diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 7c184022..0e7427fd 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -128,7 +128,7 @@ corenet_tcp_sendrecv_all_ports(amanda_t)
 corenet_udp_sendrecv_all_ports(amanda_t)
 
 dev_getattr_all_blk_files(amanda_t)
-dev_getattr_all_blk_files(amanda_t)
+dev_getattr_all_chr_files(amanda_t)
 
 fs_getattr_xattr_fs(amanda_t)
 fs_list_all(amanda_t)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 38c90f91..126957c0 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1043,6 +1043,6 @@ interface(`corenet_unconfined',`
 	# Bind to any network address.
 	# cjp: rawip_socket doesnt make any sense
-	allow $1 port_type:{ tcp_socket udp_socket } name_bind;
+	allow $1 port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
 	allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 ')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 60fe250b..c988ce0c 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -544,7 +544,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
 		attribute device_node;
 	')
 
-	allow $1 device_node:blk_file getattr;
+	dontaudit $1 device_node:blk_file getattr;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 76417fba..39b9e4e3 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
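Review bot: The added `rawip_socket` in the `name_bind` rule now contradicts the comment directly above it, which still says rawip_socket makes no sense here. Raw IP sockets are not port-scoped the way TCP/UDP sockets are, so granting `port_type:rawip_socket name_bind` either does nothing or grants something the comment says is meaningless; either way the rule and its comment cannot both be right. Either drop `rawip_socket` from this line again or replace the comment with the actual reason, e.g. `# rawip_socket listed for symmetry with node_bind below; see <reason> before relying on it`. The rest of corenet_unconfined is outside the hunk.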
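Review bot: The fix is right: a `dev_dontaudit_*` interface was granting access with `allow` instead of suppressing the denial with `dontaudit`, so every caller silently received getattr on all block device nodes. Since this body was evidently produced by copying its `allow` counterpart, the neighbouring dontaudit interfaces in devices.if are worth checking for the same copy-paste; they are outside this hunk. A one-line comment on the fixed rule would make the contract explicit for the next copy, e.g. `# dontaudit only: this interface must never grant getattr`.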
@@ -217,11 +217,9 @@ files_read_usr_files(kernel_t)
 mls_process_read_up(kernel_t)
 mls_process_write_down(kernel_t)
 
-ifdef(`TODO',`
-ifdef(`targeted_policy', `
-unconfined_domain(kernel_t)
+ifdef(`targeted_policy',`
+	unconfined_domain_template(kernel_t)
 ')
-') dnl end TODO
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index cfdc3534..58e53b80 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -48,7 +48,9 @@ corenet_tcp_sendrecv_all_nodes(comsat_t)
 corenet_udp_sendrecv_all_nodes(comsat_t)
 corenet_raw_sendrecv_all_nodes(comsat_t)
 corenet_tcp_sendrecv_all_ports(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
 corenet_tcp_bind_all_nodes(comsat_t)
+corenet_udp_bind_all_nodes(comsat_t)
 
 dev_read_urand(comsat_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 10d17a8b..37feaf29 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -35,7 +35,11 @@ files_type(crontab_exec_t)
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
 
-type system_crond_t;
+ifdef(`targeted_policy',`
+	typealias crond_t alias system_crond_t;
+',`
+	type system_crond_t;
+')
 init_daemon_domain(system_crond_t,anacron_exec_t)
 corecmd_shell_entry_type(system_crond_t)
 role system_r types system_crond_t;
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index f7245dd6..f8169bd1 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
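Review bot: `corenet_udp_bind_all_nodes(comsat_t)` is added, but no UDP port bind appears in this hunk, so unless a `corenet_udp_bind_*_port` rule exists elsewhere in comsat.te the daemon can choose a node yet still cannot bind its listening port. The pair `corenet_udp_sendrecv_all_ports` plus bind-all-nodes mirrors the breadth the TCP side already had; a comment naming the single port the daemon actually serves would let a later pass narrow both, e.g. `# comsat only needs its own UDP port; all_ports is broader than required`. The inetd.te hunk below adds the same `corenet_udp_sendrecv_all_ports` line to inetd_child_t with the same open question.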
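Review bot: Under `targeted_policy` the `typealias` makes every following `system_crond_t` rule apply to `crond_t`, including `init_daemon_domain(system_crond_t,anacron_exec_t)` and the `role system_r` line that stay unconditional right after the new block; that looks intended, but it also relies on `type crond_t` being declared earlier in the file (outside this hunk), which should be confirmed since, as far as I know, checkpolicy rejects an alias of an undeclared type. A one-line comment would spare the next reader the inference, e.g. `# targeted: system cron jobs run in crond_t, so system_crond_t is only an alias`.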
@@ -194,8 +194,9 @@ corenet_raw_sendrecv_all_if(inetd_child_t)
 corenet_tcp_sendrecv_all_nodes(inetd_child_t)
 corenet_udp_sendrecv_all_nodes(inetd_child_t)
 corenet_raw_sendrecv_all_nodes(inetd_child_t)
-corenet_tcp_bind_all_nodes(inetd_child_t)
 corenet_tcp_sendrecv_all_ports(inetd_child_t)
+corenet_udp_sendrecv_all_ports(inetd_child_t)
+corenet_tcp_bind_all_nodes(inetd_child_t)
 
 dev_read_urand(inetd_child_t)
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 36c4d1c9..6c6eb3f9 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -34,7 +34,7 @@ allow innd_t self:process { setsched signal_perms };
 allow innd_t self:fifo_file rw_file_perms;
 allow innd_t self:tcp_socket create_stream_socket_perms;
 allow innd_t self:udp_socket create_socket_perms;
-allow innd_t self:unix_dgram_socket create_socket_perms;
+allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
 
 allow innd_t innd_etc_t:file r_file_perms;
@@ -43,7 +43,7 @@ allow innd_t innd_etc_t:lnk_file { getattr read };
 
 can_exec(innd_t, innd_exec_t)
 
-allow innd_t innd_log_t:file { create ra_file_perms };
+allow innd_t innd_log_t:file manage_file_perms;
 allow innd_t innd_log_t:dir { setattr ra_dir_perms };
 logging_create_log(innd_t,innd_log_t)
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index 4cfa05f8..09981a87 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
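Review bot: Replacing `{ create ra_file_perms }` with `manage_file_perms` on innd_log_t turns an append-only log grant into one that, in refpolicy's permission sets, also includes write, rename and unlink, so a compromised innd could truncate or remove its own audit trail rather than only extend it. If what innd actually needs is to rotate its logs, `{ create rename unlink ra_file_perms }` keeps the append-only property; if real `write` is required, a comment naming the log that needs it would justify the widening, e.g. `# innd rewrites <logfile> in place, so append-only is not enough`. The dir rule on the next line stays `{ setattr ra_dir_perms }`, which matches the narrower intent.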
@@ -126,10 +126,11 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(pegasus_t)
 ')
+') dnl end TODO
 
-#type pegasus_conf_exec_t, exec_type;
+# bad rules
+type pegasus_conf_exec_t, entry_type;
 files_type(pegasus_conf_exec_t)
 allow pegasus_conf_exec_t pegasus_conf_t:dir rw_dir_perms;
 allow pegasus_conf_exec_t pegasus_conf_t:file create_file_perms;
 allow pegasus_conf_exec_t pegasus_conf_t:lnk_file create_lnk_perms;
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 2a168599..ccc472a2 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -80,11 +80,19 @@ interface(`domain_type',`
 		ldap_use($1)
 	')
 
-	# this seems highly questionable:
+	# these 3 seem highly questionable:
 	optional_policy(`rpm.te',`
 		rpm_use_fd($1)
 		rpm_read_pipe($1)
 	')
+
+	optional_policy(`selinux.te',`
+		selinux_dontaudit_search_fs($1)
+	')
+
+	optional_policy(`selinuxutil.te',`
+		seutil_dontaudit_read_config($1)
+	')
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index a003f2db..f6b418f2 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -7,6 +7,10 @@ policy_module(files,1.0)
 
 #
 attribute file_type;
+
+# cjp: should handle this different
+allow file_type self:filesystem associate;
+
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 9bf10584..8623dd5c 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
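Review bot: The rules after `# bad rules` move out of the `ifdef(`TODO',...)` block into live policy, yet they use `pegasus_conf_exec_t`, a file type (`files_type`, `entry_type`), as the *source* of `allow` rules; unless something elsewhere makes it a domain, no process ever runs with that type, so the three `allow` lines grant nothing and only look like intended policy. Keeping them inside the TODO block, or deleting them, is safer than shipping dead rules that the label "bad" already disowns. If they must stay, the comment should say why, e.g. `# bad rules: pegasus_conf_exec_t is a file type, not a domain; kept only until <the real config-tool domain> exists`.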
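Review bot: The two new `optional_policy` blocks attach `selinux_dontaudit_search_fs` and `seutil_dontaudit_read_config` to every domain, because `domain_type` is applied to all of them; a global dontaudit hides any confined process probing selinuxfs or the SELinux configuration from the audit log, which is precisely the denial an administrator debugging or investigating a misbehaving domain wants to see. The comment `# these 3 seem highly questionable:` records the doubt but not the cause, so the rules can never be moved to the domains that actually need them; it should name the trigger, e.g. `# these 3 seem highly questionable: <what triggers the denials> - TODO move to the domains that need them`. The domain_type interface begins before this hunk.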
@@ -89,16 +89,16 @@ interface(`init_daemon_domain',`
 	# _t at the end of the domain type. If there is no _t
 	# at the end of the type, it returns empty!
 	bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
-	if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
+	if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
+		can_exec(initrc_t,$2)
+		can_exec(direct_run_init,$2)
+	} else {
 		domain_auto_trans(initrc_t,$2,$1)
 		allow initrc_t $1:fd use;
 		allow $1 initrc_t:fd use;
 		allow $1 initrc_t:fifo_file rw_file_perms;
 		allow $1 initrc_t:process sigchld;
-		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-	} else {
-		can_exec(initrc_t,$2)
-		can_exec(direct_run_init,$2)
+		allow initrc_t $1:process { noatsecure siginh rlimitinh };
 	}
 ',`
 	domain_auto_trans(initrc_t,$2,$1)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 77a1e1a4..f1d1a39b 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -78,6 +78,8 @@ init_dontaudit_use_fd(auditctl_t)
 
 locallogin_dontaudit_use_fd(auditctl_t)
 
+logging_send_syslog_msg(auditctl_t)
+
 ifdef(`TODO',`
 role secadm_r types auditctl_t;
 role sysadm_r types auditctl_t;
@@ -110,6 +112,7 @@ allow auditd_t auditd_log_t:file create_file_perms;
 allow auditd_t var_log_t:dir search;
 
 allow auditd_t auditd_var_run_t:file create_file_perms;
+allow auditd_t auditd_var_run_t:dir rw_dir_perms;
 files_create_pid(auditd_t,auditd_var_run_t)
 
 kernel_read_kernel_sysctl(auditd_t)
@@ -143,7 +146,9 @@ libs_use_shared_libs(auditd_t)
 
 miscfiles_read_localization(auditd_t)
 
-mls_file_read_up(klogd_t)
+mls_file_read_up(auditd_t)
+
+seutil_dontaudit_read_config(auditd_t)
 
 userdom_dontaudit_use_unpriv_user_fd(auditd_t)
 userdom_dontaudit_search_sysadm_home_dir(auditd_t)
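Review bot: The rewritten else branch changes `dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }` into an `allow`, a real semantic change hidden inside what otherwise reads as a branch swap: with those permissions granted, the daemon is exec'd without AT_SECURE and inherits initrc_t's signal state and resource limits instead of having them reset at the transition, whereas before the denials were merely silenced. If that is intended (initrc_t treated as a trusted starter for every daemon using this interface), the rule deserves a comment saying so, e.g. `# initrc_t is trusted: daemons keep inherited rlimits/signals and skip AT_SECURE`; if not, restore the `dontaudit`. The inverted `if(regexp(...))` with swapped branches is otherwise equivalent to the old form. The interface continues outside the hunk in both directions.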
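Review bot: Changing `mls_file_read_up(klogd_t)` to `mls_file_read_up(auditd_t)` inside the auditd_t section fixes a wrong-domain line, but it also silently removes the grant from klogd_t; if klogd needs to read up under MLS, its own section (outside this hunk) should get the line back, and the commit should say which was meant. The adjacent `seutil_dontaudit_read_config(auditd_t)` duplicates what the domain.if hunk in this same commit now gives every domain through `domain_type`, so once both land one of the two is redundant and the per-domain one would be the better survivor if the global one is later removed.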