diff options
author | Chris PeBenito <cpebenito@tresys.com> | 2006-07-28 15:13:58 +0000 |
---|---|---|
committer | Chris PeBenito <cpebenito@tresys.com> | 2006-07-28 15:13:58 +0000 |
commit | 46551033aa876d98b98f9442f8208ab069f18d28 (patch) | |
tree | 7ee7b6344f9f46c1f566fbdf3643982add69baee | |
parent | 81aa67fcc02f04bb2e21d8692b3e20d2e75b5f4d (diff) |
patch from dan Wed, 26 Jul 2006 14:42:46 -0400
86 files changed, 451 insertions, 188 deletions
diff --git a/policy/global_booleans b/policy/global_booleans index 111d004c..844fc781 100644 --- a/policy/global_booleans +++ b/policy/global_booleans @@ -4,6 +4,7 @@ # file should be used. # +ifdef(`strict_policy',` ## <desc> ## <p> ## Enabling secure mode disallows programs, such as @@ -12,6 +13,7 @@ ## </p> ## </desc> gen_bool(secure_mode,false) +') ## <desc> ## <p> diff --git a/policy/global_tunables b/policy/global_tunables index ec5cc933..0cb55b81 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -19,6 +19,14 @@ gen_tunable(allow_cvs_read_shadow,false) ## <desc> ## <p> +## Allow zebra daemon to write it configuration files +## </p> +## </desc> +# +gen_tunable(allow_zebra_write_config,false) + +## <desc> +## <p> ## Allow making the heap executable. ## </p> ## </desc> @@ -89,6 +97,13 @@ gen_tunable(allow_httpd_anon_write,false) ## <desc> ## <p> +## Allow Apache to use mod_auth_pam +## </p> +## </desc> +gen_tunable(allow_httpd_mod_auth_pam,false) + +## <desc> +## <p> ## Allow java executable stack ## </p> ## </desc> @@ -132,12 +147,6 @@ gen_tunable(allow_saslauthd_read_shadow,false) ## </desc> gen_tunable(allow_smbd_anon_write,false) -## <desc> -## <p> -## Allow sysadm to ptrace all processes -## </p> -## </desc> -gen_tunable(allow_ptrace,false) ## <desc> ## <p> @@ -290,13 +299,6 @@ gen_tunable(read_default_t,false) ## <desc> ## <p> -## Allow ssh to run from inetd instead of as a daemon. -## </p> -## </desc> -gen_tunable(run_ssh_inetd,false) - -## <desc> -## <p> ## Allow samba to export user home directories. ## </p> ## </desc> @@ -311,13 +313,6 @@ gen_tunable(samba_share_nfs,false) ## <desc> ## <p> -## Allow spamassassin to do DNS lookups -## </p> -## </desc> -gen_tunable(spamassasin_can_network,false) - -## <desc> -## <p> ## Allow squid to connect to all ports, not just ## HTTP, FTP, and Gopher ports. ## </p> @@ -326,13 +321,6 @@ gen_tunable(squid_connect_any,false) ## <desc> ## <p> -## Allow ssh logins as sysadm_r:sysadm_t -## </p> -## </desc> -gen_tunable(ssh_sysadm_login,false) - -## <desc> -## <p> ## Configure stunnel to be a standalone daemon or ## inetd service. ## </p> @@ -353,6 +341,12 @@ gen_tunable(use_nfs_home_dirs,false) ## </desc> gen_tunable(use_samba_home_dirs,false) +######################################## +# +# Strict policy specific +# + +ifdef(`strict_policy',` ## <desc> ## <p> ## Control users use of ping and traceroute @@ -360,12 +354,6 @@ gen_tunable(use_samba_home_dirs,false) ## </desc> gen_tunable(user_ping,false) -######################################## -# -# Strict policy specific -# - -ifdef(`strict_policy',` ## <desc> ## <p> ## Allow gpg executable stack @@ -382,6 +370,13 @@ gen_tunable(allow_mplayer_execstack,false) ## <desc> ## <p> +## Allow sysadm to ptrace all processes +## </p> +## </desc> +gen_tunable(allow_ptrace,false) + +## <desc> +## <p> ## allow host key based authentication ## </p> ## </desc> @@ -482,6 +477,13 @@ gen_tunable(read_untrusted_content,false) ## <desc> ## <p> +## Allow ssh to run from inetd instead of as a daemon. +## </p> +## </desc> +gen_tunable(run_ssh_inetd,false) + +## <desc> +## <p> ## Allow user spamassassin clients to use the network. ## </p> ## </desc> @@ -489,6 +491,13 @@ gen_tunable(spamassassin_can_network,false) ## <desc> ## <p> +## Allow ssh logins as sysadm_r:sysadm_t +## </p> +## </desc> +gen_tunable(ssh_sysadm_login,false) + +## <desc> +## <p> ## Allow staff_r users to search the sysadm home ## dir and read files (such as ~/.bashrc) ## </p> @@ -160,7 +160,7 @@ mlsconstrain process { transition dyntransition } (( h1 dom h2 ) or ( t1 == mcssetcats )); mlsconstrain process { ptrace } - ( h1 dom h2 ); + (( h1 dom h2) or ( t1 == mcsptraceall )); mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 41b40272..529bfe2e 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -1,5 +1,5 @@ -policy_module(bootloader,1.2.4) +policy_module(bootloader,1.2.5) ######################################## # @@ -48,7 +48,7 @@ logging_log_file(var_log_ksyms_t) # bootloader local policy # -allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown }; +allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; allow bootloader_t self:process { sigkill sigstop signull signal execmem }; allow bootloader_t self:fifo_file rw_file_perms; @@ -67,6 +67,7 @@ files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file b files_root_filetrans(bootloader_t,bootloader_tmp_t,file) kernel_getattr_core_if(bootloader_t) +kernel_read_network_state(bootloader_t) kernel_read_system_state(bootloader_t) kernel_read_software_raid_state(bootloader_t) kernel_read_kernel_sysctls(bootloader_t) @@ -86,7 +87,10 @@ dev_read_sysfs(bootloader_t) dev_read_raw_memory(bootloader_t) fs_getattr_xattr_fs(bootloader_t) +fs_getattr_tmpfs(bootloader_t) fs_read_tmpfs_symlinks(bootloader_t) +#Needed for ia64 +fs_manage_dos_files(bootloader_t) mls_file_read_up(bootloader_t) diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te index b03616f3..b875c3f7 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -1,5 +1,5 @@ -policy_module(firstboot,1.1.2) +policy_module(firstboot,1.1.3) gen_require(` class passwd rootok; @@ -106,6 +106,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + hal_dbus_send(firstboot_t) +') + +optional_policy(` nis_use_ypbind(firstboot_t) ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index d5766aa0..d70fa2af 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,5 +1,5 @@ -policy_module(netutils,1.1.4) +policy_module(netutils,1.1.5) ######################################## # @@ -211,11 +211,11 @@ sysnet_read_config(traceroute_t) ifdef(`targeted_policy',` term_use_unallocated_ttys(traceroute_t) term_use_generic_ptys(traceroute_t) -') - -tunable_policy(`user_ping',` - term_use_all_user_ttys(traceroute_t) - term_use_all_user_ptys(traceroute_t) +',` + tunable_policy(`user_ping',` + term_use_all_user_ttys(traceroute_t) + term_use_all_user_ptys(traceroute_t) + ') ') optional_policy(` diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index 506215ac..c53929bf 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -1,5 +1,5 @@ -policy_module(prelink,1.1.4) +policy_module(prelink,1.1.5) ######################################## # @@ -48,6 +48,7 @@ corecmd_manage_all_executables(prelink_t) corecmd_relabel_all_executables(prelink_t) corecmd_mmap_all_executables(prelink_t) corecmd_read_sbin_symlinks(prelink_t) +corecmd_read_bin_symlinks(prelink_t) dev_read_urand(prelink_t) diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if index 00f1b98f..9b372183 100644 --- a/policy/modules/admin/rpm.if +++ b/policy/modules/admin/rpm.if @@ -211,7 +211,7 @@ interface(`rpm_read_db',` files_search_var_lib($1) allow $1 rpm_var_lib_t:dir r_dir_perms; - allow $1 rpm_var_lib_t:file { getattr read }; + allow $1 rpm_var_lib_t:file r_file_perms; allow $1 rpm_var_lib_t:lnk_file r_file_perms; ') @@ -232,8 +232,8 @@ interface(`rpm_manage_db',` files_search_var_lib($1) allow $1 rpm_var_lib_t:dir rw_dir_perms; - allow $1 rpm_var_lib_t:file { getattr create read write append unlink }; - allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink }; + allow $1 rpm_var_lib_t:file manage_file_perms; + allow $1 rpm_var_lib_t:lnk_file create_lnk_perms; ') ######################################## diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index a12a0d4f..da38ad56 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.3.9) +policy_module(rpm,1.3.10) ######################################## # diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 54724198..0cc9adcd 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage,1.3.7) +policy_module(usermanage,1.3.8) ######################################## # @@ -260,6 +260,7 @@ optional_policy(` ') optional_policy(` + nscd_exec(groupadd_t) nscd_socket_use(groupadd_t) ') @@ -534,6 +535,7 @@ optional_policy(` ') optional_policy(` + nscd_exec(useradd_t) nscd_socket_use(useradd_t) ') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index e8093651..f27cc838 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.1.12) +policy_module(corenetwork,1.1.13) ######################################## # @@ -62,7 +62,7 @@ network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) network_port(auth, tcp,113,s0) -network_port(bgp, tcp,179,s0, udp,179,s0) +network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) @@ -145,7 +145,7 @@ network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) network_port(xen, tcp,8002,s0) network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0) -network_port(zebra, tcp,2601,s0) +network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0) network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index f83f36fa..e1e67f60 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -19,7 +19,9 @@ /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) +/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) +/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -54,6 +56,7 @@ /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) +/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index a1940b41..6c06c8cd 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.1.14) +policy_module(devices,1.1.15) ######################################## # diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index b3a21ea1..e2c84218 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -11,6 +11,7 @@ ifdef(`distro_redhat',` /\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0) /\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0) +/\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0) /fastboot -- gen_context(system_u:object_r:etc_runtime_t,s0) /forcefsck -- gen_context(system_u:object_r:etc_runtime_t,s0) /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index e3f7b8f7..cf928945 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.2.12) +policy_module(files,1.2.13) ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 1c08a771..512192a6 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -1019,6 +1019,26 @@ interface(`fs_relabelfrom_dos_fs',` ######################################## ## <summary> +## Create, read, write, and delete files +## on a DOS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_dos_files',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:dir rw_dir_perms; + allow $1 dosfs_t:file manage_file_perms; +') + +######################################## +## <summary> ## Read eventpollfs files. ## </summary> ## <desc> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 104b56bf..23753bd2 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.3.12) +policy_module(filesystem,1.3.13) ######################################## # diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index 3caa6f77..ed1e0229 100644 --- a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -6,7 +6,7 @@ ######################################## ## <summary> ## This domain is allowed to sigkill and sigstop -## all domains regardless of their MCS level. +## all domains regardless of their MCS category set. ## </summary> ## <param name="domain"> ## <summary> @@ -24,6 +24,26 @@ interface(`mcs_killall',` ######################################## ## <summary> +## This domain is allowed to ptrace +## all domains regardless of their MCS +## category set. +## </summary> +## <param name="domain"> +## <summary> +## Domain target for user exemption. +## </summary> +## </param> +# +interface(`mcs_ptrace_all',` + gen_require(` + attribute mcsptraceall; + ') + + typeattribute $1 mcsptraceall; +') + +######################################## +## <summary> ## Make specified domain MCS trusted ## for setting any category set for ## the processes it executes. diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index 88a6e986..5f8b1f40 100644 --- a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -1,5 +1,5 @@ -policy_module(mcs,1.0.2) +policy_module(mcs,1.0.3) ######################################## # @@ -7,6 +7,7 @@ policy_module(mcs,1.0.2) # attribute mcskillall; +attribute mcsptraceall; attribute mcssetcats; ######################################## diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index c4f9d7e3..f10b677a 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -150,7 +150,11 @@ interface(`selinux_set_enforce_mode',` if(!secure_mode_policyload) { allow $1 security_t:security setenforce; - auditallow $1 security_t:security setenforce; + + ifdef(`distro_rhel4',` + # needed for systems without audit support + auditallow $1 security_t:security setenforce; + ') } ') @@ -177,7 +181,11 @@ interface(`selinux_load_policy',` if(!secure_mode_policyload) { allow $1 security_t:security load_policy; - auditallow $1 security_t:security load_policy; + + ifdef(`distro_rhel4',` + # needed for systems without audit support + auditallow $1 security_t:security load_policy; + ') } ') diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index b62940e6..d0e27500 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -1,5 +1,5 @@ -policy_module(selinux,1.1.1) +policy_module(selinux,1.1.2) ######################################## # @@ -40,10 +40,9 @@ allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setb if(!secure_mode_policyload) { allow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; - auditallow selinux_unconfined_type security_t:security { load_policy setenforce }; ifdef(`distro_rhel4',` # needed for systems without audit support - auditallow selinux_unconfined_type security_t:security setbool; + auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; ') } diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index 30d78686..8d529585 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc @@ -21,8 +21,9 @@ /dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) -/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) +/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te index e78c43c6..59d716ba 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -1,5 +1,5 @@ -policy_module(storage,1.0.1) +policy_module(storage,1.0.2) ######################################## # diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index 67020c07..c92b118c 