From 0f27d98d944ea733ebd56efd1d2106f8ccdf2f2e Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 27 Feb 2006 16:23:39 +0000
Subject: [PATCH] patch from dan Thu, 23 Feb 2006 14:26:05 -0500
---
refpolicy/Makefile | 12 +++++------
refpolicy/policy/modules/admin/logwatch.te | 4 +++-
refpolicy/policy/modules/admin/vpn.te | 8 ++++++-
refpolicy/policy/modules/apps/java.if | 9 ++------
refpolicy/policy/modules/apps/java.te | 2 +-
.../policy/modules/kernel/corecommands.fc | 1 +
.../policy/modules/kernel/corecommands.te | 2 +-
refpolicy/policy/modules/kernel/devices.fc | 1 +
refpolicy/policy/modules/kernel/devices.te | 2 +-
refpolicy/policy/modules/kernel/files.te | 9 +++++---
refpolicy/policy/modules/services/apache.fc | 2 +-
refpolicy/policy/modules/services/apache.if | 21 +++++++++++++++++++
refpolicy/policy/modules/services/apache.te | 2 +-
.../policy/modules/services/automount.te | 9 +++++---
refpolicy/policy/modules/services/cron.te | 5 ++++-
refpolicy/policy/modules/services/hal.te | 4 ++--
refpolicy/policy/modules/services/xserver.te | 4 ++--
refpolicy/policy/modules/system/fstools.te | 4 ++--
refpolicy/policy/modules/system/mount.te | 4 ++--
.../policy/modules/system/selinuxutil.te | 20 ++++++++----------
20 files changed, 79 insertions(+), 46 deletions(-)
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 5e004305..99ffe62e 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -446,14 +446,14 @@ install-headers: $(TUNXML) $(BOOLXML)
 $(MODDIR)/$$i/metadata.xml \
 $(HEADERDIR)/$$i ;\
 done
- $(verbose) echo "TYPE=$(TYPE)" > $(HEADERDIR)/build.conf
- $(verbose) echo "NAME=$(NAME)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "TYPE ?= $(TYPE)" > $(HEADERDIR)/build.conf
+ $(verbose) echo "NAME ?= $(NAME)" >> $(HEADERDIR)/build.conf
 ifneq "$(DISTRO)" ""
- $(verbose) echo "DISTRO=$(DISTRO)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "DISTRO ?= $(DISTRO)" >> $(HEADERDIR)/build.conf
 endif
- $(verbose) echo "MONOLITHIC=n" >> $(HEADERDIR)/build.conf
- $(verbose) echo "DIRECT_INITRC=$(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
- $(verbose) echo "POLY=$(POLY)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "MONOLITHIC ?= n" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "POLY ?= $(POLY)" >> $(HEADERDIR)/build.conf
 $(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile
 ########################################
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
index 913ad19f..adace0be 100644
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ b/refpolicy/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
-policy_module(logwatch,1.0.1)
+policy_module(logwatch,1.0.2)
 #################################
 #
@@ -71,6 +71,8 @@ miscfiles_read_localization(logwatch_t)
 selinux_dontaudit_getattr_dir(logwatch_t)
+sysnet_dns_name_resolve(logwatch_t)
+
 userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
 userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index 0c5ee067..42be63bc 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
-policy_module(vpnc,1.1.1)
+policy_module(vpnc,1.1.2)
 ########################################
 #
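Review bot: The switch to `?=` in the echoed build.conf lines means each recorded setting now yields to any same-named variable already present in the environment of the developer build, so an exported `NAME`, `TYPE` or `POLY` silently replaces the values the headers were generated with, and `MONOLITHIC`, previously pinned to `n`, becomes overridable as well. If the goal is only to allow overrides on the make command line, a plain `=` already permits that, because command-line assignments take precedence over makefile assignments. A comment above the first echo stating the intended override path, e.g. `# ?= so a Makefile.devel invocation can override the recorded build settings`, would record the decision. The install-headers recipe starts before this hunk.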
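Review bot: `sysnet_dns_name_resolve(logwatch_t)` in the logwatch hunk is added with no comment saying which part of logwatch needs name resolution; presumably hostname lookups while building reports, but that is inferred rather than visible here. A one-line note such as `# hostname lookups while generating reports — confirm` next to the call keeps the justification beside the grant, in the style of the `# for mcs.conf` comment used elsewhere in this commit.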
@@ -91,6 +91,8 @@ libs_exec_lib_files(vpnc_t)
 libs_use_ld_so(vpnc_t)
 libs_use_shared_libs(vpnc_t)
+locallogin_use_fd(vpnc_t)
+
 logging_send_syslog_msg(vpnc_t)
 miscfiles_read_localization(vpnc_t)
@@ -106,6 +108,10 @@ userdom_dontaudit_search_all_users_home_content(vpnc_t)
 optional_policy(`dbus',`
 dbus_system_bus_client_template(vpnc,vpnc_t)
+ dbus_send_system_bus(vpnc_t)
+ optional_policy(`networkmanager',`
+ networkmanager_dbus_chat(vpnc_t)
+ ')
 ')
 optional_policy(`mount',`
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index 949ac27e..015f28d5 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -57,7 +57,7 @@ template(`java_per_userdomain_template',`
 # Local policy
 #
- allow $1_javaplugin_t self:process { signal_perms getsched setsched };
+ allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
 allow $1_javaplugin_t self:fifo_file rw_file_perms;
 allow $1_javaplugin_t self:tcp_socket create_socket_perms;
 allow $1_javaplugin_t self:udp_socket create_socket_perms;
@@ -149,13 +149,8 @@ template(`java_per_userdomain_template',`
 userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
 userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
- # libdeploy.so legacy
- tunable_policy(`allow_execmem',`
- allow $1_javaplugin_t self:process execmem;
- ')
-
 tunable_policy(`allow_java_execstack',`
- allow $1_javaplugin_t self:process { execmem execstack };
+ allow $1_javaplugin_t self:process execstack;
 allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
diff --git a/refpolicy/policy/modules/apps/java.te b/refpolicy/policy/modules/apps/java.te
index caea9aaa..ecf64bb7 100644
--- a/refpolicy/policy/modules/apps/java.te
+++ b/refpolicy/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
-policy_module(java,1.0.1)
+policy_module(java,1.0.2)
 ########################################
 #
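Review bot: `dbus_send_system_bus(vpnc_t)` in the second vpn.te hunk is added next to the existing `dbus_system_bus_client_template(vpnc,vpnc_t)` without a note on why the template alone is insufficient; if the template already covers sending on the system bus the line is redundant, and if it does not, the nested `networkmanager_dbus_chat(vpnc_t)` is presumably the reason. A comment such as `# needed to reach NetworkManager over the system bus — confirm` above the new line would make that explicit.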
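Review bot: `execmem` is now granted unconditionally to `$1_javaplugin_t` in the first java.if hunk, while the second java.if hunk deletes the `allow_execmem` tunable together with its `# libdeploy.so legacy` comment, so neither the reason for the permission nor an administrator's ability to withhold it survives in the policy. Because execmem lets the plugin domain map memory that is both writable and executable, the justification should be carried forward as a comment on the allow line, e.g. `# execmem: required regardless of the allow_execmem tunable (was: libdeploy.so legacy) — confirm`. The `java_per_userdomain_template` body starts before and continues past both hunks.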
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index 94c7af68..3f791190 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -138,6 +138,7 @@ ifdef(`distro_gentoo',`
 /usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te
index 925e754d..330c3c70 100644
--- a/refpolicy/policy/modules/kernel/corecommands.te
+++ b/refpolicy/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.2.0)
+policy_module(corecommands,1.2.1)
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/devices.fc b/refpolicy/policy/modules/kernel/devices.fc
index 54bbddf0..55e24159 100644
--- a/refpolicy/policy/modules/kernel/devices.fc
+++ b/refpolicy/policy/modules/kernel/devices.fc
@@ -13,6 +13,7 @@
 /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/console -c gen_context(system_u:object_r:console_device_t,s0)
 /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
 /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/full -c gen_context(system_u:object_r:null_device_t,s0)
 /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index ac5c6039..95e28c2e 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.0.4)
+policy_module(devices,1.0.5)
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index 29de9d7a..b1d1756b 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.1.1)
+policy_module(files,1.1.2)
 ########################################
 #
@@ -74,9 +74,10 @@ sid file gen_context(system_u:object_r:file_t,s0)
 # home_root_t is the type for the directory where user home directories
 # are created
 #
-type home_root_t, file_type, mountpoint; #, polyparent
+type home_root_t, file_type, mountpoint;
 fs_associate(home_root_t)
 fs_associate_noxattr(home_root_t)
+files_poly_parent(home_root_t)
 #
 # lost_found_t is the type for the lost+found directories.
@@ -107,9 +108,10 @@ fs_associate_noxattr(readable_t)
 #
 # root_t is the type for rootfs and the root directory.
 #
-type root_t, file_type, mountpoint; #, polyparent
+type root_t, file_type, mountpoint;
 fs_associate(root_t)
 fs_associate_noxattr(root_t)
+files_poly_parent(root_t)
 kernel_rootfs_mountpoint(root_t)
 genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
@@ -125,6 +127,7 @@ fs_associate_noxattr(src_t)
 #
 type tmp_t, mountpoint; #, polydir
 files_tmp_file(tmp_t)
+files_poly_parent(tmp_t)
 #
 # usr_t is the type for /usr.
diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc
index 1eb9976f..737fcf61 100644
--- a/refpolicy/policy/modules/services/apache.fc
+++ b/refpolicy/policy/modules/services/apache.fc
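Review bot: The tmp_t hunk of files.te leaves `type tmp_t, mountpoint; #, polydir` in place while the same commit strips the sibling `#, polyparent` remarks from `home_root_t` and `root_t` and expresses the intent through `files_poly_parent()` calls; with `files_poly_parent(tmp_t)` now added, the leftover `#, polydir` remark no longer matches what the code declares. Change the declaration to `type tmp_t, mountpoint;` to line up with the other two hunks, or, if tmp_t is meant to be both a polyinstantiated directory and a parent of polyinstantiated directories, say so in a comment above the new call rather than in a trailing remark on the type line.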
@@ -45,7 +45,7 @@ ifdef(`distro_suse', `
 /var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/lib/cacti(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index a4d9ca5f..efb84b4e 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -31,6 +31,7 @@ template(`apache_content_template',`
 # This type is used for executable scripts files
 type httpd_$1_script_exec_t; # customizable;
+ corecmd_shell_entry_type(httpd_$1_script_t)
 domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
 # The following three are the only areas that
@@ -174,6 +175,7 @@ template(`apache_content_template',`
 dev_read_urand(httpd_$1_script_t)
 fs_getattr_xattr_fs(httpd_$1_script_t)
+ fs_read_eventpollfs(httpd_$1_script_t)
 files_read_etc_runtime_files(httpd_$1_script_t)
 files_read_usr_files(httpd_$1_script_t)
@@ -781,6 +783,25 @@ interface(`apache_append_squirrelmail_data',`
 allow $1 httpd_squirrelmail_t:file { getattr append };
 ')
+########################################
+##
+## Read apache system content
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_read_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:dir r_dir_perms;
+ allow $1 httpd_sys_content_t:file { getattr read };
+')
+
 ########################################
 ##
 ## Search system script state directory.
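Review bot: The apache.fc replacement narrows `/var/lib/cacti(/.*)?` to `/var/lib/cacti/rra(/.*)?`, so every path under /var/lib/cacti other than rra loses its httpd_var_lib_t label and falls back to whatever the enclosing /var/lib rule assigns, while rra itself becomes httpd_sys_content_t, the type that the new `apache_read_sys_content` interface in this commit exposes read-only to other domains. If the intent was only to make the RRD data readable content rather than to drop coverage of the rest of the tree, keep the original line and add the new one after it: `/var/lib/cacti(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)` followed by `/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)`, since the more specific entry takes precedence for rra.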
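Review bot: `corecmd_shell_entry_type(httpd_$1_script_t)` in the first apache.if hunk makes shell executables valid entry points into every httpd_$1_script_t domain the template instantiates, in addition to `httpd_$1_script_exec_t`; that widens what can enter the script domain and is not explained anywhere in the hunk. A comment giving the trigger would help the next reviewer, e.g. `# shells may serve as the entry point for scripts run via their interpreter — confirm`. `apache_content_template` starts before this hunk and continues past it.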
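Review bot: The parameter description of the new `apache_read_sys_content` interface in the third apache.if hunk reads `Domain to not audit.`, which is the wording for a dontaudit interface, but the body is an allow; it should read `Domain allowed access.` so the generated interface documentation does not misdescribe the grant. Separately, `allow $1 httpd_sys_content_t:file { getattr read };` is narrower than the `r_file_perms` that conventionally pairs with the `r_dir_perms` used on the dir line; if leaving out the remaining read-class permissions is deliberate, a comment should say so, otherwise `r_file_perms` is the expected form.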
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 39f988aa..bdd38b4f 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.2.1)
+policy_module(apache,1.2.2)
 #
 # NOTES:
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index d2d1202c..acf8578c 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount,1.1.3)
+policy_module(automount,1.1.4)
 ########################################
 #
@@ -28,7 +28,7 @@ files_mountpoint(automount_tmp_t)
 # Local policy
 #
-allow automount_t self:capability { net_bind_service sys_nice dac_override };
+allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
 dontaudit automount_t self:capability sys_tty_config;
 allow automount_t self:process { signal_perms getpgid setpgid setsched };
 allow automount_t self:fifo_file rw_file_perms;
@@ -83,6 +83,9 @@ corenet_udp_bind_all_nodes(automount_t)
 corenet_tcp_connect_portmap_port(automount_t)
 corenet_tcp_connect_all_ports(automount_t)
 corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
+# Automount execs showmount when you browse /net. This is required until
+# Someone writes a showmount policy
+corenet_tcp_bind_reserved_port(automount_t)
 dev_read_sysfs(automount_t)
 # for SSP
@@ -91,7 +94,7 @@ dev_read_urand(automount_t)
 domain_use_interactive_fds(automount_t)
 files_dontaudit_write_var_dirs(automount_t)
-files_search_var_lib(automount_t)
+files_getattr_all_dirs(automount_t)
 files_list_mnt(automount_t)
 files_getattr_home_dir(automount_t)
 files_read_etc_files(automount_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 370168b8..12725ce6 100644
--- a/refpolicy/policy/modules/services/cron.te
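Review bot: In the last automount.te hunk `files_getattr_all_dirs(automount_t)` replaces `files_search_var_lib(automount_t)` instead of joining it; if the interface names are accurate, getattr on every directory does not include search on /var/lib, so any access under /var/lib that the old line served will now be denied, while the new line is far broader than the one it replaces. Keep `files_search_var_lib(automount_t)` alongside the new call, or record in a comment why search is no longer needed, and give the new call its own why-comment, e.g. `# stat() of directories anywhere in the tree while browsing /net — confirm`. The `sys_resource` capability added in the second automount.te hunk likewise has no comment; a short note on which operation needs it would match the explanation already given for `corenet_tcp_bind_reserved_port`.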
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.2.2)
+policy_module(cron,1.2.3)
 gen_require(`
 class passwd rootok;
@@ -360,6 +360,9 @@ ifdef(`targeted_policy',`
 optional_policy(`apache',`
 # Needed for certwatch
 apache_exec_modules(system_crond_t)
+ apache_read_config(system_crond_t)
+ apache_read_log(system_crond_t)
+ apache_read_sys_content(system_crond_t)
 ')
 optional_policy(`cyrus',`
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 2a40acea..83cc6008 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.2.6)
+policy_module(hal,1.2.7)
 ########################################
 #
@@ -93,7 +93,7 @@ files_create_boot_flag(hald_t)
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
-fs_search_auto_mountpoints(hald_t)
+fs_list_auto_mountpoints(hald_t)
 mls_file_read_up(hald_t)
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 21a978c8..1f683113 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.0.3)
+policy_module(xserver,1.0.4)
 ########################################
 #
@@ -425,7 +425,7 @@ ifdef(`strict_policy',`
 ifdef(`targeted_policy',`
 allow xdm_xserver_t self:process { execheap execmem };
- unconfined_domain(xdm_xserver_t)
+ unconfined_domain_noaudit(xdm_xserver_t)
 unconfined_domtrans(xdm_xserver_t)
 ')
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 6283ca0e..34bc157f 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
-policy_module(fstools,1.2.2)
+policy_module(fstools,1.2.3)
 ########################################
 #
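Review bot: In the cron.te hunk the `# Needed for certwatch` comment was written for `apache_exec_modules(system_crond_t)` alone, but it now also heads the three new lines that give system_crond_t read access to apache configuration, logs and every httpd_sys_content_t file, a considerably broader grant than module execution, and nothing states that certwatch needs each of them. Either extend the comment to say which of the new lines certwatch actually requires, or move any line that serves a different cron job under its own comment. The enclosing targeted_policy ifdef starts before the hunk.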
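Review bot: Changing `unconfined_domain(xdm_xserver_t)` to `unconfined_domain_noaudit(xdm_xserver_t)` in the targeted branch of xserver.te alters what the audit log records for the X server, not just how much noise it produces; the difference between the two interfaces is not visible here, but if the _noaudit variant drops audit records that `unconfined_domain` would otherwise emit for operations such as the `execheap execmem` granted on the line above, those events become invisible to anyone monitoring the log. A comment naming the noise being silenced, e.g. `# noaudit: avoids audit records for the X server's expected execmem/execheap use — confirm`, would let a reader weigh the lost visibility against the noise.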
@@ -45,7 +45,7 @@ allow fsadm_t fsadm_tmp_t:file create_file_perms;
 files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
 # Enable swapping to files
-allow fsadm_t swapfile_t:file { getattr swapon };
+allow fsadm_t swapfile_t:file { read write getattr swapon };
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index cde1b95b..400a3c0a 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.2.2)
+policy_module(mount,1.2.3)
 ########################################
 #
@@ -46,7 +46,7 @@ fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_all_fs(mount_t)
-fs_search_auto_mountpoints(mount_t)
+fs_list_auto_mountpoints(mount_t)
 fs_rw_tmpfs_chr_files(mount_t)
 fs_read_tmpfs_symlinks(mount_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 187e4c4e..b30c1c9f 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.1.6)
+policy_module(selinuxutil,1.1.7)
 gen_require(`
 bool secure_mode;
@@ -178,8 +178,16 @@ allow load_policy_t selinux_config_t:dir r_dir_perms;
 allow load_policy_t selinux_config_t:file r_file_perms;
 allow load_policy_t selinux_config_t:lnk_file r_file_perms;
+domain_use_interactive_fds(load_policy_t)
+
+# for mcs.conf
+files_read_etc_files(load_policy_t)
+files_read_etc_runtime_files(load_policy_t)
+
 fs_getattr_xattr_fs(load_policy_t)
+mls_file_read_up(load_policy_t)
+
 selinux_get_fs_mount(load_policy_t)
 selinux_load_policy(load_policy_t)
 selinux_set_boolean(load_policy_t)
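Review bot: `{ read write getattr swapon }` on swapfile_t in the fstools.te hunk now lets fsadm_t read and write swap files, but the comment above, `# Enable swapping to files`, explains only `swapon`; read/write is presumably for initializing the file with mkswap, though that is inferred. Extend the comment so the broader access is justified in place, e.g. `# Enable swapping to files (swapon) and initializing them (read/write, e.g. mkswap) — confirm`.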
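Review bot: `mls_file_read_up(load_policy_t)` in the selinuxutil.te hunk at line 178 is an MLS override allowing load_policy_t to read files above its own sensitivity level, and unlike the moved `# for mcs.conf` block it arrives without a comment; the rest of that hunk, together with the removal in the hunk at line 190, is only a reordering of existing lines. A note such as `# policy or config files may be labelled above the loader's level — confirm` above the call would record why the override is needed.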
@@ -190,12 +198,6 @@ term_list_ptys(load_policy_t)
 init_use_script_fds(load_policy_t)
 init_use_script_ptys(load_policy_t)
-domain_use_interactive_fds(load_policy_t)
-
-# for mcs.conf
-files_read_etc_files(load_policy_t)
-files_read_etc_runtime_files(load_policy_t)
-
 libs_use_ld_so(load_policy_t)
 libs_use_shared_libs(load_policy_t)
@@ -319,10 +321,6 @@ optional_policy(`nscd',`
 nscd_socket_use(newrole_t)
 ')
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
-') dnl ifdef TODO
-
 ########################################
 #
 # Restorecon local policy