From 0fd9dc55cf1eb02af53c7861e95c8d0652f0319b Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 10 Jun 2005 01:01:13 +0000 Subject: [PATCH] renaming insanity --- refpolicy/policy/modules/admin/consoletype.te | 28 ++--- refpolicy/policy/modules/admin/dmesg.te | 4 +- refpolicy/policy/modules/admin/netutils.te | 74 ++++++------ refpolicy/policy/modules/admin/rpm.te | 74 ++++++------ refpolicy/policy/modules/admin/usermanage.if | 3 +- refpolicy/policy/modules/admin/usermanage.te | 86 ++++++------- refpolicy/policy/modules/apps/gpg.if | 42 +++---- refpolicy/policy/modules/kernel/bootloader.if | 10 +- refpolicy/policy/modules/kernel/bootloader.te | 6 +- refpolicy/policy/modules/kernel/devices.if | 32 +++-- refpolicy/policy/modules/kernel/devices.te | 48 ++++---- refpolicy/policy/modules/kernel/filesystem.if | 32 ++++- refpolicy/policy/modules/kernel/kernel.if | 26 ++-- refpolicy/policy/modules/kernel/kernel.te | 24 ++-- refpolicy/policy/modules/kernel/terminal.if | 38 +++--- refpolicy/policy/modules/services/cron.if | 42 +++---- refpolicy/policy/modules/services/cron.te | 56 ++++----- refpolicy/policy/modules/services/mta.if | 22 ++-- refpolicy/policy/modules/services/mta.te | 24 ++-- .../policy/modules/services/remotelogin.te | 12 +- refpolicy/policy/modules/services/sendmail.te | 28 ++--- refpolicy/policy/modules/system/authlogin.if | 32 ++--- refpolicy/policy/modules/system/authlogin.te | 48 ++++---- refpolicy/policy/modules/system/clock.te | 12 +- .../policy/modules/system/corecommands.if | 5 +- refpolicy/policy/modules/system/domain.if | 2 +- refpolicy/policy/modules/system/files.if | 16 +-- refpolicy/policy/modules/system/files.te | 42 +++---- refpolicy/policy/modules/system/getty.te | 12 +- refpolicy/policy/modules/system/hostname.te | 24 ++-- refpolicy/policy/modules/system/hotplug.te | 26 ++-- refpolicy/policy/modules/system/init.if | 8 +- refpolicy/policy/modules/system/init.te | 60 ++++----- refpolicy/policy/modules/system/iptables.te | 20 +-- refpolicy/policy/modules/system/libraries.if | 7 +- refpolicy/policy/modules/system/libraries.te | 2 +- refpolicy/policy/modules/system/locallogin.te | 36 +++--- refpolicy/policy/modules/system/logging.if | 2 +- refpolicy/policy/modules/system/logging.te | 32 ++--- refpolicy/policy/modules/system/lvm.te | 23 ++-- refpolicy/policy/modules/system/modutils.te | 18 +-- refpolicy/policy/modules/system/mount.te | 42 +++---- refpolicy/policy/modules/system/selinux.te | 82 ++++++------- .../policy/modules/system/selinuxutil.te | 82 ++++++------- refpolicy/policy/modules/system/sysnetwork.if | 2 +- refpolicy/policy/modules/system/sysnetwork.te | 50 ++++---- refpolicy/policy/modules/system/udev.te | 22 ++-- refpolicy/policy/modules/system/userdomain.if | 114 +++++++++--------- refpolicy/policy/modules/system/userdomain.te | 2 +- 49 files changed, 786 insertions(+), 748 deletions(-) diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index 9ade7b41..a6db3cb5 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -26,18 +26,18 @@ allow consoletype_t self:unix_dgram_socket create_socket_perms; allow consoletype_t self:unix_stream_socket create_stream_socket_perms; allow consoletype_t self:unix_dgram_socket sendto; allow consoletype_t self:unix_stream_socket connectto; -allow consoletype_t self:shm rw_shm_perms; -allow consoletype_t self:sem rw_sem_perms; -allow consoletype_t self:msgq rw_msgq_perms; +allow consoletype_t self:shm create_shm_perms; +allow consoletype_t self:sem create_sem_perms; +allow consoletype_t self:msgq create_msgq_perms; allow consoletype_t self:msg { send receive }; -kernel_use_file_descriptors(consoletype_t) -kernel_ignore_read_system_state(consoletype_t) +kernel_use_fd(consoletype_t) +kernel_dontaudit_read_system_state(consoletype_t) -fs_get_all_fs_attributes(consoletype_t) +fs_getattr_all_fs(consoletype_t) -terminal_use_console(consoletype_t) -terminal_use_general_physical_terminal(consoletype_t) +term_use_console(consoletype_t) +term_use_unallocated_tty(consoletype_t) init_use_file_descriptors(consoletype_t) init_script_use_pseudoterminal(consoletype_t) @@ -77,12 +77,12 @@ optional_policy(`ypbind.te', ` if (allow_ypbind) { can_network(consoletype_t) r_dir_file(consoletype_t,var_yp_t) -corenetwork_bind_tcp_on_general_port(consoletype_t) -corenetwork_bind_udp_on_general_port(consoletype_t) -corenetwork_bind_tcp_on_reserved_port(consoletype_t) -corenetwork_bind_udp_on_reserved_port(consoletype_t) -corenetwork_ignore_bind_tcp_on_all_reserved_ports(consoletype_t) -corenetwork_ignore_bind_udp_on_all_reserved_ports(consoletype_t) +corenet_tcp_bind_generic_port(consoletype_t) +corenet_udp_bind_generic_port(consoletype_t) +corenet_tcp_bind_reserved_port(consoletype_t) +corenet_udp_bind_reserved_port(consoletype_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(consoletype_t) +corenet_dontaudit_udp_bind_all_reserved_ports(consoletype_t) dontaudit consoletype_t self:capability net_bind_service; } else { dontaudit consoletype_t var_yp_t:dir search; diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te index e13fb5f4..c559527b 100644 --- a/refpolicy/policy/modules/admin/dmesg.te +++ b/refpolicy/policy/modules/admin/dmesg.te @@ -27,7 +27,7 @@ kernel_read_ring_buffer(dmesg_t) kernel_clear_ring_buffer(dmesg_t) kernel_change_ring_buffer_level(dmesg_t) -terminal_ignore_use_console(dmesg_t) +term_dontaudit_use_console(dmesg_t) domain_use_widely_inheritable_file_descriptors(dmesg_t) @@ -50,7 +50,7 @@ userdomain_use_admin_terminals(dmesg_t) userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t) ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(dmesg_t) + term_dontaudit_use_unallocated_tty(dmesg_t) terminal_ignore_use_general_pseudoterminal(dmesg_t) files_ignore_read_rootfs_file(dmesg_t) ') diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 9af06176..cbd43f25 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -46,18 +46,18 @@ allow netutils_t netutils_tmp_t:dir create_dir_perms; allow netutils_t netutils_tmp_t:file create_file_perms; files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir }) -corenetwork_sendrecv_tcp_on_all_interfaces(netutils_t) -corenetwork_sendrecv_raw_on_all_interfaces(netutils_t) -corenetwork_sendrecv_udp_on_all_interfaces(netutils_t) -corenetwork_sendrecv_tcp_on_all_nodes(netutils_t) -corenetwork_sendrecv_raw_on_all_nodes(netutils_t) -corenetwork_sendrecv_udp_on_all_nodes(netutils_t) -corenetwork_sendrecv_tcp_on_all_ports(netutils_t) -corenetwork_sendrecv_udp_on_all_ports(netutils_t) -corenetwork_bind_tcp_on_all_nodes(netutils_t) -corenetwork_bind_udp_on_all_nodes(netutils_t) +corenet_tcp_sendrecv_all_if(netutils_t) +corenet_raw_sendrecv_all_if(netutils_t) +corenet_udp_sendrecv_all_if(netutils_t) +corenet_tcp_sendrecv_all_nodes(netutils_t) +corenet_raw_sendrecv_all_nodes(netutils_t) +corenet_udp_sendrecv_all_nodes(netutils_t) +corenet_tcp_sendrecv_all_ports(netutils_t) +corenet_udp_sendrecv_all_ports(netutils_t) +corenet_tcp_bind_all_nodes(netutils_t) +corenet_udp_bind_all_nodes(netutils_t) -fs_get_persistent_fs_attributes(netutils_t) +fs_getattr_xattr_fs(netutils_t) init_use_file_descriptors(netutils_t) init_script_use_pseudoterminal(netutils_t) @@ -104,18 +104,18 @@ allow ping_t self:tcp_socket create_socket_perms; allow ping_t self:udp_socket create_socket_perms; allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; -corenetwork_sendrecv_tcp_on_all_interfaces(ping_t) -corenetwork_sendrecv_udp_on_all_interfaces(ping_t) -corenetwork_sendrecv_raw_on_all_interfaces(ping_t) -corenetwork_sendrecv_raw_on_all_nodes(ping_t) -corenetwork_sendrecv_tcp_on_all_nodes(ping_t) -corenetwork_sendrecv_udp_on_all_nodes(ping_t) -corenetwork_sendrecv_tcp_on_all_ports(ping_t) -corenetwork_sendrecv_udp_on_all_ports(ping_t) -corenetwork_bind_udp_on_all_nodes(ping_t) -corenetwork_bind_tcp_on_all_nodes(ping_t) +corenet_tcp_sendrecv_all_if(ping_t) +corenet_udp_sendrecv_all_if(ping_t) +corenet_raw_sendrecv_all_if(ping_t) +corenet_raw_sendrecv_all_nodes(ping_t) +corenet_tcp_sendrecv_all_nodes(ping_t) +corenet_udp_sendrecv_all_nodes(ping_t) +corenet_tcp_sendrecv_all_ports(ping_t) +corenet_udp_sendrecv_all_ports(ping_t) +corenet_udp_bind_all_nodes(ping_t) +corenet_tcp_bind_all_nodes(ping_t) -fs_ignore_get_persistent_fs_attributes(ping_t) +fs_dontaudit_getattr_xattr_fs(ping_t) domain_use_widely_inheritable_file_descriptors(ping_t) @@ -130,8 +130,8 @@ sysnetwork_read_network_config(ping_t) logging_send_system_log_message(ping_t) if (user_ping) { - terminal_use_all_private_physical_terminals(ping_t) - terminal_use_all_private_pseudoterminals(ping_t) + term_use_all_user_ttys(ping_t) + term_use_all_user_ptys(ping_t) } ifdef(`TODO',` @@ -162,18 +162,18 @@ allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read re kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) -corenetwork_sendrecv_tcp_on_all_interfaces(traceroute_t) -corenetwork_sendrecv_udp_on_all_interfaces(traceroute_t) -corenetwork_sendrecv_raw_on_all_interfaces(traceroute_t) -corenetwork_sendrecv_raw_on_all_nodes(traceroute_t) -corenetwork_sendrecv_tcp_on_all_nodes(traceroute_t) -corenetwork_sendrecv_udp_on_all_nodes(traceroute_t) -corenetwork_sendrecv_tcp_on_all_ports(traceroute_t) -corenetwork_sendrecv_udp_on_all_ports(traceroute_t) -corenetwork_bind_udp_on_all_nodes(traceroute_t) -corenetwork_bind_tcp_on_all_nodes(traceroute_t) +corenet_tcp_sendrecv_all_if(traceroute_t) +corenet_udp_sendrecv_all_if(traceroute_t) +corenet_raw_sendrecv_all_if(traceroute_t) +corenet_raw_sendrecv_all_nodes(traceroute_t) +corenet_tcp_sendrecv_all_nodes(traceroute_t) +corenet_udp_sendrecv_all_nodes(traceroute_t) +corenet_tcp_sendrecv_all_ports(traceroute_t) +corenet_udp_sendrecv_all_ports(traceroute_t) +corenet_udp_bind_all_nodes(traceroute_t) +corenet_tcp_bind_all_nodes(traceroute_t) -fs_ignore_get_persistent_fs_attributes(traceroute_t) +fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_widely_inheritable_file_descriptors(traceroute_t) @@ -193,8 +193,8 @@ devices_get_pseudorandom_data(traceroute_t) files_read_general_application_resources(traceroute_t) if (user_ping) { - terminal_use_all_private_physical_terminals(traceroute_t) - terminal_use_all_private_pseudoterminals(traceroute_t) + term_use_all_user_ttys(traceroute_t) + term_use_all_user_ptys(traceroute_t) } ifdef(`TODO',` diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 68381648..cab1d85a 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -66,7 +66,7 @@ allow rpm_t self:unix_dgram_socket sendto; allow rpm_t self:unix_stream_socket connectto; allow rpm_t self:udp_socket { connect }; allow rpm_t self:udp_socket create_socket_perms; -allow rpm_t self:tcp_socket rw_stream_socket_perms; +allow rpm_t self:tcp_socket create_stream_socket_perms; allow rpm_t self:shm create_shm_perms; allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; @@ -86,7 +86,7 @@ allow rpm_t rpm_tmpfs_t:file create_file_perms; allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms; allow rpm_t rpm_tmpfs_t:sock_file create_file_perms; allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms; -fs_create_private_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_create_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) # Access /var/lib/rpm files allow rpm_t rpm_var_lib_t:file create_file_perms; @@ -96,35 +96,35 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms; kernel_read_system_state(rpm_t) kernel_read_kernel_sysctl(rpm_t) kernel_get_selinuxfs_mount_point(rpm_t) -kernel_validate_selinux_context(rpm_t) -kernel_compute_selinux_access_vector(rpm_t) -kernel_compute_selinux_create_context(rpm_t) -kernel_compute_selinux_relabel_context(rpm_t) -kernel_compute_selinux_reachable_user_contexts(rpm_t) +kernel_validate_context(rpm_t) +kernel_compute_access_vector(rpm_t) +kernel_compute_create_context(rpm_t) +kernel_compute_relabel_context(rpm_t) +kernel_compute_reachable_user_contexts(rpm_t) -corenetwork_sendrecv_tcp_on_all_interfaces(rpm_t) -corenetwork_sendrecv_raw_on_all_interfaces(rpm_t) -corenetwork_sendrecv_udp_on_all_interfaces(rpm_t) -corenetwork_sendrecv_tcp_on_all_nodes(rpm_t) -corenetwork_sendrecv_raw_on_all_nodes(rpm_t) -corenetwork_sendrecv_udp_on_all_nodes(rpm_t) -corenetwork_sendrecv_tcp_on_all_ports(rpm_t) -corenetwork_sendrecv_udp_on_all_ports(rpm_t) -corenetwork_bind_tcp_on_all_nodes(rpm_t) -corenetwork_bind_udp_on_all_nodes(rpm_t) +corenet_tcp_sendrecv_all_if(rpm_t) +corenet_raw_sendrecv_all_if(rpm_t) +corenet_udp_sendrecv_all_if(rpm_t) +corenet_tcp_sendrecv_all_nodes(rpm_t) +corenet_raw_sendrecv_all_nodes(rpm_t) +corenet_udp_sendrecv_all_nodes(rpm_t) +corenet_tcp_sendrecv_all_ports(rpm_t) +corenet_udp_sendrecv_all_ports(rpm_t) +corenet_tcp_bind_all_nodes(rpm_t) +corenet_udp_bind_all_nodes(rpm_t) devices_get_pseudorandom_data(rpm_t) #devices_manage_all_device_types(rpm_t) #fs_manage_nfs_dir(rpm_t) #fs_manage_nfs_files(rpm_t) -fs_get_all_fs_attributes(rpm_t) +fs_getattr_all_fs(rpm_t) storage_raw_write_fixed_disk(rpm_t) # for installing kernel packages storage_raw_read_fixed_disk(rpm_t) -terminal_list_pseudoterminals(rpm_t) +term_list_ptys(rpm_t) authlogin_ignore_read_shadow_passwords(rpm_t) @@ -242,15 +242,15 @@ allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms; allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_file_perms; allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms; allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms; -fs_create_private_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) kernel_read_kernel_sysctl(rpm_script_t) kernel_get_selinuxfs_mount_point(rpm_script_t) -kernel_validate_selinux_context(rpm_script_t) -kernel_compute_selinux_access_vector(rpm_script_t) -kernel_compute_selinux_create_context(rpm_script_t) -kernel_compute_selinux_relabel_context(rpm_script_t) -kernel_compute_selinux_reachable_user_contexts(rpm_script_t) +kernel_validate_context(rpm_script_t) +kernel_compute_access_vector(rpm_script_t) +kernel_compute_create_context(rpm_script_t) +kernel_compute_relabel_context(rpm_script_t) +kernel_compute_reachable_user_contexts(rpm_script_t) kernel_read_system_state(rpm_script_t) # ideally we would not need this @@ -260,17 +260,17 @@ devices_manage_all_block_devices(rpm_script_t) devices_manage_all_character_devices(rpm_script_t) fs_manage_nfs_files(rpm_script_t) -fs_get_nfs_fs_attributes(rpm_script_t) +fs_getattr_nfs(rpm_script_t) # why is this not using mount? -fs_get_persistent_fs_attributes(rpm_script_t) -fs_mount_persistent_fs(rpm_script_t) -fs_unmount_persistent_fs(rpm_script_t) +fs_getattr_xattr_fs(rpm_script_t) +fs_mount_xattr_fs(rpm_script_t) +fs_unmount_xattr_fs(rpm_script_t) storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) -terminal_get_general_physical_terminal_attributes(rpm_script_t) -terminal_list_pseudoterminals(rpm_script_t) +term_getattr_unallocated_ttys(rpm_script_t) +term_list_ptys(rpm_script_t) authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t) # ideally we would not need this @@ -309,7 +309,7 @@ selinux_restorecon_transition(rpm_script_t) userdomain_use_all_users_file_descriptors(rpm_script_t) optional_policy(`bootloader.te', ` -bootloader_transition(rpm_script_t) +bootloader_domtrans(rpm_script_t) ') ifdef(`TODO',` @@ -348,11 +348,11 @@ allow sshd_t rpm_script_t:fd use; # really do anything useful. kernel_get_selinuxfs_mount_point(rpmbuild_t) -kernel_validate_selinux_context(rpmbuild_t) -kernel_compute_selinux_access_vector(rpmbuild_t) -kernel_compute_selinux_create_context(rpmbuild_t) -kernel_compute_selinux_relabel_context(rpmbuild_t) -kernel_compute_selinux_reachable_user_contexts(rpmbuild_t) +kernel_validate_context(rpmbuild_t) +kernel_compute_access_vector(rpmbuild_t) +kernel_compute_create_context(rpmbuild_t) +kernel_compute_relabel_context(rpmbuild_t) +kernel_compute_reachable_user_contexts(rpmbuild_t) selinux_read_source_policy(rpmbuild_t) diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if