firstboot is leaking a netlink_route socket into iptables. We need to dontaudit

tmpfs_t/devpts_t files can be stored on device_t file system unconfined_mono_t can pass file descriptors to chrome_sandbox, so need transition from all unoconfined users types Hald can connect to user processes over streams xdm_t now changes the brightness level on the system mdadm needs to manage hugetlbfs filesystems
2010-09-01 09:47:50 -04:00 · 2010-09-01 09:47:50 -04:00 · 03527520de
commit 03527520de
parent c6fa935fd5
8 changed files with 12 additions and 2 deletions
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@ -102,6 +102,10 @@ optional_policy(`
 	')
 ')

+optional_policy(`
+	iptables_domtrans(firstboot_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(firstboot_t)
 ')
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@ -159,6 +159,8 @@ ifdef(`distro_suse', `

 /dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)

+/dev/hugepages(/.*)?		<<none>>
+/dev/mqueue(/.*)?		<<none>>
 /dev/pts(/.*)?			<<none>>

 /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@ -185,6 +185,7 @@ fs_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
 files_poly_parent(tmpfs_t)
+dev_associate(tmpfs_t)

 # Use a transition SID based on the allocating task SID and the
 # filesystem SID to label inodes in the following filesystem types,
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t)
 fs_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+dev_associate(devpts_t)

 #
 # devtty_t is the type of /dev/tty.
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@ -226,7 +226,7 @@ optional_policy(`
 ')

 optional_policy(`
-	chrome_role(unconfined_r, unconfined_t)
+	chrome_role(unconfined_r, unconfined_usertype)
 ')

 optional_policy(`
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@ -225,6 +225,7 @@ sysnet_signal_dhcpc(hald_t)

 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_user_home_dirs(hald_t)
+userdom_stream_connect(hald_t)

 netutils_domtrans(hald_t)

--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@ -545,7 +545,7 @@ corenet_dontaudit_tcp_bind_all_ports(xdm_t)

 dev_rwx_zero(xdm_t)
 dev_read_rand(xdm_t)
-dev_read_sysfs(xdm_t)
+dev_rw_sysfs(xdm_t)
 dev_getattr_framebuffer_dev(xdm_t)
 dev_setattr_framebuffer_dev(xdm_t)
 dev_getattr_mouse_dev(xdm_t)
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@ -120,6 +120,7 @@ fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
 fs_manage_nfs_files(fsadm_t)
 fs_manage_cifs_files(fsadm_t)
+fs_rw_hugetlbfs_files(fsadm_t)
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs