From 049e11af3026b9548f601d86b5c2412405a07f56 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 9 Dec 2005 15:42:39 +0000
Subject: [PATCH] policy-20051208.patch from dan, plus a few adjustments

---
 refpolicy/Makefile | 7 +---
 refpolicy/Rules.modular | 9 ++++
 refpolicy/Rules.monolithic | 11 ++++-
 .../appconfig-targeted-mcs/default_contexts | 5 ++-
 .../appconfig-targeted-mls/default_contexts | 5 ++-
 .../appconfig-targeted/default_contexts | 5 ++-
 refpolicy/policy/modules/admin/su.if | 9 ++--
 refpolicy/policy/modules/admin/su.te | 2 +-
 refpolicy/policy/modules/kernel/filesystem.te | 3 +-
 refpolicy/policy/modules/services/canna.te | 3 +-
 refpolicy/policy/modules/services/cups.te | 4 +-
 refpolicy/policy/modules/services/dbus.te | 4 +-
 refpolicy/policy/modules/services/ftp.te | 36 ++++++++--------
 refpolicy/policy/modules/services/hal.te | 41 +++++++++++--------
 refpolicy/policy/modules/services/mta.te | 11 +----
 refpolicy/policy/modules/services/sasl.te | 4 +-
 .../policy/modules/services/spamassassin.te | 4 ++
 refpolicy/policy/modules/services/xdm.te | 8 ++--
 refpolicy/policy/modules/system/hostname.te | 3 +-
 refpolicy/policy/modules/system/init.if | 32 ---------------
 refpolicy/policy/modules/system/libraries.fc | 8 +++-
 refpolicy/policy/modules/system/libraries.te | 10 ++---
 refpolicy/policy/modules/system/locallogin.te | 7 ----
 refpolicy/policy/modules/system/mount.te | 3 +-
 24 files changed, 109 insertions(+), 125 deletions(-)

diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 0e39ad23..91221716 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -137,7 +137,7 @@ M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
 
 APPCONF := config/appconfig-$(TYPE)
 APPDIR := $(CONTEXTPATH)
-APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
+APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
 CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
 USER_FILES := $(POLDIR)/users
 
@@ -274,11 +274,6 @@ $(APPDIR)/removable_context: $(APPCONF)/removable_context
 	@mkdir -p $(APPDIR)
 	$(QUIET) install -m 644 $< $@
 
-$(APPDIR)/customizable_types: policy.conf
-	@mkdir -p $(APPDIR)
-	$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
-	$(QUIET) install -m 644 tmp/customizable_types $@
-
 $(APPDIR)/default_type: $(APPCONF)/default_type
 	@mkdir -p $(APPDIR)
 	$(QUIET) install -m 644 $< $@
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index a152bae2..d9884367 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -168,6 +168,15 @@ endif
 	@test -d tmp || mkdir -p tmp
 	$(QUIET) m4 $(M4PARAM) $^ > $@
 
+########################################
+#
+# Appconfig files
+#
+$(APPDIR)/customizable_types: base.conf
+	@mkdir -p $(APPDIR)
+	$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+	$(QUIET) install -m 644 tmp/customizable_types $@
+
 ########################################
 #
 # Clean the sources
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index 652bece9..0d6aa7dd 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
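Review bot: The `$(APPDIR)/customizable_types` rule added to Rules.modular writes its intermediate to `tmp/customizable_types` but never ensures `tmp` exists, whereas the rule immediately above it in the same hunk guards with `@test -d tmp || mkdir -p tmp`; the copy added to Rules.monolithic in the next hunk has the same gap, and both are duplicates (apart from the prerequisite) of the rule this commit deletes from the Makefile. Adding `@test -d tmp || mkdir -p tmp` before the grep line, or writing straight to `$@` instead of a shared scratch file, fixes it. Separately, `grep ... | cut | cut > file` exits with cut's status under plain sh, so a policy in which grep matches nothing produces an empty customizable_types file with no build error; since the consumers of this file (setfiles/restorecon) leave the listed types alone when relabeling, a silently empty or wrong list changes relabel behaviour without anything failing, so at least a `test -s` on the result is worth adding.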
@@ -12,7 +12,7 @@ HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
 FC := file_contexts
 POLVER := policy.$(PV)
 
-APPFILES += $(APPDIR)/customizable_types $(INSTALLDIR)/booleans
+APPFILES += $(INSTALLDIR)/booleans
 
 # for monolithic policy use all base and module to create policy
 ALL_MODULES := $(strip $(BASE_MODS) $(MOD_MODS))
@@ -226,6 +226,15 @@ check: policy.conf $(FC)
 longcheck: policy.conf $(FC)
 	$(SECHECK) -s --profile=all --policy=policy.conf --fcfile=$(FC) > $@.res
 
+########################################
+#
+# Appconfig files
+#
+$(APPDIR)/customizable_types: policy.conf
+	@mkdir -p $(APPDIR)
+	$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+	$(QUIET) install -m 644 tmp/customizable_types $@
+
 ########################################
 #
 # Clean the sources
diff --git a/refpolicy/config/appconfig-targeted-mcs/default_contexts b/refpolicy/config/appconfig-targeted-mcs/default_contexts
index 1a986434..b3dddce0 100644
--- a/refpolicy/config/appconfig-targeted-mcs/default_contexts
+++ b/refpolicy/config/appconfig-targeted-mcs/default_contexts
@@ -1,8 +1,9 @@
-system_r:unconfined_t:s0 system_r:unconfined_t:s0
+system_r:crond_t:s0 system_r:unconfined_t:s0
 system_r:initrc_t:s0 system_r:unconfined_t:s0
 system_r:local_login_t:s0 system_r:unconfined_t:s0
 system_r:remote_login_t:s0 system_r:unconfined_t:s0
 system_r:rshd_t:s0 system_r:unconfined_t:s0
-system_r:crond_t:s0 system_r:unconfined_t:s0
 system_r:sshd_t:s0 system_r:unconfined_t:s0
 system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
+system_r:unconfined_t:s0 system_r:unconfined_t:s0
+system_r:xdm_t:s0 system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mls/default_contexts b/refpolicy/config/appconfig-targeted-mls/default_contexts
index 1a986434..b3dddce0 100644
--- a/refpolicy/config/appconfig-targeted-mls/default_contexts
+++ b/refpolicy/config/appconfig-targeted-mls/default_contexts
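Review bot: After this hunk the mcs and mls copies of default_contexts are byte-identical (both file headers read `index 1a986434..b3dddce0`), and the targeted copy differs from them only by the `:s0` suffix on each field, so the same edit had to be made three times in this patch and the three files will drift apart over time; generating the MCS/MLS variants from the targeted file at build time would remove the duplication. The new `system_r:xdm_t:s0 system_r:unconfined_t:s0` entry relies on the xdm.te change later in this patch that makes xdm_t a distinct type under targeted_policy instead of a declaration via unconfined_alias_domain; worth a line in the commit message so the two changes are not applied separately.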
@@ -1,8 +1,9 @@
-system_r:unconfined_t:s0 system_r:unconfined_t:s0
+system_r:crond_t:s0 system_r:unconfined_t:s0
 system_r:initrc_t:s0 system_r:unconfined_t:s0
 system_r:local_login_t:s0 system_r:unconfined_t:s0
 system_r:remote_login_t:s0 system_r:unconfined_t:s0
 system_r:rshd_t:s0 system_r:unconfined_t:s0
-system_r:crond_t:s0 system_r:unconfined_t:s0
 system_r:sshd_t:s0 system_r:unconfined_t:s0
 system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
+system_r:unconfined_t:s0 system_r:unconfined_t:s0
+system_r:xdm_t:s0 system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted/default_contexts b/refpolicy/config/appconfig-targeted/default_contexts
index dee752d0..d91373a7 100644
--- a/refpolicy/config/appconfig-targeted/default_contexts
+++ b/refpolicy/config/appconfig-targeted/default_contexts
@@ -1,8 +1,9 @@
-system_r:unconfined_t system_r:unconfined_t
+system_r:crond_t system_r:unconfined_t
 system_r:initrc_t system_r:unconfined_t
 system_r:local_login_t system_r:unconfined_t
 system_r:remote_login_t system_r:unconfined_t
 system_r:rshd_t system_r:unconfined_t
-system_r:crond_t system_r:unconfined_t
 system_r:sshd_t system_r:unconfined_t
 system_r:sysadm_su_t system_r:unconfined_t
+system_r:unconfined_t system_r:unconfined_t
+system_r:xdm_t system_r:unconfined_t
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 9fd66791..95a87c27 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -43,6 +43,11 @@ template(`su_restricted_domain_template', `
 	# for SSP
 	dev_read_urand($1_su_t)
 
+	files_read_etc_files($1_su_t)
+	files_read_etc_runtime_files($1_su_t)
+	files_search_var_lib($1_su_t)
+	files_dontaudit_getattr_tmp_dir($1_su_t)
+
 	selinux_get_fs_mount($1_su_t)
 	selinux_validate_context($1_su_t)
 	selinux_compute_access_vector($1_su_t)
@@ -56,10 +61,6 @@ template(`su_restricted_domain_template', `
 
 	domain_use_wide_inherit_fd($1_su_t)
 
-	files_read_etc_files($1_su_t)
-	files_read_etc_runtime_files($1_su_t)
-	files_search_var_lib($1_su_t)
-
 	init_dontaudit_use_fd($1_su_t)
 	init_dontaudit_use_script_pty($1_su_t)
 	# Write to utmp.
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
index 65aaf77d..9078ccf7 100644
--- a/refpolicy/policy/modules/admin/su.te
+++ b/refpolicy/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
-policy_module(su,1.0.1)
+policy_module(su,1.1.1)
 
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index df2bf267..9b0e3ff8 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.0.1)
+policy_module(filesystem,1.1.1)
 
 
 ########################################
 #
@@ -22,6 +22,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
 # Requires that a security xattr handler exist for the filesystem.
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index b119afea..a39ac7f3 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -1,5 +1,5 @@
-policy_module(canna,1.0)
+policy_module(canna,1.1.1)
 
 
 ########################################
 #
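Review bot: The new `fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);` in filesystem.te declares that GFS keeps labels in security xattrs, and the comment at the top of the same block states the precondition: a security xattr handler must exist for the filesystem. The policy cannot check that the GFS implementation on the target kernel provides one, so it is worth recording where this was verified, for example `# gfs: security xattr handler confirmed on <kernel version, TODO confirm>`. If the handler is absent on some kernel, files on such mounts will not carry persistent labels and will take whatever fallback labeling the kernel applies (inferred from the comment's precondition, not from the hunk itself).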
@@ -47,7 +47,6 @@ files_create_pid(canna_t, canna_var_run_t, { file sock_file })
 
 kernel_read_kernel_sysctl(canna_t)
 kernel_read_system_state(canna_t)
-kernel_dontaudit_use_fd(canna_t)
 
 corenet_tcp_sendrecv_all_if(canna_t)
 corenet_raw_sendrecv_all_if(canna_t)
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 1ff7d200..05aed4cf 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups,1.0.3)
+policy_module(cups,1.1.1)
 
 
 ########################################
 #
@@ -505,6 +505,8 @@ allow cupsd_config_t cupsd_etc_t:file create_file_perms;
 allow cupsd_config_t cupsd_etc_t:lnk_file create_lnk_perms;
 type_transition cupsd_config_t cupsd_etc_t:file cupsd_rw_etc_t;
 
+allow cupsd_config_t cupsd_log_t:file rw_file_perms;
+
 allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
 allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
 allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 64d25a99..75bdf437 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
-policy_module(dbus,1.0.2)
+policy_module(dbus,1.1.1)
 
 
 gen_require(`
 	class dbus { send_msg acquire_svc };
@@ -32,7 +32,7 @@ files_pid_file(system_dbusd_var_run_t)
 # cjp: dac_override should probably go in a distro_debian
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms };
+allow system_dbusd_t self:process { getattr signal_perms setcap };
 allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
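Review bot: `allow cupsd_config_t cupsd_log_t:file rw_file_perms;` in cups.te gives the configuration helper full write access, not just append, to the cupsd log files, so a compromised cupsd_config_t could rewrite or truncate existing log records instead of only adding to them. If the helper only needs to emit log lines, `ra_file_perms` is the tighter grant; either way a one-line comment naming which tool writes to the log would justify the rule, since every neighbouring rule in this hunk is about cupsd_etc_t configuration files rather than logs.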
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 1a83d1c9..0b90109a 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
-policy_module(ftp,1.0.2)
+policy_module(ftp,1.1.1)
 
 
 ########################################
 #
@@ -71,8 +71,11 @@ kernel_read_system_state(ftpd_t)
 dev_read_sysfs(ftpd_t)
 dev_read_urand(ftpd_t)
 
-fs_search_auto_mountpoints(ftpd_t)
-fs_getattr_all_fs(ftpd_t)
+corecmd_exec_bin(ftpd_t)
+corecmd_exec_sbin(ftpd_t)
+# Execute /bin/ls (can comment this out for proftpd)
+# also may need rules to allow tar etc...
+corecmd_exec_ls(ftpd_t)
 
 corenet_tcp_sendrecv_all_if(ftpd_t)
 corenet_udp_sendrecv_all_if(ftpd_t)
@@ -89,25 +92,24 @@ corenet_tcp_bind_ftp_data_port(ftpd_t)
 corenet_tcp_bind_generic_port(ftpd_t)
 corenet_tcp_connect_all_ports(ftpd_t)
 
-term_dontaudit_use_console(ftpd_t)
-
-auth_domtrans_chk_passwd(ftpd_t)
-# Append to /var/log/wtmp.
-auth_append_login_records(ftpd_t)
-#kerberized ftp requires the following
-auth_write_login_records(ftpd_t)
-
-corecmd_exec_bin(ftpd_t)
-corecmd_exec_sbin(ftpd_t)
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-corecmd_exec_ls(ftpd_t)
-
 domain_use_wide_inherit_fd(ftpd_t)
 
 files_search_etc(ftpd_t)
 files_read_etc_files(ftpd_t)
 files_read_etc_runtime_files(ftpd_t)
+files_search_var_lib_dir(ftpd_t)
+
+fs_search_auto_mountpoints(ftpd_t)
+fs_getattr_all_fs(ftpd_t)
+
+term_dontaudit_use_console(ftpd_t)
+
+auth_use_nsswitch(ftpd_t)
+auth_domtrans_chk_passwd(ftpd_t)
+# Append to /var/log/wtmp.
+auth_append_login_records(ftpd_t)
+#kerberized ftp requires the following
+auth_write_login_records(ftpd_t)
 
 init_use_fd(ftpd_t)
 init_use_script_pty(ftpd_t)
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8f5a8f3a..9bb932ae 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
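Review bot: The only new access in the last ftp.te hunk is `auth_use_nsswitch(ftpd_t)` and `files_search_var_lib_dir(ftpd_t)`, neither of which carries a comment, while the block moved in the previous hunk keeps the instruction "can comment this out for proftpd" above `corecmd_exec_ls(ftpd_t)`; asking administrators to edit and rebuild a shipped module is fragile, and a `tunable_policy` block around the bin/sbin/ls exec rules would let that be switched at runtime instead. The rest of both hunks is a reorder of existing calls into module order with no behavioural change, which is fine as style. ftpd_t's rules continue past the end of the hunk.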
@@ -1,5 +1,5 @@
-policy_module(hal,1.0.4)
+policy_module(hal,1.1.1)
 
 
 ########################################
 #
@@ -23,11 +23,13 @@ files_pid_file(hald_var_run_t)
 
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
-allow hald_t self:process signal_perms;
+# vbetool requires execmem
+allow hald_t self:process { execmem signal_perms };
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow hald_t self:unix_dgram_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:tcp_socket create_stream_socket_perms;
 allow hald_t self:udp_socket create_socket_perms;
@@ -47,6 +49,9 @@ kernel_read_network_state(hald_t)
 kernel_read_kernel_sysctl(hald_t)
 kernel_write_proc_file(hald_t)
 
+corecmd_exec_bin(hald_t)
+corecmd_exec_sbin(hald_t)
+
 corenet_tcp_sendrecv_all_if(hald_t)
 corenet_udp_sendrecv_all_if(hald_t)
 corenet_raw_sendrecv_all_if(hald_t)
@@ -59,7 +64,6 @@ corenet_non_ipsec_sendrecv(hald_t)
 corenet_tcp_bind_all_nodes(hald_t)
 corenet_udp_bind_all_nodes(hald_t)
 
-dev_read_sysfs(hald_t)
 dev_rw_usbfs(hald_t)
 dev_read_urand(hald_t)
 dev_read_input(hald_t)
@@ -68,6 +72,20 @@ dev_rw_printer(hald_t)
 dev_read_lvm_control(hald_t)
 dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_file(hald_t)
+# hal is now execing pm-suspend
+dev_rw_sysfs(hald_t)
+
+domain_use_wide_inherit_fd(hald_t)
+domain_exec_all_entry_files(hald_t)
+
+files_exec_etc_files(hald_t)
+files_read_etc_files(hald_t)
+files_rw_etc_runtime_files(hald_t)
+files_search_mnt(hald_t)
+files_search_var_lib(hald_t)
+files_read_usr_files(hald_t)
+# hal is now execing pm-suspend
+files_create_boot_flag(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
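Review bot: `allow hald_t self:process { execmem signal_perms };` grants writable-and-executable anonymous memory to a daemon that the same block already gives the net_admin, sys_admin, sys_rawio, dac_override and mknod capabilities, so the W^X protection is removed from one of the most privileged domains in this policy. The comment justifies it with vbetool, which suggests the least-privilege fix is to run vbetool in its own domain reached by a transition from hald_t, so execmem stays confined to that helper, or at minimum to gate the rule behind a tunable. The new `allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` has no comment; `nlmsg_relay` is what lets a process submit user-space audit records, so noting which hal component emits audit messages would help the next reviewer.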
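Review bot: The genuinely new access in the `@@ -68,6 +72,20 @@` hunk is `dev_rw_sysfs(hald_t)` (the `dev_read_sysfs` it replaces is removed in the previous hunk) and `files_create_boot_flag(hald_t)`, both justified by the comment `# hal is now execing pm-suspend`; writing to sysfs and creating boot-flag files in the root directory are privileged steps that, together with `domain_exec_all_entry_files(hald_t)` (moved here from further down in the file, not new), argue for giving pm-suspend its own domain reached by a transition from hald_t rather than widening hald_t itself. The same comment appears twice in the hunk; one comment above the pm-suspend group stating which helper needs which rule would read better than repeating it.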
@@ -87,19 +105,6 @@ storage_raw_write_fixed_disk(hald_t)
 
 term_dontaudit_use_console(hald_t)
 
-corecmd_exec_bin(hald_t)
-corecmd_exec_sbin(hald_t)
-
-domain_use_wide_inherit_fd(hald_t)
-domain_exec_all_entry_files(hald_t)
-
-files_exec_etc_files(hald_t)
-files_read_etc_files(hald_t)
-files_rw_etc_runtime_files(hald_t)
-files_search_mnt(hald_t)
-files_search_var_lib(hald_t)
-files_read_usr_files(hald_t)
-
 init_use_fd(hald_t)
 init_use_script_pty(hald_t)
 
@@ -171,6 +176,10 @@ optional_policy(`nscd',`
 	nscd_use_socket(hald_t)
 ')
 
+optional_policy(`ntp',`
+	ntp_domtrans(hald_t)
+')
+
 optional_policy(`pcmcia',`
 	pcmcia_manage_pid(hald_t)
 	pcmcia_manage_runtime_chr(hald_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 810d7113..ea663961 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.0.4)
+policy_module(mta,1.1.1)
 
 
 ########################################
 #
@@ -57,15 +57,6 @@ init_use_script_pty(system_mail_t)
 
 userdom_use_sysadm_terms(system_mail_t)
 
-ifdef(`hide_broken_symptoms',`
-	# Red Hat systems seem to have a stray
-	# fds open from the initrd
-	ifdef(`distro_redhat',`
-		kernel_dontaudit_use_fd(system_mail_t)
-		storage_dontaudit_read_fixed_disk(system_mail_t)
-	')
-')
-
 ifdef(`targeted_policy',`
 	typealias system_mail_t alias sysadm_mail_t;
 
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index c81a934a..f1b37d4b 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -18,6 +18,7 @@ files_pid_file(saslauthd_var_run_t)
 # Local policy
 #
 
+allow saslauthd_t self:capability setuid;
 dontaudit saslauthd_t self:capability sys_tty_config;
 allow saslauthd_t self:process signal_perms;
 allow saslauthd_t self:fifo_file { read write };
@@ -56,9 +57,10 @@ auth_use_nsswitch(saslauthd_t)
 domain_use_wide_inherit_fd(saslauthd_t)
 
 files_read_etc_files(saslauthd_t)
-files_read_etc_runtime_files(saslauthd_t)
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
 files_search_var_lib(saslauthd_t)
 files_dontaudit_getattr_home_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dir(saslauthd_t)
 
 init_use_fd(saslauthd_t)
 init_use_script_pty(saslauthd_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index ba7b4673..3c6bdb97 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -73,6 +73,10 @@ corenet_non_ipsec_sendrecv(spamd_t)
 corenet_tcp_bind_all_nodes(spamd_t)
 corenet_udp_bind_all_nodes(spamd_t)
 corenet_tcp_bind_spamd_port(spamd_t)
+# spamassassin 3.1 needs this for its
+# DnsResolver.pm module which binds to
+# random ports >= 1024.
+corenet_udp_bind_generic_port(spamd_t)
 
 dev_read_sysfs(spamd_t)
 dev_read_urand(spamd_t)
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index f38050e2..6f12feb5 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -6,11 +6,7 @@ policy_module(xdm,1.0.1)
 # Declarations
 #
 
-ifdef(`targeted_policy',`
-	unconfined_alias_domain(xdm_t)
-',`
-	type xdm_t;
-')
+type xdm_t;
 
 # real declaration moved to mls until
 # range_transition works in loadable modules
@@ -78,7 +74,9 @@ selinux_compute_user_contexts(xdm_t)
 files_read_etc_runtime_files(xdm_t)
 
 ifdef(`targeted_policy',`
+	allow xdm_t self:process execmem;
 	unconfined_domain_template(xdm_t)
+	unconfined_domtrans(xdm_t)
 ',`
 	allow xdm_t xdm_lock_t:file create_file_perms;
 	files_create_lock(xdm_t,xdm_lock_t)
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 12002825..bfc5fdbb 100644
--- a/refpolicy/policy/modules/system/hostname.te
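Review bot: Swapping `files_read_etc_runtime_files(saslauthd_t)` for `files_dontaudit_read_etc_runtime_files(saslauthd_t)` in sasl.te both revokes the access and suppresses the denial it will now generate, so if saslauthd does read an etc_runtime_t file under some configuration the failure leaves no trace in the audit log; confirm authentication still works with the allow removed before masking it, and say so in a comment. The `allow saslauthd_t self:capability setuid;` added in the previous hunk has no comment explaining why the daemon changes uid. Neither hunk bumps sasl's `policy_module` version while the other modules in this commit move to 1.1.1; the same omission applies to spamassassin.te, xdm.te (its hunk header still shows `policy_module(xdm,1.0.1)`) and init.if (init.te is not touched), which matters for modular builds where the tooling may use the version to decide whether an upgrade applies.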
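Review bot: In xdm.te, under `targeted_policy` xdm_t is no longer declared through `unconfined_alias_domain(xdm_t)` (removed in this file's first hunk) but is a distinct type that then receives `unconfined_domain_template(xdm_t)` and `unconfined_domtrans(xdm_t)`; the added `allow xdm_t self:process execmem;` has no comment saying which display-manager component needs executable anonymous memory, or why the unconfined template does not already cover it, so `# <component> needs execmem; not granted by unconfined_domain_template` (component filled in, and the second clause verified) would document the intent. Making xdm_t a real type under targeted is a compatibility change for anything that relied on the alias, and it is what the new `system_r:xdm_t` default_contexts entries earlier in the patch depend on.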
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -1,5 +1,5 @@
-policy_module(hostname,1.0)
+policy_module(hostname,1.1.1)
 
 
 ########################################
 #
@@ -22,7 +22,6 @@ allow hostname_t self:capability sys_admin;
 allow hostname_t self:unix_stream_socket create_stream_socket_perms;
 dontaudit hostname_t self:capability sys_tty_config;
 
-kernel_dontaudit_use_fd(hostname_t)
 kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
 
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 7c08d2cb..38ab2980 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -31,18 +31,6 @@ interface(`init_domain',`
 	allow init_t $1:fd use;
 	allow $1 init_t:fifo_file rw_file_perms;
 	allow $1 init_t:process sigchld;
-
-	# Red Hat systems seem to have stray
-	# fds open from the initrd
-	ifdef(`hide_broken_symptoms',`
-		# Red Hat systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_redhat',`
-			kernel_dontaudit_use_fd($1)
-			storage_dontaudit_read_fixed_disk($1)
-			files_dontaudit_read_root_file($1)
-		')
-	')
 ')
 
 ########################################
@@ -82,16 +70,6 @@ interface(`init_daemon_domain',`
 		typeattribute $2 direct_init_entry;
 	')
 
-	ifdef(`hide_broken_symptoms',`
-		# Red Hat systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_redhat',`
-			kernel_dontaudit_use_fd($1)
-			storage_dontaudit_read_fixed_disk($1)
-			files_dontaudit_read_root_file($1)
-		')
-	')
-
 	ifdef(`targeted_policy',`
 		# this regex is a hack, since it assumes there is a
 		# _t at the end of the domain type. If there is no _t
@@ -163,16 +141,6 @@ interface(`init_system_domain',`
 	allow $1 initrc_t:fd use;
 	allow $1 initrc_t:fifo_file rw_file_perms;
 	allow $1 initrc_t:process sigchld;
-
-	ifdef(`hide_broken_symptoms',`
-		# Red Hat systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_redhat',`
-			kernel_dontaudit_use_fd($1)
-			storage_dontaudit_read_fixed_disk($1)
-			files_dontaudit_read_root_file($1)
-		')
-	')
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 28c16701..95104c1f 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -62,7 +62,8 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/im/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?/iiim/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
 
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 
@@ -103,7 +104,6 @@ ifdef(`distro_redhat',`
 /usr/lib/valgrind/hp2ps -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/valgrind/stage2 -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/valgrind/vg.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr/lib/.*/libxpcom_core.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/.*/program/libsts645li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
@@ -113,6 +113,10 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/thunderbird.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 
 # Fedora Extras packages: ladspa, imlib2, ocaml
 /usr/lib/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 7ba90872..79ac4684 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.0.1)
+policy_module(libraries,1.1.1)
 
 
 ########################################
 #
@@ -42,12 +42,8 @@ ifdef(`targeted_policy',`
 # texrel_shlib_t is the type of shared objects in the system lib
 # directories, which require text relocation.
 #
-ifdef(`targeted_policy',`
-	typealias lib_t alias texrel_shlib_t;
-',`
-	type texrel_shlib_t;
-	files_type(texrel_shlib_t)
-')
+type texrel_shlib_t;
+files_type(texrel_shlib_t)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index a2116d1a..b5cd6a12 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
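Review bot: The four new libraries.fc entries such as `/usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)` end in `\.so`, whereas the libGL lines corrected in this file's first hunk use `\.so(\.[^/]*)*`; file-context regexes are anchored, so any versioned `lib*.so.N` under those directories (if the packages ship any) would not match and would fall back to the generic library label. Since texrel_shlib_t is the type that permits text relocation (execmod), the pattern should cover exactly the files that need it: `.*` directly after `firefox` also spans subdirectories, which may be intended for versioned install paths but deserves a comment. The removed `/usr/lib/.*/libxpcom_core.so` line is presumably now covered by the firefox/mozilla patterns; stating that in the commit message or a comment would save the next reader the check.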
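Review bot: Dropping the targeted-policy branch `typealias lib_t alias texrel_shlib_t;` in libraries.te makes texrel_shlib_t a distinct type under targeted_policy as well, so the libraries.fc entries that name it now resolve to a different label than the one on an installed targeted system, which therefore needs a relabel (restorecon/fixfiles) after this module is loaded; the commit message does not mention that. It also means any targeted domain that reached these libraries only through lib_t rules now needs texrel_shlib_t (execmod) access, presumably via the libraries interfaces, so running a text-relocating binary from the libGL/nvidia set in libraries.fc under targeted would confirm nothing regressed.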
@@ -168,13 +168,6 @@ userdom_use_unpriv_users_fd(local_login_t)
 # Search for mail spool file.
 mta_getattr_spool(local_login_t)
 
-# Red Hat systems seem to have a stray
-# fd open from the initrd
-ifdef(`distro_redhat',`
-	kernel_dontaudit_use_fd(local_login_t)
-	files_dontaudit_read_root_file(local_login_t)
-')
-
 ifdef(`targeted_policy',`
 	unconfined_domain_template(local_login_t)
 	unconfined_shell_domtrans(local_login_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 9c724baa..a3668f8a 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.0.1)
+policy_module(mount,1.1.1)
 
 
 ########################################
 #
@@ -26,7 +26,6 @@ allow mount_t mount_tmp_t:dir create_dir_perms;
 files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
 
 kernel_read_system_state(mount_t)
-kernel_dontaudit_use_fd(mount_t)
 
 corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)