rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

patch from dan Thu, 23 Feb 2006 14:26:05 -0500

Browse Source
This commit is contained in:
Chris PeBenito 2006-02-27 16:23:39 +00:00
parent 675a0ee76d
commit 0f27d98d94
20 changed files with 79 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
refpolicy/Makefile
View File

@ -446,14 +446,14 @@ install-headers: $(TUNXML) $(BOOLXML)
$(MODDIR)/$$i/metadata.xml \ $(MODDIR)/$$i/metadata.xml \
$(HEADERDIR)/$$i ;\ $(HEADERDIR)/$$i ;\
done done
$(verbose) echo "TYPE=$(TYPE)" > $(HEADERDIR)/build.conf $(verbose) echo "TYPE ?= $(TYPE)" > $(HEADERDIR)/build.conf
$(verbose) echo "NAME=$(NAME)" >> $(HEADERDIR)/build.conf $(verbose) echo "NAME ?= $(NAME)" >> $(HEADERDIR)/build.conf
ifneq "$(DISTRO)" "" ifneq "$(DISTRO)" ""
$(verbose) echo "DISTRO=$(DISTRO)" >> $(HEADERDIR)/build.conf $(verbose) echo "DISTRO ?= $(DISTRO)" >> $(HEADERDIR)/build.conf
endif endif
$(verbose) echo "MONOLITHIC=n" >> $(HEADERDIR)/build.conf $(verbose) echo "MONOLITHIC ?= n" >> $(HEADERDIR)/build.conf
$(verbose) echo "DIRECT_INITRC=$(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
$(verbose) echo "POLY=$(POLY)" >> $(HEADERDIR)/build.conf $(verbose) echo "POLY ?= $(POLY)" >> $(HEADERDIR)/build.conf
$(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile $(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile
######################################## ########################################

4
refpolicy/policy/modules/admin/logwatch.te
View File

@ -1,5 +1,5 @@
policy_module(logwatch,1.0.1) policy_module(logwatch,1.0.2)
################################# #################################
# #
@ -71,6 +71,8 @@ miscfiles_read_localization(logwatch_t)
selinux_dontaudit_getattr_dir(logwatch_t) selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_dns_name_resolve(logwatch_t)
userdom_dontaudit_search_sysadm_home_dirs(logwatch_t) userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t) userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)

8
refpolicy/policy/modules/admin/vpn.te
View File

@ -1,5 +1,5 @@
policy_module(vpnc,1.1.1) policy_module(vpnc,1.1.2)
######################################## ########################################
# #
@ -91,6 +91,8 @@ libs_exec_lib_files(vpnc_t)
libs_use_ld_so(vpnc_t) libs_use_ld_so(vpnc_t)
libs_use_shared_libs(vpnc_t) libs_use_shared_libs(vpnc_t)
locallogin_use_fd(vpnc_t)
logging_send_syslog_msg(vpnc_t) logging_send_syslog_msg(vpnc_t)
miscfiles_read_localization(vpnc_t) miscfiles_read_localization(vpnc_t)
@ -106,6 +108,10 @@ userdom_dontaudit_search_all_users_home_content(vpnc_t)
optional_policy(`dbus',` optional_policy(`dbus',`
dbus_system_bus_client_template(vpnc,vpnc_t) dbus_system_bus_client_template(vpnc,vpnc_t)
dbus_send_system_bus(vpnc_t)
optional_policy(`networkmanager',`
networkmanager_dbus_chat(vpnc_t)
')
') ')
optional_policy(`mount',` optional_policy(`mount',`