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.2.7) +policy_module(automount,1.2.8) ######################################## # @@ -36,10 +36,12 @@ allow automount_t self:unix_stream_socket create_socket_perms; allow automount_t self:unix_dgram_socket create_socket_perms; allow automount_t self:tcp_socket create_stream_socket_perms; allow automount_t self:udp_socket create_socket_perms; +allow automount_t self:netlink_route_socket r_netlink_socket_perms; allow automount_t automount_etc_t:file { getattr read }; # because config files can be shell scripts can_exec(automount_t, automount_etc_t) +can_exec(automount_t, automount_exec_t) allow automount_t automount_lock_t:file create_file_perms; files_lock_filetrans(automount_t,automount_lock_t,file) @@ -169,6 +171,12 @@ optional_policy(` ') optional_policy(` + kerberos_read_keytab(automount_t) + kerberos_read_config(automount_t) + kerberos_dontaudit_write_config(automount_t) +') + +optional_policy(` nis_use_ypbind(automount_t) ') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index 86a2b046..d1d378f3 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -1,5 +1,5 @@ -policy_module(avahi,1.2.3) +policy_module(avahi,1.2.4) ######################################## # @@ -78,6 +78,7 @@ logging_send_syslog_msg(avahi_t) miscfiles_read_localization(avahi_t) sysnet_read_config(avahi_t) +sysnet_use_ldap(avahi_t) userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_sysadm_home_dirs(avahi_t) diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc index b63564d0..d4ad4d71 100644 --- a/policy/modules/services/bind.fc +++ b/policy/modules/services/bind.fc @@ -28,7 +28,8 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` -/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) /etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) /var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) /var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index e284ddfb..1d2dd9f1 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -1,5 +1,5 @@ -policy_module(bind,1.1.6) +policy_module(bind,1.1.7) ######################################## # diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index 0b67faca..8eefbb5c 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -2,6 +2,27 @@ ######################################## ## <summary> +## Execute bluetooth in the bluetooth domain. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`bluetooth_domtrans',` + gen_require(` + type bluetooth_t, bluetooth_exec_t; + ') + + domain_auto_trans($1,bluetooth_exec_t,bluetooth_t) + allow bluetooth_t $1:fd use; + allow bluetooth_t $1:fifo_file rw_file_perms; + allow bluetooth_t $1:process sigchld; +') + +######################################## +## <summary> ## Read bluetooth daemon configuration. ## </summary> ## <param name="domain"> diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index 3a780446..dac26bf3 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -1,5 +1,5 @@ -policy_module(bluetooth,1.2.8) +policy_module(bluetooth,1.2.9) ######################################## # @@ -173,6 +173,7 @@ allow bluetooth_helper_t self:fifo_file rw_file_perms; allow bluetooth_helper_t self:shm create_shm_perms; allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow bluetooth_helper_t self:tcp_socket create_socket_perms; +allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms; allow bluetooth_helper_t bluetooth_t:socket { read write }; @@ -222,6 +223,8 @@ ifdef(`targeted_policy',` userdom_manage_generic_user_home_content_files(bluetooth_helper_t) optional_policy(` + corenet_tcp_connect_xserver_port(bluetooth_helper_t) + xserver_stream_connect_xdm(bluetooth_helper_t) xserver_use_xdm_fds(bluetooth_helper_t) xserver_rw_xdm_pipes(bluetooth_helper_t) diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc index 874f1e58..f9790aac 100644 --- a/policy/modules/services/clamav.fc +++ b/policy/modules/services/clamav.fc @@ -7,9 +7,10 @@ /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) +/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) /var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamav/clamd\.ctl -s gen_context(system_u:object_r:clamd_sock_t,s0) /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) /var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) /var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) +/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if index 3263dbb1..9c9c3fa4 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if @@ -35,11 +35,11 @@ interface(`clamav_domtrans',` # interface(`clamav_stream_connect',` gen_require(` - type clamd_t, clamd_sock_t, clamd_var_run_t; + type clamd_t, clamd_var_run_t; ') allow $1 clamd_var_run_t:dir search; - allow $1 clamd_sock_t:sock_file write; + allow $1 clamd_var_run_t:sock_file write; allow $1 clamd_t:unix_stream_socket connectto; ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index 14f06d6b..e79e0144 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,5 +1,5 @@ -policy_module(clamav,1.0.4) +policy_module(clamav,1.0.5) ######################################## # @@ -15,10 +15,6 @@ init_daemon_domain(clamd_t, clamd_exec_t) type clamd_etc_t; files_type(clamd_etc_t) -# named socket type -type clamd_sock_t; -files_type(clamd_sock_t) - # tmp files type clamd_tmp_t; files_tmp_file(clamd_tmp_t) @@ -34,6 +30,7 @@ files_type(clamd_var_lib_t) # pid files type clamd_var_run_t; files_pid_file(clamd_var_run_t) +typealias clamd_var_run_t alias clamd_sock_t; type clamscan_t; type clamscan_exec_t; @@ -67,12 +64,6 @@ allow clamd_t clamd_etc_t:dir r_dir_perms; allow clamd_t clamd_etc_t:file r_file_perms; allow clamd_t clamd_etc_t:lnk_file { getattr read }; -# socket file -allow clamd_t clamd_sock_t:file manage_file_perms; -allow clamd_t clamd_sock_t:sock_file manage_file_perms; -allow clamd_t clamd_sock_t:dir rw_dir_perms; -files_pid_filetrans(clamd_t,clamd_sock_t,sock_file) - # tmp files allow clamd_t clamd_tmp_t:file create_file_perms; allow clamd_t clamd_tmp_t:dir create_dir_perms; @@ -80,14 +71,10 @@ files_tmp_filetrans(clamd_t,clamd_tmp_t,{ file dir }) # var/lib files for clamd allow clamd_t clamd_var_lib_t:file create_file_perms; -allow clamd_t clamd_var_lib_t:sock_file create_file_perms; allow clamd_t clamd_var_lib_t:dir create_dir_perms; -files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file }) -files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file) # log files allow clamd_t clamd_var_log_t:file create_file_perms; -allow clamd_t clamd_var_log_t:sock_file create_file_perms; allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr }; logging_log_filetrans(clamd_t,clamd_var_log_t,file) @@ -161,10 +148,7 @@ allow freshclam_t clamd_etc_t:lnk_file { getattr read }; # var/lib files together with clamd allow freshclam_t clamd_var_lib_t:file create_file_perms; -allow freshclam_t clamd_var_lib_t:sock_file create_file_perms; allow freshclam_t clamd_var_lib_t:dir create_dir_perms; -files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file }) -files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file) # pidfiles- var/run together with clamd allow freshclam_t clamd_var_run_t:file manage_file_perms; @@ -174,7 +158,6 @@ files_pid_filetrans(freshclam_t,clamd_var_run_t,file) # log files (own logfiles only) allow freshclam_t freshclam_var_log_t:file create_file_perms; -allow freshclam_t freshclam_var_log_t:sock_file