { fork sigchld };
@@ -23,7 +23,7 @@ allow $1 self:process { fork sigchld };
define(`domain_make_base_domain_depend',`
attribute domain;
class dir { getattr search read };
-class file { getattr read write };
+class file { getattr read write ioctl };
class lnk_file { getattr read };
')
@@ -309,17 +309,105 @@ class process getsession;
')
########################################
+##
+##
+## Do not audit attempts to get the attributes
+## of all domains UDP sockets.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`domain_ignore_get_all_domains_udp_socket_attributes',`
+requires_block_template(`$0'_depend)
+dontaudit $1 domain:udp_socket getattr;
+')
+
+define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
+attribute domain;
+class udp_socket getattr;
+')
+
+########################################
+##
+##
+## Do not audit attempts to get the attributes
+## of all domains TCP sockets.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`domain_ignore_get_all_domains_tcp_socket_attributes',`
+requires_block_template(`$0'_depend)
+dontaudit $1 domain:tcp_socket getattr;
+')
+
+define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
+attribute domain;
+class tcp_socket getattr;
+')
+
+########################################
+##
+##
+## Do not audit attempts to get the attributes
+## of all domains unix datagram sockets.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',`
+requires_block_template(`$0'_depend)
+dontaudit $1 domain:unix_dgram_socket getattr;
+')
+
+define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
+attribute domain;
+class unix_dgram_socket getattr;
+')
+
+########################################
+##
+##
+## Do not audit attempts to get the attributes
+## of all domains unnamed pipes.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`domain_ignore_get_all_domains_pipe_attributes',`
+requires_block_template(`$0'_depend)
+dontaudit $1 domain:fifo_file getattr;
+')
+
+define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
+attribute domain;
+class fifo_file getattr;
+')
+
+########################################
#
# domain_execute_all_entrypoint_programs(domain)
#
define(`domain_execute_all_entrypoint_programs',`
requires_block_template(`$0'_depend)
-allow $1 entry_type:file { getattr read execute execute_no_trans };
+allow $1 entry_type:file { getattr read ioctl execute execute_no_trans };
')
define(`domain_execute_all_entrypoint_programs_depend',`
attribute entry_type;
-class file { getattr read execute execute_no_trans };
+class file { getattr read ioctl execute execute_no_trans };
')
########################################
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 8ba8291..e3236d7 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -50,12 +50,29 @@ logging_send_system_log_message(hostname_t)
miscfiles_read_localization(hostname_t)
+userdomain_use_all_users_file_descriptors(hostname_t)
+
+tunable_policy(`distro_redhat', `
+filesystem_use_tmpfs_character_devices(hostname_t)
+')
+
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(hostname_t)
terminal_ignore_use_general_pseudoterminal(hostname_t)
files_ignore_read_rootfs_file(hostname_t)
')dnl end targeted_policy tunable
+tunable_policy(`use_dns',`
+allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces(hostname_t)
+corenetwork_network_raw_on_all_interfaces(hostname_t)
+corenetwork_network_udp_on_all_nodes(hostname_t)
+corenetwork_network_raw_on_all_nodes(hostname_t)
+corenetwork_bind_udp_on_all_nodes(hostname_t)
+corenetwork_network_udp_on_dns_port(hostname_t)
+sysnetwork_read_network_config(hostname_t)