index 709277de..e5562523 100644 --- a/refpolicy/policy/modules/admin/usermanage.if +++ b/refpolicy/policy/modules/admin/usermanage.if @@ -78,7 +78,8 @@ define(`usermanage_chfn_transition_add_role_use_terminal_depend',` define(`usermanage_groupadd_transition',` requires_block_template(`$0'_depend) - domain_auto_trans($1,groupadd_t,groupadd_t) + domain_auto_trans($1,groupadd_exec_t,groupadd_t) + allow $1 groupadd_t:fd use; allow groupadd_t $1:fd use; allow groupadd_t $1:fifo_file rw_file_perms; diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 2cb945c7..b5b77d72 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -67,8 +67,8 @@ allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exe allow chfn_t self:process { setrlimit setfscreate }; allow chfn_t self:fd use; allow chfn_t self:fifo_file rw_file_perms; -allow chfn_t self:unix_dgram_socket create_rw_socket_perms; -allow chfn_t self:unix_stream_socket rwcreate_stream_socket_perms; +allow chfn_t self:unix_dgram_socket create_socket_perms; +allow chfn_t self:unix_stream_socket create_stream_socket_perms; allow chfn_t self:unix_dgram_socket sendto; allow chfn_t self:unix_stream_socket connectto; allow chfn_t self:shm create_shm_perms; @@ -78,16 +78,16 @@ allow chfn_t self:msg { send receive }; kernel_read_system_state(chfn_t) kernel_get_selinuxfs_mount_point(chfn_t) -kernel_validate_selinux_context(chfn_t) -kernel_compute_selinux_access_vector(chfn_t) -kernel_compute_selinux_create_context(chfn_t) -kernel_compute_selinux_relabel_context(chfn_t) -kernel_compute_selinux_reachable_user_contexts(chfn_t) +kernel_validate_context(chfn_t) +kernel_compute_access_vector(chfn_t) +kernel_compute_create_context(chfn_t) +kernel_compute_relabel_context(chfn_t) +kernel_compute_reachable_user_contexts(chfn_t) -terminal_use_all_private_physical_terminals(chfn_t) -terminal_use_all_private_pseudoterminals(chfn_t) +term_use_all_user_ttys(chfn_t) +term_use_all_user_ptys(chfn_t) -fs_get_persistent_fs_attributes(chfn_t) +fs_getattr_xattr_fs(chfn_t) # for SSP devices_get_pseudorandom_data(chfn_t) @@ -163,7 +163,7 @@ kernel_read_system_state(crack_t) # for SSP devices_get_pseudorandom_data(crack_t) -fs_get_persistent_fs_attributes(crack_t) +fs_getattr_xattr_fs(crack_t) files_read_general_system_config(crack_t) files_read_runtime_system_config(crack_t) @@ -211,16 +211,16 @@ allow groupadd_t self:msg { send receive }; # Allow access to context for shadow file kernel_get_selinuxfs_mount_point(groupadd_t) -kernel_validate_selinux_context(groupadd_t) -kernel_compute_selinux_access_vector(groupadd_t) -kernel_compute_selinux_create_context(groupadd_t) -kernel_compute_selinux_relabel_context(groupadd_t) -kernel_compute_selinux_reachable_user_contexts(groupadd_t) +kernel_validate_context(groupadd_t) +kernel_compute_access_vector(groupadd_t) +kernel_compute_create_context(groupadd_t) +kernel_compute_relabel_context(groupadd_t) +kernel_compute_reachable_user_contexts(groupadd_t) -fs_get_persistent_fs_attributes(groupadd_t) +fs_getattr_xattr_fs(groupadd_t) -terminal_use_all_private_physical_terminals(groupadd_t) -terminal_use_all_private_pseudoterminals(groupadd_t) +term_use_all_user_ttys(groupadd_t) +term_use_all_user_ptys(groupadd_t) init_use_file_descriptors(groupadd_t) init_script_read_runtime_data(groupadd_t) @@ -282,20 +282,20 @@ allow passwd_t self:unix_dgram_socket sendto; allow passwd_t self:unix_stream_socket connectto; allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; -allow passwd_t self:msgq create_msgq_perm; +allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; kernel_get_selinuxfs_mount_point(passwd_t) -kernel_validate_selinux_context(passwd_t) -kernel_compute_selinux_access_vector(passwd_t) -kernel_compute_selinux_create_context(passwd_t) -kernel_compute_selinux_relabel_context(passwd_t) -kernel_compute_selinux_reachable_user_contexts(passwd_t) +kernel_validate_context(passwd_t) +kernel_compute_access_vector(passwd_t) +kernel_compute_create_context(passwd_t) +kernel_compute_relabel_context(passwd_t) +kernel_compute_reachable_user_contexts(passwd_t) # for SSP devices_get_pseudorandom_data(passwd_t) -fs_get_persistent_fs_attributes(passwd_t) +fs_getattr_xattr_fs(passwd_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. @@ -378,26 +378,26 @@ allow sysadm_passwd_t self:msg { send receive }; # allow vipw to create temporary files under /var/tmp/vi.recover allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms; -allow sysadm_passwd_t sysadm_passwd_tmp_t:file creat_file_perms; +allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms; files_create_private_tmp_data(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir }) files_search_system_state_data_directory(sysadm_passwd_t) kernel_get_selinuxfs_mount_point(sysadm_passwd_t) -kernel_validate_selinux_context(sysadm_passwd_t) -kernel_compute_selinux_access_vector(sysadm_passwd_t) -kernel_compute_selinux_create_context(sysadm_passwd_t) -kernel_compute_selinux_relabel_context(sysadm_passwd_t) -kernel_compute_selinux_reachable_user_contexts(sysadm_passwd_t) +kernel_validate_context(sysadm_passwd_t) +kernel_compute_access_vector(sysadm_passwd_t) +kernel_compute_create_context(sysadm_passwd_t) +kernel_compute_relabel_context(sysadm_passwd_t) +kernel_compute_reachable_user_contexts(sysadm_passwd_t) # for /proc/meminfo kernel_read_system_state(sysadm_passwd_t) # for SSP devices_get_pseudorandom_data(sysadm_passwd_t) -fs_get_persistent_fs_attributes(sysadm_passwd_t) +fs_getattr_xattr_fs(sysadm_passwd_t) -terminal_use_all_private_physical_terminals(sysadm_passwd_t) -terminal_use_all_private_pseudoterminals(sysadm_passwd_t) +term_use_all_user_ttys(sysadm_passwd_t) +term_use_all_user_ptys(sysadm_passwd_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. @@ -475,18 +475,18 @@ allow useradd_t self:msg { send receive }; # Allow access to context for shadow file kernel_get_selinuxfs_mount_point(useradd_t) -kernel_validate_selinux_context(useradd_t) -kernel_compute_selinux_access_vector(useradd_t) -kernel_compute_selinux_create_context(useradd_t) -kernel_compute_selinux_relabel_context(useradd_t) -kernel_compute_selinux_reachable_user_contexts(useradd_t) +kernel_validate_context(useradd_t) +kernel_compute_access_vector(useradd_t) +kernel_compute_create_context(useradd_t) +kernel_compute_relabel_context(useradd_t) +kernel_compute_reachable_user_contexts(useradd_t) # for getting the number of groups kernel_read_kernel_sysctl(useradd_t) -fs_get_persistent_fs_attributes(useradd_t) +fs_getattr_xattr_fs(useradd_t) -terminal_use_all_private_physical_terminals(useradd_t) -terminal_use_all_private_pseudoterminals(useradd_t) +term_use_all_user_ttys(useradd_t) +term_use_all_user_ptys(useradd_t) init_use_file_descriptors(useradd_t) init_script_modify_runtime_data(useradd_t) diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index 048d14cd..9999d8c8 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -65,21 +65,21 @@ define(`gpg_per_userdomain_template',` allow $1_gpg_t $1_gpg_secret_t:file create_file_perms; allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms; - corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t) - corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t) - corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t) - corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t) - corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t) - corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t) - corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t) - corenetwork_sendrecv_udp_on_all_ports($1_gpg_t) - corenetwork_bind_tcp_on_all_nodes($1_gpg_t) - corenetwork_bind_udp_on_all_nodes($1_gpg_t) + corenet_tcp_sendrecv_all_if($1_gpg_t) + corenet_raw_sendrecv_all_if($1_gpg_t) + corenet_udp_sendrecv_all_if($1_gpg_t) + corenet_tcp_sendrecv_all_nodes($1_gpg_t) + corenet_raw_sendrecv_all_nodes($1_gpg_t) + corenet_udp_sendrecv_all_nodes($1_gpg_t) + corenet_tcp_sendrecv_all_ports($1_gpg_t) + corenet_udp_sendrecv_all_ports($1_gpg_t) + corenet_tcp_bind_all_nodes($1_gpg_t) + corenet_udp_bind_all_nodes($1_gpg_t) devices_get_random_data($1_gpg_t) devices_get_pseudorandom_data($1_gpg_t) - fs_get_persistent_fs_attributes($1_gpg_t) + fs_getattr_xattr_fs($1_gpg_t) files_read_general_system_config($1_gpg_t) files_read_general_application_resources($1_gpg_t) @@ -175,16 +175,16 @@ define(`gpg_per_userdomain_template',` dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; - corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t) - corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t) - corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t) - corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t) - corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t) - corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t) - corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t) - corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t) - corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t) - corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t) + corenet_tcp_sendrecv_all_if($1_gpg_helper_t) + corenet_raw_sendrecv_all_if($1_gpg_helper_t) + corenet_udp_sendrecv_all_if($1_gpg_helper_t) + corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t) + corenet_udp_sendrecv_all_nodes($1_gpg_helper_t) + corenet_raw_sendrecv_all_nodes($1_gpg_helper_t) + corenet_tcp_sendrecv_all_ports($1_gpg_helper_t) + corenet_udp_sendrecv_all_ports($1_gpg_helper_t) + corenet_tcp_bind_all_nodes($1_gpg_helper_t) + corenet_udp_bind_all_nodes($1_gpg_helper_t) devices_get_pseudorandom_data($1_gpg_helper_t) diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index 72ba9471..4e8befcb 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -51,7 +51,7 @@ define(`bootloader_domtrans_depend',` define(`bootloader_run',` requires_block_template(`$0'_depend) - bootloader_transition($1) + bootloader_domtrans($1) role $2 types bootloader_t; allow bootloader_t $3:chr_file rw_file_perms; @@ -85,7 +85,7 @@ define(`bootloader_search_boot_dir_depend',` ') ######################################## -## +## ## ## Do not audit attempts to search the /boot directory. ## @@ -94,13 +94,13 @@ define(`bootloader_search_boot_dir_depend',` ## ## # -define(`bootloader_dontaudit_search_boot_dir',` +define(`bootloader_dontaudit_search_boot',` requires_block_template(`$0'_depend) dontaudit $1 boot_t:dir search; ') -define(`bootloader_dontaudit_search_boot_dir_depend',` +define(`bootloader_dontaudit_search_boot_depend',` type boot_t; class dir search; @@ -195,7 +195,7 @@ define(`bootloader_read_kernel_symbol_table',` requires_block_template(`$0'_depend) allow $1 boot_t:dir r_dir_perms; - allow $1 system_map_t:file f_file_perms; + allow $1 system_map_t:file r_file_perms; ') define(`bootloader_read_kernel_symbol_table_depend',` diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index 2d38d24f..71346137 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -88,7 +88,7 @@ allow bootloader_t modules_object_t:dir r_dir_perms; allow bootloader_t modules_object_t:file r_file_perms; allow bootloader_t modules_object_t:lnk_file r_file_perms; -kernel_get_core_interface_attributes(bootloader_t) +kernel_getattr_core(bootloader_t) kernel_read_system_state(bootloader_t) kernel_read_software_raid_state(bootloader_t) kernel_read_kernel_sysctl(bootloader_t) @@ -106,9 +106,9 @@ devices_get_pseudorandom_data(bootloader_t) # for reading BIOS data devices_raw_read_memory(bootloader_t) -fs_get_persistent_fs_attributes(bootloader_t) +fs_getattr_xattr_fs(bootloader_t) -terminal_get_all_private_physical_terminal_attributes(bootloader_t) +term_getattr_all_user_ttys(bootloader_t) init_get_control_channel_attributes(bootloader_t) init_script_use_pseudoterminal(bootloader_t) diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 5914c54d..542954ca 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -15,7 +15,7 @@ define(`devices_make_device_node',` fs_associate($1) optional_policy(`distro_redhat',` - fs_tmpfs_associate($1) + fs_associate_tmpfs($1) ') ') @@ -103,6 +103,22 @@ define(`devices_add_dev_dir_depend',` class dir { ra_dir_perms create }; ') +######################################## +# +# devices_relabel_dev_dirs(domain) +# +define(`devices_relabel_dev_dirs',` + requires_block_template(`$0'_depend) + + allow $1 device_t:dir { r_dir_perms relabelfrom relabelto }; +') + +define(`devices_relabel_dev_dirs_depend',` + type device_t; + + class dir { r_dir_perms relabelfrom relabelto }; +') + ######################################## # # devices_ignore_get_generic_pipe_attributes(domain) @@ -276,11 +292,11 @@ define(`devices_manage_dev_symbolic_links_depend',` define(`devices_manage_device_nodes',` requires_block_template(`$0'_depend) - allow $1 device_t:dir create_dir_perms; + allow $1 device_t:dir { create_dir_perms relabelfrom relabelto }; allow $1 device_t:sock_file create_file_perms; allow $1 device_t:lnk_file create_lnk_perms; - allow $1 device_t:{ chr_file blk_file } create_file_perms; - allow $1 device_node:{ chr_file blk_file } create_file_perms; + allow $1 device_t:{ chr_file blk_file } { create_file_perms relabelfrom relabelto }; + allow $1 device_node:{ chr_file blk_file } { create_file_perms relabelfrom relabelto }; # these next rules are to satisfy assertions broken by the above lines. # the permissions hopefully can be cut back a lot @@ -298,11 +314,11 @@ define(`devices_manage_device_nodes_depend',` type device_t; - class dir create_dir_perms; + class dir { create_dir_perms relabelfrom relabelto }; class sock_file create_file_perms; class lnk_file create_lnk_perms; - class chr_file create_file_perms; - class blk_file create_file_perms; + class chr_file { create_file_perms relabelfrom relabelto }; + class blk_file { create_file_perms relabelfrom relabelto }; ') ######################################## @@ -369,7 +385,7 @@ define(`devices_create_dev_entry',` type_transition $1 device_t:$3 $2; optional_policy(`distro_redhat',` - fs_tmpfs_associate($2) + fs_associate_tmpfs($2) ') ') diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index a541a812..ec67e7a1 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -11,7 +11,7 @@ attribute memory_raw_write; type device_t; files_make_file(device_t) files_make_mountpoint(device_t) -fs_tmpfs_associate(device_t) +fs_associate_tmpfs(device_t) # Only directories and symlinks should be labeled device_t. # If there are other files with this type, it is wrong. @@ -26,18 +26,18 @@ fs_tmpfs_associate(device_t) # type agp_device_t, device_node; fs_associate(agp_device_t) -fs_tmpfs_associate(agp_device_t) +fs_associate_tmpfs(agp_device_t) # # Type for /dev/apm_bios # type apm_bios_t, device_node; fs_associate(apm_bios_t) -fs_tmpfs_associate(apm_bios_t) +fs_associate_tmpfs(apm_bios_t) type cardmgr_dev_t, device_node; fs_associate(cardmgr_dev_t) -fs_tmpfs_associate(cardmgr_dev_t) +fs_associate_tmpfs(cardmgr_dev_t) # # clock_device_t is the type of @@ -45,36 +45,36 @@ fs_tmpfs_associate(cardmgr_dev_t) # type clock_device_t, device_node; fs_associate(clock_device_t) -fs_tmpfs_associate(clock_device_t) +fs_associate_tmpfs(clock_device_t) # # cpu control devices /dev/cpu/0/* # type cpu_device_t, device_node; fs_associate(cpu_device_t) -fs_tmpfs_associate(cpu_device_t) +fs_associate_tmpfs(cpu_device_t) type dri_device_t, device_node; fs_associate(dri_device_t) -fs_tmpfs_associate(dri_device_t) +fs_associate_tmpfs(dri_device_t) type