diff --git a/refpolicy/config/appconfig-strict-mls/default_type b/refpolicy/config/appconfig-strict-mls/default_type index 09ff05b7..c3315fee 100644 --- a/refpolicy/config/appconfig-strict-mls/default_type +++ b/refpolicy/config/appconfig-strict-mls/default_type @@ -2,3 +2,4 @@ sysadm_r:sysadm_t secadm_r:secadm_t staff_r:staff_t user_r:user_t +auditadm_r:auditadm_t diff --git a/refpolicy/policy/modules/admin/prelink.fc b/refpolicy/policy/modules/admin/prelink.fc index b94700c6..729f75a1 100644 --- a/refpolicy/policy/modules/admin/prelink.fc +++ b/refpolicy/policy/modules/admin/prelink.fc @@ -3,6 +3,6 @@ /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) -/var/lib/misc/prelink\.* -- gen_context(system_u:object_r:prelink_cache_t,s0) +/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_cache_t,s0) /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te index f8bc84db..3f18fca5 100644 --- a/refpolicy/policy/modules/admin/prelink.te +++ b/refpolicy/policy/modules/admin/prelink.te @@ -1,5 +1,5 @@ -policy_module(prelink,1.1.2) +policy_module(prelink,1.1.3) ######################################## # diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 3d17e7e4..b7d32b64 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.3.7) +policy_module(rpm,1.3.8) ######################################## # @@ -341,9 +341,9 @@ ifdef(`targeted_policy',` optional_policy(` mono_domtrans(rpm_script_t) ') -',` + optional_policy(` - bootloader_domtrans(rpm_script_t) + unconfined_domtrans(rpm_script_t) ') ') @@ -357,6 +357,10 @@ tunable_policy(`allow_execmem',` allow rpm_script_t self:process execmem; ') +optional_policy(` + bootloader_domtrans(rpm_script_t) +') + optional_policy(` nis_use_ypbind(rpm_script_t) ') diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te index 50a988fc..4b309ea0 100644 --- a/refpolicy/policy/modules/apps/webalizer.te +++ b/refpolicy/policy/modules/apps/webalizer.te @@ -1,5 +1,5 @@ -policy_module(webalizer,1.2.1) +policy_module(webalizer,1.2.2) ######################################## # @@ -44,6 +44,7 @@ allow webalizer_t self:unix_stream_socket create_stream_socket_perms; allow webalizer_t self:unix_dgram_socket sendto; allow webalizer_t self:unix_stream_socket connectto; allow webalizer_t self:tcp_socket connected_stream_socket_perms; +allow webalizer_t self:udp_socket { connect connected_socket_perms }; allow webalizer_t self:netlink_route_socket r_netlink_socket_perms; allow webalizer_t webalizer_etc_t:file { getattr read }; diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index 17d90fa2..aeeccb6c 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.3.8) +policy_module(filesystem,1.3.9) ######################################## # @@ -23,7 +23,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0) # Requires that a security xattr handler exist for the filesystem. fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); @@ -174,6 +174,7 @@ genfscon afs / gen_context(system_u:object_r:nfs_t,s0) genfscon hfs / gen_context(system_u:object_r:nfs_t,s0) genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon gfs / gen_context(system_u:object_r:nfs_t,s0) ######################################## # diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 3e9fc748..b58eb797 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -1,5 +1,5 @@ -policy_module(kernel,1.3.10) +policy_module(kernel,1.3.11) ######################################## # @@ -28,6 +28,7 @@ role user_r; ifdef(`enable_mls',` role secadm_r; + role auditadm_r; ') # diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index adc123fc..9d364af8 100644 --- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.2.5) +policy_module(automount,1.2.6) ######################################## # @@ -30,7 +30,7 @@ files_mountpoint(automount_tmp_t) allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override }; dontaudit automount_t self:capability sys_tty_config; -allow automount_t self:process { signal_perms getpgid setpgid setsched }; +allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; allow automount_t self:fifo_file rw_file_perms; allow automount_t self:unix_stream_socket create_socket_perms; allow automount_t self:unix_dgram_socket create_socket_perms; @@ -58,9 +58,11 @@ allow automount_t automount_var_run_t:dir rw_dir_perms; files_pid_filetrans(automount_t,automount_var_run_t,file) kernel_read_kernel_sysctls(automount_t) +kernel_read_irq_sysctls(automount_t) kernel_read_fs_sysctls(automount_t) kernel_read_proc_symlinks(automount_t) kernel_read_system_state(automount_t) +kernel_read_network_state(automount_t) kernel_list_proc(automount_t) files_search_boot(automount_t) @@ -92,6 +94,7 @@ dev_read_sysfs(automount_t) dev_read_urand(automount_t) domain_use_interactive_fds(automount_t) +domain_dontaudit_read_all_domains_state(automount_t) files_dontaudit_write_var_dirs(automount_t) files_getattr_all_dirs(automount_t) @@ -104,11 +107,14 @@ files_getattr_isid_type_dirs(automount_t) files_getattr_default_dirs(automount_t) # because config files can be shell scripts files_exec_etc_files(automount_t) +files_mounton_mnt(automount_t) fs_getattr_all_fs(automount_t) fs_getattr_all_dirs(automount_t) fs_search_auto_mountpoints(automount_t) fs_manage_auto_mountpoints(automount_t) +fs_unmount_autofs(automount_t) +fs_mount_autofs(automount_t) term_dontaudit_use_console(automount_t) term_dontaudit_getattr_pty_dirs(automount_t) diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 9984e94c..3b48afb2 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.3.8) +policy_module(cron,1.3.9) gen_require(` class passwd rootok; @@ -353,6 +353,7 @@ ifdef(`targeted_policy',` tunable_policy(`cron_can_relabel',` seutil_domtrans_setfiles(system_crond_t) + seutil_domtrans_restorecon(system_crond_t) ',` selinux_get_fs_mount(system_crond_t) selinux_validate_context(system_crond_t) diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index 924ce5dd..0918d8a7 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.3.7) +policy_module(cups,1.3.8) ######################################## # @@ -629,6 +629,10 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_files(hplip_t) ') +optional_policy(` + mount_send_nfs_client_request(hplip_t) +') + optional_policy(` seutil_sigchld_newrole(hplip_t) ') diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index a36c4ddd..7ef09117 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te @@ -1,5 +1,5 @@ -policy_module(ftp,1.2.5) +policy_module(ftp,1.2.6) ######################################## # @@ -57,8 +57,9 @@ allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms; allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms; fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) -allow ftpd_t ftpd_var_run_t:file create_file_perms; +allow ftpd_t ftpd_var_run_t:file manage_file_perms; allow ftpd_t ftpd_var_run_t:dir rw_dir_perms; +allow ftpd_t ftpd_var_run_t:sock_file manage_file_perms; files_pid_filetrans(ftpd_t,ftpd_var_run_t,file) # Create and modify /var/log/xferlog. diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index b882b917..74c9809b 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.3.8) +policy_module(hal,1.3.9) ######################################## # @@ -114,6 +114,8 @@ term_dontaudit_use_console(hald_t) term_dontaudit_use_generic_ptys(hald_t) term_use_unallocated_ttys(hald_t) +auth_use_nsswitch(hald_t) + init_use_fds(hald_t) init_use_script_ptys(hald_t) init_domtrans_script(hald_t) diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te index 627681cd..2a9c1dd6 100644 --- a/refpolicy/policy/modules/services/kerberos.te +++ b/refpolicy/policy/modules/services/kerberos.te @@ -1,5 +1,5 @@ -policy_module(kerberos,1.1.2) +policy_module(kerberos,1.1.3) ######################################## # @@ -188,6 +188,7 @@ kernel_read_system_state(krb5kdc_t) kernel_read_kernel_sysctls(krb5kdc_t) kernel_list_proc(krb5kdc_t) kernel_read_proc_symlinks(krb5kdc_t) +kernel_read_network_state(krb5kdc_t) corenet_non_ipsec_sendrecv(krb5kdc_t) corenet_tcp_sendrecv_all_if(krb5kdc_t) diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te