+')
+
optional_policy(`hotplug.te',`
hotplug_ignore_use_file_descriptors(hostname_t)
')
@@ -81,24 +98,10 @@ allow hostname_t rhgb_t:fd use;
allow hostname_t rhgb_t:fifo_file { read write };
')
-dontaudit hostname_t unpriv_userdomain:fd use;
allow hostname_t autofs_t:dir { search getattr };
##end daemon_base_domain
-##can_resolve(hostname_t)
-ifdef(`use_dns',`
-base_can_network(hostname_t, udp, `dns_port_t')
-allow hostname_t self:udp_socket { connect };
-')
-##end can_resolve
-
-allow hostname_t userdomain:fd use;
-
# for when /usr is not mounted
dontaudit hostname_t file_t:dir search;
-tunable_policy(`distro_redhat', `
-allow hostname_t tmpfs_t:chr_file { ioctl read getattr lock write append };
-')
-
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 547fa29..06a27f6 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -38,7 +38,8 @@ allow hotplug_t hotplug_etc_t:file { read getattr lock ioctl };
allow hotplug_t hotplug_etc_t:dir { read getattr lock search ioctl };
allow hotplug_t hotplug_etc_t:lnk_file { getattr read };
-allow hotplug_t { hotplug_exec_t hotplug_etc_t }:file { getattr read execute execute_no_trans };
+allow hotplug_t hotplug_exec_t:file { getattr read ioctl execute execute_no_trans };
+allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
files_create_daemon_runtime_data(hotplug_t,hotplug_var_run_t)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index fca0f60..1d1f5e9 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -37,13 +37,18 @@ allow initrc_t $2:file { getattr read execute };
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
type_transition initrc_t $2:process $1;
allow $1 initrc_t:fd use;
+# backchannels:
+allow $1 initrc_t:process sigchld;
+# cjp: probably for logging
+allow $1 initrc_t:fifo_file { getattr write };
')
define(`init_make_daemon_domain_depend',`
type initrc_t;
class file { getattr read execute };
+class fifo_file { getattr write };
class fd use;
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
role system_r;
')
@@ -61,16 +66,17 @@ allow initrc_t $2:file { getattr read execute };
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
type_transition initrc_t $2:process $1;
allow $1 initrc_t:fd use;
+# backchannels:
allow $1 initrc_t:process sigchld;
# cjp: probably for logging
-allow $1 initrc_t:fifo_file write;
+allow $1 initrc_t:fifo_file { getattr write };
')
define(`init_make_system_domain_depend',`
type initrc_t;
class file { getattr read execute };
class fd use;
-class fifo_file write;
+class fifo_file { getattr write };
class process { transition noatsecure siginh rlimitinh sigchld };
role system_r;
')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 1e87cb8..e382d75 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -64,7 +64,7 @@ files_make_temporary_file(initrc_tmp_t)
allow init_t self:fifo_file { read write ioctl };
# Re-exec itself
-allow init_t init_exec_t:file { getattr read execute execute_no_trans };
+allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
@@ -107,7 +107,10 @@ domain_sigstop_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
+files_read_general_system_config(init_t)
files_modify_system_runtime_data(init_t)
+# Run /etc/X11/prefdm:
+files_execute_system_config_script(init_t)
# file descriptors inherited from the rootfs:
files_ignore_modify_rootfs_file(init_t)
files_ignore_modify_rootfs_device(init_t)
@@ -123,6 +126,7 @@ miscfiles_read_localization(init_t)
tunable_policy(`distro_redhat',`
filesystem_use_tmpfs_character_devices(init_t)
+filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
')
