From 14c0edc7e9aa3c2f506c3dbe36abc1b5312a4973 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 2 Dec 2008 22:40:49 +0000
Subject: [PATCH] trunk: 2 patches from dan.
---
 policy/modules/kernel/corecommands.fc | 10 +-
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/files.fc | 1 +
 policy/modules/kernel/files.if | 134 ++++++++++++++++++++++++++
 policy/modules/kernel/files.te | 3 +-
 5 files changed, 144 insertions(+), 6 deletions(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 862ae61b..cc9f283f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -44,6 +44,8 @@ ifdef(`distro_redhat',`
 /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
 /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
 /etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0)
 /etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0)
 /etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -146,6 +148,8 @@ ifdef(`distro_gentoo',`
 /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -183,10 +187,8 @@ ifdef(`distro_gentoo',`
 /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
 /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index eacdfeb9..55ab6f25 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands, 1.10.0)
+policy_module(corecommands, 1.10.1)
 ########################################
 #
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 0b7acadd..61aa4321 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -29,6 +29,7 @@ ifdef(`distro_suse',`
 /boot -d gen_context(system_u:object_r:boot_t,s0)
 /boot/.* gen_context(system_u:object_r:boot_t,s0)
 /boot/\.journal <>
+/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
 /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /boot/lost\+found/.* <>
 /boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index acede285..97a406c1 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
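Review bot: The widened `/usr/local/Brother(/.*)?` and `/usr/local/Printer(/.*)?` patterns label everything under those trees bin_t, not only the cupswrapper and lpd executables the previous entries matched, so any PPD, configuration or data file the driver drops there becomes executable to every domain allowed to run bin_t and is no longer distinguishable from the vendor binaries. If the vendor packages really do scatter executables at unpredictable depths, that reason belongs in a comment above the two entries, e.g. `# third-party printer drivers place executables throughout these trees`. Otherwise a pattern limited to the executable subdirectories, such as `/usr/local/Brother(/.*)?/(cupswrapper|lpd)(/.*)?`, keeps the exposure close to what it was while still covering the vendor layouts the old entries missed.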
@@ -935,6 +935,32 @@ interface(`files_relabel_all_files',`
 seutil_relabelto_bin_policy($1)
 ')
+########################################
+##
+## rw all files on the filesystem, except
+## the listed exceptions.
+##
+##
+##
+## The type of the domain perfoming this action.
+##
+##
+##
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+##
+##
+##
+#
+interface(`files_rw_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ rw_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
 ########################################
 ##
 ## Manage all files on the filesystem, except
@@ -2742,6 +2768,24 @@ interface(`files_manage_mnt_files',`
 manage_files_pattern($1, mnt_t, mnt_t)
 ')
+########################################
+##
+## read files in /mnt.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_mnt_files',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ read_files_pattern($1, mnt_t, mnt_t)
+')
+
 ########################################
 ##
 ## Create, read, write, and delete symbolic links in /mnt.
@@ -3161,6 +3205,24 @@ interface(`files_dontaudit_list_tmp',`
 dontaudit $1 tmp_t:dir list_dir_perms;
 ')
+########################################
+##
+## Remove entries from the tmp directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_tmp_dir_entry',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir del_entry_dir_perms;
+')
+
 ########################################
 ##
 ## Read files in the tmp directory (/tmp).
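Review bot: `files_rw_all_files` grants `$1` read and write on every type carrying the `file_type` attribute, and its exclusion mechanism only works if every entry in `$2` is written negated; an un-negated type is simply unioned back into `{ file_type $2 }` and the call silently grants more than the caller intended, with nothing in the interface able to catch it. The parameter description should make this explicit with an example, e.g. `## Pass each exception negated, for example -shadow_t; an un-negated type is silently absorbed into file_type.`, and the summary should warn that this is about as broad as a file permission gets, so callers are expected to exclude the security-sensitive types (shadow, policy store, and the like, whatever they are named in this policy). While editing the description, `perfoming` should read `performing`. The interface is complete within the hunk.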
@@ -3469,6 +3531,42 @@ interface(`files_dontaudit_rw_usr_dirs',`
 dontaudit $1 usr_t:dir rw_dir_perms;
 ')
+########################################
+##
+## Delete generic directories in /usr in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:file delete_dir_perms;
+')
+
+########################################
+##
+## Delete generic files in /usr in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:file delete_file_perms;
+')
+
 ########################################
 ##
 ## Get the attributes of files in /usr.
@@ -3527,6 +3625,24 @@ interface(`files_exec_usr_files',`
 read_lnk_files_pattern($1, usr_t, usr_t)
 ')
+########################################
+##
+## dontaudit write of /usr files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_write_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ dontaudit $1 usr_t:file write;
+')
+
 ########################################
 ##
 ## Create, read, write, and delete files in the /usr directory.
@@ -4401,6 +4517,24 @@ interface(`files_list_pids',`
 list_dirs_pattern($1, var_t, var_run_t)
 ')
+########################################
+##
+## Read generic process ID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_generic_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ read_files_pattern($1, { var_t var_run_t }, var_run_t)
+')
+
 ########################################
 ##
 ## Create an object in the process ID directory, with a private
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index ead13e57..597b12a5 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files, 1.10.0)
+policy_module(files, 1.10.1)
 ########################################
 #
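Review bot: `files_delete_usr_dirs` applies `delete_dir_perms` to the `file` class (`allow $1 usr_t:file delete_dir_perms;`) although its summary says it deletes directories; `delete_dir_perms` is a directory permission set (in refpolicy it carries `rmdir`), which is not a valid permission on class file, so this line presumably fails policy compilation, and even if the checker let it through no caller could actually remove a usr_t directory with it. The line should read `allow $1 usr_t:dir delete_dir_perms;`, which also makes it parallel to `files_delete_usr_files` in the same hunk, where the class and permission set do agree (`usr_t:file delete_file_perms`).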
@@ -174,6 +174,7 @@ files_lock_file(var_lock_t)
 #
 type var_run_t;
 files_pid_file(var_run_t)
+files_mountpoint(var_run_t)
 #
 # var_spool_t is the type of /var/spool
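Review bot: `files_mountpoint(var_run_t)` is added with no comment explaining why the pid directory type now needs to be a mount point, and nothing in the hunk or in the existing var_run_t block records the reason (presumably some distributions mount a tmpfs on /var/run, but that is a guess). A one-line comment above the call would keep the next reader from removing it as unused, e.g. `# /var/run may be a separate (tmpfs) mount on some distributions`. If `files_mountpoint` works as elsewhere in this policy, the attribute also lets every domain allowed to mount on all mount points mount over the pid directory, so the comment should confirm that widening is intended.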