trunk: 6 patches from the fedora policy, cherry picked by david hardeman.

2008-08-14 14:19:50 +00:00 · 2008-08-14 14:19:50 +00:00 · 3e59876583
commit 3e59876583
parent 6e328912ac
10 changed files with 121 additions and 43 deletions
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@ -49,6 +49,11 @@ interface(`bootloader_run',`

 	role $2 types bootloader_t;
 	allow bootloader_t $3:chr_file rw_term_perms;
+
+	ifdef(`distro_redhat',`
+		# for mke2fs
+		mount_run(bootloader_t, $2, $3)
+	')
 ')

 ########################################
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@ -1,5 +1,5 @@

-policy_module(bootloader, 1.8.0)
+policy_module(bootloader, 1.8.1)

 ########################################
 #
@ -172,6 +172,10 @@ ifdef(`distro_redhat',`

 	# for mke2fs
 	mount_domtrans(bootloader_t)
+
+	optional_policy(`
+		unconfined_domain(bootloader_t)
+	')
 ')

 optional_policy(`
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@ -1,5 +1,5 @@

-policy_module(kudzu, 1.6.0)
+policy_module(kudzu, 1.6.1)

 ########################################
 #
@ -143,28 +143,6 @@ optional_policy(`
 ')

 optional_policy(`
-	# cjp: this was originally in the else block
-	# of ifdef userhelper.te, but it seems to
-	# make more sense here.  also, require
-	# blocks curently do not work in the
-	# else block of optionals
+	unconfined_domtrans(kudzu_t)
 	unconfined_domain(kudzu_t)
 ')
-
-ifdef(`TODO',`
-allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`
-	allow kudzu_t printconf_t:file { getattr read };
-')
-optional_policy(`
-	allow kudzu_t xserver_exec_t:file getattr;
-')
-optional_policy(`
-	allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-optional_policy(`
-	role system_r types sysadm_userhelper_t;
-	domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms;
-')
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@ -19,3 +19,5 @@
 /var/lib/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_lib_t,s0)

 /var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
+
+/var/spool/courier(/.*)?			gen_context(system_u:object_r:courier_spool_t,s0)
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@ -123,3 +123,77 @@ interface(`courier_domtrans_pop',`

 	domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
 ')
+
+########################################
+## <summary>
+##	Read courier config files
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_read_config',`
+	gen_require(`
+		type courier_etc_t;
+	')
+
+	read_files_pattern($1, courier_etc_t, courier_etc_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete courier
+##	spool directories.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_manage_spool_dirs',`
+	gen_require(`
+		type courier_spool_t;
+	')
+
+	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete courier
+##	spool files.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_manage_spool_files',`
+	gen_require(`
+		type courier_spool_t;
+	')
+
+	manage_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+##	Read and write to courier spool pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`courier_rw_spool_pipes',`
+	gen_require(`
+		type courier_spool_t;
+	')
+
+	allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
+')
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@ -1,5 +1,5 @@

-policy_module(courier, 1.5.0)
+policy_module(courier, 1.5.1)

 ########################################
 #
@ -9,12 +9,15 @@ policy_module(courier, 1.5.0)
 courier_domain_template(authdaemon)

 type courier_etc_t;
-files_type(courier_etc_t)
+files_config_file(courier_etc_t)

 courier_domain_template(pcp)

 courier_domain_template(pop)

+type courier_spool_t;
+files_type(courier_spool_t)
+
 courier_domain_template(tcpd)

 type courier_var_lib_t;
--- a/policy/modules/services/rdisc.te
+++ b/policy/modules/services/rdisc.te
@ -1,5 +1,5 @@

-policy_module(rdisc, 1.5.0)
+policy_module(rdisc, 1.5.1)

 ########################################
 #
@ -47,6 +47,8 @@ libs_use_shared_libs(rdisc_t)

 logging_send_syslog_msg(rdisc_t)

+miscfiles_read_localization(rdisc_t)
+
 sysnet_read_config(rdisc_t)

 userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@ -1,5 +1,5 @@

-policy_module(rpc, 1.8.0)
+policy_module(rpc, 1.8.1)

 ########################################
 #
@ -62,22 +62,23 @@ files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)

 # rpc.statd executes sm-notify
 can_exec(rpcd_t, rpcd_exec_t)
-corecmd_search_bin(rpcd_t)

 kernel_read_system_state(rpcd_t) 
-kernel_search_network_state(rpcd_t) 
+kernel_read_network_state(rpcd_t)
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)  
 kernel_rw_fs_sysctls(rpcd_t)

+corecmd_exec_bin(rpcd_t)
+
+files_manage_mounttab(rpcd_t)
+
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
 fs_read_rpc_symlinks(rpcd_t)
 fs_read_rpc_sockets(rpcd_t) 
-term_use_controlling_term(rpcd_t)

-# cjp: this should really have its own type
-files_manage_mounttab(rpcd_t)
+selinux_dontaudit_read_fs(rpcd_t)

 miscfiles_read_certs(rpcd_t)

@ -104,12 +105,9 @@ kernel_read_network_state(nfsd_t)
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)

-fs_mount_nfsd_fs(nfsd_t) 
-fs_search_nfsd_fs(nfsd_t) 
-fs_getattr_all_fs(nfsd_t) 
-fs_rw_nfsd_fs(nfsd_t) 
-
-term_use_controlling_term(nfsd_t) 
+dev_dontaudit_getattr_all_blk_files(nfsd_t)
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+dev_rw_lvm_control(nfsd_t)

 # does not really need this, but it is easier to just allow it
 files_search_pids(nfsd_t) 
@ -118,6 +116,14 @@ files_getattr_tmp_dirs(nfsd_t)
 # cjp: this should really have its own type
 files_manage_mounttab(rpcd_t)

+fs_mount_nfsd_fs(nfsd_t) 
+fs_search_nfsd_fs(nfsd_t) 
+fs_getattr_all_fs(nfsd_t) 
+fs_getattr_all_dirs(nfsd_t)
+fs_rw_nfsd_fs(nfsd_t) 
+
+storage_dontaudit_read_fixed_disk(nfsd_t)
+
 # Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)

@ -149,6 +155,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })

+kernel_read_system_state(gssd_t)
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 kernel_search_network_sysctl(gssd_t)	
@ -162,6 +169,8 @@ fs_read_rpc_files(gssd_t)
 files_list_tmp(gssd_t) 
 files_read_usr_symlinks(gssd_t) 

+auth_use_nsswitch(gssd_t)
+
 miscfiles_read_certs(gssd_t)

 tunable_policy(`allow_gssd_read_tmp',`
--- a/policy/modules/system/getty.fc
+++ b/policy/modules/system/getty.fc
@ -8,5 +8,5 @@

 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)

-/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
-/var/spool/voice	--	gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/fax(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/voice(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@ -1,5 +1,5 @@

-policy_module(getty,1.6.0)
+policy_module(getty, 1.6.1)

 ########################################
 #
@ -9,6 +9,7 @@ policy_module(getty,1.6.0)
 type getty_t;
 type getty_exec_t;
 init_domain(getty_t,getty_exec_t)
+init_system_domain(getty_t, getty_exec_t)
 domain_interactive_fd(getty_t)

 type getty_etc_t;