# Run the shell in the sysadm_t domain for single-user mode.
@@ -170,19 +174,19 @@ allow initrc_t self:passwd rootok;
# Allow IPC with self
allow initrc_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
+allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
allow initrc_t self:fifo_file { getattr read write ioctl };
-
allow initrc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
allow initrc_t init_t:fd use;
+allow initrc_t initrc_exec_t:file { getattr read ioctl execute execute_no_trans };
+
allow initrc_t initrc_state_t:dir { create read getattr lock setattr ioctl unlink rename search add_name remove_name reparent write rmdir };
allow initrc_t initrc_state_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
-allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
-
allow initrc_t initrc_var_run_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_daemon_runtime_data(initrc_t,initrc_var_run_t)
@@ -249,15 +253,29 @@ terminal_reset_physical_terminal_labels(initrc_t)
authlogin_modify_login_records(initrc_t)
authlogin_modify_last_login_log(initrc_t)
+authlogin_pam_read_runtime_data(initrc_t)
+authlogin_pam_remove_runtime_data(initrc_t)
+authlogin_pam_console_read_runtime_data_dir(initrc_t)
corecommands_execute_general_programs(initrc_t)
corecommands_execute_system_programs(initrc_t)
corecommands_execute_shell(initrc_t)
+corecommands_execute_ls(initrc_t)
domain_kill_all_domains(initrc_t)
+domain_signal_all_domains(initrc_t)
+domain_signull_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
+domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_process_state(initrc_t)
domain_get_all_domains_session_id(initrc_t)
domain_use_widely_inheritable_file_descriptors(initrc_t)
+# for lsof which is used by alsa shutdown:
+domain_ignore_get_all_domains_udp_socket_attributes(initrc_t)
+domain_ignore_get_all_domains_tcp_socket_attributes(initrc_t)
+domain_ignore_get_all_domains_unix_dgram_socket_attributes(initrc_t)
+domain_ignore_get_all_domains_pipe_attributes(initrc_t)
files_get_all_file_attributes(initrc_t)
files_remove_all_tmp_data(initrc_t)
@@ -297,7 +315,7 @@ userdomain_read_all_users_data(initrc_t)
userdomain_use_admin_terminals(initrc_t)
tunable_policy(`distro_debian', `
-filesystem_tmpfs_associate(initrc_var_run_t)
+filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir)
')
tunable_policy(`distro_redhat',`
@@ -308,18 +326,23 @@ kernel_set_selinux_enforcement_mode(initrc_t)
bootloader_create_runtime_data(initrc_t)
bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)
+# These seem to be from the initrd:
+kernel_use_file_descriptors(initrc_t)
+# during device initialization:
+devices_legacy_use_dev_zero(initrc_t)
+devices_legacy_raw_read_memory(initrc_t)
+devices_legacy_raw_write_memory(initrc_t)
+storage_raw_read_fixed_disk(initrc_t)
+storage_raw_write_fixed_disk(initrc_t)
+
filesystem_use_tmpfs_character_devices(initrc_t)
files_create_boot_flag(initrc_t)
# readahead asks for these
mta_read_mail_aliases(initrc_t)
-') dnl end distro_redhat
-optional_policy(`authlogin.te',`
-authlogin_pam_read_runtime_data(initrc_t)
-authlogin_pam_remove_runtime_data(initrc_t)
-')
+') dnl end distro_redhat
optional_policy(`hotplug.te',`
kernel_read_usb_hardware_state(initrc_t)
@@ -328,6 +351,12 @@ hotplug_read_config(initrc_t)
modutils_read_kernel_module_dependencies(initrc_t)
')
+optional_policy(`lvm.te',`
+#allow initrc_t lvm_control_t:chr_file unlink;
+devices_read_lvm_control_channel(initrc_t)
+devices_add_generic_character_device(initrc_t)
+')
+
optional_policy(`rhgb.te',`
corecommands_make_shell_entrypoint(initrc_t)
')
@@ -345,8 +374,6 @@ kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
ifdef(`TODO',`
-allow initrc_t pam_var_console_t:dir r_dir_perms;