event_device_t, device_node; fs_associate(event_device_t) -fs_tmpfs_associate(event_device_t) +fs_associate_tmpfs(event_device_t) # # Type for framebuffer /dev/fb/* # type framebuf_device_t, device_node; fs_associate(framebuf_device_t) -fs_tmpfs_associate(framebuf_device_t) +fs_associate_tmpfs(framebuf_device_t) # # Type for /dev/mapper/control # type lvm_control_t, device_node; fs_associate(lvm_control_t) -fs_tmpfs_associate(lvm_control_t) +fs_associate_tmpfs(lvm_control_t) # # memory_device_t is the type of /dev/kmem, @@ -82,28 +82,28 @@ fs_tmpfs_associate(lvm_control_t) # type memory_device_t, device_node; fs_associate(memory_device_t) -fs_tmpfs_associate(memory_device_t) +fs_associate_tmpfs(memory_device_t) neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read; neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write }; type misc_device_t, device_node; fs_associate(misc_device_t) -fs_tmpfs_associate(misc_device_t) +fs_associate_tmpfs(misc_device_t) # # A more general type for mouse devices. # type mouse_device_t, device_node; fs_associate(mouse_device_t) -fs_tmpfs_associate(mouse_device_t) +fs_associate_tmpfs(mouse_device_t) # # Type for /dev/cpu/mtrr and /proc/mtrr # type mtrr_device_t, device_node; fs_associate(mtrr_device_t) -fs_tmpfs_associate(mtrr_device_t) +fs_associate_tmpfs(mtrr_device_t) genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0) # @@ -111,7 +111,7 @@ genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0) # type null_device_t, device_node; fs_associate(null_device_t) -fs_tmpfs_associate(null_device_t) +fs_associate_tmpfs(null_device_t) sid devnull context_template(system_u:object_r:null_device_t,s0) # @@ -119,48 +119,48 @@ sid devnull context_template(system_u:object_r:null_device_t,s0) # type power_device_t, device_node; fs_associate(power_device_t) -fs_tmpfs_associate(power_device_t) +fs_associate_tmpfs(power_device_t) type printer_device_t, device_node; fs_associate(printer_device_t) -fs_tmpfs_associate(printer_device_t) +fs_associate_tmpfs(printer_device_t) # # random_device_t is the type of /dev/random # type random_device_t, device_node; fs_associate(random_device_t) -fs_tmpfs_associate(random_device_t) +fs_associate_tmpfs(random_device_t) type scanner_device_t, device_node; fs_associate(scanner_device_t) -fs_tmpfs_associate(scanner_device_t) +fs_associate_tmpfs(scanner_device_t) # # Type for sound devices and mixers # type sound_device_t, device_node; fs_associate(sound_device_t) -fs_tmpfs_associate(sound_device_t) +fs_associate_tmpfs(sound_device_t) # # urandom_device_t is the type of /dev/urandom # type urandom_device_t, device_node; fs_associate(urandom_device_t) -fs_tmpfs_associate(urandom_device_t) +fs_associate_tmpfs(urandom_device_t) type v4l_device_t, device_node; fs_associate(v4l_device_t) -fs_tmpfs_associate(v4l_device_t) +fs_associate_tmpfs(v4l_device_t) type xserver_misc_device_t, device_node; fs_associate(xserver_misc_device_t) -fs_tmpfs_associate(xserver_misc_device_t) +fs_associate_tmpfs(xserver_misc_device_t) # # zero_device_t is the type of /dev/zero. # type zero_device_t, device_node; fs_associate(zero_device_t) -fs_tmpfs_associate(zero_device_t) +fs_associate_tmpfs(zero_device_t) diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index d0bfd2a7..8d4b1bd1 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -21,6 +21,30 @@ define(`fs_make_fs_depend',` attribute fs_type; ') +######################################## +## +## +## Transform specified type into a filesystem +## type which does not have extended attribute +## support. +## +## +## The type of the process performing this action. +## +## +# +define(`fs_make_noxattr_fs',` + requires_block_template(`$0'_depend) + + fs_make_fs($1) + + typeattribute $1 noxattrfs; +') + +define(`fs_make_noxattr_fs_depend',` + attribute noxattrfs; +') + ######################################## ## ## @@ -183,13 +207,13 @@ define(`fs_getattr_xattr_fs_depend',` ## ## # -define(`fs_ignore_getattr_xattr_fs',` +define(`fs_dontaudit_getattr_xattr_fs',` requires_block_template(`$0'_depend) dontaudit $1 fs_t:filesystem getattr; ') -define(`fs_ignore_getattr_xattr_fs_depend',` +define(`fs_dontaudit_getattr_xattr_fs_depend',` type fs_t; class filesystem getattr; @@ -1521,7 +1545,7 @@ define(`fs_create_tmpfs_data',` ') ') -define(`fs_create_private_tmpfs_data_depend',` +define(`fs_create_tmpfs_data_depend',` type tmpfs_t; class filesystem associate; @@ -1788,7 +1812,7 @@ define(`fs_get_all_fs_quotas_depend',` ') ######################################## -## +## ## ## Set the quotas of all filesystems. ## diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 33a36df6..4087a5bb 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -29,7 +29,7 @@ define(`kernel_userland_entry',` allow $1 kernel_t:process sigchld; ') -define(`kernel_make_userland_entrypoint_depend',` +define(`kernel_userland_entry_depend',` type kernel_t; class process { transition noatsecure siginh rlimitinh sigchld }; @@ -491,7 +491,7 @@ define(`kernel_compute_reachable_user_contexts',` allow $1 security_t:security compute_user; ') -define(`kernel_compute_selinux_reachable_user_contexts_depend',` +define(`kernel_compute_reachable_user_contexts_depend',` type security_t; class dir { read search getattr }; @@ -1096,7 +1096,7 @@ define(`kernel_read_unix_sysctl_depend',` ## ## # -define(`kernel_modify_unix_sysctl',` +define(`kernel_rw_unix_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; @@ -1105,7 +1105,7 @@ define(`kernel_modify_unix_sysctl',` allow $1 sysctl_net_unix_t:file rw_file_perms; ') -define(`kernel_modify_net_sysctl_depend',` +define(`kernel_rw_net_sysctl_depend',` type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; class dir r_dir_perms; @@ -1393,9 +1393,9 @@ define(`kernel_read_rpc_sysctl_depend',` ######################################## # -# kernel_modify_rpc_sysctl(domain) +# kernel_rw_rpc_sysctl(domain) # -define(`kernel_modify_rpc_sysctl',` +define(`kernel_rw_rpc_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; @@ -1404,7 +1404,7 @@ define(`kernel_modify_rpc_sysctl',` allow $1 sysctl_rpc_t:file rw_file_perms; ') -define(`kernel_modify_rpc_sysctl_depend',` +define(`kernel_rw_rpc_sysctl_depend',` type proc_t, proc_net_t, sysctl_rpc_t; class dir r_dir_perms; @@ -1423,8 +1423,8 @@ define(`kernel_modify_rpc_sysctl_depend',` # define(`kernel_read_all_sysctl',` kernel_read_device_sysctl($1) - kernel_read_virtual_memory_sysctl($1) - kernel_read_network_sysctl($1) + kernel_read_vm_sysctl($1) + kernel_read_net_sysctl($1) kernel_read_unix_sysctl($1) kernel_read_hotplug_sysctl($1) kernel_read_modprobe_sysctl($1) @@ -1435,7 +1435,7 @@ define(`kernel_read_all_sysctl',` ') ######################################## -## +## ## ## Read and write all sysctls. ## @@ -1446,8 +1446,8 @@ define(`kernel_read_all_sysctl',` # define(`kernel_rw_all_sysctl',` kernel_rw_device_sysctl($1) - kernel_rw_virtual_memory_sysctl($1) - kernel_rw_network_sysctl($1) + kernel_rw_vm_sysctl($1) + kernel_rw_net_sysctl($1) kernel_rw_unix_sysctl($1) kernel_rw_hotplug_sysctl($1) kernel_rw_modprobe_sysctl($1) @@ -1505,7 +1505,7 @@ define(`kernel_read_hardware_state_depend',` ') ######################################## -## +## ## ## Allow caller to modify hardware state information. ## diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 1aaf7d79..1ec123f9 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -67,15 +67,6 @@ files_make_mountpoint(sysfs_t) fs_make_fs(sysfs_t) genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0) -# -# usbfs_t is the type for /proc/bus/usb -# -type usbfs_t alias usbdevfs_t; -files_make_mountpoint(usbfs_t) -fs_make_fs(usbfs_t) -genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0) -genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0) - # # Procfs types # @@ -153,6 +144,15 @@ genfscon proc /sys/vm context_template(system_u:object_r:sysctl_vm_t,s0) type sysctl_dev_t; genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0) +# +# usbfs_t is the type for /proc/bus/usb +# +type usbfs_t alias usbdevfs_t; +files_make_mountpoint(usbfs_t) +fs_make_noxattr_fs(usbfs_t) +genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0) +genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0) + ######################################## # # kernel local policy @@ -197,10 +197,10 @@ auditallow kernel_t security_t:security load_policy; corenet_raw_sendrecv_all_if(kernel_t) corenet_raw_sendrecv_all_nodes(kernel_t) # Kernel-generated traffic e.g., TCP resets: -corenet_raw_sendrecv_all_ifaces(kernel_t) -corenet_raw_sendrecv_all_nodes(kernel_t) +corenet_tcp_sendrecv_all_if(kernel_t) +corenet_tcp_sendrecv_all_nodes(kernel_t) -terminal_use_console(kernel_t) +term_use_console(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index ff1d9fbf..d379432f 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -41,7 +41,7 @@ define(`term_pty_depend',` define(`term_user_pty',` requires_block_template(`$0'_depend) - termi_pty($1) + term_pty($1) typeattribute $1 server_ptynode; ') @@ -50,11 +50,11 @@ define(`term_user_pty_depend',` ') ######################################## -## +## ## ## Transform specified type into a tty type. ## -## +## ## An object type that will applied to a tty. ## ## @@ -115,7 +115,7 @@ define(`term_create_pty_depend',` ') ######################################## -## +## ## ## Read and write the console, all ## ttys and all ptys. @@ -125,7 +125,7 @@ define(`term_create_pty_depend',` ## ## # -define(`term_use_all_terminals',` +define(`term_use_all_terms',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) @@ -133,7 +133,7 @@ define(`term_use_all_terminals',` allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms; ') -define(`term_use_all_terminals_depend',` +define(`term_use_all_terms_depend',` attribute ttynode, ptynode; type console_device_t, devpts_t, tty_device_t; @@ -378,17 +378,17 @@ define(`term_dontaudit_use_ptmx_depend',` ') ######################################## -## +## ## -## Get the attributes of all pty -## device nodes. +## Get the attributes of all user +## pty device nodes. ## ## ## The type of the process performing this action. ## ## # -define(`term_getattr_all_ptys',` +define(`term_getattr_all_user_ptys',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) @@ -462,14 +462,14 @@ define(`term_dontaudit_use_all_user_ptys_depend',` ## ## # -define(`term_gettattr_unallocated_ttys',` +define(`term_getattr_unallocated_ttys',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 tty_device_t:chr_file getattr; ') -define(`term_gettattr_unallocated_ttys_depend',` +define(`term_getattr_unallocated_ttys_depend',` type tty_device_t; class chr_file getattr; @@ -486,14 +486,14 @@ define(`term_gettattr_unallocated_ttys_depend',` ## ## # -define(`term_settattr_unallocated_ttys',` +define(`term_setattr_unallocated_ttys',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 tty_device_t:chr_file setattr; ') -define(`term_settattr_unallocated_ttys_depend',` +define(`term_setattr_unallocated_ttys_depend',` type tty_device_t; class chr_file setattr; @@ -510,14 +510,14 @@ define(`term_settattr_unallocated_ttys_depend',` ## ## # -define(`term_relabel_unallocated_tty',` +define(`term_relabel_unallocated_ttys',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 tty_device_t:chr_file { relabelfrom relabelto }; ') -define(`term_relabel_unallocated_tty_depend',` +define(`term_relabel_unallocated_ttys_depend',` type tty_device_t; class chr_file { relabelfrom relabelto }; @@ -550,7 +550,7 @@ define(`term_reset_tty_labels_depend',` ') ######################################## -## +## ## ## Write to unallocated ttys. ## @@ -559,14 +559,14 @@ define(`term_reset_tty_labels_depend',` ## ## # -define(`term_write_general_tty',` +define(`term_write_unallocated_ttys',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 tty_device_t:chr_file { getattr write }; ') -define(`term_write_general_tty_depend',` +define(`term_write_unallocated_ttys_depend',` type tty_device_t; class chr_file { getattr write }; diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 91b6f8c6..3b22c2e0 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -26,10 +26,10 @@ define(`cron_per_userdomain_template',` # allow $1_crond_t self:capability dac_override; - allow $1_crond_t self:process signal_perms; + allow $1_crond_t self:process { signal_perms setsched }; allow $1_crond_t self:fifo_file rw_file_perms; - allow $1_crond_t self:unix_stream_socket create_socket_perms; - allow $1_crond_t self:unix_dgram_socket create_stream_socket_perms; + allow $1_crond_t self:unix_stream_socket create_stream_socket_perms; + allow $1_crond_t self:unix_dgram_socket create_socket_perms; # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are @@ -55,22 +55,22 @@ define(`cron_per_userdomain_template',` kernel_read_kernel_sysctl($1_crond_t) # ps does not need to access /boot when run from cron - bootloader_ignore_search_bootloader_data_directory($1_crond_t) + bootloader_dontaudit_search_boot($1_crond_t) - corenetwork_sendrecv_tcp_on_all_interfaces($1_crond_t) - corenetwork_sendrecv_raw_on_all_interfaces($1_crond_t) - corenetwork_sendrecv_udp_on_all_interfaces($1_crond_t) - corenetwork_sendrecv_tcp_on_all_nodes($1_crond_t) - corenetwork_sendrecv_raw_on_all_nodes($1_crond_t) - corenetwork_sendrecv_udp_on_all_nodes($1_crond_t) - corenetwork_sendrecv_tcp_on_all_ports($1_crond_t) - corenetwork_sendrecv_udp_on_all_ports($1_crond_t) - corenetwork_bind_tcp_on_all_nodes($1_crond_t) - corenetwork_bind_udp_on_all_nodes($1_crond_t) + corenet_tcp_sendrecv_all_if($1_crond_t) + corenet_raw_sendrecv_all_if($1_crond_t) + corenet_udp_sendrecv_all_if($1_crond_t) + corenet_tcp_sendrecv_all_nodes($1_crond_t) + corenet_raw_sendrecv_all_nodes($1_crond_t) + corenet_udp_sendrecv_all_nodes($1_crond_t) + corenet_tcp_sendrecv_all_ports($1_crond_t) + corenet_udp_sendrecv_all_ports($1_crond_t) + corenet_tcp_bind_all_nodes($1_crond_t) + corenet_udp_bind_all_nodes($1_crond_t) devices_get_pseudorandom_data($1_crond_t) - fs_get_all_fs_attributes($1_crond_t) + fs_getattr_all_fs($1_crond_t) domain_execute_all_entrypoint_programs($1_crond_t) @@ -153,7 +153,7 @@ define(`cron_per_userdomain_template',` allow $1_crontab_t crond_log_t:file ra_file_perms; - fs_get_persistent_fs_attributes($1_crontab_t) + fs_getattr_xattr_fs($1_crontab_t) domain_use_widely_inheritable_file_descriptors($1_crontab_t) @@ -225,11 +225,11 @@ define(`cron_admin_template',` # Manipulate other users crontab. kernel_get_selinuxfs_mount_point($1_crontab_t) - kernel_validate_selinux_context($1_crontab_t) - kernel_compute_selinux_access_vector($1_crontab_t) - kernel_compute_selinux_create_context($1_crontab_t) - kernel_compute_selinux_relabel_context($1_crontab_t) - kernel_compute_selinux_reachable_user_contexts($1_crontab_t) + kernel_validate_context($1_crontab_t) + kernel_compute_access_vector($1_crontab_t) + kernel_compute_create_context($1_crontab_t) + kernel_compute_relabel_context($1_crontab_t) + kernel_compute_reachable_user_contexts($1_crontab_t) tunable_policy(`fcron_crond', ` # fcron wants an instant update of a crontab change for the administrator diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index d1c045ec..b32fc5db 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -81,17 +81,17 @@ allow crond_t system_cron_spool_t:file r_file_perms; kernel_read_kernel_sysctl(crond_t) kernel_read_hardware_state(crond_t) kernel_get_selinuxfs_mount_point(crond_t) -kernel_validate_selinux_context(crond_t) -kernel_compute_selinux_access_vector(crond_t) -kernel_compute_selinux_create_context(crond_t) -kernel_compute_selinux_relabel_context(crond_t) -kernel_compute_selinux_reachable_user_contexts(crond_t) +kernel_validate_context(crond_t) +kernel_compute_access_vector(crond_t) +kernel_compute_create_context(crond_t) +kernel_compute_relabel_context(crond_t) +kernel_compute_reachable_user_contexts(crond_t) devices_get_pseudorandom_data(crond_t) -fs_get_all_fs_attributes(crond_t) +fs_getattr_all_fs(crond_t) -terminal_ignore_use_console(crond_t) +term_dontaudit_use_console(crond_t) # need