9
refpolicy/policy/modules/apps/java.if
View File

@ -57,7 +57,7 @@ template(`java_per_userdomain_template',`
# Local policy # Local policy
# #
allow $1_javaplugin_t self:process { signal_perms getsched setsched }; allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
allow $1_javaplugin_t self:fifo_file rw_file_perms; allow $1_javaplugin_t self:fifo_file rw_file_perms;
allow $1_javaplugin_t self:tcp_socket create_socket_perms; allow $1_javaplugin_t self:tcp_socket create_socket_perms;
allow $1_javaplugin_t self:udp_socket create_socket_perms; allow $1_javaplugin_t self:udp_socket create_socket_perms;
@ -149,13 +149,8 @@ template(`java_per_userdomain_template',`
userdom_manage_user_home_content_sockets($1,$1_javaplugin_t) userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file }) userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
# libdeploy.so legacy
tunable_policy(`allow_execmem',`
allow $1_javaplugin_t self:process execmem;
')
tunable_policy(`allow_java_execstack',` tunable_policy(`allow_java_execstack',`
allow $1_javaplugin_t self:process { execmem execstack }; allow $1_javaplugin_t self:process execstack;
allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;

2
refpolicy/policy/modules/apps/java.te
View File

@ -1,5 +1,5 @@
policy_module(java,1.0.1) policy_module(java,1.0.2)
######################################## ########################################
# #

1
refpolicy/policy/modules/kernel/corecommands.fc
View File

@ -138,6 +138,7 @@ ifdef(`distro_gentoo',`
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)

2
refpolicy/policy/modules/kernel/corecommands.te
View File

@ -1,5 +1,5 @@
policy_module(corecommands,1.2.0) policy_module(corecommands,1.2.1)
######################################## ########################################
# #

1
refpolicy/policy/modules/kernel/devices.fc
View File

@ -13,6 +13,7 @@
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/console -c gen_context(system_u:object_r:console_device_t,s0) /dev/console -c gen_context(system_u:object_r:console_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)

2
refpolicy/policy/modules/kernel/devices.te
View File

@ -1,5 +1,5 @@
policy_module(devices,1.0.4) policy_module(devices,1.0.5)
######################################## ########################################
# #

9
refpolicy/policy/modules/kernel/files.te
View File

@ -1,5 +1,5 @@
policy_module(files,1.1.1) policy_module(files,1.1.2)
######################################## ########################################
# #
@ -74,9 +74,10 @@ sid file gen_context(system_u:object_r:file_t,s0)
# home_root_t is the type for the directory where user home directories # home_root_t is the type for the directory where user home directories
# are created # are created
# #
type home_root_t, file_type, mountpoint; #, polyparent type home_root_t, file_type, mountpoint;
fs_associate(home_root_t) fs_associate(home_root_t)
fs_associate_noxattr(home_root_t) fs_associate_noxattr(home_root_t)
files_poly_parent(home_root_t)
# #
# lost_found_t is the type for the lost+found directories. # lost_found_t is the type for the lost+found directories.
@ -107,9 +108,10 @@ fs_associate_noxattr(readable_t)
# #
# root_t is the type for rootfs and the root directory. # root_t is the type for rootfs and the root directory.
# #
type root_t, file_type, mountpoint; #, polyparent type root_t, file_type, mountpoint;
fs_associate(root_t) fs_associate(root_t)
fs_associate_noxattr(root_t) fs_associate_noxattr(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t) kernel_rootfs_mountpoint(root_t)
genfscon rootfs / gen_context(system_u:object_r:root_t,s0) genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
@ -125,6 +127,7 @@ fs_associate_noxattr(src_t)
# #
type tmp_t, mountpoint; #, polydir type tmp_t, mountpoint; #, polydir
files_tmp_file(tmp_t) files_tmp_file(tmp_t)
files_poly_parent(tmp_t)
# #
# usr_t is the type for /usr. # usr_t is the type for /usr.