-
# Mount and unmount file systems.
allow initrc_t { file_t default_t }:dir { read search getattr mounton };
@@ -373,7 +400,6 @@ allow initrc_t { etc_t device_t }:dir setattr;
# for storing state under /dev/shm
allow initrc_t tmpfs_t:dir setattr;
-file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
')dnl end distro_debian
@@ -382,13 +408,16 @@ tunable_policy(`distro_redhat', `
allow initrc_t var_lib_nfs_t:file { getattr read };
')dnl end distro_redhat
+tunable_policy(`targeted_policy', `
+domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+domain_trans(initrc_t, shell_exec_t, unconfined_t)
+') dnl endif targeted policy
+
#
# Shutting down xinet causes these
#
# Rsync
dontaudit initrc_t mail_spool_t:lnk_file read;
-
-# for lsof which is used by alsa shutdown
-dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 23b6ea8..9600fa0 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -57,11 +57,20 @@ class chr_file { getattr read write ioctl };
')
########################################
-#
-# libraries_use_dynamic_loader(domain)
+##
+##
+## Use the dynamic link/loader for automatic loading
+## of shared libraries.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`libraries_use_dynamic_loader',`
requires_block_template(`$0'_depend)
+files_read_general_system_config_directory($1)
allow $1 lib_t:dir { getattr search read };
allow $1 lib_t:lnk_file { getattr read };
allow $1 ld_so_t:lnk_file { getattr read };
@@ -77,25 +86,44 @@ class file { getattr read execute };
')
########################################
-#
-# libraries_legacy_use_dynamic_loader(domain)
+##
+##
+## Use the dynamic link/loader for automatic loading
+## of shared libraries with legacy support.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`libraries_legacy_use_dynamic_loader',`
requires_block_template(`$0'_depend)
-libraries_use_dynamic_loader($1,optional)
+libraries_use_dynamic_loader($1)
allow $1 ld_so_t:file execmod;
allow $1 ld_so_cache_t:file execute;
')
define(`libraries_legacy_use_dynamic_loader_depend',`
-libraries_use_dynamic_loader_depend
type ld_so_t, ld_so_cache_t;
class file { execute execmod };
')
########################################
-#
-# libraries_execute_dynamic_loader(domain)
+##
+##
+## Execute the dynamic link/loader in the caller's
+## domain. This is commonly needed for the
+## /usr/bin/ldd program. Note: this can be used
+## to execute any binary that the caller can
+## read, even if the caller does not have execute
+## permissions.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`libraries_execute_dynamic_loader',`
requires_block_template(`$0'_depend)
@@ -113,11 +141,20 @@ class file { getattr read execute execute_no_trans };
')
########################################
-#
-# libraries_modify_dynamic_loader_cache(domain)
+##
+##
+## Modify the dynamic link/loader's cached listing
+## of shared libraries.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`libraries_modify_dynamic_loader_cache',`
requires_block_template(`$0'_depend)
+files_read_general_system_config_directory($1)
allow $1 ld_so_cache_t:file { getattr read write };
')
@@ -127,8 +164,65 @@ class file { getattr read write };
')
########################################
+##
+##
+## Read files in the library directories, such
+## as static libraries.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
-# libraries_use_shared_libraries(domain)
+define(`libraries_read_library_resources',`
+requires_block_template(`$0'_depend)
+allow $1 lib_t:dir { getattr read search };
+allow $1 lib_t:{ file lnk_file } { getattr read };
+')
+
+define(`libraries_read_library_resources_depend',`
+type lib_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read };
+')
+
+########################################
+##
+##
+## Execute library scripts in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`libraries_execute_library_scripts',`
+requires_block_template(`$0'_depend)
+allow $1 lib_t:dir { getattr read search };
+allow $1 lib_t:lnk_file { getattr read };
+allow $1 lib_t:file { getattr read execute execute_no_trans };
+')
+
+define(`libraries_execute_library_scripts_depend',`
+type lib_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')
+
+########################################
+##
+##
+## Load and execute functions from shared libraries.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`libraries_use_shared_libraries',`
requires_block_template(`$0'_depend)