auth_chkpwd to check for locked accounts. authlogin_check_password_transition(crond_t) @@ -125,7 +125,7 @@ tunable_policy(`fcron_crond', ` ') ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(crond_t) + term_dontaudit_use_unallocated_tty(crond_t) terminal_ignore_use_general_pseudoterminal(crond_t) files_ignore_read_rootfs_file(crond_t) ') @@ -184,7 +184,7 @@ allow system_crond_t rpm_log_t:file create_file_perms; # allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; -allow system_crond_t self:process signal_perms; +allow system_crond_t self:process { signal_perms setsched }; allow system_crond_t self:fifo_file rw_file_perms; allow system_crond_t self:passwd rootok; @@ -215,7 +215,7 @@ allow system_crond_t system_crond_lock_t:file create_file_perms; files_create_private_lock_file(system_crond_t,system_crond_lock_t) # write temporary files -allow system_crond_t system_crond_tmp_t:file createfile_perms; +allow system_crond_t system_crond_tmp_t:file create_file_perms; files_create_private_tmp_data(system_crond_t,system_crond_tmp_t) # write temporary files in crond tmp dir: @@ -235,25 +235,25 @@ kernel_read_system_state(system_crond_t) kernel_read_software_raid_state(system_crond_t) # ps does not need to access /boot when run from cron -bootloader_ignore_search_bootloader_data_directory(system_crond_t) +bootloader_dontaudit_search_boot(system_crond_t) -corenetwork_sendrecv_tcp_on_all_interfaces(system_crond_t) -corenetwork_sendrecv_raw_on_all_interfaces(system_crond_t) -corenetwork_sendrecv_udp_on_all_interfaces(system_crond_t) -corenetwork_sendrecv_tcp_on_all_nodes(system_crond_t) -corenetwork_sendrecv_raw_on_all_nodes(system_crond_t) -corenetwork_sendrecv_udp_on_all_nodes(system_crond_t) -corenetwork_sendrecv_tcp_on_all_ports(system_crond_t) -corenetwork_sendrecv_udp_on_all_ports(system_crond_t) -corenetwork_bind_tcp_on_all_nodes(system_crond_t) -corenetwork_bind_udp_on_all_nodes(system_crond_t) +corenet_tcp_sendrecv_all_if(system_crond_t) +corenet_raw_sendrecv_all_if(system_crond_t) +corenet_udp_sendrecv_all_if(system_crond_t) +corenet_tcp_sendrecv_all_nodes(system_crond_t) +corenet_raw_sendrecv_all_nodes(system_crond_t) +corenet_udp_sendrecv_all_nodes(system_crond_t) +corenet_tcp_sendrecv_all_ports(system_crond_t) +corenet_udp_sendrecv_all_ports(system_crond_t) +corenet_tcp_bind_all_nodes(system_crond_t) +corenet_udp_bind_all_nodes(system_crond_t) devices_get_all_block_device_attributes(system_crond_t) devices_get_all_character_device_attributes(system_crond_t) devices_get_pseudorandom_data(system_crond_t) -fs_get_all_fs_attributes(system_crond_t) -fs_get_all_file_attributes(system_crond_t) +fs_getattr_all_fs(system_crond_t) +fs_getattr_all_files(system_crond_t) init_use_file_descriptors(system_crond_t) init_script_use_file_descriptors(system_crond_t) @@ -296,11 +296,11 @@ if (cron_can_relabel) { selinux_setfiles_transition(system_crond_t) } else { kernel_get_selinuxfs_mount_point(system_crond_t) - kernel_validate_selinux_context(system_crond_t) - kernel_compute_selinux_access_vector(system_crond_t) - kernel_compute_selinux_create_context(system_crond_t) - kernel_compute_selinux_relabel_context(system_crond_t) - kernel_compute_selinux_reachable_user_contexts(system_crond_t) + kernel_validate_context(system_crond_t) + kernel_compute_access_vector(system_crond_t) + kernel_compute_create_context(system_crond_t) + kernel_compute_relabel_context(system_crond_t) + kernel_compute_reachable_user_contexts(system_crond_t) selinux_read_file_contexts(system_crond_t) } diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 953a730b..f68b7268 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -33,8 +33,8 @@ define(`mta_per_userdomain_template',` allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms; # Transition from the user domain to the derived domain. - can_exec($1_t, sendmail_exec_t) domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t) + allow $1_t sendmail_exec_t:lnk_file { getattr read }; allow $1_t $1_mail_t:fd use; allow $1_mail_t $1_t:fd use; @@ -43,12 +43,12 @@ define(`mta_per_userdomain_template',` kernel_read_kernel_sysctl($1_mail_t) - corenetwork_sendrecv_tcp_on_all_interfaces($1_mail_t) - corenetwork_sendrecv_raw_on_all_interfaces($1_mail_t) - corenetwork_sendrecv_tcp_on_all_nodes($1_mail_t) - corenetwork_sendrecv_raw_on_all_nodes($1_mail_t) - corenetwork_sendrecv_tcp_on_all_ports($1_mail_t) - corenetwork_bind_tcp_on_all_nodes($1_mail_t) + corenet_tcp_sendrecv_all_if($1_mail_t) + corenet_raw_sendrecv_all_if($1_mail_t) + corenet_tcp_sendrecv_all_nodes($1_mail_t) + corenet_raw_sendrecv_all_nodes($1_mail_t) + corenet_tcp_sendrecv_all_ports($1_mail_t) + corenet_tcp_bind_all_nodes($1_mail_t) domain_use_widely_inheritable_file_descriptors($1_mail_t) @@ -67,10 +67,10 @@ define(`mta_per_userdomain_template',` tunable_policy(`use_dns',` allow $1_mail_t self:udp_socket create_socket_perms; - corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t) - corenetwork_sendrecv_udp_on_all_nodes($1_mail_t) - corenetwork_bind_udp_on_all_nodes($1_mail_t) - corenetwork_sendrecv_udp_on_dns_port($1_mail_t) + corenet_udp_sendrecv_all_if($1_mail_t) + corenet_udp_sendrecv_all_nodes($1_mail_t) + corenet_udp_bind_all_nodes($1_mail_t) + corenet_udp_sendrecv_dns_port($1_mail_t) ') optional_policy(`procmail.te',` diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index bd69abaf..b269e188 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -41,7 +41,7 @@ init_make_system_domain(system_mail_t,sendmail_exec_t) # allow system_mail_t self:capability { setuid setgid chown }; -allow system_mail_t self:process { signal_perms setrlinit }; +allow system_mail_t self:process { signal_perms setrlimit }; allow system_mail_t self:tcp_socket create_socket_perms; @@ -53,16 +53,16 @@ kernel_read_kernel_sysctl(system_mail_t) kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) -corenetwork_sendrecv_tcp_on_all_interfaces(system_mail_t) -corenetwork_sendrecv_raw_on_all_interfaces(system_mail_t) -corenetwork_sendrecv_tcp_on_all_nodes(system_mail_t) -corenetwork_sendrecv_raw_on_all_nodes(system_mail_t) -corenetwork_bind_tcp_on_all_nodes(system_mail_t) -corenetwork_sendrecv_tcp_on_all_ports(system_mail_t) +corenet_tcp_sendrecv_all_if(system_mail_t) +corenet_raw_sendrecv_all_if(system_mail_t) +corenet_tcp_sendrecv_all_nodes(system_mail_t) +corenet_raw_sendrecv_all_nodes(system_mail_t) +corenet_tcp_bind_all_nodes(system_mail_t) +corenet_tcp_sendrecv_all_ports(system_mail_t) devices_get_pseudorandom_data(system_mail_t) -fs_get_persistent_fs_attributes(system_mail_t) +fs_getattr_xattr_fs(system_mail_t) init_script_use_pseudoterminal(system_mail_t) @@ -84,10 +84,10 @@ sysnetwork_read_network_config(system_mail_t) tunable_policy(`use_dns',` allow system_mail_t self:udp_socket create_socket_perms; - corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t) - corenetwork_sendrecv_udp_on_all_nodes(system_mail_t) - corenetwork_bind_udp_on_all_nodes(system_mail_t) - corenetwork_sendrecv_udp_on_dns_port(system_mail_t) + corenet_udp_sendrecv_all_if(system_mail_t) + corenet_udp_sendrecv_all_nodes(system_mail_t) + corenet_udp_bind_all_nodes(system_mail_t) + corenet_udp_sendrecv_dns_port(system_mail_t) ') optional_policy(`procmail.te',` diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index c1ba3525..936d2e32 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -44,16 +44,16 @@ files_create_private_tmp_data(remote_login_t, remote_login_tmp_t, { file dir }) kernel_read_system_state(remote_login_t) kernel_read_kernel_sysctl(remote_login_t) kernel_get_selinuxfs_mount_point(remote_login_t) -kernel_validate_selinux_context(remote_login_t) -kernel_compute_selinux_access_vector(remote_login_t) -kernel_compute_selinux_create_context(remote_login_t) -kernel_compute_selinux_relabel_context(remote_login_t) -kernel_compute_selinux_reachable_user_contexts(remote_login_t) +kernel_validate_context(remote_login_t) +kernel_compute_access_vector(remote_login_t) +kernel_compute_create_context(remote_login_t) +kernel_compute_relabel_context(remote_login_t) +kernel_compute_reachable_user_contexts(remote_login_t) # for SSP/ProPolice devices_get_pseudorandom_data(remote_login_t) -fs_get_persistent_fs_attributes(remote_login_t) +fs_getattr_xattr_fs(remote_login_t) init_script_modify_runtime_data(remote_login_t) diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 0af0e482..e33d4daf 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -42,23 +42,23 @@ files_create_daemon_runtime_data(sendmail_t,sendmail_var_run_t) kernel_read_kernel_sysctl(sendmail_t) kernel_read_hardware_state(sendmail_t) -corenetwork_sendrecv_tcp_on_all_interfaces(sendmail_t) -corenetwork_sendrecv_raw_on_all_interfaces(sendmail_t) -corenetwork_sendrecv_udp_on_all_interfaces(sendmail_t) -corenetwork_sendrecv_tcp_on_all_nodes(sendmail_t) -corenetwork_sendrecv_raw_on_all_nodes(sendmail_t) -corenetwork_sendrecv_udp_on_all_nodes(sendmail_t) -corenetwork_sendrecv_tcp_on_all_ports(sendmail_t) -corenetwork_sendrecv_udp_on_all_ports(sendmail_t) -corenetwork_bind_tcp_on_all_nodes(sendmail_t) -corenetwork_bind_udp_on_all_nodes(sendmail_t) -corenetwork_bind_tcp_on_smtp_port(sendmail_t) +corenet_tcp_sendrecv_all_if(sendmail_t) +corenet_raw_sendrecv_all_if(sendmail_t) +corenet_udp_sendrecv_all_if(sendmail_t) +corenet_tcp_sendrecv_all_nodes(sendmail_t) +corenet_raw_sendrecv_all_nodes(sendmail_t) +corenet_udp_sendrecv_all_nodes(sendmail_t) +corenet_tcp_sendrecv_all_ports(sendmail_t) +corenet_udp_sendrecv_all_ports(sendmail_t) +corenet_tcp_bind_all_nodes(sendmail_t) +corenet_udp_bind_all_nodes(sendmail_t) +corenet_tcp_bind_smtp_port(sendmail_t) devices_get_pseudorandom_data(sendmail_t) -fs_get_all_fs_attributes(sendmail_t) +fs_getattr_all_fs(sendmail_t) -terminal_ignore_use_console(sendmail_t) +term_dontaudit_use_console(sendmail_t) init_use_file_descriptors(sendmail_t) init_script_use_pseudoterminal(sendmail_t) @@ -89,7 +89,7 @@ mta_manage_mail_spool(sendmail_t) sysnetwork_read_network_config(sendmail_t) ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(sendmail_t) + term_dontaudit_use_unallocated_tty(sendmail_t) terminal_ignore_use_general_pseudoterminal(sendmail_t) files_ignore_read_rootfs_file(sendmail_t) ') diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 3858b84b..4c80d386 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -40,7 +40,7 @@ define(`authlogin_per_userdomain_template',` # is_selinux_enabled kernel_read_system_state($1_chkpwd_t) - fs_ignore_get_persistent_fs_attributes($1_chkpwd_t) + fs_dontaudit_getattr_xattr_fs($1_chkpwd_t) domain_use_widely_inheritable_file_descriptors($1_chkpwd_t) @@ -62,7 +62,7 @@ define(`authlogin_per_userdomain_template',` #can_ldap($1_chkpwd_t) # Transition from the user domain to this domain. - domain_auto_trans($1,chkpwd_exec_t,$1_chkpwd_t) + domain_auto_trans($1_t,chkpwd_exec_t,$1_chkpwd_t) allow $1_chkpwd_t $1_t:fd use; allow $1_t $1_chkpwd_t:fd use; @@ -78,12 +78,12 @@ define(`authlogin_per_userdomain_template',` tunable_policy(`use_dns',` allow $1_chkpwd_t self:udp_socket create_socket_perms; - corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t) - corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t) - corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t) - corenetwork_sendrecv_raw_on_all_nodes($1_chkpwd_t) - corenetwork_bind_udp_on_all_nodes($1_chkpwd_t) - corenetwork_sendrecv_udp_on_dns_port($1_chkpwd_t) + corenet_udp_sendrecv_all_if($1_chkpwd_t) + corenet_raw_sendrecv_all_if($1_chkpwd_t) + corenet_udp_sendrecv_all_nodes($1_chkpwd_t) + corenet_raw_sendrecv_all_nodes($1_chkpwd_t) + corenet_udp_bind_all_nodes($1_chkpwd_t) + corenet_udp_sendrecv_dns_port($1_chkpwd_t) sysnetwork_read_network_config($1_chkpwd_t) ') @@ -207,12 +207,12 @@ define(`authlogin_check_password_transition',` tunable_policy(`use_dns',` allow $1 self:udp_socket create_socket_perms; - corenetwork_sendrecv_udp_on_all_interfaces($1) - corenetwork_sendrecv_raw_on_all_interfaces($1) - corenetwork_sendrecv_udp_on_all_nodes($1) - corenetwork_sendrecv_raw_on_all_nodes($1) - corenetwork_bind_udp_on_all_nodes($1) - corenetwork_sendrecv_udp_on_dns_port($1) + corenet_udp_sendrecv_all_if($1) + corenet_raw_sendrecv_all_if($1) + corenet_udp_sendrecv_all_nodes($1) + corenet_raw_sendrecv_all_nodes($1) + corenet_udp_bind_all_nodes($1) + corenet_udp_sendrecv_dns_port($1) sysnetwork_read_network_config($1) ') ') @@ -505,7 +505,7 @@ define(`authlogin_pam_transition_add_role_use_terminal_depend',` define(`authlogin_pam_execute',` requires_block_template(`$0'_depend) - can_exec($1,pam_exec_file_t) + can_exec($1,pam_exec_t) ') define(`authlogin_pam_execute_depend',` @@ -652,7 +652,7 @@ define(`authlogin_pam_console_manage_runtime_data',` files_search_system_state_data_directory($1) files_search_runtime_data_directory($1) allow $1 pam_var_console_t:dir rw_dir_perms; -B allow $1 pam_var_console_t:file create_file_perms; + allow $1 pam_var_console_t:file create_file_perms; allow $1 pam_var_console_t:lnk_file create_lnk_perms; ') diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index b4ea9a40..e530bf8d 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -93,8 +93,8 @@ files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir }) kernel_read_system_state(pam_t) -terminal_use_all_private_physical_terminals(pam_t) -terminal_use_all_private_pseudoterminals(pam_t) +term_use_all_user_ttys(pam_t) +term_use_all_user_ptys(pam_t) init_script_ignore_modify_runtime_data(pam_t) @@ -139,17 +139,17 @@ allow pam_console_t pam_var_console_t:lnk_file r_file_perms; kernel_read_kernel_sysctl(pam_console_t) kernel_read_system_state(pam_console_t) kernel_read_hardware_state(pam_console_t) -kernel_use_file_descriptors(pam_console_t) +kernel_use_fd(pam_console_t) # Allow to set attributes on /dev entries -storage_get_fixed_disk_attributes(pam_console_t) -storage_set_fixed_disk_attributes(pam_console_t) -storage_get_removable_device_attributes(pam_console_t) +storage_getattr_fixed_disk(pam_console_t) +storage_setattr_fixed_disk(pam_console_t) +storage_getattr_removable_device(pam_console_t) storage_set_removable_device_attributes(pam_console_t) -terminal_use_console(pam_console_t) -terminal_get_general_physical_terminal_attributes(pam_console_t) -terminal_set_general_physical_terminal_attributes(pam_console_t) +term_use_console(pam_console_t) +term_getattr_unallocated_ttys(pam_console_t) +term_setattr_unallocated_ttys(pam_console_t) init_use_file_descriptors(pam_console_t) init_use_file_descriptors(pam_console_t) @@ -175,7 +175,7 @@ ifdef(`direct_sysadm_daemon', ` ') ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(pam_console_t) + term_dontaudit_use_unallocated_tty(pam_console_t) terminal_ignore_use_general_pseudoterminal(pam_console_t) files_ignore_read_rootfs_file(pam_console_t) ') @@ -236,9 +236,9 @@ allow system_chkpwd_t shadow_t:file { getattr read }; # is_selinux_enabled kernel_read_system_state(system_chkpwd_t) -fs_ignore_get_persistent_fs_attributes(system_chkpwd_t) +fs_dontaudit_getattr_xattr_fs(system_chkpwd_t) -terminal_use_general_physical_terminal(system_chkpwd_t) +term_use_unallocated_tty(system_chkpwd_t) files_read_general_system_config(system_chkpwd_t) # for nscd @@ -255,12 +255,12 @@ selinux_read_config(system_chkpwd_t) tunable_policy(`use_dns',` allow system_chkpwd_t self:udp_socket