From 1a82786cc8ae6025bfdfdd3a8da5fd0f80236899 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 10 Sep 2010 10:10:34 -0400 Subject: [PATCH] Allow hugetlbfs_t to be on device_t file system Allow sudo domains to signal user domains Dontaudit xdm_t sending signals to all domains Fix allow_exec* boolean descriptions --- policy/global_tunables | 6 +++--- policy/modules/admin/sudo.if | 1 + policy/modules/kernel/domain.if | 19 +++++++++++++++++++ policy/modules/kernel/filesystem.te | 2 +- policy/modules/services/xserver.te | 1 + 5 files changed, 25 insertions(+), 4 deletions(-) diff --git a/policy/global_tunables b/policy/global_tunables index 56af2265..f85244d2 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false) ## ##

-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") +## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla ##

## gen_tunable(allow_execmem,false) ## ##

-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") +## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t ##

## gen_tunable(allow_execmod,false) ## ##

-## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") +## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ##

## gen_tunable(allow_execstack,false) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 464a11e5..29931302 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -140,6 +140,7 @@ template(`sudo_role_template',` userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) + userdom_signal_unpriv_users($1_sudo_t) # for some PAM modules and for cwd userdom_search_user_home_content($1_sudo_t) userdom_search_admin_dir($1_sudo_t) diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 09d4b31a..0d8458a3 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -472,6 +472,25 @@ interface(`domain_signal_all_domains',` allow $1 domain:process signal; ') +######################################## +## +## Dontaudit sending general signals to all domains. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`domain_dontaudit_signal_all_domains',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:process signal; +') + ######################################## ## ## Send a null signal to all domains. diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 31ebaa78..a09ab475 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -102,7 +102,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); -dev_associate_sysfs(hugetlbfs_t) +dev_associate(hugetlbfs_t) type ibmasmfs_t; fs_type(ibmasmfs_t) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 9b9e0138..5fbf38f1 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -576,6 +576,7 @@ domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. domain_dontaudit_read_all_domains_state(xdm_t) domain_dontaudit_ptrace_all_domains(xdm_t) +domain_dontaudit_signal_all_domains(xdm_t) files_read_etc_files(xdm_t) files_read_var_files(xdm_t)