@@ -147,8 +241,16 @@ class file { getattr read execute };
')
########################################
-#
-# libraries_legacy_use_shared_libraries(domain)
+##
+##
+## Load and execute functions from shared libraries,
+## with legacy support.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`libraries_legacy_use_shared_libraries',`
requires_block_template(`$0'_depend)
@@ -161,39 +263,4 @@ type shlib_t, texrel_shlib_t;
class file execmod;
')
-########################################
-#
-# libraries_read_library_resources(domain)
-#
-define(`libraries_read_library_resources',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr read search };
-allow $1 lib_t:{ file lnk_file } { getattr read };
-')
-
-define(`libraries_read_library_resources_depend',`
-type lib_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read };
-')
-
-########################################
-#
-# libraries_execute_library_scripts(domain)
-#
-define(`libraries_execute_library_scripts',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr read search };
-allow $1 lib_t:lnk_file { getattr read };
-allow $1 lib_t:file { getattr read execute execute_no_trans };
-')
-
-define(`libraries_execute_library_scripts_depend',`
-type lib_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
-')
-
##
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index bc1746a..6ca7a36 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -85,6 +85,7 @@ kernel_read_kernel_sysctl(lvm_t)
# it has no reason to need this
kernel_ignore_get_core_interface_attributes(lvm_t)
+devices_add_generic_character_device(lvm_t)
devices_get_random_data(lvm_t)
devices_get_pseudorandom_data(lvm_t)
devices_use_lvm_control_channel(lvm_t)
@@ -95,11 +96,21 @@ devices_ignore_get_all_character_device_attributes(lvm_t)
devices_ignore_get_all_block_device_attributes(lvm_t)
devices_ignore_get_generic_character_device_attributes(lvm_t)
devices_ignore_get_generic_block_device_attributes(lvm_t)
+devices_ignore_get_generic_pipe_attributes(lvm_t)
terminal_ignore_get_all_private_physical_terminal_attributes(lvm_t)
filesystem_get_persistent_filesystem_attributes(lvm_t)
+# LVM creates block devices in /dev/mapper or /dev/
+# depending on its version
+# LVM(2) needs to create directores (/dev/mapper, /dev/)
+# and links from /dev/ to /dev/mapper/-
+storage_create_fixed_disk_dev_entry(lvm_t)
+# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
+storage_manage_fixed_disk(lvm_t)
+
corecommands_search_system_programs_directory(lvm_t)
+corecommands_ignore_get_system_programs_attributes(lvm_t)
domain_use_widely_inheritable_file_descriptors(lvm_t)
@@ -140,24 +151,12 @@ ifdef(`TODO',`
allow lvm_t autofs_t:dir { search getattr };
-# LVM creates block devices in /dev/mapper or /dev/
-# depending on its version
-# LVM(2) needs to create directores (/dev/mapper, /dev/)
-# and links from /dev/ to /dev/mapper/-
allow lvm_t device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
-type_transition lvm_t device_t:blk_file fixed_disk_device_t;
-
-# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
-allow lvm_t fixed_disk_device_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
allow lvm_t default_context_t:dir search;
allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
allow lvm_t device_t:lnk_file { relabelfrom relabelto };
-# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dontaudit lvm_t device_t:fifo_file getattr;
-
-dontaudit lvm_t sbin_t:file getattr;
dontaudit lvm_t var_run_t:dir getattr;
# for when /usr is not mounted
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index dfd3d84..b124ce3 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -15,7 +15,7 @@
#
define(`modutils_read_kernel_module_dependencies',`
requires_block_template(`$0'_depend)
-bootloader_list_kernel_modules($1,optional)
+bootloader_list_kernel_modules($1)
allow $1 modules_dep_t:file { getattr read };
')
@@ -23,7 +23,6 @@ define(`modutils_read_kernel_module_dependencies_depend',`
type modules_dep_t;
class file { getattr create read write setattr unlink };
class dir { search read write add_name remove_name };
-bootloader_list_kernel_modules_depend
')
########################################
@@ -51,7 +50,8 @@ class file { getattr create read write setattr unlink };
########################################
##
##
-## Execute insmod in the insmod domain.
+## Execute insmod in the insmod domain. Has a
+## sigchld backchannel.