create_socket_perms; - corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t) - corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t) - corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t) - corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t) - corenetwork_bind_udp_on_all_nodes(system_chkpwd_t) - corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t) + corenet_udp_sendrecv_all_if(system_chkpwd_t) + corenet_raw_sendrecv_all_if(system_chkpwd_t) + corenet_udp_sendrecv_all_nodes(system_chkpwd_t) + corenet_raw_sendrecv_all_nodes(system_chkpwd_t) + corenet_udp_bind_all_nodes(system_chkpwd_t) + corenet_udp_sendrecv_dns_port(system_chkpwd_t) sysnetwork_read_network_config(system_chkpwd_t) ') @@ -278,15 +278,15 @@ dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms; # allow utempter_t self:capability setgid; -allow utempter_t self:unix_stream_socket rw_stream_socket_perms; +allow utempter_t self:unix_stream_socket create_stream_socket_perms; allow utempter_t wtmp_t:file rw_file_perms; -terminal_get_all_private_physical_terminal_attributes(utempter_t) -terminal_get_all_private_pseudoterminal_attributes(utempter_t) -terminal_ignore_use_all_private_physical_terminals(utempter_t) -terminal_ignore_use_all_private_pseudoterminals(utempter_t) -terminal_ignore_use_pseudoterminal_multiplexer(utempter_t) +term_getattr_all_user_ttys(utempter_t) +term_getattr_all_user_ptys(utempter_t) +term_dontaudit_use_all_user_ttys(utempter_t) +term_dontaudit_use_all_user_ptys(utempter_t) +term_dontaudit_use_ptmx(utempter_t) init_script_modify_runtime_data(utempter_t) diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index 030050fb..52373b05 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -34,12 +34,12 @@ kernel_read_hardware_state(hwclock_t) devices_modify_realtime_clock(hwclock_t) -fs_get_persistent_fs_attributes(hwclock_t) +fs_getattr_xattr_fs(hwclock_t) -terminal_ignore_use_console(hwclock_t) -terminal_use_general_physical_terminal(hwclock_t) -terminal_use_all_private_physical_terminals(hwclock_t) -terminal_use_all_private_pseudoterminals(hwclock_t) +term_dontaudit_use_console(hwclock_t) +term_use_unallocated_tty(hwclock_t) +term_use_all_user_ttys(hwclock_t) +term_use_all_user_ptys(hwclock_t) init_use_file_descriptors(hwclock_t) init_script_use_pseudoterminal(hwclock_t) @@ -58,7 +58,7 @@ logging_send_system_log_message(hwclock_t) miscfiles_read_localization(hwclock_t) ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(hwclock_t) + term_dontaudit_use_unallocated_tty(hwclock_t) terminal_ignore_use_general_pseudoterminal(hwclock_t) files_ignore_read_rootfs_file(hwclock_t) ') diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index 1580e9bd..579d489d 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if @@ -200,9 +200,8 @@ define(`corecommands_shell_explicit_transition',` allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; - allow $1 shell_exec_t:file rx_file_perms - allow $1 $2:process transition; - dontaudit $1 $2:process { noatsecure siginh rlimitinh }; + + domain_trans($1,shell_exec_t,$2) allow $1 $2:fd use; allow $2 $1:fd use; diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 84e1214f..2a2cd31e 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -38,7 +38,7 @@ define(`domain_make_domain',` # Use trusted objects in /dev devices_use_dev_null($1) devices_use_dev_zero($1) - terminal_use_controlling_terminal($1) + term_use_controlling_term($1) # read the root directory files_read_root_dir($1) diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 509f4426..4b633c37 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -9,7 +9,7 @@ define(`files_make_file',` requires_block_template(`$0'_depend) fs_associate($1) - fs_noxattr_associate($1) + fs_associate_noxattr($1) typeattribute $1 file_type; ') @@ -92,7 +92,7 @@ define(`files_make_tmpfs_file',` requires_block_template(`$0'_depend) files_make_file($1) - fs_tmpfs_associate($1) + fs_associate_tmpfs($1) typeattribute $1 tmpfsfile; ') @@ -938,7 +938,7 @@ define(`files_manage_pseudorandom_saved_seed',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; - allow $1 var_lib_t:dir rw_file_perms; + allow $1 var_lib_t:dir rw_dir_perms; allow $1 var_lib_t:file { getattr create read write setattr unlink }; ') @@ -992,7 +992,7 @@ define(`files_manage_system_lock_files_depend',` define(`files_remove_all_lock_files',` requires_block_template(`$0'_depend) - allow $1 lockfile:dir rw_file_perms; + allow $1 lockfile:dir rw_dir_perms; allow $1 lockfile:file { getattr unlink }; ') @@ -1271,15 +1271,15 @@ define(`files_manage_system_spools',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; - allow $1 var_spool_t:dir rw_file_perms; - allow $1 var_spool_t:file { getattr create read write append unlink setattr }; + allow $1 var_spool_t:dir rw_dir_perms; + allow $1 var_spool_t:file create_file_perms; ') define(`files_manage_system_spools_depend',` type var_t, var_spool_t; - class dir rw_file_perms; - class file { getattr create read write append unlink setattr }; + class dir rw_dir_perms; + class file create_file_perms; ') ## diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te index ede923c5..3f2c476c 100644 --- a/refpolicy/policy/modules/system/files.te +++ b/refpolicy/policy/modules/system/files.te @@ -13,14 +13,14 @@ attribute tmpfsfile; # other than the generic /.* specification. type default_t, file_type, mountpoint; fs_associate(default_t) -fs_noxattr_associate(default_t) +fs_associate_noxattr(default_t) # # etc_t is the type of the system etc directories. # type etc_t, file_type; fs_associate(etc_t) -fs_noxattr_associate(etc_t) +fs_associate_noxattr(etc_t) # # etc_runtime_t is the type of various @@ -29,7 +29,7 @@ fs_noxattr_associate(etc_t) # type etc_runtime_t, file_type; fs_associate(etc_runtime_t) -fs_noxattr_associate(etc_runtime_t) +fs_associate_noxattr(etc_runtime_t) # # file_t is the default type of a file that has not yet been @@ -38,8 +38,8 @@ fs_noxattr_associate(etc_runtime_t) # type file_t, file_type, mountpoint; fs_associate(file_t) -fs_noxattr_associate(file_t) -kernel_make_root_fs_mountpoint(file_t) +fs_associate_noxattr(file_t) +kernel_rootfs_mountpoint(file_t) sid file context_template(system_u:object_r:file_t,s0) # @@ -48,41 +48,41 @@ sid file context_template(system_u:object_r:file_t,s0) # type home_root_t, file_type, mountpoint; fs_associate(home_root_t) -fs_noxattr_associate(home_root_t) +fs_associate_noxattr(home_root_t) # # lost_found_t is the type for the lost+found directories. # type lost_found_t, file_type; fs_associate(lost_found_t) -fs_noxattr_associate(lost_found_t) +fs_associate_noxattr(lost_found_t) # # mnt_t is the type for mount points such as /mnt/cdrom # type mnt_t, file_type, mountpoint; fs_associate(mnt_t) -fs_noxattr_associate(mnt_t) +fs_associate_noxattr(mnt_t) type no_access_t, file_type; fs_associate(no_access_t) -fs_noxattr_associate(no_access_t) +fs_associate_noxattr(no_access_t) type poly_t, file_type; fs_associate(poly_t) -fs_noxattr_associate(poly_t) +fs_associate_noxattr(poly_t) type readable_t, file_type; fs_associate(readable_t) -fs_noxattr_associate(readable_t) +fs_associate_noxattr(readable_t) # # root_t is the type for rootfs and the root directory. # type root_t, file_type, mountpoint; fs_associate(root_t) -fs_noxattr_associate(root_t) -kernel_make_root_fs_mountpoint(root_t) +fs_associate_noxattr(root_t) +kernel_rootfs_mountpoint(root_t) genfscon rootfs / context_template(system_u:object_r:root_t,s0) # @@ -90,42 +90,42 @@ genfscon rootfs / context_template(system_u:object_r:root_t,s0) # type src_t, file_type; fs_associate(src_t) -fs_noxattr_associate(src_t) +fs_associate_noxattr(src_t) # # tmp_t is the type of the temporary directories # type tmp_t, file_type, tmpfile, mountpoint; fs_associate(tmp_t) -fs_noxattr_associate(tmp_t) +fs_associate_noxattr(tmp_t) # # usr_t is the type for /usr. # type usr_t, file_type, mountpoint; fs_associate(usr_t) -fs_noxattr_associate(usr_t) +fs_associate_noxattr(usr_t) # # var_t is the type of /var # type var_t, file_type, mountpoint; fs_associate(var_t) -fs_noxattr_associate(var_t) +fs_associate_noxattr(var_t) # # var_lib_t is the type of /var/lib # type var_lib_t, file_type; fs_associate(var_lib_t) -fs_noxattr_associate(var_lib_t) +fs_associate_noxattr(var_lib_t) # # var_lock_t is tye type of /var/lock # type var_lock_t, file_type, lockfile; fs_associate(var_lock_t) -fs_noxattr_associate(var_lock_t) +fs_associate_noxattr(var_lock_t) # # var_run_t is the type of /var/run, usually @@ -133,11 +133,11 @@ fs_noxattr_associate(var_lock_t) # type var_run_t, file_type, pidfile; fs_associate(var_run_t) -fs_noxattr_associate(var_run_t) +fs_associate_noxattr(var_run_t) # # var_spool_t is the type of /var/spool # type var_spool_t, file_type; fs_associate(var_spool_t) -fs_noxattr_associate(var_spool_t) +fs_associate_noxattr(var_spool_t) diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index b2052ba0..aafc77da 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te @@ -45,14 +45,14 @@ allow getty_t getty_log_t:file { getattr append setattr }; kernel_read_hardware_state(getty_t) # for error condition handling -fs_get_persistent_fs_attributes(getty_t) +fs_getattr_xattr_fs(getty_t) # Chown, chmod, read and write ttys. -terminal_use_all_private_physical_terminals(getty_t) -terminal_use_general_physical_terminal(getty_t) -terminal_set_all_private_physical_terminal_attributes(getty_t) -terminal_set_general_physical_terminal_attributes(getty_t) -terminal_set_console_attributes(getty_t) +term_use_all_user_ttys(getty_t) +term_use_unallocated_tty(getty_t) +term_setattr_all_user_ttys(getty_t) +term_setattr_unallocated_ttys(getty_t) +term_setattr_console(getty_t) authlogin_modify_login_records(getty_t) diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index f4b34391..3353e179 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -27,15 +27,15 @@ sysnetwork_read_network_config(hostname_t) kernel_read_kernel_sysctl(hostname_t) kernel_read_hardware_state(hostname_t) -kernel_ignore_use_file_descriptors(hostname_t) +kernel_dontaudit_use_fd(hostname_t) files_read_general_system_config(hostname_t) files_ignore_search_system_state_data_directory(hostname_t) -fs_get_persistent_fs_attributes(hostname_t) +fs_getattr_xattr_fs(hostname_t) -terminal_ignore_use_console(hostname_t) -terminal_use_all_private_physical_terminals(hostname_t) -terminal_use_all_private_pseudoterminals(hostname_t) +term_dontaudit_use_console(hostname_t) +term_use_all_user_ttys(hostname_t) +term_use_all_user_ptys(hostname_t) init_use_file_descriptors(hostname_t) init_script_use_pseudoterminal(hostname_t) @@ -59,19 +59,19 @@ ifdef(`distro_redhat', ` ') ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(hostname_t) + term_dontaudit_use_unallocated_tty(hostname_t) terminal_ignore_use_general_pseudoterminal(hostname_t) files_ignore_read_rootfs_file(hostname_t) ') tunable_policy(`use_dns',` allow hostname_t self:udp_socket create_socket_perms; - corenetwork_sendrecv_udp_on_all_interfaces(hostname_t) - corenetwork_sendrecv_raw_on_all_interfaces(hostname_t) - corenetwork_sendrecv_udp_on_all_nodes(hostname_t) - corenetwork_sendrecv_raw_on_all_nodes(hostname_t) - corenetwork_bind_udp_on_all_nodes(hostname_t) - corenetwork_sendrecv_udp_on_dns_port(hostname_t) + corenet_udp_sendrecv_all_if(hostname_t) + corenet_raw_sendrecv_all_if(hostname_t) + corenet_udp_sendrecv_all_nodes(hostname_t) + corenet_raw_sendrecv_all_nodes(hostname_t) + corenet_udp_bind_all_nodes(hostname_t) + corenet_udp_sendrecv_dns_port(hostname_t) sysnetwork_read_network_config(hostname_t) ') diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index f9fab4c8..d4fd7a79 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -8,7 +8,7 @@ policy_module(hotplug, 1.0) type hotplug_t; type hotplug_exec_t; -kernel_make_userland_entrypoint(hotplug_t,hotplug_exec_t) +kernel_userland_entry(hotplug_t,hotplug_exec_t) init_make_system_domain(hotplug_t,hotplug_exec_t) type hotplug_etc_t; #, usercanread; @@ -29,7 +29,7 @@ dontaudit hotplug_t self:capability { dac_override dac_read_search }; allow hotplug_t self:process { getsession getattr }; -allow hotplug_t self:fifo_file r_file_perms; +allow hotplug_t self:fifo_file rw_file_perms; allow hotplug_t self:udp_socket create_socket_perms; allow hotplug_t self:tcp_socket connected_stream_socket_perms; @@ -46,27 +46,27 @@ files_create_daemon_runtime_data(hotplug_t,hotplug_var_run_t) kernel_read_system_state(hotplug_t) kernel_read_kernel_sysctl(hotplug_t) kernel_read_hardware_state(hotplug_t) -kernel_read_network_sysctl(hotplug_t) +kernel_read_net_sysctl(hotplug_t) kernel_read_usb_hardware_state(hotplug_t) bootloader_read_kernel_modules(hotplug_t) -corenetwork_sendrecv_tcp_on_all_interfaces(hotplug_t) -corenetwork_sendrecv_raw_on_all_interfaces(hotplug_t) -corenetwork_sendrecv_tcp_on_all_nodes(hotplug_t) -corenetwork_sendrecv_raw_on_all_nodes(hotplug_t) -corenetwork_sendrecv_tcp_on_all_ports(hotplug_t) -corenetwork_bind_tcp_on_all_nodes(hotplug_t) +corenet_tcp_sendrecv_all_if(hotplug_t) +corenet_raw_sendrecv_all_if(hotplug_t) +corenet_tcp_sendrecv_all_nodes(hotplug_t) +corenet_raw_sendrecv_all_nodes(hotplug_t) +corenet_tcp_sendrecv_all_ports(hotplug_t) +corenet_tcp_bind_all_nodes(hotplug_t) # for SSP devices_get_pseudorandom_data(hotplug_t) -fs_get_all_fs_attributes(hotplug_t) +fs_getattr_all_fs(hotplug_t) -storage_set_fixed_disk_attributes(hotplug_t) +storage_setattr_fixed_disk(hotplug_t) storage_set_removable_device_attributes(hotplug_t) -terminal_ignore_use_console(hotplug_t) +term_dontaudit_use_console(hotplug_t) corecommands_execute_general_programs(hotplug_t) corecommands_execute_shell(hotplug_t) @@ -118,7 +118,7 @@ ifdef(`distro_redhat', ` ') ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(hotplug_t) + term_dontaudit_use_unallocated_tty(hotplug_t) terminal_ignore_use_general_pseudoterminal(hotplug_t) files_ignore_read_rootfs_file(hotplug_t) ') diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index ab4a6df6..cce8df34 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -26,7 +26,7 @@ define(`init_make_init_domain',` # Red Hat systems seem to have a stray # fd open from the initrd optional_policy(`distro_redhat',` - kernel_ignore_use_file_descriptors($1) + kernel_dontaudit_use_fd($1) files_ignore_read_rootfs_file($1) ') ') @@ -65,7 +65,7 @@ define(`init_make_daemon_domain',` # Red Hat systems seem to have a stray # fd open from the initrd optional_policy(`distro_redhat',` - kernel_ignore_use_file_descriptors($1) + kernel_dontaudit_use_fd($1) files_ignore_read_rootfs_file($1) ') ') @@ -106,7 +106,7 @@ define(`init_make_system_domain',` # Red Hat systems seem to have a stray # fd open from the initrd optional_policy(`distro_redhat',` - kernel_ignore_use_file_descriptors($1) + kernel_dontaudit_use_fd($1) files_ignore_read_rootfs_file($1) ') ') @@ -409,7 +409,7 @@ define(`init_script_get_process_group_depend',` define(`init_script_use_pseudoterminal',` requires_block_template(`$0'_depend) - terminal_list_pseudoterminals($1) + term_list_ptys($1) allow $1 initrc_devpts_t:chr_file { getattr read write ioctl }; ') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 38a46895..62d0ce25 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -17,7 +17,7 @@ role system_r types init_t; # init_exec_t is the type of the init program. # type init_exec_t; -kernel_make_userland_entrypoint(init_t,init_exec_t) +kernel_userland_entry(init_t,init_exec_t) domain_make_entrypoint_file(init_t,init_exec_t) # @@ -43,8 +43,8 @@ domain_make_entrypoint_file(initrc_t,initrc_exec_t) type initrc_devpts_t; fs_associate(initrc_devpts_t) -fs_noxattr_associate(initrc_devpts_t) -terminal_make_pseudoterminal(initrc_devpts_t) +fs_associate_noxattr(initrc_devpts_t) +term_pty(initrc_devpts_t) type