create_file_perms; allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr }; allow freshclam_t clamd_var_log_t:dir search; logging_log_filetrans(freshclam_t,freshclam_var_log_t,file) @@ -234,7 +217,6 @@ files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir }) # var/lib files together with clamd allow clamscan_t clamd_var_lib_t:file r_file_perms; -allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms; allow clamscan_t clamd_var_lib_t:dir r_dir_perms; kernel_read_kernel_sysctls(clamscan_t) diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te index 21dc5dae..6199142f 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -1,5 +1,5 @@ -policy_module(cyrus,1.1.3) +policy_module(cyrus,1.1.4) ######################################## # @@ -41,6 +41,7 @@ allow cyrus_t self:unix_dgram_socket sendto; allow cyrus_t self:unix_stream_socket connectto; allow cyrus_t self:tcp_socket create_stream_socket_perms; allow cyrus_t self:udp_socket create_socket_perms; +allow cyrus_t self:netlink_route_socket r_netlink_socket_perms; allow cyrus_t cyrus_tmp_t:dir create_dir_perms; allow cyrus_t cyrus_tmp_t:file create_file_perms; @@ -123,6 +124,10 @@ optional_policy(` ') optional_policy(` + ldap_stream_connect(cyrus_t) +') + +optional_policy(` nis_use_ypbind(cyrus_t) ') diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc index a6a0023c..48ba5809 100644 --- a/policy/modules/services/dovecot.fc +++ b/policy/modules/services/dovecot.fc @@ -28,6 +28,8 @@ ifdef(`distro_redhat', ` # /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) +/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) + /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 166d4dca..642e3cea 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -1,5 +1,5 @@ -policy_module(dovecot,1.2.4) +policy_module(dovecot,1.2.5) ######################################## # @@ -9,6 +9,12 @@ type dovecot_t; type dovecot_exec_t; init_daemon_domain(dovecot_t,dovecot_exec_t) +type dovecot_auth_t; +type dovecot_auth_exec_t; +domain_type(dovecot_auth_t) +domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) +role system_r types dovecot_auth_t; + type dovecot_cert_t; files_type(dovecot_cert_t) @@ -21,15 +27,13 @@ files_type(dovecot_passwd_t) type dovecot_spool_t; files_type(dovecot_spool_t) +# /var/lib/dovecot holds SSL parameters file +type dovecot_var_lib_t; +files_type(dovecot_var_lib_t) + type dovecot_var_run_t; files_pid_file(dovecot_var_run_t) -type dovecot_auth_t; -type dovecot_auth_exec_t; -domain_type(dovecot_auth_t) -domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) -role system_r types dovecot_auth_t; - ######################################## # # dovecot local policy @@ -161,6 +165,11 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write io allow dovecot_auth_t dovecot_passwd_t:file { getattr read }; +# Allow dovecot to create and read SSL parameters file +allow dovecot_t dovecot_var_lib_t:dir rw_dir_perms; +allow dovecot_t dovecot_var_lib_t:file manage_file_perms; +files_search_var_lib(dovecot_t) + allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms; kernel_read_all_sysctls(dovecot_auth_t) diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index fb09648f..df7e7f2d 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -1,5 +1,5 @@ -policy_module(ftp,1.2.6) +policy_module(ftp,1.2.7) ######################################## # @@ -50,6 +50,7 @@ allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; allow ftpd_t self:udp_socket create_socket_perms; +allow ftpd_t self:netlink_route_socket r_netlink_socket_perms; allow ftpd_t ftpd_etc_t:file r_file_perms; @@ -206,6 +207,12 @@ tunable_policy(`ftpd_is_daemon',` ') optional_policy(` + tunable_policy(`ftp_home_dir',` + apache_search_sys_content(ftpd_t) + ') +') + +optional_policy(` corecmd_exec_shell(ftpd_t) files_read_usr_files(ftpd_t) diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index 47786ad8..8c7a8720 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.3.10) +policy_module(hal,1.3.11) ######################################## # @@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t) # # execute openvt which needs setuid -allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; +allow hald_t self:capability { audit_write chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; dontaudit hald_t self:capability sys_tty_config; allow hald_t self:process signal_perms; allow hald_t self:fifo_file rw_file_perms; @@ -153,6 +153,10 @@ ifdef(`targeted_policy', ` ') optional_policy(` + bootloader_domtrans(hald_t) +') + +optional_policy(` # For /usr/libexec/hald-addon-acpi # writes to /var/run/acpid.socket apm_stream_connect(hald_t) @@ -163,6 +167,10 @@ optional_policy(` ') optional_policy(` + bluetooth_domtrans(hald_t) +') + +optional_policy(` clock_domtrans(hald_t) ') diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te index d4c00505..eb533087 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te @@ -1,5 +1,5 @@ -policy_module(inetd,1.1.4) +policy_module(inetd,1.1.5) ######################################## # @@ -218,8 +218,10 @@ miscfiles_read_localization(inetd_child_t) sysnet_read_config(inetd_child_t) -tunable_policy(`run_ssh_inetd',` - corenet_tcp_bind_ssh_port(inetd_t) +ifdef(`strict_policy',` + tunable_policy(`run_ssh_inetd',` + corenet_tcp_bind_ssh_port(inetd_t) + ') ') optional_policy(` diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc index 8ee84ac0..d7401475 100644 --- a/policy/modules/services/ldap.fc +++ b/policy/modules/services/ldap.fc @@ -6,6 +6,7 @@ /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) +/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if index 45b3bd95..03b9d837 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if @@ -57,3 +57,24 @@ interface(`ldap_use',` allow slapd_t $1:tcp_socket { acceptfrom recvfrom }; kernel_tcp_recvfrom($1) ') + + +######################################## +## <summary> +## Connect to slapd over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ldap_stream_connect',` + gen_require(` + type slapd_t, slapd_var_run_t; + ') + + files_search_pids($1) + allow $1 slapd_var_run_t:sock_file write; + allow $1 slapd_t:unix_stream_socket connectto; +') diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te index 315dffb4..6731b765 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -1,5 +1,5 @@ -policy_module(ldap,1.2.3) +policy_module(ldap,1.2.4) ######################################## # diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if index fd149e43..3d997fa2 100644 --- a/policy/modules/services/lpd.if +++ b/policy/modules/services/lpd.if @@ -62,6 +62,7 @@ template(`lpd_per_userdomain_template',` allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms; allow $1_lpr_t self:tcp_socket create_socket_perms; allow $1_lpr_t self:udp_socket create_socket_perms; + allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms; # lpr can run in lightweight mode, without a local print spooler. allow $1_lpr_t lpd_var_run_t:dir search; @@ -109,7 +110,9 @@ template(`lpd_per_userdomain_template',` allow lpd_t $1_print_spool_t:file link_file_perms; kernel_tcp_recvfrom($1_lpr_t) + kernel_read_kernel_sysctls($1_lpr_t) + corenet_non_ipsec_sendrecv($1_lpr_t) corenet_tcp_sendrecv_generic_if($1_lpr_t) corenet_udp_sendrecv_generic_if($1_lpr_t) corenet_tcp_sendrecv_all_nodes($1_lpr_t) @@ -119,8 +122,8 @@ template(`lpd_per_userdomain_template',` corenet_tcp_connect_all_ports($1_lpr_t) corenet_sendrecv_all_client_packets($1_lpr_t) - # for /dev/null - dev_list_all_dev_nodes($1_lpr_t) + dev_read_rand($1_lpr_t) + dev_read_urand($1_lpr_t) domain_use_interactive_fds($1_lpr_t) @@ -149,6 +152,8 @@ template(`lpd_per_userdomain_template',` userdom_read_user_tmp_symlinks($1,$1_lpr_t) # Write to the user domain tty. userdom_use_user_terminals($1,$1_lpr_t) + userdom_read_user_home_content_files($1,$1_lpr_t) + userdom_read_user_tmp_files($1,$1_lpr_t) tunable_policy(`read_default_t',` files_list_default($1_lpr_t) @@ -158,8 +163,6 @@ template(`lpd_per_userdomain_template',` tunable_policy(`read_untrusted_content',` #list and read user specific untrusted content - files_list_home($1_lpr_t) - userdom_list_user_home_dirs($1,$1_lpr_t) userdom_read_user_untrusted_content_files($1,$1_lpr_t) #list and read user specific temporary untrusted content @@ -186,6 +189,7 @@ template(`lpd_per_userdomain_template',` cups_tcp_connect($1_lpr_t) cups_read_config($2) cups_tcp_connect($2) + cups_stream_connect($1_lpr_t) ') optional_policy(` @@ -199,14 +203,6 @@ template(`lpd_per_userdomain_template',` optional_policy(` nis_use_ypbind($1_lpr_t) ') - - ifdef(`TODO',` - optional_policy(` - allow $1_lpr_t xdm_t:fd use; - allow $1_lpr_t xdm_var_run_t:dir search; - allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl }; - ') - ') dnl end TODO ') ####################################### diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index c2eedbd5..0006d343 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd,1.2.4) +policy_module(lpd,1.2.5) ######################################## # diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te index f5ccc551..70e5b77d 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te @@ -1,5 +1,5 @@ -policy_module(mailman,1.1.5) +policy_module(mailman,1.1.6) ######################################## # @@ -30,12 +30,16 @@ mailman_domain_template(queue) # Mailman CGI local policy # -# cjp: the template invocation for queue should be +# cjp: the template invocation for cgi should be # in the below optional policy; however, there are no # optionals for file contexts yet, so it is promoted # to global scope until such facilities exist. optional_policy(` + allow mailman_cgi_t self:netlink_route_socket r_netlink_socket_perms; + + dev_read_urand(mailman_cgi_t) + allow mailman_cgi_t mailman_archive_t:dir create_dir_perms; allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms; allow mailman_cgi_t mailman_archive_t:file create_file_perms; @@ -52,6 +56,10 @@ optional_policy(` apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) apache_search_sys_script_state(mailman_cgi_t) + + optional_policy(` + nscd_socket_use(mailman_cgi_t) + ') ') ######################################## diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te index a5fd29be..d9edc35b 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -1,5 +1,5 @@ -policy_module(nis,1.1.5) +policy_module(nis,1.1.6) ######################################## # @@ -86,6 +86,7 @@ corenet_udp_bind_generic_port(ypbind_t) corenet_tcp_bind_reserved_port(ypbind_t) corenet_udp_bind_reserved_port(ypbind_t) corenet_tcp_bind_all_rpc_ports(ypbind_t) +corenet_udp_bind_all_rpc_ports(ypbind_t) corenet_tcp_connect_all_ports(ypbind_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if index 0625b2dd..84ea4949 100644 --- a/policy/modules/services/nscd.if +++ b/policy/modules/services/nscd.if @@ -44,6 +44,25 @@ interface(`nscd_domtrans',` ######################################## ## <summary> +## Allow the specified domain to execute nscd +## in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nscd_exec',` + gen_require(` + type nscd_exec_t; + ') + + can_exec($1,nscd_exec_t) +') + +######################################## +## <summary> ## Use NSCD services by connecting using ## a unix stream socket. ## </summary> diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te index 94ab0507..9b679d0a 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -1,5 +1,5 @@ -policy_module(nscd,1.2.6) +policy_module(nscd,1.2.7) gen_require(` class nscd all_nscd_perms; diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index 8277b366..512ce2de 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -1,5 +1,5 @@ -policy_module(openvpn,1.0.2) +policy_module(openvpn,1.0.3) ######################################## # @@ -33,6 +33,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow openvpn_t self:udp_socket create_socket_perms; allow openvpn_t self:tcp_socket create_socket_perms; +allow openvpn_t self:netlink_route_socket r_netlink_socket_perms; allow openvpn_t openvpn_etc_t:dir r_dir_perms; allow openvpn_t openvpn_etc_t:file r_file_perms; @@ -67,12 +68,15 @@ corenet_udp_bind_openvpn_port(openvpn_t) corenet_sendrecv_openvpn_server_packets(openvpn_t) corenet_rw_tun_tap_dev(openvpn_t) +dev_search_sysfs(openvpn_t) dev_read_rand(openvpn_t) dev_read_urand(openvpn_t) files_read_etc_files(openvpn_t) files_read_etc_runtime_files(openvpn_t) +init_use_fds(openvpn_t) + libs_use_ld_so(openvpn_t) libs_use_shared_libs(openvpn_t) @@ -80,10 +84,12 @@ logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) +sysnet_dns_name_resolve(openvpn_t) sysnet_exec_ifconfig(openvpn_t) ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(openvpn_t) + # Need to interact with terminals if config option "auth-user-pass" is used + term_use_generic_ptys(openvpn_t) ') optional_policy(` diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 8a1dd9f4..7fb0b17d 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix,1.2.9) +policy_module(postfix,1.2.10) ######################################## # @@ -160,7 +160,7 @@ files_read_usr_files(postfix_master_t) init_use_script_ptys(postfix_master_t) -miscfiles_dontaudit_search_man_pages(postfix_master_t) +miscfiles_read_man_pages(postfix_master_t) seutil_sigchld_newrole(postfix_master_t) # postfix does a "find" on startup for some reason - keep it quiet @@ -591,5 +591,9 @@ files_read_usr_files(postfix_smtpd_t) mta_read_aliases(postfix_smtpd_t) optional_policy(` + postgrey_stream_connect(postfix_smtpd_t) +') + +optional_policy(` sasl_connect(postfix_smtpd_t) ') diff --git a/policy/modules/services/postgrey.fc b/policy/modules/services/postgrey.fc index 74c88dcb..f04d5ba9 100644 --- a/policy/modules/services/postgrey.fc +++ b/policy/modules/services/postgrey.fc @@ -3,6 +3,7 @@ /usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0) -/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0) - /var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0) + +/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0) +/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0) diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if index f5cae306..90f7a87a 100644 --- a/policy/modules/services/postgrey.if +++ b/policy/modules/services/postgrey.if @@ -1 +1,21 @@ ## <summary>Postfix grey-listing server</summary> + +######################################## +## <summary> +## Write to postgrey socket +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to talk to postgrey +## </summary> +## </param> +# +interface(`postgrey_stream_connect',` + gen_require(` + type postgrey_var_run_t, postgrey_t; + ') + + allow $1 postgrey_t:unix_stream_socket connectto; + allow $1 postgrey_var_run_t:sock_file write; + files_search_pids($1) +') diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te index b794ca6a..93c74828 100644 --- a/policy/modules/services/postgrey.te +++ b/policy/modules/services/postgrey.te @@ -1,5 +1,5 @@ -policy_module(postgrey,1.0.1) +policy_module(postgrey,1.0.2) ######################################## # @@ -38,6 +38,7 @@ allow postgrey_t postgrey_var_lib_t:dir rw_dir_perms; files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file) allow postgrey_t postgrey_var_run_t:file create_file_perms; +allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms; allow postgrey_t postgrey_var_run_t:dir rw_dir_perms; files_pid_filetrans(postgrey_t,postgrey_var_run_t,file) diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te index 29eefaea..812f9cdd 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -1,5 +1,5 @@ -policy_module(procmail,1.2.4) +policy_module(procmail,1.2.5) ######################################## # @@ -35,6 +35,7 @@ corenet_tcp_sendrecv_all_nodes(procmail_t) corenet_udp_sendrecv_all_nodes(procmail_t) corenet_tcp_sendrecv_all_ports(procmail_t) corenet_udp_sendrecv_all_ports(procmail_t) +corenet_udp_bind_all_nodes(procmail_t) corenet_tcp_connect_spamd_port(procmail_t) corenet_sendrecv_spamd_client_packets(procmail_t) diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc index 576f54f1..a9ce21df 100644 --- a/policy/modules/services/radius.fc +++ b/policy/modules/services/radius.fc @@ -3,6 +3,7 @@ /etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) /etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0) +/etc/raddb/db.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0) /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) /usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index 4f61a75f..6767c839 100644 --- a/policy/modules/services/radius.te +++ b/policy/modules/services/radius.te @@ -1,5 +1,5 @@ -policy_module(radius,1.1.1) +policy_module(radius,1.1.2) ######################################## # @@ -13,6 +13,9 @@ init_daemon_domain(radiusd_t,radiusd_exec_t) type radiusd_etc_t; files_config_file(radiusd_etc_t) +type radiusd_etc_rw_t; +files_type(radiusd_etc_rw_t) + type radiusd_log_t; logging_log_file(radiusd_log_t) @@ -39,6 +42,11 @@ allow radiusd_t radiusd_etc_t:dir r_dir_perms; allow radiusd_t radiusd_etc_t:lnk_file { getattr read }; files_search_etc(radiusd_t) +allow radiusd_t radiusd_etc_rw_t:dir create_dir_perms; +allow radiusd_t radiusd_etc_rw_t:file create_file_perms; +allow radiusd_t radiusd_etc_rw_t:lnk_file create_lnk_perms; +type_transition radiusd_t radiusd_etc_t:{ dir file lnk_file } radiusd_etc_rw_t; + allow radiusd_t radiusd_log_t:file create_file_perms; allow radiusd_t radiusd_log_t:dir create_dir_perms; logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir }) diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te index 18d90dc8..5d1ebea5 100644 --- a/policy/modules/services/remotelogin.te +++ b/policy/modules/services/remotelogin.te @@ -1,5 +1,5 @@ -policy_module(remotelogin,1.2.0) +policy_module(remotelogin,1.2.1) ######################################## # @@ -37,6 +37,7 @@ allow remote_login_t self:shm create_shm_perms; allow remote_login_t self:sem create_sem_perms; allow remote_login_t self:msgq create_msgq_perms; allow remote_login_t self:msg { send receive }; +allow remote_login_t self:key write; allow remote_login_t remote_login_tmp_t:dir create_dir_perms; allow remote_login_t remote_login_tmp_t:file create_file_perms; diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 5577c67f..37ae73ef 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -1,5 +1,5 @@ -policy_module(samba,1.2.8) +policy_module(samba,1.2.9) ################################# # @@ -186,11 +186,12 @@ allow smbd_t self:tcp_socket create_stream_socket_perms; allow smbd_t self:udp_socket create_socket_perms; allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow smbd_t self:netlink_route_socket r_netlink_socket_perms; allow smbd_t samba_etc_t:dir rw_dir_perms; allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -allow smbd_t samba_log_t:dir ra_dir_perms; +allow smbd_t samba_log_t:dir { ra_dir_perms setattr }; dontaudit smbd_t samba_log_t:dir remove_name; allow smbd_t samba_log_t:file { create ra_file_perms }; @@ -313,6 +314,7 @@ tunable_policy(`samba_share_nfs',` optional_policy(` cups_read_rw_config(smbd_t) + cups_stream_connect(smbd_t) ') optional_policy(` @@ -365,7 +367,7 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file) allow nmbd_t samba_etc_t:dir { search getattr }; allow nmbd_t samba_etc_t:file { getattr read }; -allow nmbd_t samba_log_t:dir ra_dir_perms; +allow nmbd_t samba_log_t:dir { ra_dir_perms setattr }; allow nmbd_t samba_log_t:file { create ra_file_perms }; allow nmbd_t samba_var_t:dir rw_dir_perms; diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index a1480f4c..c6d21dfb 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -1,5 +1,5 @@ -policy_module(squid,1.1.3) +policy_module(squid,1.1.4) ######################################## # @@ -80,8 +80,10 @@ corenet_udp_sendrecv_all_ports(squid_t) corenet_tcp_bind_all_nodes(squid_t) corenet_udp_bind_all_nodes(squid_t) corenet_tcp_bind_http_cache_port(squid_t) +corenet_udp_bind_http_cache_port(squid_t) corenet_tcp_bind_ftp_port(squid_t) corenet_tcp_bind_gopher_port(squid_t) +corenet_udp_bind_gopher_port(squid_t) corenet_tcp_connect_ftp_port(squid_t) corenet_tcp_connect_gopher_port(squid_t) corenet_tcp_connect_http_port(squid_t) @@ -176,9 +178,6 @@ optional_policy(` ') ifdef(`TODO',` -ifdef(`apache.te',` -can_tcp_connect(squid_t, httpd_t) -') #squid requires the following when run in diskd mode, the recommended setting allow squid_t tmpfs_t:file { read write }; ') dnl end TODO diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index ef79d3fb..00899343 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -71,6 +71,7 @@ template(`ssh_basic_client_template',` allow $1_ssh_t self:msgq create_msgq_perms; allow $1_ssh_t self:msg { send receive }; allow $1_ssh_t self:tcp_socket create_socket_perms; + allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms; # for rsync allow $1_ssh_t $2:unix_stream_socket rw_socket_perms; diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index c8113fbb..15ec28ff 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh,1.3.6) +policy_module(ssh,1.3.7) ######################################## # diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te index 4df1189f..4c998cd5 100644 --- a/policy/modules/services/tftp.te +++ b/policy/modules/services/tftp.te @@ -1,5 +1,5 @@ -policy_module(tftp,1.1.1) +policy_module(tftp,1.1.2) ######################################## # @@ -78,6 +78,7 @@ logging_send_syslog_msg(tftpd_t) miscfiles_read_localization(tftpd_t) sysnet_read_config(tftpd_t) +sysnet_use_ldap(tftpd_t) userdom_dontaudit_use_unpriv_user_fds(tftpd_t) userdom_dontaudit_use_sysadm_ttys(tftpd_t) diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te index 5752f5dd..2a4da55f 100644 --- a/policy/modules/services/xfs.te +++ b/policy/modules/services/xfs.te @@ -1,5 +1,5 @@ -policy_module(xfs,1.0.3) +policy_module(xfs,1.0.4) ######################################## # @@ -46,6 +46,8 @@ corecmd_list_bin(xfs_t) corecmd_list_sbin(xfs_t) dev_read_sysfs(xfs_t) +dev_read_urand(xfs_t) +dev_read_rand(xfs_t) fs_getattr_all_fs(xfs_t) fs_search_auto_mountpoints(xfs_t) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index e0b85114..6868bb68 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -317,7 +317,6 @@ template(`xserver_per_userdomain_template',` ') ifdef(`TODO',` - allow $1_t xdm_xserver_tmp_t:dir r_dir_perms; allow $1_t xdm_xserver_t:unix_stream_socket connectto; ifdef(`xdm.te', ` @@ -1126,6 +1125,7 @@ interface(`xserver_stream_connect_xdm_xserver',` ') files_search_tmp($1) + allow $1 xdm_xserver_tmp_t:dir search_dir_perms; allow $1 xdm_xserver_tmp_t:sock_file write; allow $1 xdm_xserver_t:unix_stream_socket connectto; ') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 5bc23568..86b30cc2 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,5 +1,5 @@ -policy_module(xserver,1.1.10) +policy_module(xserver,1.1.11) ######################################## # @@ -88,6 +88,7 @@ allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow xdm_t self:unix_dgram_socket create_socket_perms; allow xdm_t self:tcp_socket create_stream_socket_perms; allow xdm_t self:udp_socket create_socket_perms; +allow xdm_t self:key write; # Supress permission check on .ICE-unix dontaudit xdm_t ice_tmp_t:dir { getattr setattr }; @@ -331,7 +332,7 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` - consoletype_domtrans(xdm_t) + consoletype_exec(xdm_t) ') optional_policy(` diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te index 3d331a37..2cc306e0 100644 --- a/policy/modules/services/zebra.te +++ b/policy/modules/services/zebra.te @@ -1,5 +1,5 @@ -policy_module(zebra,1.2.2) +policy_module(zebra,1.2.3) ######################################## # @@ -72,8 +72,10 @@ corenet_tcp_sendrecv_all_ports(zebra_t) corenet_udp_sendrecv_all_ports(zebra_t) corenet_tcp_bind_all_nodes(zebra_t) corenet_udp_bind_all_nodes(zebra_t) +corenet_tcp_bind_bgp_port(zebra_t) corenet_tcp_bind_zebra_port(zebra_t) corenet_udp_bind_router_port(zebra_t) +corenet_tcp_connect_bgp_port(zebra_t) corenet_sendrecv_zebra_server_packets(zebra_t) corenet_sendrecv_router_server_packets(zebra_t) @@ -116,6 +118,11 @@ ifdef(`targeted_policy', ` unconfined_sigchld(zebra_t) ') +tunable_policy(`allow_zebra_write_config',` + allow zebra_t zebra_conf_t:dir write; + allow zebra_t zebra_conf_t:file write; +') + optional_policy(` ldap_use(zebra_t) ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 7e6ca34d..18d1fe85 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.3.8) +policy_module(authlogin,1.3.9) ######################################## # @@ -193,6 +193,7 @@ term_use_all_user_ptys(pam_console_t) term_setattr_console(pam_console_t) term_getattr_unallocated_ttys(pam_console_t) term_setattr_unallocated_ttys(pam_console_t) +term_use_unallocated_ttys(pam_console_t) auth_use_nsswitch(pam_console_t) diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc index f55036c7..dcd5ba62 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -1,3 +1,4 @@ +/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 73a8fe08..8d24711b 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -1,5 +1,5 @@ -policy_module(fstools,1.3.2) +policy_module(fstools,1.3.3) ######################################## # diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc index b7783093..ff413c7d 100644 --- a/policy/modules/system/getty.fc +++ b/policy/modules/system/getty.fc @@ -9,3 +9,4 @@ /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) /var/spool/fax -- gen_context(system_u:object_r:getty_var_run_t,s0) +/var/spool/voice -- gen_context(system_u:object_r:getty_var_run_t,s0) diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index aaac7527..e6a67456 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -1,5 +1,5 @@ -policy_module(getty,1.1.2) +policy_module(getty,1.1.3) ######################################## # @@ -37,7 +37,7 @@ files_pid_file(getty_var_run_t) # # Use capabilities. -allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid }; +allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid getsession signal_perms }; @@ -90,6 +90,7 @@ corecmd_search_sbin(getty_t) files_rw_generic_pids(getty_t) files_read_etc_runtime_files(getty_t) files_read_etc_files(getty_t) +files_search_spool(getty_t) init_rw_utmp(getty_t) init_use_script_ptys(getty_t) diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te index 14bad2df..cddc6c9f 100644 --- a/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te @@ -1,5 +1,5 @@ -policy_module(hotplug,1.2.1) +policy_module(hotplug,1.2.2) ######################################## # @@ -136,7 +136,7 @@ ifdef(`targeted_policy', ` term_dontaudit_use_generic_ptys(hotplug_t) optional_policy(` - consoletype_domtrans(hotplug_t) + consoletype_exec(hotplug_t) ') ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 65cf3de4..431483b8 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.3.17) +policy_module(init,1.3.18) gen_require(` class passwd rootok; @@ -286,6 +286,9 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) +# initrc_t needs to do a pidof which requires ptrace +mcs_ptrace_all(initrc_t) + selinux_get_enforce_mode(initrc_t) storage_getattr_fixed_disk_dev(initrc_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index 11ce8ae2..054f2bb1 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -198,7 +198,7 @@ ifdef(`distro_redhat',` # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 03ce1fa0..a1dd7d39 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.3.9) +policy_module(libraries,1.3.10) ######################################## # diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 6a16f92d..296b6d9c 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -1,5 +1,5 @@ -policy_module(locallogin,1.2.3) +policy_module(locallogin,1.2.4) ######################################## # @@ -51,6 +51,7 @@ allow local_login_t self:shm create_shm_perms; allow local_login_t self:sem create_sem_perms; allow local_login_t self:msgq create_msgq_perms; allow local_login_t self:msg { send receive }; +allow local_login_t self:key write; allow local_login_t local_login_lock_t:file create_file_perms; files_lock_filetrans(local_login_t,local_login_lock_t,file) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 32bf6573..4efe47f2 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -165,7 +165,8 @@ interface(`logging_manage_audit_config',` ') files_search_etc($1) - allow $1 auditd_etc_t:file create_file_perms; + allow $1 auditd_etc_t:dir rw_dir_perms; + allow $1 auditd_etc_t:file manage_file_perms; ') ######################################## @@ -287,6 +288,7 @@ interface(`logging_read_audit_config',` ') files_search_etc($1) + allow $1 auditd_etc_t:dir r_dir_perms; allow $1 auditd_etc_t:file r_file_perms; ') @@ -308,7 +310,7 @@ interface(`logging_search_logs',` ') files_search_var($1) - allow $1 var_log_t:dir search; + allow $1 var_log_t:dir search_dir_perms; ') ####################################### @@ -326,7 +328,7 @@ interface(`logging_dontaudit_search_logs',` type var_log_t; ') - dontaudit $1 var_log_t:dir search; + dontaudit $1 var_log_t:dir search_dir_perms; ') ####################################### diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 74aee442..f209df68 