##
##
## The type of the process performing this action.
@@ -65,12 +65,14 @@ allow $1 insmod_exec_t:file { getattr read execute };
allow $1 insmod_t:process transition;
type_transition $1 insmod_exec_t:process insmod_t;
dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
+# backchannel:
+allow insmod_t $1:process sigchld;
')
define(`modutils_insmod_transition_depend',`
type insmod_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
')
########################################
@@ -78,7 +80,8 @@ class process { transition noatsecure siginh rlimitinh };
##
## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain,
-## and use the caller's terminal.
+## and use the caller's terminal. Has a sigchld
+## backchannel.
##
##
## The type of the process performing this action.
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index d5e20d1..dab29e7 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -52,6 +52,8 @@ allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
kernel_load_module(insmod_t)
kernel_read_system_state(insmod_t)
+kernel_search_hardware_state_dir(insmod_t)
+kernel_search_usb_hardware_state_dir(insmod_t)
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctl(insmod_t)
kernel_modify_kernel_sysctl(insmod_t)
@@ -67,6 +69,13 @@ devices_direct_agp_access(insmod_t)
filesystem_get_persistent_filesystem_attributes(insmod_t)
+corecommands_execute_general_programs(insmod_t)
+corecommands_execute_system_programs(insmod_t)
+corecommands_execute_shell(insmod_t)
+
+domain_signal_all_domains(insmod_t)
+domain_use_widely_inheritable_file_descriptors(insmod_t)
+
files_read_runtime_system_config(insmod_t)
files_read_general_system_config(insmod_t)
files_read_general_application_resources(insmod_t)
@@ -79,28 +88,20 @@ init_use_file_descriptors(insmod_t)
init_script_use_file_descriptors(insmod_t)
init_script_use_pseudoterminal(insmod_t)
-domain_signal_all_domains(insmod_t)
-domain_use_widely_inheritable_file_descriptors(insmod_t)
-
libraries_use_dynamic_loader(insmod_t)
libraries_use_shared_libraries(insmod_t)
-corecommands_execute_general_programs(insmod_t)
-corecommands_execute_system_programs(insmod_t)
-corecommands_execute_shell(insmod_t)
+logging_send_system_log_message(insmod_t)
+logging_search_system_log_directory(insmod_t)
miscfiles_read_localization(insmod_t)
-logging_send_system_log_message(insmod_t)
-
optional_policy(`mount.te',`
mount_transition(insmod_t)
')
ifdef(`TODO',`
-allow insmod_t { var_t var_log_t }:dir search;
-
allow insmod_t apm_bios_t:chr_file { read write };
allow insmod_t sound_device_t:chr_file { read ioctl write };
@@ -109,8 +110,8 @@ ifdef(`xserver.te', `
allow insmod_t xserver_log_t:file getattr;
')
-allow insmod_t sysfs_t:dir search;
-allow insmod_t usbfs_t:dir search;
+# why is this needed? insmod cannot mounton any dir
+# and it also transitions to mount
allow insmod_t usbfs_t:filesystem mount;
# for when /var is not mounted early in the boot
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 96f0f0c..88e543e 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -350,10 +350,7 @@ kernel_compute_selinux_create_context(run_init_t)
kernel_compute_selinux_relabel_context(run_init_t)
kernel_compute_selinux_reachable_user_contexts(run_init_t)
-tunable_policy(`targeted_policy',`
-# targeted/unconfined stuff
-',`
-
+tunable_policy(`targeted_policy',`',`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
@@ -398,13 +395,6 @@ logging_send_system_log_message(run_init_t)
ifdef(`TODO',`
-tunable_policy(`targeted_policy', `
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-') dnl endif targeted policy
-
tunable_policy(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 96f0f0c..88e543e 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -350,10 +350,7 @@ kernel_compute_selinux_create_context(run_init_t)
kernel_compute_selinux_relabel_context(run_init_t)
kernel_compute_selinux_reachable_user_contexts(run_init_t)
-tunable_policy(`targeted_policy',`
-# targeted/unconfined stuff
-',`
-
+tunable_policy(`targeted_policy',`',`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
@@ -398,13 +395,6 @@ logging_send_system_log_message(run_init_t)
ifdef(`TODO',`
-tunable_policy(`targeted_policy', `
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-') dnl endif targeted policy
-
tunable_policy(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 8c377ac..b1db4f2 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -268,6 +268,7 @@ init_script_use_pseudoterminal(ifconfig_t)
libraries_use_dynamic_loader(ifconfig_t)
libraries_use_shared_libraries(ifconfig_t)
+libraries_read_library_resources(ifconfig_t)
logging_send_system_log_message(ifconfig_t)
@@ -294,8 +295,6 @@ allow ifconfig_t tun_tap_device_t:chr_file { read write };