2
refpolicy/policy/modules/services/apache.fc
View File

@ -45,7 +45,7 @@ ifdef(`distro_suse', `
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)

21
refpolicy/policy/modules/services/apache.if
View File

@ -31,6 +31,7 @@ template(`apache_content_template',`
# This type is used for executable scripts files # This type is used for executable scripts files
type httpd_$1_script_exec_t; # customizable; type httpd_$1_script_exec_t; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t) domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
# The following three are the only areas that # The following three are the only areas that
@ -174,6 +175,7 @@ template(`apache_content_template',`
dev_read_urand(httpd_$1_script_t) dev_read_urand(httpd_$1_script_t)
fs_getattr_xattr_fs(httpd_$1_script_t) fs_getattr_xattr_fs(httpd_$1_script_t)
fs_read_eventpollfs(httpd_$1_script_t)
files_read_etc_runtime_files(httpd_$1_script_t) files_read_etc_runtime_files(httpd_$1_script_t)
files_read_usr_files(httpd_$1_script_t) files_read_usr_files(httpd_$1_script_t)
@ -781,6 +783,25 @@ interface(`apache_append_squirrelmail_data',`
allow $1 httpd_squirrelmail_t:file { getattr append }; allow $1 httpd_squirrelmail_t:file { getattr append };
') ')
########################################
## <summary>
## Read apache system content
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`apache_read_sys_content',`
gen_require(`
type httpd_sys_content_t;
')
allow $1 httpd_sys_content_t:dir r_dir_perms;
allow $1 httpd_sys_content_t:file { getattr read };
')
######################################## ########################################
## <summary> ## <summary>
## Search system script state directory. ## Search system script state directory.

2
refpolicy/policy/modules/services/apache.te
View File

@ -1,5 +1,5 @@
policy_module(apache,1.2.1) policy_module(apache,1.2.2)
# #
# NOTES: # NOTES:

9
refpolicy/policy/modules/services/automount.te
View File

@ -1,5 +1,5 @@
policy_module(automount,1.1.3) policy_module(automount,1.1.4)
######################################## ########################################
# #
@ -28,7 +28,7 @@ files_mountpoint(automount_tmp_t)
# Local policy # Local policy
# #
allow automount_t self:capability { net_bind_service sys_nice dac_override }; allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
dontaudit automount_t self:capability sys_tty_config; dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched }; allow automount_t self:process { signal_perms getpgid setpgid setsched };
allow automount_t self:fifo_file rw_file_perms; allow automount_t self:fifo_file rw_file_perms;
@ -83,6 +83,9 @@ corenet_udp_bind_all_nodes(automount_t)
corenet_tcp_connect_portmap_port(automount_t) corenet_tcp_connect_portmap_port(automount_t)
corenet_tcp_connect_all_ports(automount_t) corenet_tcp_connect_all_ports(automount_t)
corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t) corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
# Automount execs showmount when you browse /net. This is required until
# Someone writes a showmount policy
corenet_tcp_bind_reserved_port(automount_t)
dev_read_sysfs(automount_t) dev_read_sysfs(automount_t)
# for SSP # for SSP
@ -91,7 +94,7 @@ dev_read_urand(automount_t)
domain_use_interactive_fds(automount_t) domain_use_interactive_fds(automount_t)
files_dontaudit_write_var_dirs(automount_t) files_dontaudit_write_var_dirs(automount_t)
files_search_var_lib(automount_t) files_getattr_all_dirs(automount_t)
files_list_mnt(automount_t) files_list_mnt(automount_t)
files_getattr_home_dir(automount_t) files_getattr_home_dir(automount_t)
files_read_etc_files(automount_t) files_read_etc_files(automount_t)

5
refpolicy/policy/modules/services/cron.te
View File

@ -1,5 +1,5 @@
policy_module(cron,1.2.2) policy_module(cron,1.2.3)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;
@ -360,6 +360,9 @@ ifdef(`targeted_policy',`
optional_policy(`apache',` optional_policy(`apache',`
# Needed for certwatch # Needed for certwatch
apache_exec_modules(system_crond_t) apache_exec_modules(system_crond_t)
apache_read_config(system_crond_t)
apache_read_log(system_crond_t)
apache_read_sys_content(system_crond_t)
') ')
optional_policy(`cyrus',` optional_policy(`cyrus',`

