trunk: 5 patches from dan.

This commit is contained in:
Chris PeBenito 2007-09-04 18:57:58 +00:00
parent ce2c80f3c6
commit 0a0b8078ca
10 changed files with 88 additions and 23 deletions

View File

@ -1,4 +1,3 @@
#
# /usr
#
/etc/readahead.d(/.*)? gen_context(system_u:object_r:readahead_etc_rw_t,s0)
/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(readahead,1.3.1)
policy_module(readahead,1.3.2)
########################################
#
@ -11,6 +11,9 @@ type readahead_exec_t;
init_daemon_domain(readahead_t,readahead_exec_t)
application_domain(readahead_t,readahead_exec_t)
type readahead_etc_rw_t;
files_pid_file(readahead_etc_rw_t)
type readahead_var_run_t;
files_pid_file(readahead_var_run_t)
@ -19,9 +22,12 @@ files_pid_file(readahead_var_run_t)
# Local policy
#
dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
allow readahead_t self:capability { dac_override dac_read_search };
dontaudit readahead_t self:capability sys_tty_config;
allow readahead_t self:process signal_perms;
manage_files_pattern(readahead_t,readahead_etc_rw_t,readahead_etc_rw_t)
manage_files_pattern(readahead_t,readahead_var_run_t,readahead_var_run_t)
files_pid_filetrans(readahead_t,readahead_var_run_t,file)
@ -37,7 +43,7 @@ dev_getattr_all_blk_files(readahead_t)
dev_dontaudit_read_all_blk_files(readahead_t)
dev_dontaudit_getattr_memory_dev(readahead_t)
dev_dontaudit_getattr_nvram_dev(readahead_t)
storage_dontaudit_getattr_fixed_disk_dev(readahead_t)
storage_raw_read_fixed_disk(readahead_t)
domain_use_interactive_fds(readahead_t)
@ -68,6 +74,7 @@ libs_use_ld_so(readahead_t)
libs_use_shared_libs(readahead_t)
logging_send_syslog_msg(readahead_t)
logging_dontaudit_search_audit_config(readahead_t)
miscfiles_read_localization(readahead_t)
@ -80,6 +87,10 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(readahead_t)
')
optional_policy(`
cron_system_entry(readahead_t, readahead_exec_t)
')
optional_policy(`
seutil_sigchld_newrole(readahead_t)
')

View File

@ -278,5 +278,5 @@ interface(`usermanage_read_crack_db',`
type crack_db_t;
')
allow $1 crack_db_t:file read_file_perms;
read_files_pattern($1,crack_db_t,crack_db_t)
')

View File

@ -1,5 +1,5 @@
policy_module(usermanage,1.7.1)
policy_module(usermanage,1.7.2)
########################################
#
@ -191,7 +191,6 @@ allow groupadd_t self:unix_dgram_socket create_socket_perms;
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
allow groupadd_t self:unix_dgram_socket sendto;
allow groupadd_t self:unix_stream_socket connectto;
allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
fs_getattr_xattr_fs(groupadd_t)
fs_search_auto_mountpoints(groupadd_t)
@ -223,6 +222,7 @@ libs_use_shared_libs(groupadd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(groupadd_t)
logging_send_audit_msgs(groupadd_t)
logging_send_syslog_msg(groupadd_t)
miscfiles_read_localization(groupadd_t)
@ -244,6 +244,10 @@ optional_policy(`
dpkg_rw_pipes(groupadd_t)
')
optional_policy(`
nscd_domtrans(groupadd_t)
')
optional_policy(`
rpm_use_fds(groupadd_t)
rpm_rw_pipes(groupadd_t)
@ -254,7 +258,7 @@ optional_policy(`
# Passwd local policy
#
allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
@ -264,7 +268,6 @@ allow passwd_t self:unix_dgram_socket create_socket_perms;
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
allow passwd_t self:unix_dgram_socket sendto;
allow passwd_t self:unix_stream_socket connectto;
allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
@ -316,6 +319,7 @@ init_dontaudit_rw_utmp(passwd_t)
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
miscfiles_read_localization(passwd_t)
@ -336,6 +340,7 @@ optional_policy(`
optional_policy(`
nscd_socket_use(passwd_t)
nscd_domtrans(passwd_t)
')
########################################
@ -426,6 +431,7 @@ optional_policy(`
optional_policy(`
nscd_socket_use(sysadm_passwd_t)
nscd_domtrans(sysadm_passwd_t)
')
########################################
@ -433,7 +439,7 @@ optional_policy(`
# Useradd local policy
#
allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
@ -447,7 +453,6 @@ allow useradd_t self:unix_dgram_socket create_socket_perms;
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
@ -492,6 +497,7 @@ init_rw_utmp(useradd_t)
libs_use_ld_so(useradd_t)
libs_use_shared_libs(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
miscfiles_read_localization(useradd_t)
@ -518,6 +524,10 @@ optional_policy(`
dpkg_rw_pipes(useradd_t)
')
optional_policy(`
nscd_domtrans(useradd_t)
')
optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)