initrc_var_run_t; files_make_daemon_runtime_file(initrc_var_run_t) @@ -79,21 +79,21 @@ allow init_t init_var_run_t:file { create getattr read append write setattr unli files_create_daemon_runtime_data(init_t,init_var_run_t) allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink }; -fs_tmpfs_associate(initctl_t) +fs_associate_tmpfs(initctl_t) devices_create_dev_entry(init_t,initctl_t,fifo_file) # Modify utmp. -allow init_t initrc_var_run_t:file rw_file_perms; +allow init_t initrc_var_run_t:file { rw_file_perms setattr }; # Run init scripts. domain_auto_trans(init_t,initrc_exec_t,initrc_t) -kernel_set_selinux_boolean(init_t) +kernel_set_boolean(init_t) kernel_read_system_state(init_t) kernel_read_hardware_state(init_t) kernel_share_state(init_t) -terminal_use_all_terminals(init_t) +term_use_all_terms(init_t) corecommands_chroot(init_t) corecommands_execute_general_programs(init_t) @@ -129,7 +129,7 @@ miscfiles_read_localization(init_t) ifdef(`distro_redhat',` fs_use_tmpfs_character_devices(init_t) - fs_create_private_tmpfs_data(init_t,initctl_t,fifo_file) + fs_create_tmpfs_data(init_t,initctl_t,fifo_file) ') optional_policy(`authlogin.te',` @@ -181,26 +181,26 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_hardware_state(initrc_t) -kernel_modify_hardware_config_option(initrc_t) +kernel_rw_hardware_config_option(initrc_t) kernel_read_all_sysctl(initrc_t) -kernel_modify_all_sysctl(initrc_t) +kernel_rw_all_sysctl(initrc_t) kernel_get_selinux_enforcement_mode(initrc_t) kernel_list_usb_hardware(initrc_t) # for lsof which is used by alsa shutdown: -kernel_ignore_get_message_interface_attributes(initrc_t) +kernel_dontaudit_getattr_message_if(initrc_t) bootloader_read_kernel_symbol_table(initrc_t) -corenetwork_sendrecv_tcp_on_all_interfaces(initrc_t) -corenetwork_sendrecv_raw_on_all_interfaces(initrc_t) -corenetwork_sendrecv_udp_on_all_interfaces(initrc_t) -corenetwork_sendrecv_tcp_on_all_nodes(initrc_t) -corenetwork_sendrecv_raw_on_all_nodes(initrc_t) -corenetwork_sendrecv_udp_on_all_nodes(initrc_t) -corenetwork_sendrecv_tcp_on_all_ports(initrc_t) -corenetwork_sendrecv_udp_on_all_ports(initrc_t) -corenetwork_bind_tcp_on_all_nodes(initrc_t) -corenetwork_bind_udp_on_all_nodes(initrc_t) +corenet_tcp_sendrecv_all_if(initrc_t) +corenet_raw_sendrecv_all_if(initrc_t) +corenet_udp_sendrecv_all_if(initrc_t) +corenet_tcp_sendrecv_all_nodes(initrc_t) +corenet_raw_sendrecv_all_nodes(initrc_t) +corenet_udp_sendrecv_all_nodes(initrc_t) +corenet_tcp_sendrecv_all_ports(initrc_t) +corenet_udp_sendrecv_all_ports(initrc_t) +corenet_tcp_bind_all_nodes(initrc_t) +corenet_udp_bind_all_nodes(initrc_t) devices_get_random_data(initrc_t) devices_get_pseudorandom_data(initrc_t) @@ -221,14 +221,14 @@ fs_register_binary_executable_type(initrc_t) fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) -fs_get_all_fs_attributes(initrc_t) +fs_getattr_all_fs(initrc_t) -storage_get_fixed_disk_attributes(initrc_t) -storage_set_fixed_disk_attributes(initrc_t) +storage_getattr_fixed_disk(initrc_t) +storage_setattr_fixed_disk(initrc_t) storage_set_removable_device_attributes(initrc_t) -terminal_use_all_terminals(initrc_t) -terminal_reset_physical_terminal_labels(initrc_t) +term_use_all_terms(initrc_t) +term_reset_tty_labels(initrc_t) authlogin_modify_login_records(initrc_t) authlogin_modify_last_login_log(initrc_t) @@ -296,7 +296,7 @@ userdomain_read_all_users_data(initrc_t) userdomain_use_admin_terminals(initrc_t) ifdef(`distro_debian', ` - fs_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir) + fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir) ') ifdef(`distro_redhat',` @@ -305,10 +305,10 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd - kernel_ignore_use_file_descriptors(initrc_t) + kernel_dontaudit_use_fd(initrc_t) files_ignore_read_rootfs_file(initrc_t) - kernel_set_selinux_enforcement_mode(initrc_t) + kernel_set_enforcement_mode(initrc_t) # Create and read /boot/kernel.h and /boot/System.map. # Redhat systems typically create this file at boot time. @@ -354,7 +354,7 @@ optional_policy(`rhgb.te',` optional_policy(`rpm.te',` # bash tries to access a block device in the initrd - kernel_ignore_get_unlabeled_block_device_attributes(initrc_t) + kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t) # for a bug in rm files_ignore_write_all_daemon_runtime_data(initrc_t) diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 15566454..35762203 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -42,11 +42,11 @@ kernel_read_network_state(iptables_t) kernel_read_hardware_state(iptables_t) kernel_read_kernel_sysctl(iptables_t) kernel_read_modprobe_sysctl(iptables_t) -kernel_use_file_descriptors(iptables_t) +kernel_use_fd(iptables_t) -fs_get_persistent_fs_attributes(iptables_t) +fs_getattr_xattr_fs(iptables_t) -terminal_ignore_use_console(iptables_t) +term_dontaudit_use_console(iptables_t) domain_use_widely_inheritable_file_descriptors(iptables_t) @@ -73,12 +73,12 @@ userdomain_use_all_users_file_descriptors(iptables_t) tunable_policy(`use_dns',` allow iptables_t self:udp_socket create_socket_perms; - corenetwork_sendrecv_udp_on_all_interfaces(iptables_t) - corenetwork_sendrecv_raw_on_all_interfaces(iptables_t) - corenetwork_sendrecv_udp_on_all_nodes(iptables_t) - corenetwork_sendrecv_raw_on_all_nodes(iptables_t) - corenetwork_bind_udp_on_all_nodes(iptables_t) - corenetwork_sendrecv_udp_on_dns_port(iptables_t) + corenet_udp_sendrecv_all_if(iptables_t) + corenet_raw_sendrecv_all_if(iptables_t) + corenet_udp_sendrecv_all_nodes(iptables_t) + corenet_raw_sendrecv_all_nodes(iptables_t) + corenet_udp_bind_all_nodes(iptables_t) + corenet_udp_sendrecv_dns_port(iptables_t) sysnetwork_read_network_config(iptables_t) ') @@ -97,7 +97,7 @@ optional_policy(`udev.te', ` ') ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(iptables_t) + term_dontaudit_use_unallocated_tty(iptables_t) terminal_ignore_use_general_pseudoterminal(iptables_t) files_ignore_read_rootfs_file(iptables_t) diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index 4a9f6927..df3a2b81 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -14,10 +14,7 @@ define(`libraries_ldconfig_transition',` requires_block_template(`$0'_depend) - allow $1 ldconfig_exec_t:file rx_file_perms; - allow $1 ldconfig_t:process transition; - type_transition $1 ldconfig_exec_t:process ldconfig_t; - dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh }; + domain_auto_trans($1,ldconfig_exec_t,ldconfig_t) allow $1 ldconfig_t:fd use; allow ldconfig_t $1:fd use; @@ -215,7 +212,7 @@ define(`libraries_execute_library_scripts',` requires_block_template(`$0'_depend) allow $1 lib_t:dir r_dir_perms; - allow $1 lib_t:lnk_file r_file_perms + allow $1 lib_t:lnk_file r_file_perms; allow $1 lib_t:file { getattr read execute execute_no_trans }; ') diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 879c01d6..7dea9149 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -60,7 +60,7 @@ allow ldconfig_t { shlib_t texrel_shlib_t }:file rx_file_perms; kernel_read_system_state(ldconfig_t) -fs_get_persistent_fs_attributes(ldconfig_t) +fs_getattr_xattr_fs(ldconfig_t) domain_use_widely_inheritable_file_descriptors(ldconfig_t) diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 9f1d4d85..1abe4073 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -54,21 +54,21 @@ files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir }) kernel_read_system_state(local_login_t) kernel_read_kernel_sysctl(local_login_t) kernel_get_selinuxfs_mount_point(local_login_t) -kernel_validate_selinux_context(local_login_t) -kernel_compute_selinux_access_vector(local_login_t) -kernel_compute_selinux_create_context(local_login_t) -kernel_compute_selinux_relabel_context(local_login_t) -kernel_compute_selinux_reachable_user_contexts(local_login_t) +kernel_validate_context(local_login_t) +kernel_compute_access_vector(local_login_t) +kernel_compute_create_context(local_login_t) +kernel_compute_relabel_context(local_login_t) +kernel_compute_reachable_user_contexts(local_login_t) # for SSP/ProPolice devices_get_pseudorandom_data(local_login_t) -terminal_use_all_private_physical_terminals(local_login_t) -terminal_use_general_physical_terminal(local_login_t) -terminal_relabel_general_physical_terminal(local_login_t) -terminal_relabel_all_private_physical_terminals(local_login_t) -terminal_set_all_private_physical_terminal_attributes(local_login_t) -terminal_set_general_physical_terminal_attributes(local_login_t) +term_use_all_user_ttys(local_login_t) +term_use_unallocated_tty(local_login_t) +term_relabel_unallocated_ttys(local_login_t) +term_relabel_all_user_ttys(local_login_t) +term_setattr_all_user_ttys(local_login_t) +term_setattr_unallocated_ttys(local_login_t) authlogin_check_password_transition(local_login_t) authlogin_ignore_read_shadow_passwords(local_login_t) @@ -109,7 +109,7 @@ mta_get_mail_spool_attributes(local_login_t) # Red Hat systems seem to have a stray # fd open from the initrd optional_policy(`distro_redhat',` - kernel_ignore_use_file_descriptors(local_login_t) + kernel_dontaudit_use_fd(local_login_t) files_ignore_read_rootfs_file(local_login_t) ') @@ -205,7 +205,7 @@ allow sulogin_t self:unix_dgram_socket sendto; allow sulogin_t self:unix_stream_socket connectto; allow sulogin_t self:shm create_shm_perms; allow sulogin_t self:sem create_sem_perms; -allow sulogin_t self:msgq createmsgq_perms; +allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; kernel_read_system_state(sulogin_t) @@ -241,11 +241,11 @@ ifdef(`sulogin_no_pam', ` ', ` allow sulogin_t self:process setexec; kernel_get_selinuxfs_mount_point(sulogin_t) - kernel_validate_selinux_context(sulogin_t) - kernel_compute_selinux_access_vector(sulogin_t) - kernel_compute_selinux_create_context(sulogin_t) - kernel_compute_selinux_relabel_context(sulogin_t) - kernel_compute_selinux_reachable_user_contexts(sulogin_t) + kernel_validate_context(sulogin_t) + kernel_compute_access_vector(sulogin_t) + kernel_compute_create_context(sulogin_t) + kernel_compute_relabel_context(sulogin_t) + kernel_compute_reachable_user_contexts(sulogin_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index a5ee8975..6578e284 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -55,7 +55,7 @@ define(`logging_send_system_log_message',` allow $1 self:unix_stream_socket create_socket_perms; # cjp: this should most likely be removed: - terminal_use_console($1) + term_use_console($1) ') define(`logging_send_system_log_message_depend',` diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index a0a1d9ae..23b11f4b 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -61,9 +61,9 @@ files_create_daemon_runtime_data(auditd_t,auditd_var_run_t) kernel_read_kernel_sysctl(auditd_t) kernel_read_hardware_state(auditd_t) -fs_get_all_fs_attributes(auditd_t) +fs_getattr_all_fs(auditd_t) -terminal_ignore_use_console(auditd_t) +term_dontaudit_use_console(auditd_t) init_use_file_descriptors(auditd_t) init_script_use_pseudoterminal(auditd_t) @@ -80,7 +80,7 @@ libraries_use_shared_libraries(auditd_t) miscfiles_read_localization(auditd_t) ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(auditd_t) + term_dontaudit_use_unallocated_tty(auditd_t) terminal_ignore_use_general_pseudoterminal(auditd_t) files_ignore_read_rootfs_file(auditd_t) ') @@ -132,7 +132,7 @@ bootloader_read_kernel_symbol_table(klogd_t) devices_raw_read_memory(klogd_t) -fs_get_all_fs_attributes(klogd_t) +fs_getattr_all_fs(klogd_t) files_create_daemon_runtime_data(klogd_t,klogd_var_run_t) files_read_runtime_system_config(klogd_t) @@ -191,24 +191,24 @@ kernel_read_kernel_sysctl(syslogd_t) devices_create_dev_entry(syslogd_t,devlog_t,sock_file) -terminal_ignore_use_console(syslogd_t) +term_dontaudit_use_console(syslogd_t) # Allow syslog to a terminal -terminal_write_general_physical_terminal(syslogd_t) +term_write_unallocated_ttys(syslogd_t) # for sending messages to logged in users init_script_read_runtime_data(syslogd_t) init_script_ignore_write_runtime_data(syslogd_t) -terminal_write_all_private_physical_terminals(syslogd_t) +term_write_all_user_ttys(syslogd_t) -corenetwork_sendrecv_raw_on_all_interfaces(syslogd_t) -corenetwork_sendrecv_udp_on_all_interfaces(syslogd_t) -corenetwork_sendrecv_raw_on_all_nodes(syslogd_t) -corenetwork_sendrecv_udp_on_all_nodes(syslogd_t) -corenetwork_sendrecv_udp_on_all_ports(syslogd_t) -corenetwork_bind_udp_on_all_nodes(syslogd_t) -corenetwork_bind_udp_on_syslogd_port(syslogd_t) +corenet_raw_sendrecv_all_if(syslogd_t) +corenet_udp_sendrecv_all_if(syslogd_t) +corenet_raw_sendrecv_all_nodes(syslogd_t) +corenet_udp_sendrecv_all_nodes(syslogd_t) +corenet_udp_sendrecv_all_ports(syslogd_t) +corenet_udp_bind_all_nodes(syslogd_t) +corenet_udp_bind_syslogd_port(syslogd_t) -fs_get_all_fs_attributes(syslogd_t) +fs_getattr_all_fs(syslogd_t) init_use_file_descriptors(syslogd_t) init_script_use_pseudoterminal(syslogd_t) @@ -244,7 +244,7 @@ ifdef(`klogd.te', `', ` ') ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(syslogd_t) + term_dontaudit_use_unallocated_tty(syslogd_t) terminal_ignore_use_general_pseudoterminal(syslogd_t) files_ignore_read_rootfs_file(syslogd_t) ') diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 5e1e0fff..cce38a10 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -55,7 +55,7 @@ allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms; can_exec(lvm_t, lvm_exec_t) # Creating lock files -allow lvm_t lvm_lock_t:dir ra_dir_perms; +allow lvm_t lvm_lock_t:dir rw_dir_perms; allow lvm_t lvm_lock_t:file create_file_perms; files_create_private_lock_file(lvm_t,lvm_lock_t) @@ -70,11 +70,11 @@ files_create_private_config(lvm_t,lvm_metadata_t,file) kernel_read_system_state(lvm_t) kernel_get_selinuxfs_mount_point(lvm_t) -kernel_validate_selinux_context(lvm_t) -kernel_compute_selinux_access_vector(lvm_t) -kernel_compute_selinux_create_context(lvm_t) -kernel_compute_selinux_relabel_context(lvm_t) -kernel_compute_selinux_reachable_user_contexts(lvm_t) +kernel_validate_context(lvm_t) +kernel_compute_access_vector(lvm_t) +kernel_compute_create_context(lvm_t) +kernel_compute_relabel_context(lvm_t) +kernel_compute_reachable_user_contexts(lvm_t) kernel_read_kernel_sysctl(lvm_t) kernel_read_hardware_state(lvm_t) # Read /sys/block. Device mapper metadata is kept there. @@ -82,13 +82,14 @@ kernel_read_hardware_state(sysfs_t) # Read system variables in /proc/sys kernel_read_kernel_sysctl(lvm_t) # it has no reason to need this -kernel_ignore_get_core_interface_attributes(lvm_t) +kernel_dontaudit_getattr_core(lvm_t) devices_add_generic_character_device(lvm_t) devices_get_random_data(lvm_t) devices_get_pseudorandom_data(lvm_t) devices_use_lvm_control_channel(lvm_t) devices_manage_dev_symbolic_links(lvm_t) +devices_relabel_dev_dirs(lvm_t) devices_manage_generic_block_device(lvm_t) # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... @@ -97,9 +98,9 @@ devices_ignore_get_all_block_device_attributes(lvm_t) devices_ignore_get_generic_character_device_attributes(lvm_t) devices_ignore_get_generic_block_device_attributes(lvm_t) devices_ignore_get_generic_pipe_attributes(lvm_t) -terminal_ignore_get_all_private_physical_terminal_attributes(lvm_t) +term_dontaudit_getattr_all_user_ttys(lvm_t) -fs_get_persistent_fs_attributes(lvm_t) +fs_getattr_xattr_fs(lvm_t) # LVM creates block devices in /dev/mapper or /dev/ # depending on its version @@ -141,14 +142,14 @@ ifdef(`distro_redhat',` ') ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(lvm_t) + term_dontaudit_use_unallocated_tty(lvm_t) terminal_ignore_use_general_pseudoterminal(lvm_t) files_ignore_read_rootfs_file(lvm_t) ') optional_policy(`bootloader.te',` - bootloader_modify_temporary_data(lvm_t) + bootloader_rw_tmp_file(lvm_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 58061125..95272687 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -16,7 +16,7 @@ files_make_file(modules_dep_t) type insmod_t; type insmod_exec_t; -kernel_make_userland_entrypoint(insmod_t,insmod_exec_t) +kernel_userland_entry(insmod_t,insmod_exec_t) init_make_system_domain(insmod_t,insmod_exec_t) role system_r types insmod_t; @@ -51,11 +51,11 @@ can_exec(insmod_t, insmod_exec_t) kernel_load_module(insmod_t) kernel_read_system_state(insmod_t) -kernel_search_hardware_state_dir(insmod_t) -kernel_search_usb_hardware_state_dir(insmod_t) +kernel_search_sysfs(insmod_t) +kernel_search_usbfs(insmod_t) # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctl(insmod_t) -kernel_modify_kernel_sysctl(insmod_t) +kernel_rw_kernel_sysctl(insmod_t) kernel_read_hotplug_sysctl(insmod_t) bootloader_read_kernel_modules(insmod_t) @@ -66,7 +66,7 @@ devices_write_mtrr(insmod_t) devices_get_pseudorandom_data(insmod_t) devices_direct_agp_access(insmod_t) -fs_get_persistent_fs_attributes(insmod_t) +fs_getattr_xattr_fs(insmod_t) corecommands_execute_general_programs(insmod_t) corecommands_execute_system_programs(insmod_t) @@ -131,9 +131,9 @@ bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t) kernel_read_system_state(depmod_t) -fs_get_persistent_fs_attributes(depmod_t) +fs_getattr_xattr_fs(depmod_t) -terminal_use_console(depmod_t) +term_use_console(depmod_t) bootloader_read_kernel_symbol_table(depmod_t) bootloader_read_kernel_modules(depmod_t) @@ -191,9 +191,9 @@ kernel_read_system_state(update_modules_t) devices_get_pseudorandom_data(update_modules_t) -fs_get_persistent_fs_attributes(update_modules_t) +fs_getattr_xattr_fs(update_modules_t) -terminal_use_console(update_modules_t) +term_use_console(update_modules_t) init_use_file_descriptors(depmod_t) init_script_use_file_descriptors(depmod_t) diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index e9d961ad..3b4617da 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -16,12 +16,13 @@ allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown allow mount_t mount_tmp_t:file create_file_perms; allow mount_t mount_tmp_t:dir create_dir_perms; +files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir }) kernel_read_system_state(mount_t) -kernel_ignore_use_file_descriptors(mount_t) +kernel_dontaudit_use_fd(mount_t) -corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t) -corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t) +corenet_dontaudit_udp_bind_all_reserved_ports(mount_t) devices_get_all_block_device_attributes(mount_t) devices_list_device_nodes(mount_t) @@ -31,13 +32,13 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) -fs_get_persistent_fs_attributes(mount_t) +fs_getattr_xattr_fs(mount_t) fs_mount_all_fs(mount_t) fs_unmount_all_fs(mount_t) fs_remount_all_fs(mount_t) -fs_relabelfrom_persistent_fs(mount_t) +fs_relabelfrom_xattr_fs(mount_t) -terminal_use_console(mount_t) +term_use_console(mount_t) # required for mount.smbfs corecommands_execute_system_programs(mount_t) @@ -46,7 +47,6 @@ corecommands_execute_general_programs(mount_t) domain_use_widely_inheritable_file_descriptors(mount_t) files_search_all_directories(mount_t) -files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir }) files_read_general_system_config(mount_t) files_manage_runtime_system_config(mount_t) files_mount_on_all_mountpoints(mount_t) @@ -85,20 +85,20 @@ optional_policy(`portmap.te', ` #allow portmap_t mount_t:udp_socket { sendto recvfrom }; #allow mount_t portmap_t:udp_socket { sendto recvfrom }; #allow mount_t rpc_pipefs_t:dir search; - corenetwork_sendrecv_tcp_on_all_interfaces(mount_t) - corenetwork_sendrecv_raw_on_all_interfaces(mount_t) - corenetwork_sendrecv_udp_on_all_interfaces(mount_t) - corenetwork_sendrecv_tcp_on_all_nodes(mount_t) - corenetwork_sendrecv_raw_on_all_nodes(mount_t) - corenetwork_sendrecv_udp_on_all_nodes(mount_t) - corenetwork_sendrecv_tcp_on_all_ports(mount_t) - corenetwork_sendrecv_udp_on_all_ports(mount_t) - corenetwork_bind_tcp_on_all_nodes(mount_t) - corenetwork_bind_udp_on_all_nodes(mount_t) - corenetwork_bind_tcp_on_general_port(mount_t) - corenetwork_bind_udp_on_general_port(mount_t) - corenetwork_bind_tcp_on_reserved_port(mount_t) - corenetwork_bind_udp_on_reserved_port(mount_t) + corenet_tcp_sendrecv_all_if(mount_t) + corenet_raw_sendrecv_all_if(mount_t) + corenet_udp_sendrecv_all_if(mount_t) + corenet_tcp_sendrecv_all_nodes(mount_t) + corenet_raw_sendrecv_all_nodes(mount_t) + corenet_udp_sendrecv_all_nodes(mount_t) + corenet_tcp_sendrecv_all_ports(mount_t) + corenet_udp_sendrecv_all_ports(mount_t) + corenet_tcp_bind_all_nodes(mount_t) + corenet_udp_bind_all_nodes(mount_t) + corenet_tcp_bind_generic_port(mount_t) + corenet_udp_bind_generic_port(mount_t) + corenet_tcp_bind_reserved_port(mount_t) + corenet_udp_bind_reserved_port(mount_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index 5dc7688a..9a9ceb55 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te @@ -111,9 +111,9 @@ allow checkpolicy_t policy_src_t:file r_file_perms; allow checkpolicy_t policy_src_t:lnk_file r_file_perms; allow checkpolicy_t selinux_config_t:dir search; -fs_get_persistent_fs_attributes(checkpolicy_t) +fs_getattr_xattr_fs(checkpolicy_t) -terminal_use_console(checkpolicy_t) +term_use_console(checkpolicy_t) domain_use_widely_inheritable_file_descriptors(checkpolicy_t) @@ -150,13 +150,13 @@ allow load_policy_t selinux_config_t:file r_file_perms; allow load_policy_t selinux_config_t:lnk_file r_file_perms; kernel_get_selinuxfs_mount_point(load_policy_t) -kernel_load_selinux_policy(load_policy_t) -kernel_set_selinux_boolean(load_policy_t) +kernel_load_policy(load_policy_t) +kernel_set_boolean(load_policy_t) -fs_get_persistent_fs_attributes(load_policy_t) +fs_getattr_xattr_fs(load_policy_t) -terminal_use_console(load_policy_t) -terminal_list_pseudoterminals(load_policy_t) +term_use_console(load_policy_t) +term_list_ptys(load_policy_t) init_script_use_file_descriptors(load_policy_t) init_script_use_pseudoterminal(load_policy_t) @@ -197,18 +197,18 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms; kernel_read_system_state(newrole_t) kernel_read_kernel_sysctl(newrole_t) kernel_get_selinuxfs_mount_point(newrole_t) -kernel_validate_selinux_context(newrole_t) -kernel_compute_selinux_access_vector(newrole_t) -kernel_compute_selinux_create_context(newrole_t) -kernel_compute_selinux_relabel_context(newrole_t) -kernel_compute_selinux_reachable_user_contexts(newrole_t) +kernel_validate_context(newrole_t) +kernel_compute_access_vector(newrole_t) +kernel_compute_create_context(newrole_t) +kernel_compute_relabel_context(newrole_t) +kernel_compute_reachable_user_contexts(newrole_t) devices_get_pseudorandom_data(newrole_t) -fs_get_persistent_fs_attributes(newrole_t) +fs_getattr_xattr_fs(newrole_t) -terminal_use_all_private_physical_terminals(newrole_t) -terminal_use_all_private_pseudoterminals(newrole_t) +term_use_all_user_ttys(newrole_t) +term_use_all_user_ptys(newrole_t) authlogin_check_password_transition(newrole_t) @@ -278,18 +278,18 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; -kernel_use_file_descriptors(restorecon_t) +kernel_use_fd(restorecon_t) kernel_read_system_state(restorecon_t) kernel_get_selinuxfs_mount_point(restorecon_t) -kernel_validate_selinux_context(restorecon_t) -kernel_compute_selinux_access_vector(restorecon_t) -kernel_compute_selinux_create_context(restorecon_t) -kernel_compute_selinux_relabel_context(restorecon_t) -kernel_compute_selinux_reachable_user_contexts(restorecon_t) +kernel_validate_context(restorecon_t) +kernel_compute_access_vector(restorecon_t) +kernel_compute_create_context(restorecon_t) +kernel_compute_relabel_context(restorecon_t) +kernel_compute_reachable_user_contexts(restorecon_t) -fs_get_persistent_fs_attributes(restorecon_t) +fs_getattr_xattr_fs(restorecon_t) -terminal_use_general_physical_terminal(restorecon_t) +term_use_unallocated_tty(restorecon_t) init_use_file_descriptors(restorecon_t) init_script_use_pseudoterminal(restorecon_t) @@ -311,7 +311,7 @@ optional_policy(`hotplug.te',` ') # relabeling rules -kernel_relabel_unlabeled_object(restorecon_t) +kernel_relabel_unlabeled(restorecon_t) devices_manage_all_devices_labels(restorecon_t) files_relabel_all_files(restorecon_t) files_read_all_directories(restorecon_t) @@ -343,11 +343,11 @@ allow restorecon_t kernel_t:fifo_file { read write }; # kernel_get_selinuxfs_mount_point(run_init_t) -kernel_validate_selinux_context(run_init_t) -kernel_compute_selinux_access_vector(run_init_t) -kernel_compute_selinux_create_context(run_init_t) -kernel_compute_selinux_relabel_context(run_init_t) -kernel_compute_selinux_reachable_user_contexts(run_init_t) +kernel_validate_context(run_init_t) +kernel_compute_access_vector(run_init_t) +kernel_compute_create_context(run_init_t) +kernel_compute_relabel_context(run_init_t) +kernel_compute_reachable_user_contexts(run_init_t) ifdef(`targeted_policy',`',` allow run_init_t self:process setexec; @@ -360,11 +360,11 @@ ifdef(`targeted_policy',`',` # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; - fs_get_persistent_fs_attributes(run_init_t) + fs_getattr_xattr_fs(run_init_t) devices_ignore_list_device_nodes(run_init_t) - terminal_ignore_list_pseudoterminals(run_init_t) + term_dontaudit_list_ptys(run_init_t) authlogin_check_password_transition(run_init_t) authlogin_ignore_read_shadow_passwords(run_init_t) @@ -414,17 +414,17 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t kernel_read_system_state(setfiles_t) kernel_get_selinuxfs_mount_point(setfiles_t) -kernel_validate_selinux_context(setfiles_t) -kernel_compute_selinux_access_vector(setfiles_t) -kernel_compute_selinux_create_context(setfiles_t) -kernel_compute_selinux_relabel_context(setfiles_t) -kernel_compute_selinux_reachable_user_contexts(setfiles_t) +kernel_validate_context(setfiles_t) +kernel_compute_access_vector(setfiles_t) +kernel_compute_create_context(setfiles_t) +kernel_compute_relabel_context(setfiles_t) +kernel_compute_reachable_user_contexts(setfiles_t) -fs_get_persistent_fs_attributes(setfiles_t) +fs_getattr_xattr_fs(setfiles_t) -terminal_use_all_private_physical_terminals(setfiles_t) -terminal_use_all_private_pseudoterminals(setfiles_t) -terminal_use_general_physical_terminal(setfiles_t) +term_use_all_user_ttys(setfiles_t) +term_use_all_user_ptys(setfiles_t) +term_use_unallocated_tty(setfiles_t) init_use_file_descriptors(setfiles_t) init_script_use_file_descriptors(setfiles_t) @@ -447,7 +447,7 @@ userdomain_use_all_users_file_descriptors(setfiles_t) userdomain_read_all_users_data(setfiles_t) # relabeling rules -kernel_relabel_unlabeled_object(setfiles_t) +kernel_relabel_unlabeled(setfiles_t) devices_manage_all_devices_labels(setfiles_t) files_read_all_directories(setfiles_t) files_relabel_all_files(setfiles_t) diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 5dc7688a..9a9ceb55 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -111,9 +111,9 @@ allow checkpolicy_t policy_src_t:file r_file_perms; allow checkpolicy_t policy_src_t:lnk_file r_file_perms; allow checkpolicy_t selinux_config_t:dir search; -fs_get_persistent_fs_attributes(checkpolicy_t) +fs_getattr_xattr_fs(checkpolicy_t) -terminal_use_console(checkpolicy_t) +term_use_console(checkpolicy_t) domain_use_widely_inheritable_file_descriptors(checkpolicy_t) @@ -150,13 +150,13 @@ allow load_policy_t selinux_config_t:file r_file_perms; allow load_policy_t selinux_config_t:lnk_file r_file_perms; kernel_get_selinuxfs_mount_point(load_policy_t) -kernel_load_selinux_policy(load_policy_t) -kernel_set_selinux_boolean(load_policy_t) +kernel_load_policy(load_policy_t) +kernel_set_boolean(load_policy_t) -fs_get_persistent_fs_attributes(load_policy_t) +fs_getattr_xattr_fs(load_policy_t) -terminal_use_console(load_policy_t) -terminal_list_pseudoterminals(load_policy_t) +term_use_console(load_policy_t) +term_list_ptys(load_policy_t) init_script_use_file_descriptors(load_policy_t) init_script_use_pseudoterminal(load_policy_t) @@ -197,18 +197,18 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms; kernel_read_system_state(newrole_t) kernel_read_kernel_sysctl(newrole_t) kernel_get_selinuxfs_mount_point(newrole_t) -kernel_validate_selinux_context(newrole_t) -kernel_compute_selinux_access_vector(newrole_t) -kernel_compute_selinux_create_context(newrole_t) -kernel_compute_selinux_relabel_context(newrole_t) -kernel_compute_selinux_reachable_user_contexts(newrole_t) +kernel_validate_context(newrole_t) +kernel_compute_access_vector(newrole_t) +kernel_compute_create_context(newrole_t) +kernel_compute_relabel_context(newrole_t) +kernel_compute_reachable_user_contexts(newrole_t) devices_get_pseudorandom_data(newrole_t) -fs_get_persistent_fs_attributes(newrole_t) +fs_getattr_xattr_fs(newrole_t) -terminal_use_all_private_physical_terminals(newrole_t) -terminal_use_all_private_pseudoterminals(newrole_t) +term_use_all_user_ttys(newrole_t) +term_use_all_user_ptys(newrole_t) authlogin_check_password_transition(newrole_t) @@ -278,18 +278,18 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; -kernel_use_file_descriptors(restorecon_t) +kernel_use_fd(restorecon_t) kernel_read_system_state(restorecon_t) kernel_get_selinuxfs_mount_point(restorecon_t) -kernel_validate_selinux_context(restorecon_t) -kernel_compute_selinux_access_vector(restorecon_t) -kernel_compute_selinux_create_context(restorecon_t) -kernel_compute_selinux_relabel_context(restorecon_t) -kernel_compute_selinux_reachable_user_contexts(restorecon_t) +kernel_validate_context(restorecon_t) +kernel_compute_access_vector(restorecon_t) +kernel_compute_create_context(restorecon_t) +kernel_compute_relabel_context(restorecon_t) +kernel_compute_reachable_user_contexts(restorecon_t) -fs_get_persistent_fs_attributes(restorecon_t) +fs_getattr_xattr_fs(restorecon_t) -terminal_use_general_physical_terminal(restorecon_t) +term_use_unallocated_tty(restorecon_t) init_use_file_descriptors(restorecon_t) init_script_use_pseudoterminal(restorecon_t) @@ -311,7 +311,7 @@ optional_policy(`hotplug.te',` ') # relabeling rules -kernel_relabel_unlabeled_object(restorecon_t) +kernel_relabel_unlabeled(restorecon_t) devices_manage_all_devices_labels(restorecon_t) files_relabel_all_files(restorecon_t) files_read_all_directories(restorecon_t) @@ -343,11 +343,11 @@ allow restorecon_t kernel_t:fifo_file { read write }; # kernel_get_selinuxfs_mount_point(run_init_t) -kernel_validate_selinux_context(run_init_t) -kernel_compute_selinux_access_vector(run_init_t) -kernel_compute_selinux_create_context(run_init_t) -kernel_compute_selinux_relabel_context(run_init_t) -kernel_compute_selinux_reachable_user_contexts(run_init_t) +kernel_validate_context(run_init_t) +kernel_compute_access_vector(run_init_t) +kernel_compute_create_context(run_init_t) +kernel_compute_relabel_context(run_init_t) +kernel_compute_reachable_user_contexts(run_init_t) ifdef(`targeted_policy',`',` allow run_init_t self:process setexec; @@ -360,11 +360,11 @@ ifdef(`targeted_policy',`',` # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; - fs_get_persistent_fs_attributes(run_init_t) + fs_getattr_xattr_fs(run_init_t) devices_ignore_list_device_nodes(run_init_t) - terminal_ignore_list_pseudoterminals(run_init_t) + term_dontaudit_list_ptys(run_init_t) authlogin_check_password_transition(run_init_t) authlogin_ignore_read_shadow_passwords(run_init_t) @@ -414,17 +414,17 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t