4
refpolicy/policy/modules/services/hal.te
View File

@ -1,5 +1,5 @@
policy_module(hal,1.2.6) policy_module(hal,1.2.7)
######################################## ########################################
# #
@ -93,7 +93,7 @@ files_create_boot_flag(hald_t)
fs_getattr_all_fs(hald_t) fs_getattr_all_fs(hald_t)
fs_search_all(hald_t) fs_search_all(hald_t)
fs_search_auto_mountpoints(hald_t) fs_list_auto_mountpoints(hald_t)
mls_file_read_up(hald_t) mls_file_read_up(hald_t)

4
refpolicy/policy/modules/services/xserver.te
View File

@ -1,5 +1,5 @@
policy_module(xserver,1.0.3) policy_module(xserver,1.0.4)
######################################## ########################################
# #
@ -425,7 +425,7 @@ ifdef(`strict_policy',`
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
allow xdm_xserver_t self:process { execheap execmem }; allow xdm_xserver_t self:process { execheap execmem };
unconfined_domain(xdm_xserver_t) unconfined_domain_noaudit(xdm_xserver_t)
unconfined_domtrans(xdm_xserver_t) unconfined_domtrans(xdm_xserver_t)
') ')

4
refpolicy/policy/modules/system/fstools.te
View File

@ -1,5 +1,5 @@
policy_module(fstools,1.2.2) policy_module(fstools,1.2.3)
######################################## ########################################
# #
@ -45,7 +45,7 @@ allow fsadm_t fsadm_tmp_t:file create_file_perms;
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir }) files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
# Enable swapping to files # Enable swapping to files
allow fsadm_t swapfile_t:file { getattr swapon }; allow fsadm_t swapfile_t:file { read write getattr swapon };
kernel_read_system_state(fsadm_t) kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t) kernel_read_kernel_sysctls(fsadm_t)

4
refpolicy/policy/modules/system/mount.te
View File

@ -1,5 +1,5 @@
policy_module(mount,1.2.2) policy_module(mount,1.2.3)
######################################## ########################################
# #
@ -46,7 +46,7 @@ fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t) fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t) fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t) fs_relabelfrom_all_fs(mount_t)
fs_search_auto_mountpoints(mount_t) fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t) fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t) fs_read_tmpfs_symlinks(mount_t)

20
refpolicy/policy/modules/system/selinuxutil.te
View File

@ -1,5 +1,5 @@
policy_module(selinuxutil,1.1.6) policy_module(selinuxutil,1.1.7)
gen_require(` gen_require(`
bool secure_mode; bool secure_mode;
@ -178,8 +178,16 @@ allow load_policy_t selinux_config_t:dir r_dir_perms;
allow load_policy_t selinux_config_t:file r_file_perms; allow load_policy_t selinux_config_t:file r_file_perms;
allow load_policy_t selinux_config_t:lnk_file r_file_perms; allow load_policy_t selinux_config_t:lnk_file r_file_perms;
domain_use_interactive_fds(load_policy_t)
# for mcs.conf
files_read_etc_files(load_policy_t)
files_read_etc_runtime_files(load_policy_t)
fs_getattr_xattr_fs(load_policy_t) fs_getattr_xattr_fs(load_policy_t)
mls_file_read_up(load_policy_t)
selinux_get_fs_mount(load_policy_t) selinux_get_fs_mount(load_policy_t)
selinux_load_policy(load_policy_t) selinux_load_policy(load_policy_t)
selinux_set_boolean(load_policy_t) selinux_set_boolean(load_policy_t)
@ -190,12 +198,6 @@ term_list_ptys(load_policy_t)
init_use_script_fds(load_policy_t) init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t) init_use_script_ptys(load_policy_t)
domain_use_interactive_fds(load_policy_t)
# for mcs.conf
files_read_etc_files(load_policy_t)
files_read_etc_runtime_files(load_policy_t)
libs_use_ld_so(load_policy_t) libs_use_ld_so(load_policy_t)
libs_use_shared_libs(load_policy_t) libs_use_shared_libs(load_policy_t)
@ -319,10 +321,6 @@ optional_policy(`nscd',`
nscd_socket_use(newrole_t) nscd_socket_use(newrole_t)
') ')
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
') dnl ifdef TODO
######################################## ########################################
# #
# Restorecon local policy # Restorecon local policy