index d0e51f35..09f43fa0 100644 --- a/refpolicy/policy/modules/services/mysql.te +++ b/refpolicy/policy/modules/services/mysql.te @@ -1,5 +1,5 @@ -policy_module(mysql,1.2.3) +policy_module(mysql,1.2.4) ######################################## # @@ -34,7 +34,6 @@ allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bin dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file { read write }; -allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; allow mysqld_t self:unix_stream_socket create_stream_socket_perms; allow mysqld_t self:tcp_socket create_stream_socket_perms; allow mysqld_t self:udp_socket create_socket_perms; @@ -91,6 +90,8 @@ files_read_etc_files(mysqld_t) files_read_usr_files(mysqld_t) files_search_var_lib(mysqld_t) +auth_use_nsswitch(mysqld_t) + init_use_fds(mysqld_t) init_use_script_ptys(mysqld_t) @@ -101,7 +102,6 @@ logging_send_syslog_msg(mysqld_t) miscfiles_read_localization(mysqld_t) -sysnet_use_ldap(mysqld_t) sysnet_read_config(mysqld_t) userdom_dontaudit_use_unpriv_user_fds(mysqld_t) diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index 64d10e5c..c5228b63 100644 --- a/refpolicy/policy/modules/services/networkmanager.te +++ b/refpolicy/policy/modules/services/networkmanager.te @@ -1,5 +1,5 @@ -policy_module(networkmanager,1.3.3) +policy_module(networkmanager,1.3.4) ######################################## # @@ -160,6 +160,10 @@ optional_policy(` nscd_signal(NetworkManager_t) ') +optional_policy(` + ppp_domtrans(NetworkManager_t) +') + optional_policy(` seutil_sigchld_newrole(NetworkManager_t) ') diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te index 8f8ab87e..af22a7ee 100644 --- a/refpolicy/policy/modules/services/ntp.te +++ b/refpolicy/policy/modules/services/ntp.te @@ -1,5 +1,5 @@ -policy_module(ntp,1.1.1) +policy_module(ntp,1.1.2) ######################################## # @@ -86,6 +86,8 @@ fs_search_auto_mountpoints(ntpd_t) term_dontaudit_use_console(ntpd_t) +auth_use_nsswitch(ntpd_t) + corecmd_exec_bin(ntpd_t) corecmd_exec_sbin(ntpd_t) corecmd_exec_ls(ntpd_t) diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te index a4460d69..15f8deac 100644 --- a/refpolicy/policy/modules/services/procmail.te +++ b/refpolicy/policy/modules/services/procmail.te @@ -1,5 +1,5 @@ -policy_module(procmail,1.2.2) +policy_module(procmail,1.2.3) ######################################## # @@ -76,6 +76,10 @@ ifdef(`targeted_policy', ` files_getattr_tmp_dirs(procmail_t) ') +optional_policy(` + clamav_domtrans_clamscan(procmail_t) +') + optional_policy(` logging_send_syslog_msg(procmail_t) ') diff --git a/refpolicy/policy/modules/services/pyzor.te b/refpolicy/policy/modules/services/pyzor.te index 928ad8ed..547a1c7b 100644 --- a/refpolicy/policy/modules/services/pyzor.te +++ b/refpolicy/policy/modules/services/pyzor.te @@ -1,5 +1,5 @@ -policy_module(pyzor,1.0.3) +policy_module(pyzor,1.0.4) ######################################## # @@ -119,6 +119,10 @@ userdom_dontaudit_search_staff_home_dirs(pyzord_t) mta_manage_spool(pyzord_t) +ifdef(`targeted_policy',` + userdom_read_generic_user_home_content_files(pyzord_t) +') + optional_policy(` logging_send_syslog_msg(pyzord_t) ') diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te index b48189d0..5752f5dd 100644 --- a/refpolicy/policy/modules/services/xfs.te +++ b/refpolicy/policy/modules/services/xfs.te @@ -1,5 +1,5 @@ -policy_module(xfs,1.0.2) +policy_module(xfs,1.0.3) ######################################## # @@ -58,6 +58,8 @@ files_read_usr_files(xfs_t) term_dontaudit_use_console(xfs_t) +auth_use_nsswitch(xfs_t) + init_use_fds(xfs_t) init_use_script_ptys(xfs_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 5c7a18a6..baeccb08 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -1284,6 +1284,8 @@ interface(`auth_use_nsswitch',` type var_auth_t; ') + allow $1 self:netlink_route_socket r_netlink_socket_perms; + allow $1 var_auth_t:dir r_dir_perms; allow $1 var_auth_t:file create_file_perms; files_list_var_lib($1) diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 5bcf97f7..3cc57bdd 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.3.4) +policy_module(authlogin,1.3.5) ######################################## # diff --git a/refpolicy/policy/modules/system/logging.fc b/refpolicy/policy/modules/system/logging.fc index 250db310..cdd15cd9 100644 --- a/refpolicy/policy/modules/system/logging.fc +++ b/refpolicy/policy/modules/system/logging.fc @@ -1,8 +1,7 @@ -/dev/log -s gen_context(system_u:object_r:devlog_t,s0) +/dev/log -s gen_context(system_u:object_r:devlog_t,s0) -/etc/auditd.conf -- gen_context(system_u:object_r:auditd_etc_t,s0) -/etc/audit.rules -- gen_context(system_u:object_r:auditd_etc_t,s0) +/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) @@ -25,7 +24,7 @@ ifdef(`distro_suse', ` /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) -/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255) +/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) /var/log/audit.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c255) diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 0ef5e546..74aee442 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.3.6) +policy_module(logging,1.3.7) ######################################## # @@ -70,6 +70,7 @@ libs_use_shared_libs(auditctl_t) allow auditctl_t etc_t:file { getattr read }; +allow auditctl_t auditd_etc_t:dir r_dir_perms; allow auditctl_t auditd_etc_t:file r_file_perms; # Needed for adding watches @@ -111,6 +112,7 @@ allow auditd_t self:unix_dgram_socket create_socket_perms; allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; allow auditd_t self:fifo_file rw_file_perms; +allow auditd_t auditd_etc_t:dir r_dir_perms; allow auditd_t auditd_etc_t:file r_file_perms; allow auditd_t auditd_log_t:dir rw_dir_perms; diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 63d0d75c..05aea9f7 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.2.7) +policy_module(selinuxutil,1.2.8) gen_require(` bool secure_mode; @@ -115,6 +115,9 @@ files_type(semanage_store_t) type semanage_read_lock_t; files_type(semanage_read_lock_t) +type semanage_tmp_t; +files_tmp_file(semanage_tmp_t) + type semanage_trans_lock_t; files_type(semanage_trans_lock_t) @@ -531,12 +534,17 @@ ifdef(`targeted_policy',`',` # semodule local policy # +allow semanage_t self:capability dac_override; allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow semanage_t policy_config_t:file { read write }; +allow semanage_t semanage_tmp_t:dir create_dir_perms; +allow semanage_t semanage_tmp_t:file create_file_perms; +files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) + kernel_read_system_state(semanage_t) kernel_read_kernel_sysctls(semanage_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 985a0eea..25e4ab85 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -473,35 +473,6 @@ template(`base_user_template',` # gnome-session creates socket under /tmp/.ICE-unix/ xserver_create_xdm_tmp_sockets($1_t) ') - - ifdef(`TODO',` - # - # Cups daemon running as user tries to write /etc/printcap - # - dontaudit $1_t usr_t:file setattr; - - # /initrd is left mounted, various programs try to look at it - dontaudit $1_t ramfs_t:dir getattr; - - # - # Running ifconfig as a user generates the following - # - dontaudit $1_t sysctl_net_t:dir search; - - r_dir_file($1_t, usercanread) - - # old browser_domain(): - dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr; - dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search; - dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read; - - allow $1_t usbtty_device_t:chr_file read; - - ifdef(`xdm.te', ` - allow $1_t xdm_var_lib_t:file r_file_perms; - ') - ') dnl endif TODO - ') ####################################### diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 7aed6745..f690a269 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,11 +1,12 @@ -policy_module(userdomain,1.3.27) +policy_module(userdomain,1.3.28) gen_require(` role