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.3.7) +policy_module(logging,1.3.8) ######################################## # @@ -140,7 +140,7 @@ term_dontaudit_use_console(auditd_t) # Probably want a transition, and a new auditd_helper app corecmd_exec_sbin(auditd_t) corecmd_exec_bin(auditd_t) - +corecmd_exec_shell(auditd_t) domain_use_interactive_fds(auditd_t) diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 5aca3d07..5c4a37d8 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -1,5 +1,5 @@ -policy_module(lvm,1.3.4) +policy_module(lvm,1.3.5) ######################################## # @@ -125,7 +125,7 @@ optional_policy(` # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid -allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio }; +allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio }; dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. @@ -200,6 +200,7 @@ dev_create_generic_dirs(lvm_t) fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) +fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) fs_dontaudit_read_removable_files(lvm_t) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index aada0130..94889002 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -1,8 +1,10 @@ -policy_module(selinuxutil,1.2.9) +policy_module(selinuxutil,1.2.10) -gen_require(` - bool secure_mode; +ifdef(`strict_policy',` + gen_require(` + bool secure_mode; + ') ') ######################################## @@ -104,6 +106,7 @@ domain_system_change_exemption(run_init_t) type semanage_t; domain_type(semanage_t) +domain_interactive_fd(semanage_t) type semanage_exec_t; domain_entry_file(semanage_t, semanage_exec_t) @@ -423,18 +426,17 @@ optional_policy(` allow restorecond_t self:capability { dac_override dac_read_search fowner }; allow restorecond_t self:fifo_file rw_file_perms; +allow restorecond_t self:netlink_route_socket r_netlink_socket_perms; allow restorecond_t restorecond_var_run_t:file create_file_perms; files_pid_filetrans(restorecond_t,restorecond_var_run_t, file) -auth_relabel_all_files_except_shadow(restorecond_t ) -auth_read_all_files_except_shadow(restorecond_t) -fs_relabelfrom_noxattr_fs(restorecond_t) - kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) +fs_relabelfrom_noxattr_fs(restorecond_t) +fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) fs_list_inotifyfs(restorecond_t) @@ -447,7 +449,11 @@ selinux_compute_user_contexts(restorecond_t) term_dontaudit_use_generic_ptys(restorecond_t) +auth_relabel_all_files_except_shadow(restorecond_t ) +auth_read_all_files_except_shadow(restorecond_t) + init_use_fds(restorecond_t) +init_dontaudit_use_script_ptys(restorecond_t) libs_use_ld_so(restorecond_t) libs_use_shared_libs(restorecond_t) @@ -456,6 +462,12 @@ logging_send_syslog_msg(restorecond_t) miscfiles_read_localization(restorecond_t) +optional_policy(` + # restorecond watches for users logging in, + # so it getspwnam when a user logs in to find his homedir + nis_use_ypbind(restorecond_t) +') + ################################# # # Run_init local policy @@ -538,6 +550,7 @@ allow semanage_t self:capability { dac_override audit_write }; allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow semanage_t self:netlink_route_socket r_netlink_socket_perms; allow semanage_t policy_config_t:file { read write }; @@ -567,10 +580,15 @@ selinux_set_boolean(semanage_t) term_use_all_terms(semanage_t) +# Running genhomedircon requires this for finding all users +auth_use_nsswitch(semanage_t) + libs_use_ld_so(semanage_t) libs_use_shared_libs(semanage_t) libs_use_lib_files(semanage_t) +locallogin_use_fds(semanage_t) + logging_send_syslog_msg(semanage_t) miscfiles_read_localization(semanage_t) @@ -590,7 +608,7 @@ seutil_get_semanage_read_lock(semanage_t) userdom_search_sysadm_home_dirs(semanage_t) ifdef(`targeted_policy',` -# Handle pp files created in homedir and /tmp + # Handle pp files created in homedir and /tmp files_read_generic_tmp_files(semanage_t) userdom_read_generic_user_home_content_files(semanage_t) ') diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 4ef391e2..41ae3d84 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -1,5 +1,5 @@ -policy_module(setrans,1.0.1) +policy_module(setrans,1.0.2) ######################################## # @@ -68,3 +68,7 @@ logging_send_syslog_msg(setrans_t) miscfiles_read_localization(setrans_t) seutil_read_config(setrans_t) + +optional_policy(` + rpm_use_script_fds(setrans_t) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 2404432b..fb019814 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -1,5 +1,5 @@ -policy_module(sysnetwork,1.1.8) +policy_module(sysnetwork,1.1.9) ######################################## # @@ -277,6 +277,7 @@ allow ifconfig_t self:udp_socket create_socket_perms; # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; +allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; allow ifconfig_t self:tcp_socket { create ioctl }; files_read_etc_files(ifconfig_t); diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 06dec28e..785bc3ca 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,5 +1,5 @@ -policy_module(udev,1.3.3) +policy_module(udev,1.3.4) ######################################## # @@ -39,9 +39,9 @@ files_pid_file(udev_var_run_t) # Local policy # -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; dontaudit udev_t self:capability sys_tty_config; -allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_file_perms; diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc index d651278b..37d36199 100644 --- a/policy/modules/system/unconfined.fc +++ b/policy/modules/system/unconfined.fc @@ -9,4 +9,5 @@ ifdef(`targeted_policy',` /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/local/RealPlay/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/xine -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index ea38ab70..36d1bf31 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -52,9 +52,10 @@ interface(`unconfined_domain_noaudit',` allow $1 self:process execmem; ') - tunable_policy(`allow_execmem && allow_execstack',` - # Allow making the stack executable via mprotect. - allow $1 self:process execstack; + tunable_policy(`allow_execstack',` + # Allow making the stack executable via mprotect; + # execstack implies execmem; + allow $1 self:process { execstack execmem }; # auditallow $1 self:process execstack; ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 887ac687..790aa311 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.3.12) +policy_module(unconfined,1.3.13) ######################################## # @@ -56,10 +56,6 @@ ifdef(`targeted_policy',` ') optional_policy(` - amanda_domtrans_recover(unconfined_t) - ') - - optional_policy(` apache_domtrans_helper(unconfined_t) ') @@ -72,6 +68,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + bootloader_domtrans(unconfined_t) + ') + + optional_policy(` init_dbus_chat_script(unconfined_t) dbus_stub(unconfined_t) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 4f80cc0e..720cfa75 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -1,5 +1,5 @@ -policy_module(xen,1.0.7) +policy_module(xen,1.0.8) ######################################## # @@ -171,7 +171,7 @@ xen_stream_connect_xenstore(xend_t) netutils_domtrans(xend_t) optional_policy(` - consoletype_domtrans(xend_t) + consoletype_exec(xend_t) ') ######################################## |