From 2629c6595a62cc4513776fe6349bb778816a548c Mon Sep 17 00:00:00 2001 
From: Chris PeBenito Date: Fri, 25 Nov 2005 15:51:50 +0000 Subject: [PATCH] patch from dan to remove rhgb and gph:fd use --- refpolicy/policy/modules/admin/acct.te | 5 -- refpolicy/policy/modules/admin/dmesg.te | 5 -- refpolicy/policy/modules/admin/kudzu.te | 3 - refpolicy/policy/modules/admin/quota.te | 3 - refpolicy/policy/modules/admin/updfstab.te | 5 +- refpolicy/policy/modules/admin/usermanage.if | 26 +++++++ refpolicy/policy/modules/admin/usermanage.te | 69 ++++--------------- refpolicy/policy/modules/services/apache.te | 4 -- refpolicy/policy/modules/services/apm.te | 3 - refpolicy/policy/modules/services/arpwatch.te | 6 -- refpolicy/policy/modules/services/avahi.te | 5 -- refpolicy/policy/modules/services/bind.te | 3 - .../policy/modules/services/bluetooth.te | 6 -- refpolicy/policy/modules/services/canna.te | 4 -- .../policy/modules/services/cpucontrol.te | 12 ---- refpolicy/policy/modules/services/cron.te | 4 -- refpolicy/policy/modules/services/cups.te | 22 ------ refpolicy/policy/modules/services/cyrus.te | 6 -- refpolicy/policy/modules/services/dbus.te | 6 -- refpolicy/policy/modules/services/dhcp.te | 6 -- refpolicy/policy/modules/services/dictd.te | 6 -- refpolicy/policy/modules/services/distcc.te | 6 -- refpolicy/policy/modules/services/dovecot.te | 6 -- refpolicy/policy/modules/services/finger.te | 6 -- refpolicy/policy/modules/services/ftp.te | 6 -- refpolicy/policy/modules/services/gpm.te | 3 - refpolicy/policy/modules/services/hal.te | 4 -- refpolicy/policy/modules/services/howl.te | 6 -- refpolicy/policy/modules/services/inetd.te | 6 -- refpolicy/policy/modules/services/inn.te | 7 -- refpolicy/policy/modules/services/kerberos.te | 10 --- refpolicy/policy/modules/services/ldap.te | 6 -- refpolicy/policy/modules/services/lpd.te | 7 -- refpolicy/policy/modules/services/mysql.te | 3 - .../policy/modules/services/networkmanager.te | 6 -- refpolicy/policy/modules/services/nis.te | 10 --- refpolicy/policy/modules/services/nscd.te | 6 -- 
refpolicy/policy/modules/services/ntp.te | 3 - refpolicy/policy/modules/services/pegasus.te | 31 ++++----- refpolicy/policy/modules/services/portmap.te | 4 -- .../policy/modules/services/postgresql.te | 3 - refpolicy/policy/modules/services/ppp.te | 9 --- refpolicy/policy/modules/services/privoxy.te | 6 -- refpolicy/policy/modules/services/radius.te | 6 -- refpolicy/policy/modules/services/radvd.te | 6 -- refpolicy/policy/modules/services/rpc.if | 6 -- refpolicy/policy/modules/services/samba.te | 18 ----- refpolicy/policy/modules/services/sasl.te | 7 -- refpolicy/policy/modules/services/sendmail.te | 4 -- refpolicy/policy/modules/services/snmp.te | 4 -- .../policy/modules/services/spamassassin.te | 4 -- refpolicy/policy/modules/services/squid.te | 3 - refpolicy/policy/modules/services/ssh.te | 6 -- refpolicy/policy/modules/services/stunnel.te | 8 +-- refpolicy/policy/modules/services/tftp.te | 6 -- refpolicy/policy/modules/services/zebra.te | 6 -- refpolicy/policy/modules/system/authlogin.if | 30 +++++++- refpolicy/policy/modules/system/authlogin.te | 4 -- refpolicy/policy/modules/system/clock.te | 8 --- refpolicy/policy/modules/system/files.if | 19 +++++ refpolicy/policy/modules/system/hotplug.te | 9 --- refpolicy/policy/modules/system/ipsec.te | 6 -- refpolicy/policy/modules/system/iptables.te | 10 --- refpolicy/policy/modules/system/logging.te | 11 --- refpolicy/policy/modules/system/lvm.te | 12 ---- refpolicy/policy/modules/system/mount.te | 9 --- refpolicy/policy/modules/system/pcmcia.te | 6 -- refpolicy/policy/modules/system/raid.te | 3 - refpolicy/policy/modules/system/sysnetwork.te | 13 ---- refpolicy/policy/modules/system/userdomain.if | 34 +++++++++ refpolicy/policy/modules/system/userdomain.te | 3 +- 71 files changed, 138 insertions(+), 486 deletions(-) diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te index 3d8048c0..5ef15eb3 100644 --- a/refpolicy/policy/modules/admin/acct.te 
+++ b/refpolicy/policy/modules/admin/acct.te @@ -99,8 +99,3 @@ optional_policy(`udev',` udev_read_db(acct_t) ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(acct_t) -') -') diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te index 1d83fe3d..a46294b5 100644 --- a/refpolicy/policy/modules/admin/dmesg.te +++ b/refpolicy/policy/modules/admin/dmesg.te @@ -70,9 +70,4 @@ ifdef(`targeted_policy',` udev_read_db(dmesg_t) ') - ifdef(`TODO',` - optional_policy(`rhgb',` - rhgb_domain(dmesg_t) - ') - ') dnl endif TODO ') diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te index a7a6a82d..0091b4aa 100644 --- a/refpolicy/policy/modules/admin/kudzu.te +++ b/refpolicy/policy/modules/admin/kudzu.te @@ -152,9 +152,6 @@ optional_policy(`udev',` ifdef(`TODO',` allow kudzu_t modules_conf_t:file unlink; -optional_policy(`rhgb',` - rhgb_domain(kudzu_t) -') optional_policy(`lpd',` allow kudzu_t printconf_t:file { getattr read }; ') diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te index efced031..296d8c20 100644 --- a/refpolicy/policy/modules/admin/quota.te +++ b/refpolicy/policy/modules/admin/quota.te @@ -82,7 +82,4 @@ file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t allow quota_t file_t:file quotaon; allow quota_t proc_t:file getattr; -optional_policy(`rhgb',` - rhgb_domain(quota_t) -') ') dnl end TODO diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te index 17331c12..bf83e257 100644 --- a/refpolicy/policy/modules/admin/updfstab.te +++ b/refpolicy/policy/modules/admin/updfstab.te @@ -98,7 +98,7 @@ optional_policy(`dbus',` dbus_send_system_bus_msg(updfstab_t) ') -optional_policy(`hald',` +optional_policy(`hal',` hal_stream_connect(updfstab_t) ') 
@@ -121,9 +121,6 @@ optional_policy(`udev',` ') ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(updfstab_t) -') allow updfstab_t tmpfs_t:dir getattr; ') diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if index 14fb0c13..77d92bc5 100644 --- a/refpolicy/policy/modules/admin/usermanage.if +++ b/refpolicy/policy/modules/admin/usermanage.if @@ -180,6 +180,32 @@ interface(`usermanage_domtrans_admin_passwd',` allow sysadm_passwd_t $1:process sigchld; ') +######################################## +## +## Execute passwd admin functions in the admin +## passwd domain, and allow the specified role +## the admin passwd domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the admin passwd domain. +## +## +## The type of the terminal allow the admin passwd domain to use. +## +# +interface(`usermanage_run_admin_passwd',` + gen_require(` + type sysadm_passwd_t; + ') + + usermanage_domtrans_admin_passwd($1) + role $2 types sysadm_passwd_t; + allow sysadm_passwd_t $3:chr_file rw_term_perms; +') + ######################################## ## ## Execute useradd in the useradd domain. diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 84f7a86b..87514ddc 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage,1.0) +policy_module(usermanage,1.0.1) ######################################## # @@ -136,10 +136,6 @@ optional_policy(`nis',` nis_use_ypbind(chfn_t) ') -ifdef(`TODO',` -ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;') -') dnl endif TODO - ######################################## # # Crack local policy 
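Review bot: The new `usermanage_run_admin_passwd` interface hands a caller-chosen role the sysadm_passwd_t domain, which manages and relabels /etc/shadow, but its summary never says that the role parameter is expected to be an administrative role; since this interface is what stands in for the removed `role sysadm_r types sysadm_passwd_t;`, calling it with an ordinary user role silently extends shadow management to that role. Add a sentence to the summary such as `## The admin passwd domain manages /etc/shadow; grant it only to administrative roles.`. The third parameter description also reads awkwardly; `## The type of the terminal the admin passwd domain may use.` is clearer. The gen_require only lists sysadm_passwd_t while `usermanage_domtrans_admin_passwd` carries its own require, which is consistent with the rest of the file.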
@@ -224,6 +220,7 @@ init_dontaudit_write_script_pid(groupadd_t) domain_use_wide_inherit_fd(groupadd_t) files_manage_etc_files(groupadd_t) +files_relabel_etc_files(groupadd_t) libs_use_ld_so(groupadd_t) libs_use_shared_libs(groupadd_t) @@ -237,6 +234,7 @@ logging_send_syslog_msg(groupadd_t) miscfiles_read_localization(groupadd_t) auth_manage_shadow(groupadd_t) +auth_relabel_shadow(groupadd_t) auth_rw_lastlog(groupadd_t) auth_use_nsswitch(groupadd_t) @@ -259,14 +257,6 @@ optional_policy(`rpm',` rpm_rw_pipe(groupadd_t) ') -ifdef(`TODO',` -# Update /etc/shadow and /etc/passwd -allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto }; - -# Access terminals. -ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;') -') dnl end TODO - ######################################## # # Passwd local policy @@ -310,6 +300,7 @@ term_use_all_user_ttys(passwd_t) term_use_all_user_ptys(passwd_t) auth_manage_shadow(passwd_t) +auth_relabel_shadow(passwd_t) # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) @@ -320,6 +311,7 @@ files_read_etc_runtime_files(passwd_t) files_manage_etc_files(passwd_t) files_search_var(passwd_t) files_dontaudit_search_pids(passwd_t) +files_relabel_etc_files(passwd_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. @@ -335,6 +327,9 @@ miscfiles_read_localization(passwd_t) seutil_dontaudit_search_config(passwd_t) userdom_use_unpriv_users_fd(passwd_t) +# make sure that getcon succeeds +userdom_getattr_all_userdomains(passwd_t) +userdom_read_all_userdomains_state(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_all_users_home(passwd_t) 
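Review bot: The comment `# make sure that getcon succeeds` above the two new `userdom_*` calls for passwd_t does not describe what they grant: getcon() reads the caller's own /proc/self/attr entry, whereas `userdom_getattr_all_userdomains(passwd_t)` and `userdom_read_all_userdomains_state(passwd_t)` (defined in userdomain.if, outside this excerpt) appear to let passwd_t inspect the process state of every user domain, replacing the old TODO rules on `userdomain:dir search`, `userdomain:file read` and `userdomain:process getattr`. If the real denial is passwd reading the invoking user's process context, say so, e.g. `# read the calling user's process context (getpidcon on the parent)`; if it really is only getcon on itself, self permissions should suffice and the broader grant can go. Either way the comment should name the access that was actually denied so the grant can be narrowed later.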
@@ -343,19 +338,6 @@ optional_policy(`nis',` nis_use_ypbind(passwd_t) ') -ifdef(`TODO',` -# Update /etc/shadow and /etc/passwd -allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto }; - -# Inherit and use descriptors from login. -ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;') - -# make sure that getcon succeeds -allow passwd_t userdomain:dir search; -allow passwd_t userdomain:file read; -allow passwd_t userdomain:process getattr; -') dnl endif TODO - ######################################## # # Password admin local policy @@ -403,7 +385,10 @@ term_use_all_user_ttys(sysadm_passwd_t) term_use_all_user_ptys(sysadm_passwd_t) auth_manage_shadow(sysadm_passwd_t) +auth_relabel_shadow(sysadm_passwd_t) +# allow checking if a shell is executable +corecmd_check_exec_shell(sysadm_passwd_t) # allow vipw to exec the editor corecmd_search_sbin(sysadm_passwd_t) corecmd_exec_bin(sysadm_passwd_t) @@ -413,6 +398,7 @@ files_read_usr_files(sysadm_passwd_t) domain_use_wide_inherit_fd(sysadm_passwd_t) files_manage_etc_files(sysadm_passwd_t) +files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups files_dontaudit_search_pids(sysadm_passwd_t) @@ -439,24 +425,6 @@ optional_policy(`nis',` nis_use_ypbind(sysadm_passwd_t) ') -ifdef(`TODO',` -role sysadm_r types sysadm_passwd_t; -domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t) - -# Inherit and use descriptors from login. -ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;') - -# allow checking if a shell is executable -allow sysadm_passwd_t shell_exec_t:file execute; - -# Update /etc/shadow and /etc/passwd -allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto }; - -ifdef(`targeted_policy', ` -role system_r types sysadm_passwd_t; -') -') dnl endif TODO - ######################################## # # Useradd local policy 
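Review bot: The `@@ -439,24 +425,6 @@` hunk removes `role sysadm_r types sysadm_passwd_t;`, the `domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)` line and the targeted-policy `role system_r types sysadm_passwd_t;` without a replacement visible in this file, while the additions earlier in the same file (`auth_relabel_shadow(sysadm_passwd_t)`, `files_relabel_etc_files(sysadm_passwd_t)`, `corecmd_check_exec_shell(sysadm_passwd_t)`) only matter once something actually enters sysadm_passwd_t. The new `usermanage_run_admin_passwd` can supply the role and transition for sysadm_r if a caller in userdomain.if (touched by this patch but not shown here) invokes it, but nothing in the excerpt covers system_r under targeted_policy. Worth confirming that both cases are wired in, since the removed lines were inside ifdef(`TODO') and so this is the first time the admin passwd transition becomes live policy.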
@@ -494,6 +462,7 @@ term_use_all_user_ttys(useradd_t) term_use_all_user_ptys(useradd_t) auth_manage_shadow(useradd_t) +auth_relabel_shadow(useradd_t) auth_rw_lastlog(useradd_t) auth_use_nsswitch(useradd_t) @@ -506,6 +475,7 @@ domain_use_wide_inherit_fd(useradd_t) files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) +files_relabel_etc_files(useradd_t) init_use_fd(useradd_t) init_rw_script_pid(useradd_t) @@ -542,14 +512,3 @@ optional_policy(`rpm',` rpm_use_fd(useradd_t) rpm_rw_pipe(useradd_t) ') - -ifdef(`TODO',` -# Update /etc/shadow and /etc/passwd -allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto }; - -# Access terminals. -ifdef(`gnome-pty-helper.te', `allow useradd_t gphdomain:fd use;') - -# /var/mail is a link to /var/spool/mail -allow useradd_t mail_spool_t:lnk_file read; -') dnl end TODO diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index 7edc7a3c..d5584967 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -418,10 +418,6 @@ optional_policy(`udev', ` ') ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(httpd_t) -') - can_tcp_connect(web_client_domain, httpd_t) ') dnl end TODO diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te index cb041f4f..59e8d3f3 100644 --- a/refpolicy/policy/modules/services/apm.te +++ b/refpolicy/policy/modules/services/apm.te @@ -230,7 +230,4 @@ optional_policy(`cron',` r_dir_file(apmd_t, hwdata_t) -optional_policy(`rhgb',` - rhgb_domain(apmd_t) -') ') diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te index 49a3b385..74e4d5c7 100644 --- a/refpolicy/policy/modules/services/arpwatch.te +++ b/refpolicy/policy/modules/services/arpwatch.te 
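Review bot: The last hunk of usermanage.te (`@@ -542,14 +512,3 @@`) removes the whole useradd_t TODO block, and with it `allow useradd_t mail_spool_t:lnk_file read;` plus its comment that /var/mail is a symlink to /var/spool/mail, which, unlike the relabel rules now covered by `files_relabel_etc_files(useradd_t)` and `auth_relabel_shadow(useradd_t)`, gets no interface equivalent in the shown part of the patch. If useradd still has to follow that link when creating a user's spool file, the access should be reinstated through a mail interface rather than dropped silently; if it is no longer needed, a one-line note in the commit message would save the next reader from rediscovering it from AVC denials. The rule was inactive under ifdef(`TODO'), so compiled policy is unchanged; only the reminder is lost.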
@@ -114,9 +114,3 @@ optional_policy(`udev',` udev_read_db(arpwatch_t) ') -ifdef(`TODO',` -# TODO from daemon_domain -optional_policy(`rhgb',` - rhgb_domain(arpwatch_t) -') -') diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te index ca5e5346..c26bedee 100644 --- a/refpolicy/policy/modules/services/avahi.te +++ b/refpolicy/policy/modules/services/avahi.te @@ -108,8 +108,3 @@ optional_policy(`udev',` udev_read_db(avahi_t) ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(avahi_t) -') -') dnl end TODO diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te index e41fed14..f5e2d154 100644 --- a/refpolicy/policy/modules/services/bind.te +++ b/refpolicy/policy/modules/services/bind.te @@ -181,9 +181,6 @@ ifdef(`TODO',` can_udp_send(domain, named_t) can_udp_send(named_t, domain) can_tcp_connect(domain, named_t) -optional_policy(`rhgb',` - rhgb_domain(named_t) -') ') ######################################## diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index 3bed3e61..b17758d2 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -158,12 +158,6 @@ optional_policy(`udev',` udev_read_db(bluetooth_t) ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(bluetooth_t) -') -') dnl end TOOD - ######################################## # # Bluetooth helper local policy diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te index 105671cf..afbab294 100644 --- a/refpolicy/policy/modules/services/canna.te +++ b/refpolicy/policy/modules/services/canna.te @@ -107,10 +107,6 @@ optional_policy(`udev',` ') ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(canna_t) -') - optional_policy(`canna',` canna_stream_connect(i18n_input_t) ') 
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te index 2a067e0c..02aa8963 100644 --- a/refpolicy/policy/modules/services/cpucontrol.te +++ b/refpolicy/policy/modules/services/cpucontrol.te @@ -73,12 +73,6 @@ optional_policy(`udev',` udev_read_db(cpucontrol_t) ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(cpucontrol_t) -') -') dnl end TODO - ######################################## # # CPU frequency scaling daemons @@ -132,9 +126,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(cpuspeed_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(cpuspeed_t) -') -') dnl end TODO diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 250af7c0..7f106b97 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -200,10 +200,6 @@ ifdef(`TODO',` # NB The constraints file has some entries for crond_t, this makes it # different from all other domains... -optional_policy(`rhgb',` -rhgb_domain(crond_t) -') - # crond tries to search /root. Not sure why. allow crond_t sysadm_home_dir_t:dir r_dir_perms; diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index b84ecd60..b1a3cf3f 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -226,9 +226,6 @@ optional_policy(`udev',` ') ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(cupsd_t) -') allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom }; allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom }; allow cupsd_t kernel_t:tcp_socket recvfrom; 
@@ -377,13 +374,6 @@ optional_policy(`udev',` udev_read_db(ptal_t) ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(ptal_t) -') -') dnl end TODO - - allow userdomain ptal_t:unix_stream_socket connectto; allow userdomain ptal_var_run_t:sock_file write; allow userdomain ptal_var_run_t:dir search; @@ -491,12 +481,6 @@ optional_policy(`udev',` udev_read_db(hplip_t) ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(hplip_t) -') -') dnl end TODO - allow hplip_t devpts_t:dir search; allow hplip_t devpts_t:chr_file { getattr ioctl }; @@ -627,12 +611,6 @@ optional_policy(`udev',` udev_read_db(cupsd_config_t) ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(cupsd_config_t) -') -') dnl end TODO - allow cupsd_config_t devpts_t:dir search; allow cupsd_config_t devpts_t:chr_file { getattr ioctl }; diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te index 0a40f256..fa3c8975 100644 --- a/refpolicy/policy/modules/services/cyrus.te +++ b/refpolicy/policy/modules/services/cyrus.te @@ -140,9 +140,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(cyrus_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(cyrus_t) -') -') diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te index 71bbbd88..e54be526 100644 --- a/refpolicy/policy/modules/services/dbus.te +++ b/refpolicy/policy/modules/services/dbus.te @@ -139,9 +139,3 @@ optional_policy(`sysnetwork',` optional_policy(`udev',` udev_read_db(system_dbusd_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(system_dbusd_t) -') -') diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te index c13ddbf0..0ad9809c 100644 --- a/refpolicy/policy/modules/services/dhcp.te +++ b/refpolicy/policy/modules/services/dhcp.te 
@@ -138,9 +138,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(dhcpd_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(dhcpd_t) -') -') dnl end TODO diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te index 60b402b5..c13cf87e 100644 --- a/refpolicy/policy/modules/services/dictd.te +++ b/refpolicy/policy/modules/services/dictd.te @@ -101,9 +101,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(dictd_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(dictd_t) -') -') dnl end TODO diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te index 5728da1b..c84cd3ad 100644 --- a/refpolicy/policy/modules/services/distcc.te +++ b/refpolicy/policy/modules/services/distcc.te @@ -107,9 +107,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(distccd_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(distccd_t) -') -') dnl end TODO diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te index 2315bcac..6955ca3c 100644 --- a/refpolicy/policy/modules/services/dovecot.te +++ b/refpolicy/policy/modules/services/dovecot.te @@ -185,9 +185,3 @@ optional_policy(`nis',` optional_policy(`nscd',` nscd_use_socket(dovecot_auth_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(dovecot_t) -') -') diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te index a82e455b..6af68c3f 100644 --- a/refpolicy/policy/modules/services/finger.te +++ b/refpolicy/policy/modules/services/finger.te 
@@ -131,12 +131,6 @@ optional_policy(`udev',` udev_read_db(fingerd_t) ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(fingerd_t) -') -') - # stop it accessing sub-directories, prevents checking a Maildir for new mail, # have to change this when we create a type for Maildir dontaudit fingerd_t user_home_t:dir search; diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index 8b44ff06..1490fb1b 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te @@ -220,9 +220,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev', ` udev_read_db(ftpd_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(ftpd_t) -') -') diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te index 296f97f2..4ff3699f 100644 --- a/refpolicy/policy/modules/services/gpm.te +++ b/refpolicy/policy/modules/services/gpm.te @@ -95,7 +95,4 @@ ifdef(`TODO',` # Access the mouse. # cjp: why write? allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms; -optional_policy(`rhgb',` - rhgb_domain(gpm_t) -') ') diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 1a4d53ed..4234aced 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -183,10 +183,6 @@ optional_policy(`updfstab',` ') ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(hald_t) -') - allow hald_t device_t:dir create_dir_perms; optional_policy(`hald',` diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te index 1a858eaf..5673c90c 100644 --- a/refpolicy/policy/modules/services/howl.te +++ b/refpolicy/policy/modules/services/howl.te @@ -92,9 +92,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(howl_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(howl_t) -') -') 
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 00e089ec..37de5439 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -155,12 +155,6 @@ ifdef(`targeted_policy',` ') ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(inetd_t) -') -') dnl TODO - ######################################## # # inetd child local_policy diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te index ba6218ee..cc15668d 100644 --- a/refpolicy/policy/modules/services/inn.te +++ b/refpolicy/policy/modules/services/inn.te @@ -144,10 +144,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(innd_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(innd_t) -') -allow innd_t sysadm_t:unix_dgram_socket sendto; -') diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te index 33e41a76..852efe57 100644 --- a/refpolicy/policy/modules/services/kerberos.te +++ b/refpolicy/policy/modules/services/kerberos.te @@ -148,12 +148,6 @@ optional_policy(`udev',` udev_read_db(kadmind_t) ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(kadmind_t) -') -') dnl end TODO - ######################################## # # Krb5kdc local policy @@ -254,10 +248,6 @@ optional_policy(`udev',` ') ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(krb5kdc_t) -') - # Allow user programs to talk to KDC allow krb5kdc_t userdomain:udp_socket recvfrom; allow userdomain krb5kdc_t:udp_socket recvfrom; diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te index 0f535fff..973a7d3e 100644 --- a/refpolicy/policy/modules/services/ldap.te +++ b/refpolicy/policy/modules/services/ldap.te 
@@ -148,9 +148,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(slapd_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(slapd_t) -') -') dnl end TODO diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te index 9c1943b2..976f7541 100644 --- a/refpolicy/policy/modules/services/lpd.te +++ b/refpolicy/policy/modules/services/lpd.te @@ -233,10 +233,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(lpd_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(lpd_t) -') -') dnl end TODO - diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te index 39a289ab..6a23c8dd 100644 --- a/refpolicy/policy/modules/services/mysql.te +++ b/refpolicy/policy/modules/services/mysql.te @@ -141,9 +141,6 @@ optional_policy(`udev',` ') ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(mysqld_t) -') optional_policy(`daemontools',` domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t) mysqld_signal(svc_start_t) diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index b225a400..d70bbea6 100644 --- a/refpolicy/policy/modules/services/networkmanager.te +++ b/refpolicy/policy/modules/services/networkmanager.te @@ -143,12 +143,6 @@ optional_policy(`vpn',` vpn_domtrans(NetworkManager_t) ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(NetworkManager_t) -') -') dnl end TODO - ########################################################### # # Partially converted rules. THESE ARE ONLY TEMPORARY diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index 9228e0f7..282ab382 100644 --- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te 
@@ -130,12 +130,6 @@ optional_policy(`udev',` udev_read_db(ypbind_t) ') -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(ypbind_t) -') -') dnl end TODO - ######################################## # # ypserv local policy @@ -228,10 +222,6 @@ optional_policy(`udev', ` ') ifdef(`TODO',` -optional_policy(`rhgb', ` -rhgb_domain(ypserv_t) -') - # Read and write /var/yp. ifdef(`rpcd.te', ` allow rpcd_t ypserv_conf_t:file { getattr read }; diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te index 437c54c3..ff3eedfa 100644 --- a/refpolicy/policy/modules/services/nscd.te +++ b/refpolicy/policy/modules/services/nscd.te @@ -133,9 +133,3 @@ optional_policy(`samba',` optional_policy(`udev',` udev_read_db(nscd_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(nscd_t) -') -') dnl end TODO diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te index 71dfd7fe..2752ca55 100644 --- a/refpolicy/policy/modules/services/ntp.te +++ b/refpolicy/policy/modules/services/ntp.te @@ -161,9 +161,6 @@ optional_policy(`udev',` ') ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(ntpd_t) -') allow ntpd_t sysadm_t:udp_socket sendto; allow sysadm_t ntpd_t:udp_socket recvfrom; diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te index bd8a790d..d55ed993 100644 --- a/refpolicy/policy/modules/services/pegasus.te +++ b/refpolicy/policy/modules/services/pegasus.te @@ -1,5 +1,5 @@ -policy_module(pegasus,1.0.1) +policy_module(pegasus,1.0.2) ######################################## # @@ -13,6 +13,9 @@ init_daemon_domain(pegasus_t,pegasus_exec_t) type pegasus_data_t; files_type(pegasus_data_t) +type pegasus_tmp_t; +files_tmp_file(pegasus_tmp_t) + type pegasus_conf_t; files_type(pegasus_conf_t) 
@@ -29,30 +32,37 @@ files_pid_file(pegasus_var_run_t) allow pegasus_t self:capability { dac_override net_bind_service audit_write }; dontaudit pegasus_t self:capability sys_tty_config; +allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_file_perms; allow pegasus_t self:unix_dgram_socket create_socket_perms; allow pegasus_t self:unix_stream_socket create_stream_socket_perms; allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow pegasus_t self:tcp_socket create_stream_socket_perms; -allow pegasus_t pegasus_conf_t:dir r_dir_perms; +allow pegasus_t pegasus_conf_t:dir rw_dir_perms; allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink }; allow pegasus_t pegasus_conf_t:lnk_file r_file_perms; allow pegasus_t pegasus_data_t:dir rw_dir_perms; allow pegasus_t pegasus_data_t:file create_file_perms; allow pegasus_t pegasus_data_t:lnk_file create_lnk_perms; +type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t; allow pegasus_t pegasus_mof_t:dir r_dir_perms; allow pegasus_t pegasus_mof_t:file r_file_perms; allow pegasus_t pegasus_mof_t:lnk_file { getattr read }; +allow pegasus_t pegasus_tmp_t:dir create_dir_perms; +allow pegasus_t pegasus_tmp_t:file create_file_perms; +files_create_tmp_files(pegasus_t, pegasus_tmp_t, { file dir }) + allow pegasus_t pegasus_var_run_t:file create_file_perms; -allow pegasus_t pegasus_var_run_t:sock_file { create setattr }; +allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink }; allow pegasus_t pegasus_var_run_t:dir rw_dir_perms; files_create_pid(pegasus_t,pegasus_var_run_t) kernel_read_kernel_sysctl(pegasus_t) +kernel_read_fs_sysctl(pegasus_t) kernel_read_system_state(pegasus_t) kernel_search_vm_sysctl(pegasus_t) 
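Review bot: The new `type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;`, combined with the change from `r_dir_perms` to `rw_dir_perms` on pegasus_conf_t directories and the unchanged `{ r_file_perms link unlink }` on pegasus_conf_t files, lets the daemon delete a configuration file and create a replacement in the same directory under a type it fully controls (pegasus_data_t has create_file_perms), so a compromised pegasus_t could rewrite its own configuration rather than merely read it. If the daemon only needs to write its repository below the config tree, consider limiting the transition to that subdirectory with its own type, and in any case add a comment stating why the transition exists, e.g. `# pegasus creates repository files below the conf dir; keep them out of pegasus_conf_t`. The remaining additions in the hunk (tmp type, sock_file unlink, fs sysctl read) look proportionate to a daemon's needs.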
@@ -76,7 +86,7 @@ fs_search_auto_mountpoints(pegasus_t) term_dontaudit_use_console(pegasus_t) auth_use_nsswitch(pegasus_t) -auth_read_shadow(pegasus_t) +auth_domtrans_chk_passwd(pegasus_t) domain_use_wide_inherit_fd(pegasus_t) domain_read_all_domains_state(pegasus_t) @@ -122,16 +132,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(pegasus_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(pegasus_t) -') -') dnl end TODO - -# bad rules -type pegasus_conf_exec_t, entry_type; -files_type(pegasus_conf_exec_t) -allow pegasus_conf_exec_t pegasus_conf_t:dir rw_dir_perms; -allow pegasus_conf_exec_t pegasus_conf_t:file create_file_perms; -allow pegasus_conf_exec_t pegasus_conf_t:lnk_file create_lnk_perms; diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te index a10db69e..b3c0188f 100644 --- a/refpolicy/policy/modules/services/portmap.te +++ b/refpolicy/policy/modules/services/portmap.te @@ -133,10 +133,6 @@ optional_policy(`udev',` ') ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(portmap_t) -') - ifdef(`rpcd.te',`can_udp_send(portmap_t, rpcd_t)') allow portmap_t rpcd_t:udp_socket sendto; allow rpcd_t portmap_t:udp_socket recvfrom; diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te index b4e17cb2..fad6075c 100644 --- a/refpolicy/policy/modules/services/postgresql.te +++ b/refpolicy/policy/modules/services/postgresql.te @@ -185,9 +185,6 @@ optional_policy(`udev',` ') ifdef(`TODO',` -optional_policy(`rhgb',` - rhgb_domain(postgresql_t) -') ifdef(`targeted_policy', `', ` bool allow_user_postgresql_connect false; diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te index 01d68085..3f55df5f 100644 --- a/refpolicy/policy/modules/services/ppp.te +++ b/refpolicy/policy/modules/services/ppp.te 
@@ -316,15 +316,6 @@ optional_policy(`udev',`
 udev_read_db(pptp_t)
 ')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(pppd_t)
-')
-optional_policy(`rhgb',`
- rhgb_domain(pptp_t)
-')
-')
-
 ifdef(`postfix.te', `
 allow pppd_t postfix_etc_t:dir search;
 allow pppd_t postfix_etc_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index cad3ab7c..f112cb0f 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -95,9 +95,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 udev_read_db(privoxy_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(privoxy_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 0d808ded..cb797906 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -130,9 +130,3 @@ optional_policy(`snmp',`
 optional_policy(`udev',`
 udev_read_db(radiusd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(radiusd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index 05926427..b5b07b2e 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -94,9 +94,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 udev_read_db(radvd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(radvd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index 4d92875c..705944db 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -113,12 +113,6 @@ template(`rpc_domain_template', `
 optional_policy(`udev',`
 udev_read_db($1_t)
 ')
-
- ifdef(`TODO',`
- optional_policy(`rhgb',`
- rhgb_domain($1_t)
- ')
- ')
 ')
 ########################################
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 193a788a..f4536be7 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -308,12 +308,6 @@ optional_policy(`udev', `
 udev_read_db(smbd_t)
 ')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(smbd_t)
-')
-') dnl end TODO
-
 ifdef(`hide_broken_symptoms', `
 gen_require(`
 type boot_t, default_t, tmpfs_t;
@@ -428,12 +422,6 @@ optional_policy(`udev',`
 udev_read_db(nmbd_t)
 ')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(nmbd_t)
-')
-')
-
 ########################################
 #
 # smbmount Local policy
@@ -640,12 +628,6 @@ optional_policy(`udev',`
 udev_read_db(winbind_t)
 ')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(winbind_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # Winbind helper local policy
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index ed6dac64..514a0a2f 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -99,10 +99,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 udev_read_db(saslauthd_t)
 ')
-
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(saslauthd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 1b19f5b3..593d14fd 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -136,10 +136,6 @@ optional_policy(`udev',`
 ')
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(sendmail_t)
-')
-
 allow sendmail_t etc_mail_t:dir rw_dir_perms;
 allow sendmail_t etc_mail_t:file create_file_perms;
 # for the start script to run make -C /etc/mail
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 3635a35c..6b194b32 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -149,10 +149,6 @@ can_udp_send(snmpd_t, sysadm_t)
 optional_policy(`cupsd',`
 allow snmpd_t cupsd_rw_etc_t:file { getattr read };
 ')
-
-optional_policy(`rhgb',`
- rhgb_domain(snmpd_t)
-')
 ') dnl end TODO
 ifdef(`distro_redhat', `
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index d246dda2..6ea49194 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -146,10 +146,6 @@ optional_policy(`udev',`
 ')
 ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(spamd_t)
-')
-
 optional_policy(`amavis', `
 # for bayes tokens
 allow spamd_t var_lib_t:dir { getattr search };
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index f449403b..f4cc464f 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -177,9 +177,6 @@ optional_policy(`udev',`
 ')
 ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(squid_t)
-')
 ifdef(`apache.te',`
 can_tcp_connect(squid_t, httpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index c9d3bfab..d7b84d79 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -255,10 +255,4 @@ ifdef(`targeted_policy',`',`
 optional_policy(`udev',`
 udev_read_db(ssh_keygen_t)
 ')
-
- ifdef(`TODO',`
- optional_policy(`rhgb',`
- rhgb_domain(ssh_keygen_t)
- ')
- ')
 ')
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index d6c71682..f274d294 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -113,13 +113,7 @@ ifdef(`distro_gentoo', `
 optional_policy(`udev',`
 udev_read_db(stunnel_t)
 ')
-
- ifdef(`TODO',`
- optional_policy(`rhgb',`
- rhgb_domain(stunnel_t)
- ')
- ') dnl end TODO
-', `
+',`
 allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 dev_read_urand(stunnel_t)
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 77e87162..af3268fd 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -104,9 +104,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev', `
 udev_read_db(tftpd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(tftpd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 42a145ab..7a5b4bed 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -131,9 +131,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 udev_read_db(zebra_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(zebra_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 4fcad8db..ed33f9f2 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -368,14 +368,18 @@ interface(`auth_manage_shadow',`
 ')
 #######################################
-#
-# auth_relabelto_shadow(domain)
+##
+## Relabel to the shadow
+## password file type.
+##
+##
+## Domain allowed access.
+##
 #
 interface(`auth_relabelto_shadow',`
 gen_require(`
 attribute can_relabelto_shadow_passwords;
 type shadow_t;
- class file relabelto;
 ')
 files_search_etc($1)
@@ -383,6 +387,26 @@ interface(`auth_relabelto_shadow',`
 typeattribute $1 can_relabelto_shadow_passwords;
 ')
+#######################################
+##
+## Relabel from and to the shadow
+## password file type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`auth_relabel_shadow',`
+ gen_require(`
+ attribute can_relabelto_shadow_passwords;
+ type shadow_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 shadow_t:file { relabelfrom relabelto };
+ typeattribute $1 can_relabelto_shadow_passwords;
+')
+
 #######################################
 ##
 ## Append to the login failure log.
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 20996690..eea835ae 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -253,10 +253,6 @@ optional_policy(`udev',`
 ')
 ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(pam_console_t)
-')
-
 ifdef(`xdm.te', `
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 9c1a4bc2..f56f1619 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -87,11 +87,3 @@ optional_policy(`udev',`
 optional_policy(`userdomain',`
 userdom_dontaudit_use_unpriv_user_fd(hwclock_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(hwclock_t)
-')
-
-optional_policy(`gnome-pty-helper', `allow hwclock_t sysadm_gph_t:fd use;')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 9a9a8201..c43fa98c 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
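Review bot: `auth_relabel_shadow` grants `relabelfrom` on shadow_t, a stronger right than the `relabelto` given by the neighbouring `auth_relabelto_shadow`: a caller can move the password file out of the shadow_t type, and paired with a generic relabelto such as the `files_relabel_etc_files` added to files.if in this same commit it can place the file under a label that ordinary domains read. The interface summary should say so, e.g. `## Callers can move the shadow file out of shadow_t; grant only to domains trusted to manage shadow.`, so the interface is not picked up later as a harmless relabel helper. `typeattribute $1 can_relabelto_shadow_passwords` keeps whatever neverallow guards relabelto satisfied; whether relabelfrom on shadow_t is covered by a similar constraint is not visible here. authlogin.if gains an interface but no policy_module version bump for authlogin appears in this diff, unlike the userdomain.te bump further down.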
@@ -894,9 +894,11 @@ interface(`files_mounton_all_mountpoints',`
 gen_require(`
 attribute mountpoint;
 class dir { getattr search mounton };
+ class file { getattr mounton };
 ')
 allow $1 mountpoint:dir { getattr search mounton };
+ allow $1 mountpoint:file { getattr mounton };
 ')
 ########################################
@@ -1333,6 +1335,23 @@ interface(`files_exec_etc_files',`
 ')
+#######################################
+##
+## Relabel from and to generic files in /etc.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_relabel_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ allow $1 etc_t:file { relabelfrom relabelto };
+')
+
 ########################################
 #
 # files_create_boot_flag(domain)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index c0d61995..19287631 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -203,12 +203,3 @@ optional_policy(`udev',`
 optional_policy(`updfstab',`
 updfstab_domtrans(hotplug_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(hotplug_t)
-')
-
-dontaudit hotplug_t { init_t kernel_t }:file read;
-
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index 89b7b65d..cc6d402b 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -141,12 +141,6 @@ optional_policy(`udev',`
 udev_read_db(ipsec_t)
 ')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(ipsec_t)
-')
-')
-
 ########################################
 #
 # ipsec_mgmt Local policy
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 85e6ef59..c1ea3db3 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
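Review bot: The added `class file { getattr mounton };` and `allow $1 mountpoint:file { getattr mounton };` let callers mount on files carrying the mountpoint attribute, but the summary of files_mounton_all_mountpoints sits above this hunk and, going by the interface name, still describes directories only; it should be amended to mention files. In the second hunk, `files_relabel_etc_files` grants `list_dir_perms` on etc_t:dir alongside the relabel rules; relabeling a known path needs only search, so `allow $1 etc_t:dir search_dir_perms;` (the form the new userdomain.if interfaces in this commit use) would be the narrower choice unless callers really need to enumerate /etc. As with authlogin.if, files.if gains an interface without a visible policy_module version bump.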
@@ -102,13 +102,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 udev_read_db(iptables_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(iptables_t)
-')
-
-optional_policy(`gnome-pty-helper',`
- allow iptables_t sysadm_gph_t:fd use;
-')
-') dnl ifdef TODO
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index e30e46c7..309379c2 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -175,12 +175,6 @@ optional_policy(`udev',`
 udev_read_db(auditd_t)
 ')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(auditd_t)
-')
-') dnl endif TODO
-
 ########################################
 #
 # klogd local policy
@@ -380,12 +374,7 @@ optional_policy(`udev',`
 ')
 ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(syslogd_t)
-')
-
 allow syslogd_t tmpfs_t:dir search;
-dontaudit syslogd_t unlabeled_t:file { getattr read };
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
 # log to the xconsole
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 3fe62a3b..6fadbbcb 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -117,12 +117,6 @@ optional_policy(`udev',`
 udev_read_db(clvmd_t)
 ')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(clvmd_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # LVM Local policy
@@ -270,11 +264,5 @@ ifdef(`TODO',`
 allow lvm_t var_t:dir { search getattr };
 allow lvm_t ramfs_t:filesystem unmount;
-optional_policy(`gnome-pty-helper',`
- allow lvm_t sysadm_gph_t:fd use;
-')
-optional_policy(`rhgb',`
-rhgb_domain(lvm_t)
-')
 dontaudit lvm_t xconsole_device_t:fifo_file getattr;
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 391eaab0..82ae9be6 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -141,13 +141,4 @@ ifdef(`TODO',`
 # for when /etc/mtab loses its type
 allow mount_t file_t:file unlink;
-
-ifdef(`gnome-pty-helper.te', `
-allow mount_t sysadm_gph_t:fd use;
-')
-
-optional_policy(`rhgb',`
-rhgb_domain(mount_t)
-')
-
 ') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index a415bd8c..2a63867b 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -147,12 +147,6 @@ optional_policy(`udev',`
 udev_read_db(cardmgr_t)
 ')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(cardmgr_t)
-')
-') dnl end TODO
-
 # Create device files in /tmp.
 # cjp: why is this created all over the place?
 allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index 96a96d44..1611c40a 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -88,7 +88,4 @@ ifdef(`TODO',`
 dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
 allow mdadm_t var_t:dir getattr;
-optional_policy(`rhgb',`
- rhgb_domain(mdadm_t)
-')
 ') dnl TODO
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 59e2632f..8347a597 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -244,12 +244,6 @@ optional_policy(`userdomain',`
 userdom_use_all_user_fd(dhcpc_t)
 ')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(dhcpc_t)
-')
-') dnl endif TODO
-
 ########################################
 #
 # Ifconfig local policy
@@ -343,10 +337,3 @@ optional_policy(`nis',`
 optional_policy(`ppp',`
 ppp_use_fd(ifconfig_t)
 ')
-
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-optional_policy(`rhgb',`
-rhgb_domain(ifconfig_t)
-')
-') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 7b553393..b6530703 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2476,6 +2476,40 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
 ')
 ')
+########################################
+##
+## Read the process state of all user domains.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_read_all_userdomains_state',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:dir search_dir_perms;
+ allow $1 userdomain:file r_file_perms;
+ kernel_search_proc($1)
+')
+
+########################################
+##
+## Get the attributes of all user domains.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_getattr_all_userdomains',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process getattr;
+')
+
 ########################################
 ##
 ## Inherit the file descriptors from all user domains
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index d7927f39..c7950a83 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.0.1)
+policy_module(userdomain,1.0.2)
 ########################################
 #
@@ -295,6 +295,7 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`usermanage',`
+ usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
 usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
 usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
 ')
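Review bot: `userdom_read_all_userdomains_state` grants `r_file_perms` on the /proc entries of every user process (`allow $1 userdomain:file r_file_perms;` plus `kernel_search_proc($1)`), which exposes per-process data such as cmdline and status across all users; the summary `## Read the process state of all user domains.` should say that this is cross-user information intended for trusted administrative domains, e.g. `## Read the /proc state (cmdline, status, ...) of every user process; grant only to trusted administrative domains.` Whether entries such as environ or maps are additionally gated by a ptrace check is kernel-dependent and cannot be judged from the policy alone. The companion `userdom_getattr_all_userdomains` is fine as written; the `usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)` line in userdomain.te relies on an interface defined in usermanage.if, which the diffstat lists but this chunk does not show.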