kernel_read_system_state(setfiles_t) kernel_get_selinuxfs_mount_point(setfiles_t) -kernel_validate_selinux_context(setfiles_t) -kernel_compute_selinux_access_vector(setfiles_t) -kernel_compute_selinux_create_context(setfiles_t) -kernel_compute_selinux_relabel_context(setfiles_t) -kernel_compute_selinux_reachable_user_contexts(setfiles_t) +kernel_validate_context(setfiles_t) +kernel_compute_access_vector(setfiles_t) +kernel_compute_create_context(setfiles_t) +kernel_compute_relabel_context(setfiles_t) +kernel_compute_reachable_user_contexts(setfiles_t) -fs_get_persistent_fs_attributes(setfiles_t) +fs_getattr_xattr_fs(setfiles_t) -terminal_use_all_private_physical_terminals(setfiles_t) -terminal_use_all_private_pseudoterminals(setfiles_t) -terminal_use_general_physical_terminal(setfiles_t) +term_use_all_user_ttys(setfiles_t) +term_use_all_user_ptys(setfiles_t) +term_use_unallocated_tty(setfiles_t) init_use_file_descriptors(setfiles_t) init_script_use_file_descriptors(setfiles_t) @@ -447,7 +447,7 @@ userdomain_use_all_users_file_descriptors(setfiles_t) userdomain_read_all_users_data(setfiles_t) # relabeling rules -kernel_relabel_unlabeled_object(setfiles_t) +kernel_relabel_unlabeled(setfiles_t) devices_manage_all_devices_labels(setfiles_t) files_read_all_directories(setfiles_t) files_relabel_all_files(setfiles_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index 32ed63b7..534e5f58 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -14,7 +14,7 @@ define(`sysnetwork_dhcpc_transition',` requires_block_template(`$0'_depend) - domain_auto_trans($1, dhcp_exec_t, dhcp_t) + domain_auto_trans($1, dhcpc_exec_t, dhcpc_t) allow $1 dhcpc_t:fd use; allow dhcpc_t $1:fd use; diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index f7a12810..32211a69 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -77,7 +77,7 @@ files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir }) can_exec(dhcpc_t, dhcpc_exec_t) # transition to ifconfig -domain_auto_trans(dhcp_t, ifconfig_exec_t, ifconfig_t) +domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t) allow dhcpc_t ifconfig_t:fd use; allow ifconfig_t dhcpc_t:fd use; allow ifconfig_t dhcpc_t:fifo_file rw_file_perms; @@ -87,29 +87,29 @@ kernel_read_system_state(dhcpc_t) kernel_read_network_state(dhcpc_t) kernel_read_kernel_sysctl(dhcpc_t) kernel_read_hardware_state(dhcpc_t) -kernel_use_file_descriptors(dhcpc_t) +kernel_use_fd(dhcpc_t) -corenetwork_sendrecv_tcp_on_all_interfaces(dhcpc_t) -corenetwork_sendrecv_raw_on_all_interfaces(dhcpc_t) -corenetwork_sendrecv_udp_on_all_interfaces(dhcpc_t) -corenetwork_sendrecv_tcp_on_all_nodes(dhcpc_t) -corenetwork_sendrecv_raw_on_all_nodes(dhcpc_t) -corenetwork_sendrecv_udp_on_all_nodes(dhcpc_t) -corenetwork_sendrecv_tcp_on_all_ports(dhcpc_t) -corenetwork_sendrecv_udp_on_all_ports(dhcpc_t) -corenetwork_bind_tcp_on_all_nodes(dhcpc_t) -corenetwork_bind_udp_on_all_nodes(dhcpc_t) -corenetwork_bind_udp_on_dhcpc_port(dhcpc_t) +corenet_tcp_sendrecv_all_if(dhcpc_t) +corenet_raw_sendrecv_all_if(dhcpc_t) +corenet_udp_sendrecv_all_if(dhcpc_t) +corenet_tcp_sendrecv_all_nodes(dhcpc_t) +corenet_raw_sendrecv_all_nodes(dhcpc_t) +corenet_udp_sendrecv_all_nodes(dhcpc_t) +corenet_tcp_sendrecv_all_ports(dhcpc_t) +corenet_udp_sendrecv_all_ports(dhcpc_t) +corenet_tcp_bind_all_nodes(dhcpc_t) +corenet_udp_bind_all_nodes(dhcpc_t) +corenet_udp_bind_dhcpc_port(dhcpc_t) # for SSP devices_get_pseudorandom_data(dhcpc_t) -fs_get_all_fs_attributes(dhcpc_t) +fs_getattr_all_fs(dhcpc_t) -terminal_ignore_use_console(dhcpc_t) -terminal_ignore_use_all_private_physical_terminals(dhcpc_t) -terminal_ignore_use_all_private_pseudoterminals(dhcpc_t) -terminal_ignore_use_general_physical_terminal(dhcpc_t) +term_dontaudit_use_console(dhcpc_t) +term_dontaudit_use_all_user_ttys(dhcpc_t) +term_dontaudit_use_all_user_ptys(dhcpc_t) +term_dontaudit_use_unallocated_tty(dhcpc_t) corecommands_execute_general_programs(dhcpc_t) corecommands_execute_system_programs(dhcpc_t) @@ -138,7 +138,7 @@ ifdef(`distro_redhat', ` ') ifdef(`targeted_policy', ` - terminal_ignore_use_general_physical_terminal(dhcpc_t) + term_dontaudit_use_unallocated_tty(dhcpc_t) terminal_ignore_use_general_pseudoterminal(dhcpc_t) files_ignore_read_rootfs_file(dhcpc_t) @@ -259,16 +259,16 @@ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:tcp_socket { create ioctl }; files_read_general_system_config(ifconfig_t); -kernel_use_file_descriptors(ifconfig_t) +kernel_use_fd(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -kernel_ignore_search_sysctl_dir(ifconfig_t) -kernel_ignore_search_network_sysctl_dir(ifconfig_t) +kernel_dontaudit_search_sysctl_dir(ifconfig_t) +kernel_dontaudit_search_network_sysctl_dir(ifconfig_t) -fs_get_persistent_fs_attributes(ifconfig_t) +fs_getattr_xattr_fs(ifconfig_t) -terminal_ignore_use_all_private_physical_terminals(ifconfig_t) -terminal_ignore_use_all_private_pseudoterminals(ifconfig_t) +term_dontaudit_use_all_user_ttys(ifconfig_t) +term_dontaudit_use_all_user_ptys(ifconfig_t) domain_use_widely_inheritable_file_descriptors(ifconfig_t) diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index da53514e..98e80fc2 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -9,7 +9,7 @@ policy_module(udev,1.0) type udev_t; # nscd_client_domain type udev_exec_t; type udev_helper_exec_t; -kernel_make_userland_entrypoint(udev_t,udev_exec_t) +kernel_userland_entry(udev_t,udev_exec_t) kernel_make_object_identity_change_constraint_exception(udev_t) domain_make_entrypoint_file(udev_t,udev_helper_exec_t) domain_make_file_descriptors_widely_inheritable(udev_t) @@ -60,27 +60,27 @@ allow udev_t udev_etc_t:file r_file_perms; allow udev_t udev_tbl_t:file create_file_perms; devices_create_dev_entry(udev_t,udev_tbl_t,file) -allow udev_t udev_var_run_t : dir rw_file_perms; -allow udev_t udev_var_run_t : file create_file_perms; +allow udev_t udev_var_run_t:dir rw_dir_perms; +allow udev_t udev_var_run_t:file create_file_perms; kernel_read_system_state(udev_t) -kernel_get_core_interface_attributes(udev_t) -kernel_use_file_descriptors(udev_t) +kernel_getattr_core(udev_t) +kernel_use_fd(udev_t) kernel_read_device_sysctl(udev_t) kernel_read_hotplug_sysctl(udev_t) kernel_read_modprobe_sysctl(udev_t) kernel_read_kernel_sysctl(udev_t) kernel_read_hardware_state(udev_t) kernel_get_selinuxfs_mount_point(udev_t) -kernel_validate_selinux_context(udev_t) -kernel_compute_selinux_access_vector(udev_t) -kernel_compute_selinux_create_context(udev_t) -kernel_compute_selinux_relabel_context(udev_t) -kernel_compute_selinux_reachable_user_contexts(udev_t) +kernel_validate_context(udev_t) +kernel_compute_access_vector(udev_t) +kernel_compute_create_context(udev_t) +kernel_compute_relabel_context(udev_t) +kernel_compute_reachable_user_contexts(udev_t) devices_manage_device_nodes(udev_t) -fs_get_all_fs_attributes(udev_t) +fs_getattr_all_fs(udev_t) corecommands_execute_general_programs(udev_t) corecommands_execute_system_programs(udev_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index c7e0fc1b..d97db4b7 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -19,7 +19,7 @@ define(`base_user_domain',` # user pseudoterminal type $1_devpts_t; - terminal_make_user_pseudoterminal($1_t,$1_devpts_t) + term_user_pty($1_t,$1_devpts_t) # type for contents of home directory type $1_home_t, $1_file_type, home_type; @@ -36,7 +36,7 @@ define(`base_user_domain',` files_make_tmpfs_file($1_tmpfs_t) type $1_tty_device_t; - terminal_make_physical_terminal($1_t,$1_tty_device_t) + term_tty($1_t,$1_tty_device_t) ############################## # @@ -50,7 +50,7 @@ define(`base_user_domain',` allow $1_t self:fd use; allow $1_t self:fifo_file rw_file_perms; allow $1_t self:unix_dgram_socket create_socket_perms; - allow $1_t self:unix_stream_socket rw_stream_socket_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; allow $1_t self:unix_dgram_socket sendto; allow $1_t self:unix_stream_socket connectto; allow $1_t self:shm create_shm_perms; @@ -88,7 +88,7 @@ define(`base_user_domain',` allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms; allow $1_t $1_tmpfs_t:sock_file create_file_perms; allow $1_t $1_tmpfs_t:fifo_file create_file_perms; - fs_create_private_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } ) + fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } ) allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms }; @@ -108,20 +108,20 @@ define(`base_user_domain',` # Find CDROM devices: kernel_read_device_sysctl($1_t) # GNOME checks for usb and other devices: - kernel_modify_usb_hardware_config_option($1_t) + kernel_rw_usb_hardware_config_option($1_t) - corenetwork_sendrecv_tcp_on_all_interfaces($1_t) - corenetwork_sendrecv_raw_on_all_interfaces($1_t) - corenetwork_sendrecv_udp_on_all_interfaces($1_t) - corenetwork_sendrecv_tcp_on_all_nodes($1_t) - corenetwork_sendrecv_raw_on_all_nodes($1_t) - corenetwork_sendrecv_udp_on_all_nodes($1_t) - corenetwork_sendrecv_tcp_on_all_ports($1_t) - corenetwork_sendrecv_udp_on_all_ports($1_t) - corenetwork_bind_tcp_on_all_nodes($1_t) - corenetwork_bind_udp_on_all_nodes($1_t) + corenet_tcp_sendrecv_all_if($1_t) + corenet_raw_sendrecv_all_if($1_t) + corenet_udp_sendrecv_all_if($1_t) + corenet_tcp_sendrecv_all_nodes($1_t) + corenet_raw_sendrecv_all_nodes($1_t) + corenet_udp_sendrecv_all_nodes($1_t) + corenet_tcp_sendrecv_all_ports($1_t) + corenet_udp_sendrecv_all_ports($1_t) + corenet_tcp_bind_all_nodes($1_t) + corenet_udp_bind_all_nodes($1_t) # allow port_t name binding for UDP because it is not very usable otherwise - corenetwork_bind_udp_on_general_port($1_t) + corenet_udp_bind_generic_port($1_t) devices_get_input_event($1_t) devices_read_misc($1_t) @@ -137,10 +137,10 @@ define(`base_user_domain',` devices_ignore_use_direct_rendering_interface($1_t) fs_get_all_fs_quotas($1_t) - fs_get_all_fs_attributes($1_t) + fs_getattr_all_fs($1_t) # for eject - storage_get_fixed_disk_attributes($1_t) + storage_getattr_fixed_disk($1_t) authlogin_read_login_records($1_t) authlogin_ignore_write_login_records($1_t) @@ -180,21 +180,21 @@ define(`base_user_domain',` } if (use_nfs_home_dirs) { - fs_manage_nfs_directories($1_t) + fs_manage_nfs_dirs($1_t) fs_manage_nfs_files($1_t) - fs_manage_nfs_symbolic_links($1_t) + fs_manage_nfs_symlinks($1_t) fs_manage_nfs_named_sockets($1_t) fs_manage_nfs_named_pipes($1_t) fs_execute_nfs_files($1_t) } if (use_samba_home_dirs) { - fs_manage_windows_network_directories($1_t) - fs_manage_windows_network_files($1_t) - fs_manage_windows_network_symbolic_links($1_t) - fs_manage_windows_network_named_sockets($1_t) - fs_manage_windows_network_named_pipes($1_t) - fs_execute_windows_network_files($1_t) + fs_manage_cifs_dirs($1_t) + fs_manage_cifs_files($1_t) + fs_manage_cifs_symlinks($1_t) + fs_manage_cifs_named_sockets($1_t) + fs_manage_cifs_named_pipes($1_t) + fs_execute_cifs_files($1_t) } if (user_direct_mouse) { @@ -202,7 +202,7 @@ define(`base_user_domain',` } if (user_ttyfile_stat) { - terminal_get_all_private_physical_terminal_attributes($1_t) + term_getattr_all_user_ttys($1_t) } optional_policy(`usermanage.te',` @@ -427,7 +427,7 @@ define(`user_domain_template', ` # allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; - terminal_create_private_pseudoterminal($1_t,$1_devpts_t) + term_create_pty($1_t,$1_devpts_t) # Rules used to associate a homedir as a mountpoint allow $1_home_t self:filesystem associate; @@ -457,7 +457,7 @@ define(`user_domain_template', ` bootloader_read_kernel_symbol_table($1_t) # port access is audited even if dac would not have allowed it, so dontaudit it here - corenetwork_ignore_bind_tcp_on_all_reserved_ports($1_t) + corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) files_read_general_system_config($1_t) files_list_home_directories($1_t) @@ -481,14 +481,14 @@ define(`user_domain_template', ` if (user_dmesg) { kernel_read_ring_buffer($1_t) } else { - kernel_ignore_read_ring_buffer($1_t) + kernel_dontaudit_read_ring_buffer($1_t) } # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols if (user_tcp_server) { - corenetwork_bind_tcp_on_general_port($1_t) + corenet_tcp_bind_generic_port($1_t) } # for running depmod as part of the kernel packaging process @@ -643,7 +643,7 @@ define(`admin_domain_template',` allow $1_t self:tcp_socket { acceptfrom connectto recvfrom }; allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; - terminal_create_private_pseudoterminal($1_t,$1_devpts_t) + term_create_pty($1_t,$1_devpts_t) allow $1_t $1_tmp_t:dir create_dir_perms; allow $1_t $1_tmp_t:file create_file_perms; @@ -655,47 +655,47 @@ define(`admin_domain_template',` kernel_read_system_state($1_t) kernel_read_network_state($1_t) kernel_read_software_raid_state($1_t) - kernel_get_core_interface_attributes($1_t) - kernel_get_message_interface_attributes($1_t) + kernel_getattr_core($1_t) + kernel_getattr_message_if($1_t) kernel_change_ring_buffer_level($1_t) kernel_clear_ring_buffer($1_t) kernel_read_ring_buffer($1_t) kernel_get_sysvipc_info($1_t) - kernel_modify_all_sysctl($1_t) - kernel_set_selinux_enforcement_mode($1_t) - kernel_set_selinux_boolean($1_t) - kernel_set_selinux_security_parameters($1_t) + kernel_rw_all_sysctl($1_t) + kernel_set_enforcement_mode($1_t) + kernel_set_boolean($1_t) + kernel_set_security_parameters($1_t) # Get security policy decisions: kernel_get_selinuxfs_mount_point($1_t) - kernel_validate_selinux_context($1_t) - kernel_compute_selinux_access_vector($1_t) - kernel_compute_selinux_create_context($1_t) - kernel_compute_selinux_relabel_context($1_t) - kernel_compute_selinux_reachable_user_contexts($1_t) + kernel_validate_context($1_t) + kernel_compute_access_vector($1_t) + kernel_compute_create_context($1_t) + kernel_compute_relabel_context($1_t) + kernel_compute_reachable_user_contexts($1_t) # signal unlabeled processes: - kernel_kill_unlabeled_process($1_t) - kernel_signal_unlabeled_process($1_t) - kernel_sigstop_unlabeled_process($1_t) - kernel_signull_unlabeled_process($1_t) - kernel_sigchld_unlabeled_process($1_t) + kernel_kill_unlabeled($1_t) + kernel_signal_unlabeled($1_t) + kernel_sigstop_unlabeled($1_t) + kernel_signull_unlabeled($1_t) + kernel_sigchld_unlabeled($1_t) - corenetwork_bind_tcp_on_general_port($1_t) + corenet_tcp_bind_generic_port($1_t) devices_get_generic_block_device_attributes($1_t) devices_get_generic_character_device_attributes($1_t) devices_get_all_block_device_attributes($1_t) devices_get_all_character_device_attributes($1_t) - fs_get_all_fs_attributes($1_t) - fs_set_all_fs_quotas($1_t) + fs_getattr_all_fs($1_t) + fs_set_all_quotas($1_t) storage_raw_read_removable_device($1_t) storage_raw_write_removable_device($1_t) - terminal_use_console($1_t) - terminal_use_general_physical_terminal($1_t) - terminal_use_all_private_pseudoterminals($1_t) - terminal_use_all_private_physical_terminals($1_t) + term_use_console($1_t) + term_use_unallocated_tty($1_t) + term_use_all_user_ptys($1_t) + term_use_all_user_ttys($1_t) # Manage almost all files authlogin_manage_all_files_except_shadow($1_t) @@ -862,7 +862,7 @@ define(`userdomain_use_admin_terminals',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) - terminal_list_pseudoterminals($1) + term_list_ptys($1) allow $1 admin_terminal:chr_file { getattr read write ioctl }; ') @@ -932,7 +932,7 @@ define(`userdomain_read_all_users_data',` files_list_home_directories($1) allow $1 home_type:dir r_dir_perms; - allow $1 home_type:file r_file_perm; + allow $1 home_type:file r_file_perms; ') define(`userdomain_read_all_users_data_depend',` diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 877af674..a3b414f6 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -122,7 +122,7 @@ file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) allow sysadm_t userdomain:fd use; optional_policy(`bootloader.te',` - bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) + bootloader_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`clock.te',`