sysadm_r, staff_r, user_r; ifdef(`enable_mls',` role secadm_r; + role auditadm_r; ') ') @@ -67,6 +68,7 @@ ifdef(`targeted_policy',` # Define some type aliases to help with compatibility with # macros and domains from the "strict" policy. unconfined_alias_domain(secadm_t) + unconfined_alias_domain(auditadm_t) unconfined_alias_domain(sysadm_t) # User home directory type. @@ -82,6 +84,7 @@ ifdef(`targeted_policy',` # compatibility for switching from strict # dominance { role secadm_r { role system_r; }} +# dominance { role auditadm_r { role system_r; }} # dominance { role sysadm_r { role system_r; }} # dominance { role user_r { role system_r; }} # dominance { role staff_r { role system_r; }} @@ -105,8 +108,10 @@ ifdef(`targeted_policy',` ifdef(`enable_mls',` allow secadm_r system_r; + allow auditadm_r system_r; allow secadm_r user_r; allow staff_r secadm_r; + allow staff_r auditadm_r; ') optional_policy(` @@ -126,9 +131,19 @@ ifdef(`targeted_policy',` role_change(staff, sysadm) ifdef(`enable_mls',` - admin_user_template(secadm) + unpriv_user_template(secadm) + unpriv_user_template(auditadm) + + role_change(staff,auditadm) role_change(staff,secadm) + role_change(sysadm,secadm) + role_change(sysadm,auditadm) + + role_change(auditadm,secadm) + role_change(auditadm,sysadm) + + role_change(secadm,auditadm) role_change(secadm,sysadm) ') @@ -172,19 +187,33 @@ ifdef(`targeted_policy',` ') ifdef(`enable_mls',` + seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) + domain_kill_all_domains(auditadm_t) + seutil_read_bin_policy(auditadm_t) + corecmd_exec_shell(auditadm_t) + logging_read_generic_logs(auditadm_t) + logging_manage_audit_log(auditadm_t) + logging_manage_audit_config(auditadm_t) + logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t }) + logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) + + allow secadm_t self:capability dac_override; corecmd_exec_shell(secadm_t) + domain_obj_id_change_exemption(secadm_t) mls_process_read_up(secadm_t) + mls_file_read_up(secadm_t) mls_file_write_down(secadm_t) mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) + auth_relabel_all_files_except_shadow(secadm_t) + auth_relabel_shadow(secadm_t) init_exec(secadm_t) logging_read_audit_log(secadm_t) - logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t }) + logging_read_generic_logs(secadm_t) userdom_dontaudit_append_staff_home_content_files(secadm_t) - files_relabel_all_files(secadm_t) - auth_relabel_shadow(secadm_t) ', ` - logging_read_audit_log(sysadm_t) + logging_manage_audit_log(sysadm_t) + logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal) ') @@ -252,6 +281,7 @@ ifdef(`targeted_policy',` ifdef(`enable_mls',` consoletype_exec(secadm_t) + consoletype_exec(auditadm_t) ') ') @@ -270,6 +300,7 @@ ifdef(`targeted_policy',` ifdef(`enable_mls',` dmesg_exec(secadm_t) + dmesg_exec(auditadm_t) ') ') diff --git a/refpolicy/policy/rolemap b/refpolicy/policy/rolemap index 8aed2520..3e8d3688 100644 --- a/refpolicy/policy/rolemap +++ b/refpolicy/policy/rolemap @@ -15,5 +15,6 @@ ifdef(`strict_policy',` ifdef(`enable_mls',` secadm_r secadm secadm_t + auditadm_r auditadm auditadm_t ') ') diff --git a/refpolicy/policy/users b/refpolicy/policy/users index 820504fe..fecd3c32 100644 --- a/refpolicy/policy/users +++ b/refpolicy/policy/users @@ -29,7 +29,7 @@ ifdef(`targeted_policy',` gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255) ',` gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255) +gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255) gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255) ') @@ -44,8 +44,8 @@ ifdef(`targeted_policy',` gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255) ',` ifdef(`direct_sysadm_daemon',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255) + gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255) ',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255) + gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255) ') ')