View File

@ -1,5 +1,5 @@
policy_module(loadkeys,1.1.0)
policy_module(loadkeys,1.1.1)
########################################
#
@ -39,7 +39,7 @@ ifdef(`targeted_policy',`
files_read_etc_runtime_files(loadkeys_t)
term_dontaudit_use_console(loadkeys_t)
term_dontaudit_use_unallocated_ttys(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
init_dontaudit_use_script_ptys(loadkeys_t)
@ -49,4 +49,8 @@ ifdef(`targeted_policy',`
locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
')

View File

@ -19,3 +19,23 @@ interface(`setroubleshoot_stream_connect',`
allow $1 setroubleshoot_var_run_t:sock_file write;
allow $1 setroubleshootd_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Dontaudit attempts to connect to setroubleshootd
## over an unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`setroubleshoot_dontaudit_stream_connect',`
gen_require(`
type setroubleshootd_t, setroubleshoot_var_run_t;
')
dontaudit $1 setroubleshoot_var_run_t:sock_file write;
dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
')

View File

@ -1,5 +1,5 @@
policy_module(setroubleshoot,1.4.0)
policy_module(setroubleshoot,1.4.1)
########################################
#
@ -33,7 +33,6 @@ allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
# database files
allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
@ -76,12 +75,17 @@ files_read_etc_files(setroubleshootd_t)
files_getattr_all_dirs(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
term_dontaudit_use_all_user_ptys(setroubleshootd_t)
term_dontaudit_use_all_user_ttys(setroubleshootd_t)
auth_use_nsswitch(setroubleshootd_t)
init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
@ -112,7 +116,3 @@ optional_policy(`
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
')
optional_policy(`
nis_use_ypbind(setroubleshootd_t)
')

View File

@ -315,6 +315,25 @@ interface(`logging_read_audit_config',`
allow $1 auditd_etc_t:dir list_dir_perms;
')
########################################
## <summary>
## dontaudit search of auditd configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_dontaudit_search_audit_config',`
gen_require(`
type auditd_etc_t;
')
dontaudit $1 auditd_etc_t:dir search_dir_perms;
')
########################################
## <summary>
## Allows the domain to open a file in the

View File

@ -1,5 +1,5 @@
policy_module(logging,1.7.2)
policy_module(logging,1.7.3)
########################################
#

View File

@ -1,5 +1,5 @@
policy_module(netlabel,1.0.1)
policy_module(netlabel,1.0.2)
########################################
#
@ -21,6 +21,8 @@ allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
kernel_read_network_state(netlabel_mgmt_t)
files_read_etc_files(netlabel_mgmt_t)
libs_use_ld_so(netlabel_mgmt_t)
libs_use_shared_libs(netlabel_mgmt_t)