From 1f8a8bbbbd7eb0d86fa46aaf4a41f96c867997ec Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 21 Oct 2005 22:56:41 +0000 Subject: [PATCH] more sediff fixes --- refpolicy/policy/modules/kernel/kernel.te | 2 +- refpolicy/policy/modules/kernel/terminal.if | 4 ++-- refpolicy/policy/modules/services/dhcp.te | 2 +- refpolicy/policy/modules/services/inn.te | 2 +- refpolicy/policy/modules/system/files.if | 19 +++++++++++++++++++ refpolicy/policy/modules/system/init.if | 4 ++-- refpolicy/policy/modules/system/init.te | 1 + 7 files changed, 27 insertions(+), 7 deletions(-) diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 0d0f6c78..76417fba 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -29,7 +29,7 @@ type kernel_t, can_load_kernmodule; domain_base_type(kernel_t) mls_rangetrans_source(kernel_t) role system_r types kernel_t; -sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127) +sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127) # # DebugFS diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index b9f496de..aae3f7e4 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -17,6 +17,7 @@ interface(`term_pty',` type devpts_t; ') + files_type($1) allow $1 devpts_t:filesystem associate; typeattribute $1 ptynode; ') @@ -514,10 +515,9 @@ interface(`term_use_all_user_ptys',` interface(`term_dontaudit_use_all_user_ptys',` gen_require(` attribute ptynode; - class chr_file { read write }; ') - dontaudit $1 ptynode:chr_file { read write }; + dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; ') ######################################## diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te index 6673f768..0d1cec94 100644 --- a/refpolicy/policy/modules/services/dhcp.te +++ b/refpolicy/policy/modules/services/dhcp.te @@ -24,7 +24,7 @@ files_pid_file(dhcpd_var_run_t) # Local policy # -dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; +dontaudit dhcpd_t self:capability { net_raw net_admin sys_tty_config }; allow dhcpd_t self:process signal_perms; allow dhcpd_t self:fifo_file { read write getattr }; allow dhcpd_t self:unix_dgram_socket create_socket_perms; diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te index 0ef9c9a5..36c4d1c9 100644 --- a/refpolicy/policy/modules/services/inn.te +++ b/refpolicy/policy/modules/services/inn.te @@ -30,7 +30,7 @@ files_type(news_spool_t) # allow innd_t self:capability { dac_override kill setgid setuid }; dontaudit innd_t self:capability sys_tty_config; -allow innd_t self:process setsched; +allow innd_t self:process { setsched signal_perms }; allow innd_t self:fifo_file rw_file_perms; allow innd_t self:tcp_socket create_stream_socket_perms; allow innd_t self:udp_socket create_socket_perms; diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 5098412a..90d5c0d4 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -325,6 +325,25 @@ interface(`files_getattr_all_files',` allow $1 file_type:file getattr; ') +######################################## +## +## Get the attributes of all sockets +## with the type of a file. +## +## +## Domain allowed access. +## +# +# cjp: added for initrc_t/distro_redhat. I +# do not think it has any effect. +interface(`files_getattr_all_file_type_sockets',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:socket_class_set getattr; +') + ######################################## ## ## Do not audit attempts to get the attributes diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 9c27daef..f9e57233 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -92,10 +92,10 @@ interface(`init_daemon_domain',` if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) { domain_auto_trans(initrc_t,$2,$1) allow initrc_t $1:fd use; - allow initrc_t $1:process { noatsecure siginh rlimitinh }; allow $1 initrc_t:fd use; allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:process sigchld; + dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; } else { can_exec(initrc_t,$2) can_exec(direct_run_init,$2) @@ -103,10 +103,10 @@ interface(`init_daemon_domain',` ',` domain_auto_trans(initrc_t,$2,$1) allow initrc_t $1:fd use; - allow initrc_t $1:process { noatsecure siginh rlimitinh }; allow $1 initrc_t:fd use; allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:process sigchld; + dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; ') optional_policy(`nscd.te',` diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index a4351784..92351e30 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -418,6 +418,7 @@ ifdef(`distro_redhat',` fs_use_tmpfs_chr_dev(initrc_t) files_create_boot_flag(initrc_t) + files_getattr_all_file_type_sockets(initrc_t) # readahead asks for these mta_read_aliases(initrc_t)