policy-20051208.patch from dan, plus a few adjustments

Chris PeBenito 2005-12-09 15:42:39 +00:00
parent b64a0ebc5e
commit 049e11af30
24 changed files with 109 additions and 125 deletions

@ -137,7 +137,7 @@ M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
APPCONF := config/appconfig-$(TYPE)
APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
USER_FILES := $(POLDIR)/users
@ -274,11 +274,6 @@ $(APPDIR)/removable_context: $(APPCONF)/removable_context
@mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@
$(APPDIR)/customizable_types: policy.conf
@mkdir -p $(APPDIR)
$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
$(QUIET) install -m 644 tmp/customizable_types $@
$(APPDIR)/default_type: $(APPCONF)/default_type
@mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@

@ -168,6 +168,15 @@ endif
@test -d tmp || mkdir -p tmp
$(QUIET) m4 $(M4PARAM) $^ > $@
########################################
#
# Appconfig files
#
$(APPDIR)/customizable_types: base.conf
@mkdir -p $(APPDIR)
$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
$(QUIET) install -m 644 tmp/customizable_types $@
########################################
#
# Clean the sources
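Review bot: The new `$(APPDIR)/customizable_types` rule builds its list from `base.conf` alone, so a type marked customizable in a loadable module would not reach the installed file (this assumes base.conf holds only the base modules, as its name suggests). Relabeling tools consult that file to decide which labels to leave alone, so a missing entry means an administrator's custom label on such a file can be reset by a routine relabel. If the limitation is intended for now, say so above the rule: `# only base modules are scanned; customizable types declared in loadable modules are not listed`. The recipe also writes to `tmp/customizable_types` without creating `tmp` itself and appears to rely on an earlier rule having done so.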

@ -12,7 +12,7 @@ HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
FC := file_contexts
POLVER := policy.$(PV)
APPFILES += $(APPDIR)/customizable_types $(INSTALLDIR)/booleans
APPFILES += $(INSTALLDIR)/booleans
# for monolithic policy use all base and module to create policy
ALL_MODULES := $(strip $(BASE_MODS) $(MOD_MODS))
@ -226,6 +226,15 @@ check: policy.conf $(FC)
longcheck: policy.conf $(FC)
$(SECHECK) -s --profile=all --policy=policy.conf --fcfile=$(FC) > $@.res
########################################
#
# Appconfig files
#
$(APPDIR)/customizable_types: policy.conf
@mkdir -p $(APPDIR)
$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
$(QUIET) install -m 644 tmp/customizable_types $@
########################################
#
# Clean the sources

@ -1,8 +1,9 @@
system_r:unconfined_t:s0 system_r:unconfined_t:s0
system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:initrc_t:s0 system_r:unconfined_t:s0
system_r:local_login_t:s0 system_r:unconfined_t:s0
system_r:remote_login_t:s0 system_r:unconfined_t:s0
system_r:rshd_t:s0 system_r:unconfined_t:s0
system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:sshd_t:s0 system_r:unconfined_t:s0
system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
system_r:unconfined_t:s0 system_r:unconfined_t:s0
system_r:xdm_t:s0 system_r:unconfined_t:s0

@ -1,8 +1,9 @@
system_r:unconfined_t:s0 system_r:unconfined_t:s0
system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:initrc_t:s0 system_r:unconfined_t:s0
system_r:local_login_t:s0 system_r:unconfined_t:s0
system_r:remote_login_t:s0 system_r:unconfined_t:s0
system_r:rshd_t:s0 system_r:unconfined_t:s0
system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:sshd_t:s0 system_r:unconfined_t:s0
system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
system_r:unconfined_t:s0 system_r:unconfined_t:s0
system_r:xdm_t:s0 system_r:unconfined_t:s0

@ -1,8 +1,9 @@
system_r:unconfined_t system_r:unconfined_t
system_r:crond_t system_r:unconfined_t
system_r:initrc_t system_r:unconfined_t
system_r:local_login_t system_r:unconfined_t
system_r:remote_login_t system_r:unconfined_t
system_r:rshd_t system_r:unconfined_t
system_r:crond_t system_r:unconfined_t
system_r:sshd_t system_r:unconfined_t
system_r:sysadm_su_t system_r:unconfined_t
system_r:unconfined_t system_r:unconfined_t
system_r:xdm_t system_r:unconfined_t

@ -43,6 +43,11 @@ template(`su_restricted_domain_template', `
# for SSP
dev_read_urand($1_su_t)
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
files_dontaudit_getattr_tmp_dir($1_su_t)
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_access_vector($1_su_t)
@ -56,10 +61,6 @@ template(`su_restricted_domain_template', `
domain_use_wide_inherit_fd($1_su_t)
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
init_dontaudit_use_fd($1_su_t)
init_dontaudit_use_script_pty($1_su_t)
# Write to utmp.

@ -1,5 +1,5 @@
policy_module(su,1.0.1)
policy_module(su,1.1.1)
########################################
#

@ -1,5 +1,5 @@
policy_module(filesystem,1.0.1)
policy_module(filesystem,1.1.1)
########################################
#
@ -22,6 +22,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
# Requires that a security xattr handler exist for the filesystem.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);

@ -1,5 +1,5 @@
policy_module(canna,1.0)
policy_module(canna,1.1.1)
########################################
#
@ -47,7 +47,6 @@ files_create_pid(canna_t, canna_var_run_t, { file sock_file })
kernel_read_kernel_sysctl(canna_t)
kernel_read_system_state(canna_t)
kernel_dontaudit_use_fd(canna_t)
corenet_tcp_sendrecv_all_if(canna_t)
corenet_raw_sendrecv_all_if(canna_t)

@ -1,5 +1,5 @@
policy_module(cups,1.0.3)
policy_module(cups,1.1.1)
########################################
#
@ -505,6 +505,8 @@ allow cupsd_config_t cupsd_etc_t:file create_file_perms;
allow cupsd_config_t cupsd_etc_t:lnk_file create_lnk_perms;
type_transition cupsd_config_t cupsd_etc_t:file cupsd_rw_etc_t;
allow cupsd_config_t cupsd_log_t:file rw_file_perms;
allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;

@ -1,5 +1,5 @@
policy_module(dbus,1.0.2)
policy_module(dbus,1.1.1)
gen_require(`
class dbus { send_msg acquire_svc };
@ -32,7 +32,7 @@ files_pid_file(system_dbusd_var_run_t)
# cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr signal_perms };
allow system_dbusd_t self:process { getattr signal_perms setcap };
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
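Review bot: The `setcap` permission added to `allow system_dbusd_t self:process { getattr signal_perms setcap };` carries no comment saying what in the daemon needs it, and the domain already holds `setpcap`, `setuid` and `setgid` on the capability line above. A one-line reason saves later audits from having to rediscover it, for example `# dbus-daemon adjusts its own capability set when dropping privileges` (my reading of the intent; please confirm against the denial that prompted the change). The saslauthd section further down adds `allow saslauthd_t self:capability setuid;` in the same uncommented way and would benefit from the same treatment.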

@ -1,5 +1,5 @@
policy_module(ftp,1.0.2)
policy_module(ftp,1.1.1)
########################################
#
@ -71,8 +71,11 @@ kernel_read_system_state(ftpd_t)
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
corecmd_exec_bin(ftpd_t)
corecmd_exec_sbin(ftpd_t)
# Execute /bin/ls (can comment this out for proftpd)
# also may need rules to allow tar etc...
corecmd_exec_ls(ftpd_t)
corenet_tcp_sendrecv_all_if(ftpd_t)
corenet_udp_sendrecv_all_if(ftpd_t)
@ -89,25 +92,24 @@ corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_connect_all_ports(ftpd_t)
term_dontaudit_use_console(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
corecmd_exec_bin(ftpd_t)
corecmd_exec_sbin(ftpd_t)
# Execute /bin/ls (can comment this out for proftpd)
# also may need rules to allow tar etc...
corecmd_exec_ls(ftpd_t)
domain_use_wide_inherit_fd(ftpd_t)
files_search_etc(ftpd_t)
files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib_dir(ftpd_t)
fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
term_dontaudit_use_console(ftpd_t)
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
init_use_fd(ftpd_t)
init_use_script_pty(ftpd_t)

@ -1,5 +1,5 @@
policy_module(hal,1.0.4)
policy_module(hal,1.1.1)
########################################
#
@ -23,11 +23,13 @@ files_pid_file(hald_var_run_t)
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:process signal_perms;
# vbetool requires execmem
allow hald_t self:process { execmem signal_perms };
allow hald_t self:fifo_file rw_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow hald_t self:unix_dgram_socket create_socket_perms;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:tcp_socket create_stream_socket_perms;
allow hald_t self:udp_socket create_socket_perms;
@ -47,6 +49,9 @@ kernel_read_network_state(hald_t)
kernel_read_kernel_sysctl(hald_t)
kernel_write_proc_file(hald_t)
corecmd_exec_bin(hald_t)
corecmd_exec_sbin(hald_t)
corenet_tcp_sendrecv_all_if(hald_t)
corenet_udp_sendrecv_all_if(hald_t)
corenet_raw_sendrecv_all_if(hald_t)
@ -59,7 +64,6 @@ corenet_non_ipsec_sendrecv(hald_t)
corenet_tcp_bind_all_nodes(hald_t)
corenet_udp_bind_all_nodes(hald_t)
dev_read_sysfs(hald_t)
dev_rw_usbfs(hald_t)
dev_read_urand(hald_t)
dev_read_input(hald_t)
@ -68,6 +72,20 @@ dev_rw_printer(hald_t)
dev_read_lvm_control(hald_t)
dev_getattr_all_chr_files(hald_t)
dev_manage_generic_chr_file(hald_t)
# hal is now execing pm-suspend
dev_rw_sysfs(hald_t)
domain_use_wide_inherit_fd(hald_t)
domain_exec_all_entry_files(hald_t)
files_exec_etc_files(hald_t)
files_read_etc_files(hald_t)
files_rw_etc_runtime_files(hald_t)
files_search_mnt(hald_t)
files_search_var_lib(hald_t)
files_read_usr_files(hald_t)
# hal is now execing pm-suspend
files_create_boot_flag(hald_t)
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
@ -87,19 +105,6 @@ storage_raw_write_fixed_disk(hald_t)
term_dontaudit_use_console(hald_t)
corecmd_exec_bin(hald_t)
corecmd_exec_sbin(hald_t)
domain_use_wide_inherit_fd(hald_t)
domain_exec_all_entry_files(hald_t)
files_exec_etc_files(hald_t)
files_read_etc_files(hald_t)
files_rw_etc_runtime_files(hald_t)
files_search_mnt(hald_t)
files_search_var_lib(hald_t)
files_read_usr_files(hald_t)
init_use_fd(hald_t)
init_use_script_pty(hald_t)
@ -171,6 +176,10 @@ optional_policy(`nscd',`
nscd_use_socket(hald_t)
')
optional_policy(`ntp',`
ntp_domtrans(hald_t)
')
optional_policy(`pcmcia',`
pcmcia_manage_pid(hald_t)
pcmcia_manage_runtime_chr(hald_t)
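Review bot: `execmem` is granted to all of `hald_t` in the first hunk so that vbetool can run, but hald_t is also the domain that holds `sys_rawio`, `sys_admin` and raw fixed-disk write access, so the whole daemon loses the writable-and-executable-memory restriction for the sake of one helper. Running vbetool in a domain of its own, entered by a transition from hald_t, would confine execmem to that helper; the `ntp_domtrans(hald_t)` call added at the end of this section already follows that pattern. The same applies to the pm-suspend additions (`dev_rw_sysfs`, `files_create_boot_flag`), which are likewise granted to hald_t rather than to the program it executes. If the split has to wait, extend the comment to `# vbetool requires execmem; TODO: move it to its own domain`.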

@ -1,5 +1,5 @@
policy_module(mta,1.0.4)
policy_module(mta,1.1.1)
########################################
#
@ -57,15 +57,6 @@ init_use_script_pty(system_mail_t)
userdom_use_sysadm_terms(system_mail_t)
ifdef(`hide_broken_symptoms',`
# Red Hat systems seem to have a stray
# fds open from the initrd
ifdef(`distro_redhat',`
kernel_dontaudit_use_fd(system_mail_t)
storage_dontaudit_read_fixed_disk(system_mail_t)
')
')
ifdef(`targeted_policy',`
typealias system_mail_t alias sysadm_mail_t;

@ -18,6 +18,7 @@ files_pid_file(saslauthd_var_run_t)
# Local policy
#
allow saslauthd_t self:capability setuid;
dontaudit saslauthd_t self:capability sys_tty_config;
allow saslauthd_t self:process signal_perms;
allow saslauthd_t self:fifo_file { read write };
@ -56,9 +57,10 @@ auth_use_nsswitch(saslauthd_t)
domain_use_wide_inherit_fd(saslauthd_t)
files_read_etc_files(saslauthd_t)
files_read_etc_runtime_files(saslauthd_t)
files_dontaudit_read_etc_runtime_files(saslauthd_t)
files_search_var_lib(saslauthd_t)
files_dontaudit_getattr_home_dir(saslauthd_t)
files_dontaudit_getattr_tmp_dir(saslauthd_t)
init_use_fd(saslauthd_t)
init_use_script_pty(saslauthd_t)

@ -73,6 +73,10 @@ corenet_non_ipsec_sendrecv(spamd_t)
corenet_tcp_bind_all_nodes(spamd_t)
corenet_udp_bind_all_nodes(spamd_t)
corenet_tcp_bind_spamd_port(spamd_t)
# spamassassin 3.1 needs this for its
# DnsResolver.pm module which binds to
# random ports >= 1024.
corenet_udp_bind_generic_port(spamd_t)
dev_read_sysfs(spamd_t)
dev_read_urand(spamd_t)
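Review bot: The comment added above `corenet_udp_bind_generic_port(spamd_t)` says DnsResolver.pm binds to random ports >= 1024, but the generic-port interface covers only ports that have no type of their own, so a random pick that lands on a port assigned to another service is still denied. That is the safer behaviour and the rule should not be widened to match the comment. The comment should state the limit instead, so that the occasional resulting AVC is not mistaken for a policy bug: `# random unreserved ports; ports labeled for another service stay denied`.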

@ -6,11 +6,7 @@ policy_module(xdm,1.0.1)
# Declarations
#
ifdef(`targeted_policy',`
unconfined_alias_domain(xdm_t)
',`
type xdm_t;
')
# real declaration moved to mls until
# range_transition works in loadable modules
@ -78,7 +74,9 @@ selinux_compute_user_contexts(xdm_t)
files_read_etc_runtime_files(xdm_t)
ifdef(`targeted_policy',`
allow xdm_t self:process execmem;
unconfined_domain_template(xdm_t)
unconfined_domtrans(xdm_t)
',`
allow xdm_t xdm_lock_t:file create_file_perms;
files_create_lock(xdm_t,xdm_lock_t)

@ -1,5 +1,5 @@
policy_module(hostname,1.0)
policy_module(hostname,1.1.1)
########################################
#
@ -22,7 +22,6 @@ allow hostname_t self:capability sys_admin;
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
dontaudit hostname_t self:capability sys_tty_config;
kernel_dontaudit_use_fd(hostname_t)
kernel_list_proc(hostname_t)
kernel_read_proc_symlinks(hostname_t)

@ -31,18 +31,6 @@ interface(`init_domain',`
allow init_t $1:fd use;
allow $1 init_t:fifo_file rw_file_perms;
allow $1 init_t:process sigchld;
# Red Hat systems seem to have stray
# fds open from the initrd
ifdef(`hide_broken_symptoms',`
# Red Hat systems seem to have a stray
# fds open from the initrd
ifdef(`distro_redhat',`
kernel_dontaudit_use_fd($1)
storage_dontaudit_read_fixed_disk($1)
files_dontaudit_read_root_file($1)
')
')
')
########################################
@ -82,16 +70,6 @@ interface(`init_daemon_domain',`
typeattribute $2 direct_init_entry;
')
ifdef(`hide_broken_symptoms',`
# Red Hat systems seem to have a stray
# fds open from the initrd
ifdef(`distro_redhat',`
kernel_dontaudit_use_fd($1)
storage_dontaudit_read_fixed_disk($1)
files_dontaudit_read_root_file($1)
')
')
ifdef(`targeted_policy',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
@ -163,16 +141,6 @@ interface(`init_system_domain',`
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
ifdef(`hide_broken_symptoms',`
# Red Hat systems seem to have a stray
# fds open from the initrd
ifdef(`distro_redhat',`
kernel_dontaudit_use_fd($1)
storage_dontaudit_read_fixed_disk($1)
files_dontaudit_read_root_file($1)
')
')
')
########################################

@ -62,7 +62,8 @@ ifdef(`distro_redhat',`
/usr/lib(64)?/im/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/iiim/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
@ -103,7 +104,6 @@ ifdef(`distro_redhat',`
/usr/lib/valgrind/hp2ps -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/valgrind/stage2 -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/valgrind/vg.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/.*/libxpcom_core.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/.*/program/libsts645li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
@ -113,6 +113,10 @@ ifdef(`distro_redhat',`
/usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/thunderbird.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
# Fedora Extras packages: ladspa, imlib2, ocaml
/usr/lib/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
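Review bot: The four patterns added in the last hunk (`/usr/lib(64)?/firefox.*\.so` and the mozilla, sunbird and thunderbird equivalents) give `texrel_shlib_t` to every shared object under those trees, where the entry they apparently replace named a single library, `libxpcom_core.so`. That extends the text-relocation allowance to libraries that do not need it. Because `.*` follows the product name with no `/`, each pattern also covers any sibling directory whose name merely starts with that prefix. Listing the libraries known to need relocation, as the valgrind and OpenOffice entries around them do, keeps the exception narrow; failing that, make the directory boundary explicit, e.g. `/usr/lib(64)?/firefox[^/]*/.*\.so`.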

@ -1,5 +1,5 @@
policy_module(libraries,1.0.1)
policy_module(libraries,1.1.1)
########################################
#
@ -42,12 +42,8 @@ ifdef(`targeted_policy',`
# texrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
ifdef(`targeted_policy',`
typealias lib_t alias texrel_shlib_t;
',`
type texrel_shlib_t;
files_type(texrel_shlib_t)
')
########################################
#

@ -168,13 +168,6 @@ userdom_use_unpriv_users_fd(local_login_t)
# Search for mail spool file.
mta_getattr_spool(local_login_t)
# Red Hat systems seem to have a stray
# fd open from the initrd
ifdef(`distro_redhat',`
kernel_dontaudit_use_fd(local_login_t)
files_dontaudit_read_root_file(local_login_t)
')
ifdef(`targeted_policy',`
unconfined_domain_template(local_login_t)
unconfined_shell_domtrans(local_login_t)

@ -1,5 +1,5 @@
policy_module(mount,1.0.1)
policy_module(mount,1.1.1)
########################################
#
@ -26,7 +26,6 @@ allow mount_t mount_tmp_t:dir create_dir_perms;
files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
kernel_read_system_state(mount_t)
kernel_dontaudit_use_fd(mount_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)