# see the denials.
dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
-allow ifconfig_t lib_t:file { getattr read };
-
optional_policy(`rhgb.te', `
allow ifconfig_t rhgb_t:process sigchld;
allow ifconfig_t rhgb_t:fd use;
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index c5bf242..cab73b6 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -10,12 +10,15 @@ allow $1 udev_exec_t:file { getattr read execute };
allow $1 udev_t:process transition;
type_transition $1 udev_exec_t:process udev_t;
dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
+# backchannels:
+allow udev_t $1:fd use;
+allow udev_t $1:process sigchld;
')
define(`udev_transition_depend',`
type udev_t, udev_exec_t;
class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
')
########################################
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index b26e85f..3e332f1 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -49,6 +49,8 @@ allow udev_t self:msgq { associate getattr setattr create destroy read write enq
allow udev_t self:msg { send receive };
allow udev_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow udev_t udev_exec_t:file { getattr read write ioctl execute execute_no_trans };
+
allow udev_t udev_helper_exec_t:dir { read getattr lock search ioctl };
# read udev config
@@ -80,12 +82,6 @@ devices_manage_device_nodes(udev_t)
filesystem_get_all_filesystems_attributes(udev_t)
-init_script_read_runtime_data(udev_t)
-init_script_ignore_write_runtime_data(udev_t)
-
-files_read_runtime_system_config(udev_t)
-files_read_general_system_config(udev_t)
-
corecommands_execute_general_programs(udev_t)
corecommands_execute_system_programs(udev_t)
corecommands_execute_shell(udev_t)
@@ -93,19 +89,28 @@ corecommands_execute_shell(udev_t)
domain_execute_all_entrypoint_programs(udev_t)
domain_ignore_read_all_domains_process_dirs(udev_t)
-# Security
-selinux_read_config(udev_t)
-selinux_read_default_contexts(udev_t)
-selinux_read_file_contexts(udev_t)
-selinux_restorecon_transition(udev_t)
+files_read_runtime_system_config(udev_t)
+files_read_general_system_config(udev_t)
+files_execute_system_config_script(udev_t)
-modutils_insmod_transition(udev_t)
+init_use_file_descriptors(udev_t)
+init_script_read_runtime_data(udev_t)
+init_script_ignore_write_runtime_data(udev_t)
libraries_use_dynamic_loader(udev_t)
libraries_use_shared_libraries(udev_t)
logging_send_system_log_message(udev_t)
+miscfiles_read_localization(udev_t)
+
+modutils_insmod_transition(udev_t)
+
+selinux_read_config(udev_t)
+selinux_read_default_contexts(udev_t)
+selinux_read_file_contexts(udev_t)
+selinux_restorecon_transition(udev_t)
+
sysnetwork_ifconfig_transition(udev_t)
tunable_policy(`distro_redhat',`
@@ -141,7 +146,6 @@ allow udev_t var_lock_t:file getattr;
allow udev_t mnt_t:dir search;
allow udev_t devpts_t:dir { getattr search };
-
allow udev_t sysadm_tty_device_t:chr_file { read write };
# Dontaudits