From 8c0a06a69a1c9bfceef3371dd2c97e514765a4e3 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 09:53:54 +0200 Subject: [PATCH 01/29] Type print_spool_t is not required here. Signed-off-by: Dominick Grift --- policy/modules/apps/pulseaudio.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if index 15fef119..9f12b513 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -17,7 +17,7 @@ # interface(`pulseaudio_role',` gen_require(` - type pulseaudio_t, pulseaudio_exec_t, print_spool_t; + type pulseaudio_t, pulseaudio_exec_t; class dbus { acquire_svc send_msg }; ') From cb76ff4560e88d828cb57de965acea58384a8f29 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 10:13:16 +0200 Subject: [PATCH 02/29] Type xenstored_var_run_t is required here. Signed-off-by: Dominick Grift --- policy/modules/system/xen.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if index 4af4e6b4..4aa96c6d 100644 --- a/policy/modules/system/xen.if +++ b/policy/modules/system/xen.if @@ -251,7 +251,7 @@ interface(`xen_domtrans_xm',` # interface(`xen_stream_connect_xm',` gen_require(` - type xm_t; + type xm_t, xenstored_var_run_t; ') files_search_pids($1) From 0540e22fcc0f5e8bca8085b063b98372e5924ac9 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 10:35:12 +0200 Subject: [PATCH 03/29] Use ps_process_pattern to read state. Permission to seach proc_t directories is required to read automount state. Signed-off-by: Dominick Grift --- policy/modules/services/automount.if | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if index d80a16b8..bba047d9 100644 --- a/policy/modules/services/automount.if +++ b/policy/modules/services/automount.if 
@@ -68,7 +68,8 @@ interface(`automount_read_state',` type automount_t; ') - read_files_pattern($1, automount_t, automount_t) + kernel_search_proc($1) + ps_process_pattern($1, automount_t) ') ######################################## From d8d33a15bfc6baca33721dae389b49fd0c6e05e6 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 10:51:47 +0200 Subject: [PATCH 04/29] Permission to search generic pid directories is included with files_pid_filetrans. Signed-off-by: Dominick Grift --- policy/modules/services/courier.if | 1 - 1 file changed, 1 deletion(-) diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if index 99713375..efbc8af5 100644 --- a/policy/modules/services/courier.if +++ b/policy/modules/services/courier.if @@ -42,7 +42,6 @@ template(`courier_domain_template',` manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - files_search_pids(courier_$1_t) files_pid_filetrans(courier_$1_t, courier_var_run_t, dir) kernel_read_system_state(courier_$1_t) From beb9c35b25ce3f789af317542267e7b558dcbc9d Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 10:57:45 +0200 Subject: [PATCH 05/29] Types crontab_exec_t, cron_spool_t and user_cron_spool_t are required here. Signed-off-by: Dominick Grift --- policy/modules/services/cron.if | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index cbd01beb..74d7a2b2 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -13,7 +13,8 @@ # template(`cron_common_crontab_template',` gen_require(` - type crond_t, crond_var_run_t; + type crond_t, crond_var_run_t, crontab_exec_t; + type cron_spool_t, user_cron_spool_t; ') ############################## 
From 5ecaacae6132387ffd0d8dc05c9706a82e9a2e28 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 10:58:27 +0200 Subject: [PATCH 06/29] Type system_cronjob_var_run_t is not required here. Signed-off-by: Dominick Grift --- policy/modules/services/cron.if | 1 - 1 file changed, 1 deletion(-) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 74d7a2b2..98220745 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -674,7 +674,6 @@ interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; type cron_var_run_t; - type system_cronjob_var_run_t; ') dontaudit $1 system_cronjob_tmp_t:file write_file_perms; From 47cf98ddd567c4e2e5142a116a07bfbe601ddd6c Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 11:04:10 +0200 Subject: [PATCH 07/29] Permission to get attributes of target devicekit_t, devicekit_disk_t and devicekit_power_t domains are included with ps_process_patterns. Signed-off-by: Dominick Grift --- policy/modules/services/devicekit.if | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if index f706b994..70cf0184 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if 
@@ -165,13 +165,13 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') - allow $1 devicekit_t:process { ptrace signal_perms getattr }; + allow $1 devicekit_t:process { ptrace signal_perms }; ps_process_pattern($1, devicekit_t) - allow $1 devicekit_disk_t:process { ptrace signal_perms getattr }; + allow $1 devicekit_disk_t:process { ptrace signal_perms }; ps_process_pattern($1, devicekit_disk_t) - allow $1 devicekit_power_t:process { ptrace signal_perms getattr }; + allow $1 devicekit_power_t:process { ptrace signal_perms }; ps_process_pattern($1, devicekit_power_t) admin_pattern($1, devicekit_tmp_t) From cf152b495370fa212159d56130e589afbacf4897 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 11:08:39 +0200 Subject: [PATCH 08/29] Replace some type statements by comma delimiters. Signed-off-by: Dominick Grift --- policy/modules/services/dhcp.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if index 5e2cea82..aa4da1d9 100644 --- a/policy/modules/services/dhcp.if +++ b/policy/modules/services/dhcp.if @@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',` # interface(`dhcpd_admin',` gen_require(` - type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t; + type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; type dhcpd_var_run_t, dhcpd_initrc_exec_t; ') From b36824efdf4da9b79b57ff0ce4578c38028aa5ac Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 12:10:14 +0200 Subject: [PATCH 09/29] Permit fetchmail_admin to ptrace and signal the fetchmail_t domain. Signed-off-by: Dominick Grift --- policy/modules/services/fetchmail.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if index 6537214c..7d64c0af 100644 --- a/policy/modules/services/fetchmail.if +++ b/policy/modules/services/fetchmail.if 
@@ -18,6 +18,7 @@ interface(`fetchmail_admin',` type fetchmail_var_run_t; ') + allow $1 fetchmail_t:process { ptrace signal_perms }; ps_process_pattern($1, fetchmail_t) files_list_etc($1) From 7d36c9fa134ba49f95b453412c5355c0c58a85bb Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 10:25:11 +0200 Subject: [PATCH 10/29] Permission to search proc_t directories is required to be able to read abrt state. Signed-off-by: Dominick Grift Permission to search generic proc directories is required to read hald_t state. --- policy/modules/services/abrt.if | 1 + policy/modules/services/hal.if | 1 + 2 files changed, 2 insertions(+) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if index 8a5d6a4e..022c0792 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -71,6 +71,7 @@ interface(`abrt_read_state',` type abrt_t; ') + kernel_search_proc($1) ps_process_pattern($1, abrt_t) ') diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if index 5b9771ec..4e8c0425 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if @@ -51,6 +51,7 @@ interface(`hal_read_state',` type hald_t; ') + kernel_search_proc($1) ps_process_pattern($1, hald_t) ') From 4b81a55013a7d263629d023551a282e1f3f8e2fa Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 12:20:40 +0200 Subject: [PATCH 11/29] This is redundant since base user can search generic proc directories and included ps_process_pattern call permits all else. Signed-off-by: Dominick Grift --- policy/modules/services/hddtemp.if | 4 ---- 1 file changed, 4 deletions(-) diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if index 87b45312..777b0362 100644 --- a/policy/modules/services/hddtemp.if +++ b/policy/modules/services/hddtemp.if 
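Review bot: The added `allow $1 fetchmail_t:process { ptrace signal_perms };` lets the admin domain attach to and read the memory of a running fetchmail, which presumably holds the mailbox credentials it polls with, so this is a wider grant than "signal" alone and the subject line understates it. It matches what other *_admin interfaces in this series grant, so the rule itself is in keeping with convention, but the interface's XML summary above the hunk should say so, e.g. `## Administrate fetchmail, including ptrace of the fetchmail_t daemon.` fetchmail_admin continues outside the hunk.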
@@ -70,8 +70,4 @@ interface(`hddtemp_admin',` admin_pattern($1, hddtemp_etc_t) files_search_etc($1) - - allow $1 hddtemp_t:dir list_dir_perms; - read_lnk_files_pattern($1, hddtemp_t, hddtemp_t) - kernel_search_proc($1) ') From aa5baa96ed64733d186444de72e7d5d48c3cd9cc Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 12:23:05 +0200 Subject: [PATCH 12/29] Allow icecast_admin to ptrace and signal the icecast_t domain. Signed-off-by: Dominick Grift --- policy/modules/services/icecast.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if index ecab47ab..3aa86f30 100644 --- a/policy/modules/services/icecast.if +++ b/policy/modules/services/icecast.if @@ -173,6 +173,7 @@ interface(`icecast_admin',` type icecast_t, icecast_initrc_exec_t; ') + allow $1 icecast_t:process { ptrace signal_perms }; ps_process_pattern($1, icecast_t) # Allow icecast_t to restart the apache service From 7d34935ff24827a37ee7f7716ac190073a422b92 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 12:35:55 +0200 Subject: [PATCH 13/29] Memcached_admin is required to search generic pid directories to be able to manage memcached pid content. Signed-off-by: Dominick Grift --- policy/modules/services/memcached.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if index c28a8763..ee60e591 100644 --- a/policy/modules/services/memcached.if +++ b/policy/modules/services/memcached.if @@ -70,5 +70,6 @@ interface(`memcached_admin',` role_transition $2 memcached_initrc_exec_t system_r; allow $2 system_r; + files_search_pids($1) admin_pattern($1, memcached_var_run_t) ') From 0ab415250b89144d0f0ee28307fb5d68646313e4 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 12:40:34 +0200 Subject: [PATCH 14/29] Redundant: mpd_search_lib already includes files_search_var_lib. 
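Review bot: Dropping `kernel_search_proc($1)` makes hddtemp_admin silently depend on the caller already being able to search /proc, which the commit message justifies only for "base user" domains; an admin interface can be applied to any domain, and patches 03 and 10 in this same series add `kernel_search_proc($1)` to read_state interfaces for exactly that reason. Removing the `dir list_dir_perms` and `read_lnk_files_pattern` rules is fine given the `ps_process_pattern($1, hddtemp_t)` call the message refers to (it is outside the hunk). I would keep `kernel_search_proc($1)` next to that ps_process_pattern call rather than rely on the caller.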
Signed-off-by: Dominick Grift --- policy/modules/services/mpd.if | 2 -- 1 file changed, 2 deletions(-) diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if index 07dac12d..053d1f8f 100644 --- a/policy/modules/services/mpd.if +++ b/policy/modules/services/mpd.if @@ -53,7 +53,6 @@ interface(`mpd_read_data_files',` type mpd_data_t; ') - files_search_var_lib($1) mpd_search_lib($1) read_files_pattern($1, mpd_data_t, mpd_data_t) ') @@ -114,7 +113,6 @@ interface(`mpd_manage_data_files',` type mpd_data_t; ') - files_search_var_lib($1) mpd_search_lib($1) manage_files_pattern($1, mpd_data_t, mpd_data_t) ') From 0ba923e7d9bde6eb4a38056bd09453db25be2427 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 12:43:19 +0200 Subject: [PATCH 15/29] Source is required to search generic tmpfs directories to be able to interact with mpd tmpfs content. Signed-off-by: Dominick Grift --- policy/modules/services/mpd.if | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if index 053d1f8f..2f527226 100644 --- a/policy/modules/services/mpd.if +++ b/policy/modules/services/mpd.if @@ -72,8 +72,7 @@ interface(`mpd_read_tmpfs_files',` type mpd_tmpfs_t; ') - files_search_var_lib($1) - mpd_search_lib($1) + fs_search_tmpfs($1) read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) ') @@ -92,8 +91,7 @@ interface(`mpd_manage_tmpfs_files',` type mpd_tmpfs_t; ') - files_search_var_lib($1) - mpd_search_lib($1) + fs_search_tmpfs($1) manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) ') From c5e7db7a714d6879a6fb816dd2fb0865279b9e50 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 12:44:59 +0200 Subject: [PATCH 16/29] Allow mpd_admin to manage mpd tmpfs content. Signed-off-by: Dominick Grift --- policy/modules/services/mpd.if | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if index 2f527226..5599d14a 100644 --- a/policy/modules/services/mpd.if +++ b/policy/modules/services/mpd.if @@ -246,6 +246,7 @@ interface(`mpd_admin',` type mpd_data_t; type mpd_log_t; type mpd_var_lib_t; + type mpd_tmpfs_t; ') allow $1 mpd_t:process { ptrace signal_perms }; @@ -267,4 +268,6 @@ interface(`mpd_admin',` admin_pattern($1, mpd_log_t) + fs_search_tmpfs($1) + admin_pattern($1, mpd_tmpfs_t) ') From f386b9002d4b8693ca592b9a567f25ea5dfaf87f Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 12:31:03 +0200 Subject: [PATCH 17/29] Use the stream_connect_pattern. Use stream_connect_pattern. Signed-off-by: Dominick Grift --- policy/modules/services/ldap.if | 8 +++----- policy/modules/services/munin.if | 3 +-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if index e5684f44..d15f94d8 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if @@ -126,11 +126,10 @@ interface(`ldap_stream_connect',` ') files_search_pids($1) - allow $1 slapd_var_run_t:sock_file write; - allow $1 slapd_t:unix_stream_socket connectto; + stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) optional_policy(` - ldap_stream_connect_dirsrv($1) + ldap_stream_connect_dirsrv($1) ') ') @@ -150,8 +149,7 @@ interface(`ldap_stream_connect_dirsrv',` ') files_search_pids($1) - allow $1 dirsrv_var_run_t:sock_file write; - allow $1 dirsrv_t:unix_stream_socket connectto; + stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) ') ######################################## diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if index 50467384..dda8ca9c 100644 --- a/policy/modules/services/munin.if +++ b/policy/modules/services/munin.if 
@@ -57,9 +57,8 @@ interface(`munin_stream_connect',` type munin_var_run_t, munin_t; ') - allow $1 munin_t:unix_stream_socket connectto; - allow $1 munin_var_run_t:sock_file { getattr write }; files_search_pids($1) + stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t) ') ####################################### From eb12bc307640f016c6df4e6686828f1deda71ee7 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 12:50:18 +0200 Subject: [PATCH 18/29] Source is required to search generic pid directories to be able to interact with mysql sockets in var_run. Signed-off-by: Dominick Grift --- policy/modules/services/mysql.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if index e9c09824..b81e257b 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -73,6 +73,7 @@ interface(`mysql_stream_connect',` type mysqld_t, mysqld_var_run_t, mysqld_db_t; ') + files_search_pids($1) stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) ') From b6d0a79f2c8592c941525c57d653e7621338b0c8 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 12:56:18 +0200 Subject: [PATCH 19/29] Use admin_pattern. Allow nslcd_admin to search parent directories to be able to interact with nslcd content. Signed-off-by: Dominick Grift --- policy/modules/services/nslcd.if | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if index 23c769cf..b94add15 100644 --- a/policy/modules/services/nslcd.if +++ b/policy/modules/services/nslcd.if 
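Review bot: The new `files_search_pids($1)` in mysql_stream_connect covers only the first pattern; the second, `stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)`, names mysqld_db_t as the directory holding the socket, and if that type labels the data directory under /var/lib as its name suggests, the caller also needs `files_search_var_lib($1)` to reach it. Without that the second pattern grants search on mysqld_db_t while the path down to it is still denied. Suggest adding `files_search_var_lib($1)` alongside the pids search.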
@@ -106,9 +106,9 @@ interface(`nslcd_admin',` role_transition $2 nslcd_initrc_exec_t system_r; allow $2 system_r; - manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t) + files_search_etc($1) + admin_pattern($1, nslcd_conf_t) - manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t) - manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) - manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) + files_search_pids($1) + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') From dcbbeeada390736c2e3b956012c6559f32bc1113 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 10:23:24 +0200 Subject: [PATCH 20/29] Access to get attributes of target accountsd_t domain is included with ps_process_pattern. Permission to get attributes of target arpwatch_t domain is included with ps_process_pattern. Access to get attributes of target asterisk_t domain is included with ps_process_pattern. Permission to get attributes of target automount_t domain is included with ps_process_pattern. Access to get attributes of target ntpd_t domain is included with ps_process_pattern. Signed-off-by: Dominick Grift --- policy/modules/services/accountsd.if | 2 +- policy/modules/services/arpwatch.if | 2 +- policy/modules/services/asterisk.if | 2 +- policy/modules/services/automount.if | 2 +- policy/modules/services/ntp.if | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if index c0f858de..b46f76fc 100644 --- a/policy/modules/services/accountsd.if +++ b/policy/modules/services/accountsd.if @@ -138,7 +138,7 @@ interface(`accountsd_admin',` type accountsd_t; ') - allow $1 accountsd_t:process { ptrace signal_perms getattr }; + allow $1 accountsd_t:process { ptrace signal_perms }; ps_process_pattern($1, accountsd_t) accountsd_manage_lib_files($1) diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if index c804110a..bdefbe15 100644 
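Review bot: `admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)` passes three arguments while the call two lines above and every other admin_pattern call in this series pass two; m4 should simply ignore the extra argument, so the rule still expands, but it reads like a leftover from the manage_*_pattern form and should be `admin_pattern($1, nslcd_var_run_t)`. Note also that admin_pattern is wider than the removed manage_*_pattern rules (it presumably adds relabel permissions on nslcd_conf_t and nslcd_var_run_t), which the commit message does not mention and is worth a line there.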
--- a/policy/modules/services/arpwatch.if +++ b/policy/modules/services/arpwatch.if @@ -137,7 +137,7 @@ interface(`arpwatch_admin',` type arpwatch_initrc_exec_t; ') - allow $1 arpwatch_t:process { ptrace signal_perms getattr }; + allow $1 arpwatch_t:process { ptrace signal_perms }; ps_process_pattern($1, arpwatch_t) arpwatch_initrc_domtrans($1) diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if index 8b8143ef..c1a2b964 100644 --- a/policy/modules/services/asterisk.if +++ b/policy/modules/services/asterisk.if @@ -64,7 +64,7 @@ interface(`asterisk_admin',` type asterisk_initrc_exec_t; ') - allow $1 asterisk_t:process { ptrace signal_perms getattr }; + allow $1 asterisk_t:process { ptrace signal_perms }; ps_process_pattern($1, asterisk_t) init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if index bba047d9..f3848484 100644 --- a/policy/modules/services/automount.if +++ b/policy/modules/services/automount.if @@ -150,7 +150,7 @@ interface(`automount_admin',` type automount_var_run_t, automount_initrc_exec_t; ') - allow $1 automount_t:process { ptrace signal_perms getattr }; + allow $1 automount_t:process { ptrace signal_perms }; ps_process_pattern($1, automount_t) init_labeled_script_domtrans($1, automount_initrc_exec_t) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if index e80f8c06..6b240d98 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if @@ -144,7 +144,7 @@ interface(`ntp_admin',` type ntpd_initrc_exec_t; ') - allow $1 ntpd_t:process { ptrace signal_perms getattr }; + allow $1 ntpd_t:process { ptrace signal_perms }; ps_process_pattern($1, ntpd_t) init_labeled_script_domtrans($1, ntpd_initrc_exec_t) From d183137edbe3dce1347d575bc14446e305a4ad85 Mon Sep 17 00:00:00 2001 
From: Dominick Grift Date: Wed, 15 Sep 2010 12:17:22 +0200 Subject: [PATCH 21/29] XML summary fix. XML summary fix. XML summary fix. Signed-off-by: Dominick Grift --- policy/modules/services/hal.if | 4 ++-- policy/modules/services/jabber.if | 2 +- policy/modules/services/oddjob.if | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if index 4e8c0425..0d50d0d5 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if @@ -383,7 +383,7 @@ interface(`hal_read_pid_files',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # @@ -458,7 +458,7 @@ interface(`hal_manage_pid_files',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if index 2873e8f8..f17e6297 100644 --- a/policy/modules/services/jabber.if +++ b/policy/modules/services/jabber.if @@ -61,7 +61,7 @@ interface(`jabberd_read_lib_files',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if index 85f6ada5..ca33ae3d 100644 --- a/policy/modules/services/oddjob.if +++ b/policy/modules/services/oddjob.if @@ -29,7 +29,7 @@ interface(`oddjob_domtrans',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # From 1215dfb87cb9773baa25e6d9be4718a53f90578b Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 13:05:32 +0200 Subject: [PATCH 22/29] Allow pads_admin to search parent directories to be able to interact with pads content. Allow plymouthd_admin to search parent directories to be able to interact with plymouthd content. Allow postgresql admin to search parent directories to be able to manage postgresql content. Allow prelude_admin to search parent directories to be able to manage prelude content. 
Signed-off-by: Dominick Grift --- policy/modules/services/pads.if | 3 +++ policy/modules/services/plymouthd.if | 2 ++ policy/modules/services/postgresql.if | 3 +++ policy/modules/services/prelude.if | 7 +++++++ 4 files changed, 15 insertions(+) diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if index 8ac407e5..4452d3b1 100644 --- a/policy/modules/services/pads.if +++ b/policy/modules/services/pads.if @@ -39,6 +39,9 @@ interface(`pads_admin', ` role_transition $2 pads_initrc_exec_t system_r; allow $2 system_r; + files_search_pids($1) admin_pattern($1, pads_var_run_t) + + files_search_etc($1) admin_pattern($1, pads_config_t) ') diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if index 9759ed80..e90b2a12 100644 --- a/policy/modules/services/plymouthd.if +++ b/policy/modules/services/plymouthd.if @@ -252,9 +252,11 @@ interface(`plymouthd_admin', ` allow $1 plymouthd_t:process { ptrace signal_perms getattr }; read_files_pattern($1, plymouthd_t, plymouthd_t) + files_search_var_lib($1) admin_pattern($1, plymouthd_spool_t) admin_pattern($1, plymouthd_var_lib_t) + files_search_pids($1) admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 539a7c9a..85699e58 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -441,10 +441,13 @@ interface(`postgresql_admin',` admin_pattern($1, postgresql_var_run_t) + files_search_var_lib($1) admin_pattern($1, postgresql_db_t) + files_search_etc($1) admin_pattern($1, postgresql_etc_t) + logging_search_logs($1) admin_pattern($1, postgresql_log_t) admin_pattern($1, postgresql_tmp_t) diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if index 23166537..e4d87971 100644 --- a/policy/modules/services/prelude.if +++ b/policy/modules/services/prelude.if 
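Review bot: `admin_pattern($1, plymouthd_spool_t)` gets no parent-directory search while the var_lib and pid types do; if plymouthd_spool_t labels something under /var/spool, the admin domain also needs `files_search_spool($1)` before that line. The context lines `allow $1 plymouthd_t:process { ptrace signal_perms getattr };` and `read_files_pattern($1, plymouthd_t, plymouthd_t)` are the form this series replaces elsewhere with ps_process_pattern, and patch 23 does so for plymouthd, so the two changes could have been one. plymouthd_admin starts before the hunk.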
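Review bot: `admin_pattern($1, postgresql_tmp_t)` at the end of the hunk is the one type here still without a parent search; for consistency with the var_lib, etc and log additions it needs `files_search_tmp($1)` unless that is granted elsewhere in postgresql_admin, which extends beyond the hunk in both directions. The same question applies to `admin_pattern($1, postgresql_var_run_t)` at the top unless `files_search_pids($1)` already precedes it outside the hunk.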
@@ -136,9 +136,16 @@ interface(`prelude_admin',` allow $2 system_r; admin_pattern($1, prelude_spool_t) + + files_search_var_lib($1) admin_pattern($1, prelude_var_lib_t) + + files_search_pids($1) admin_pattern($1, prelude_var_run_t) admin_pattern($1, prelude_audisp_var_run_t) + + files_search_tmp($1) admin_pattern($1, prelude_lml_tmp_t) + admin_pattern($1, prelude_lml_var_run_t) ') From 39e118bc1559366b015d2ad0c0952b7089bb7686 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 10:20:36 +0200 Subject: [PATCH 23/29] Use ps_process_pattern to read state. Access to get attributes of target afs_t domain is included with ps_process_pattern. Use ps_process_pattern to read state. Access to get attributes of target boinc_t domain is included with ps_process_pattern. Use ps_process_pattern to read state. Access to get attributes of target cobblerd_t domain is included with ps_process_pattern. Use ps_process_pattern to read state. Permission to get attributes of target exim_t domain is included with ps_process_pattern. Use ps_process_pattern to read state. Access to get attributes of target plymouthd_t domain is included with ps_process_pattern. Use ps_process_pattern to read state. Access to get attributes of target pportreserve_t domain is included with ps_process_pattern. Use ps_process_pattern to read state. Access to get attributes of target postfix domains is included with ps_process_pattern. Use ps_process_pattern to read state. Permission to get attributes of target qpidd_t domain is included with ps_process_pattern. 
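Review bot: `admin_pattern($1, prelude_spool_t)` is the only type in this hunk left without a parent search; the var_lib, pid and tmp types all get one, so `files_search_spool($1)` should precede it for the same reason, assuming prelude_spool_t labels a /var/spool path. Also `admin_pattern($1, prelude_lml_var_run_t)` is added under `files_search_tmp($1)` although it is a pid type; placing it next to the other two var_run types under `files_search_pids($1)` keeps the grouping honest. prelude_admin starts before the hunk.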
Signed-off-by: Dominick Grift --- policy/modules/services/afs.if | 4 ++-- policy/modules/services/boinc.if | 4 ++-- policy/modules/services/cobbler.if | 4 ++-- policy/modules/services/exim.if | 4 ++-- policy/modules/services/plymouthd.if | 4 ++-- policy/modules/services/portreserve.if | 4 ++-- policy/modules/services/postfix.if | 28 +++++++++++++------------- policy/modules/services/qpidd.if | 4 ++-- 8 files changed, 28 insertions(+), 28 deletions(-) diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if index 8559cdc6..49c0cc8c 100644 --- a/policy/modules/services/afs.if +++ b/policy/modules/services/afs.if @@ -97,8 +97,8 @@ interface(`afs_admin',` type afs_t, afs_initrc_exec_t; ') - allow $1 afs_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, afs_t, afs_t) + allow $1 afs_t:process { ptrace signal_perms }; + ps_process_pattern($1, afs_t) # Allow afs_admin to restart the afs service afs_initrc_domtrans($1) diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if index 9f4885c7..272bf743 100644 --- a/policy/modules/services/boinc.if +++ b/policy/modules/services/boinc.if @@ -138,8 +138,8 @@ interface(`boinc_admin',` type boinc_var_lib_t; ') - allow $1 boinc_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, boinc_t, boinc_t) + allow $1 boinc_t:process { ptrace signal_perms }; + ps_process_pattern($1, boinc_t) boinc_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if index 1bdfe84c..b2198bb0 100644 --- a/policy/modules/services/cobbler.if +++ b/policy/modules/services/cobbler.if 
@@ -191,8 +191,8 @@ interface(`cobblerd_admin',` type httpd_cobbler_content_rw_t; ') - allow $1 cobblerd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, cobblerd_t, cobblerd_t) + allow $1 cobblerd_t:process { ptrace signal_perms }; + ps_process_pattern($1, cobblerd_t) files_search_etc($1) admin_pattern($1, cobbler_etc_t) diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if index 02179063..1685c5d5 100644 --- a/policy/modules/services/exim.if +++ b/policy/modules/services/exim.if @@ -235,8 +235,8 @@ interface(`exim_admin', ` type exim_tmp_t, exim_spool_t, exim_var_run_t; ') - allow $1 exim_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, exim_t, exim_t) + allow $1 exim_t:process { ptrace signal_perms }; + ps_process_pattern($1, exim_t) exim_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if index e90b2a12..fecc0dc3 100644 --- a/policy/modules/services/plymouthd.if +++ b/policy/modules/services/plymouthd.if @@ -249,8 +249,8 @@ interface(`plymouthd_admin', ` type plymouthd_var_run_t; ') - allow $1 plymouthd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, plymouthd_t, plymouthd_t) + allow $1 plymouthd_t:process { ptrace signal_perms }; + ps_process_pattern($1, plymouthd_t) files_search_var_lib($1) admin_pattern($1, plymouthd_spool_t) diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if index 4af4422f..d91c1f5a 100644 --- a/policy/modules/services/portreserve.if +++ b/policy/modules/services/portreserve.if 
@@ -105,8 +105,8 @@ interface(`portreserve_admin', ` type portreserve_initrc_exec_t, portreserve_var_run_t; ') - allow $1 portreserve_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, portreserve_t, portreserve_t) + allow $1 portreserve_t:process { ptrace signal_perms }; + ps_process_pattern($1, portreserve_t) portreserve_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index b6d763d0..cfcbac74 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if 
@@ -691,26 +691,26 @@ interface(`postfix_admin', ` type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; ') - allow $1 postfix_bounce_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, postfix_bounce_t, postfix_bounce_t) + allow $1 postfix_bounce_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_bounce_t) - allow $1 postfix_cleanup_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, postfix_cleanup_t, postfix_cleanup_t) + allow $1 postfix_cleanup_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_cleanup_t) - allow $1 postfix_local_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, postfix_local_t, postfix_local_t) + allow $1 postfix_local_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_local_t) - allow $1 postfix_master_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, postfix_master_t, postfix_master_t) + allow $1 postfix_master_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_master_t) - allow $1 postfix_pickup_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, postfix_pickup_t, postfix_pickup_t) + allow $1 postfix_pickup_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_pickup_t) - allow $1 postfix_qmgr_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, postfix_qmgr_t, postfix_qmgr_t) + allow $1 postfix_qmgr_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_qmgr_t) - allow $1 postfix_smtpd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, postfix_smtpd_t, postfix_smtpd_t) + allow $1 postfix_smtpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_smtpd_t) postfix_run_map($1,$2) postfix_run_postdrop($1,$2) diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if index 039bd27f..5dbca44f 100644 --- a/policy/modules/services/qpidd.if +++ b/policy/modules/services/qpidd.if 
@@ -179,8 +179,8 @@ interface(`qpidd_admin',` type qpidd_t; ') - allow $1 qpidd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, qpidd_t, qpidd_t) + allow $1 qpidd_t:process { ptrace signal_perms }; + ps_process_pattern($1, qpidd_t) gen_require(` From 4eaffd271f30a4447134a7b7c691b415a6054fd6 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 13:37:04 +0200 Subject: [PATCH 24/29] Access to get attributes of target pppd_t domain is included with ps_process_pattern. Access to get attributes of target privoxy_t domain is included with ps_process_pattern. Access to get attributes of target radiusd_t domain is included with ps_process_pattern. Signed-off-by: Dominick Grift --- policy/modules/services/ppp.if | 4 ++-- policy/modules/services/privoxy.if | 2 +- policy/modules/services/radius.if | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index b5246732..f916c76b 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -360,7 +360,7 @@ interface(`ppp_admin',` type pppd_initrc_exec_t; ') - allow $1 pppd_t:process { ptrace signal_perms getattr }; + allow $1 pppd_t:process { ptrace signal_perms }; ps_process_pattern($1, pppd_t) ppp_initrc_domtrans($1) @@ -386,7 +386,7 @@ interface(`ppp_admin',` files_list_pids($1) admin_pattern($1, pppd_var_run_t) - allow $1 pptp_t:process { ptrace signal_perms getattr }; + allow $1 pptp_t:process { ptrace signal_perms }; ps_process_pattern($1, pptp_t) admin_pattern($1, pptp_log_t) diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if index 1da26dc4..c8f6cb52 100644 --- a/policy/modules/services/privoxy.if +++ b/policy/modules/services/privoxy.if 
@@ -24,7 +24,7 @@ interface(`privoxy_admin',` type privoxy_initrc_exec_t; ') - allow $1 privoxy_t:process { ptrace signal_perms getattr }; + allow $1 privoxy_t:process { ptrace signal_perms }; ps_process_pattern($1, privoxy_t) init_labeled_script_domtrans($1, privoxy_initrc_exec_t) diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if index 9a78598e..8f132e76 100644 --- a/policy/modules/services/radius.if +++ b/policy/modules/services/radius.if @@ -38,7 +38,7 @@ interface(`radius_admin',` type radiusd_initrc_exec_t; ') - allow $1 radiusd_t:process { ptrace signal_perms getattr }; + allow $1 radiusd_t:process { ptrace signal_perms }; ps_process_pattern($1, radiusd_t) init_labeled_script_domtrans($1, radiusd_initrc_exec_t) From 87cd6eef3a1630f222244896b5f43ada8e3020b4 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 13:54:26 +0200 Subject: [PATCH 25/29] Reduntant: Is already included with userdom_search_user_home_dirs. Signed-off-by: Dominick Grift --- policy/modules/services/razor.if | 1 - 1 file changed, 1 deletion(-) diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if index 90115064..13ad2fe0 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if @@ -174,7 +174,6 @@ template(`razor_manage_user_home_files',` type razor_home_t; ') - files_search_home($1) userdom_search_user_home_dirs($1) manage_files_pattern($1, razor_home_t, razor_home_t) read_lnk_files_pattern($1, razor_home_t, razor_home_t) From ad424545db098b62714082d0b00c59002df657fa Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 10:17:37 +0200 Subject: [PATCH 26/29] Use ps_process_pattern to read state. Use ps_process_pattern. Signed-off-by: Dominick Grift --- policy/modules/services/rgmanager.if | 2 +- policy/modules/system/udev.if | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) 
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if index 91dbe719..aaf7c852 100644 --- a/policy/modules/services/rgmanager.if +++ b/policy/modules/services/rgmanager.if @@ -118,7 +118,7 @@ interface(`rgmanager_admin',` ') allow $1 rgmanager_t:process { ptrace signal_perms }; - read_files_pattern($1, rgmanager_t, rgmanager_t) + ps_process_pattern($1, rgmanager_t) init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index 59bc26b3..5b277ea4 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -89,8 +89,7 @@ interface(`udev_read_state',` ') kernel_search_proc($1) - allow $1 udev_t:file read_file_perms; - allow $1 udev_t:lnk_file read_lnk_file_perms; + ps_process_pattern($1, udev_t) ') ######################################## From ac13ad949bc4e64804a7e86a694248e2bcae02ad Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 13:30:49 +0200 Subject: [PATCH 27/29] Use stream connect pattern. Use stream_connect_pattern. Use stream_connect_pattern. Use stream_connect_pattern. Signed-off-by: Dominick Grift --- policy/modules/services/postgresql.if | 6 ++---- policy/modules/services/resmgr.if | 3 +-- policy/modules/services/ricci.if | 3 +-- policy/modules/services/rpcbind.if | 3 +-- 4 files changed, 5 insertions(+), 10 deletions(-) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 85699e58..2c6b7232 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if 
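Review bot: ps_process_pattern($1, udev_t) grants more than the two removed rules in udev_read_state: besides the file and lnk_file reads it adds, as I read the macro, `udev_t:dir list_dir_perms` and `udev_t:process getattr` (patch 24's subject confirms the getattr part), so the interface becomes a little wider than "read state" implies. This matches what patch 03 did for automount and is probably intended, but the interface's description above the hunk should say that it also permits listing the process's /proc directory and getattr on the process. The rgmanager_admin hunk in the same commit widens in the same way, since its process rule does not carry getattr and the old read_files_pattern covered files only. Both interfaces begin before their hunks.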
@@ -312,10 +312,8 @@ interface(`postgresql_stream_connect',` ') files_search_pids($1) - allow $1 postgresql_t:unix_stream_socket connectto; - allow $1 postgresql_var_run_t:sock_file write; - # Some versions of postgresql put the sock file in /tmp - allow $1 postgresql_tmp_t:sock_file write; + files_search_tmp($1) + stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t) ') ######################################## diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if index d457736d..eabdd784 100644 --- a/policy/modules/services/resmgr.if +++ b/policy/modules/services/resmgr.if @@ -16,7 +16,6 @@ interface(`resmgr_stream_connect',` type resmgrd_var_run_t, resmgrd_t; ') - allow $1 resmgrd_t:unix_stream_socket connectto; - allow $1 resmgrd_var_run_t:sock_file { getattr write }; files_search_pids($1) + stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t) ') diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if index f3260853..ecc341c8 100644 --- a/policy/modules/services/ricci.if +++ b/policy/modules/services/ricci.if @@ -108,8 +108,7 @@ interface(`ricci_stream_connect_modclusterd',` ') files_search_pids($1) - allow $1 ricci_modcluster_var_run_t:sock_file write; - allow $1 ricci_modclusterd_t:unix_stream_socket connectto; + stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t) ') ######################################## diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if index ca97ead4..bd3c6b8a 100644 --- a/policy/modules/services/rpcbind.if +++ b/policy/modules/services/rpcbind.if 
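Review bot: The removed comment `# Some versions of postgresql put the sock file in /tmp` was the only explanation of why postgresql_tmp_t appears in postgresql_stream_connect, and the new one-liner loses it; keep it on the line above the stream_connect_pattern() call. The pattern also grants more than the removed rules did: search on the postgresql_var_run_t and postgresql_tmp_t directories, and write_sock_file_perms (which, if I read the set right, carries getattr and open as well) instead of bare write on the sock files — acceptable for a connect interface, but worth a word in the commit message. The same write → write_sock_file_perms widening applies to the resmgr and ricci hunks here and to rpcbind_stream_connect on the next line. Minor: `postgresql_tmp_t}` is missing the space before the closing brace, twice. The gen_require of each interface is above its hunk.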
@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',` ') files_search_pids($1) - allow $1 rpcbind_var_run_t:sock_file write; - allow $1 rpcbind_t:unix_stream_socket connectto; + stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t) ') ######################################## From 4ec4a49e8ae12af3abcbb5b1f01021cd7379e15c Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 14:16:05 +0200 Subject: [PATCH 28/29] Add missing admin_patterns to rpcbind_admin. Signed-off-by: Dominick Grift --- policy/modules/services/rpcbind.if | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if index bd3c6b8a..5a4d69d2 100644 --- a/policy/modules/services/rpcbind.if +++ b/policy/modules/services/rpcbind.if @@ -144,4 +144,10 @@ interface(`rpcbind_admin',` domain_system_change_exemption($1) role_transition $2 rpcbind_initrc_exec_t system_r; allow $2 system_r; + + files_search_var_lib($1) + admin_pattern($1, rpcbind_var_lib_t) + + files_search_pids($1) + admin_pattern($1, rpcbind_var_run_t) ') From 83029ff3c562353395850162a9ea9def25f4254f Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 14:57:02 +0200 Subject: [PATCH 29/29] Use relabel permission sets where possible. Signed-off-by: Dominick Grift --- policy/modules/admin/logrotate.te | 2 +- policy/modules/admin/prelink.te | 2 +- policy/modules/kernel/terminal.if | 6 +++--- policy/modules/services/lpd.if | 2 +- policy/modules/services/puppet.te | 8 ++++---- policy/modules/services/rpc.if | 2 +- policy/modules/services/virt.te | 4 ++-- policy/modules/system/authlogin.if | 2 +- policy/modules/system/logging.if | 4 ++-- policy/modules/system/userdomain.if | 2 +- 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 23ef05f5..dd4cd300 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te 
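Review bot: The four lines added to rpcbind_admin reference rpcbind_var_lib_t and rpcbind_var_run_t, but the interface's gen_require block lies above the hunk and is not touched by this commit; if those two types are not already declared there the module fails to build with an undeclared-type error, the same class of defect patches 02 and 05 fix. Please confirm the block lists them, for example (constructed) `type rpcbind_t, rpcbind_initrc_exec_t, rpcbind_var_lib_t, rpcbind_var_run_t;`. It is also possible that `files_search_pids($1)` is already called earlier in the interface and the new call is redundant; that cannot be told from the hunk.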
@@ -127,7 +127,7 @@ cron_search_spool(logrotate_t) mta_send_mail(logrotate_t) ifdef(`distro_debian', ` - allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; + allow logrotate_t logrotate_tmp_t:file relabel_file_perms; # for savelog can_exec(logrotate_t, logrotate_exec_t) diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index cdbaddac..0faba2af 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -63,7 +63,7 @@ files_search_var_lib(prelink_t) # prelink misc objects that are not system # libraries or entrypoints -allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; +allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms }; kernel_read_system_state(prelink_t) kernel_read_kernel_sysctls(prelink_t) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index f9930a37..87a69423 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -336,7 +336,7 @@ interface(`term_relabel_console',` ') dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file { relabelfrom relabelto }; + allow $1 console_device_t:chr_file relabel_chr_file_perms; ') ######################################## @@ -1118,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',` ') dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file { relabelfrom relabelto }; + allow $1 tty_device_t:chr_file relabel_chr_file_perms; ') ######################################## @@ -1300,7 +1300,7 @@ interface(`term_relabel_all_ttys',` ') dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file { relabelfrom relabelto }; + allow $1 ttynode:chr_file relabel_chr_file_perms; ') ######################################## diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if index a4f32f54..d801ec0e 100644 --- a/policy/modules/services/lpd.if +++ b/policy/modules/services/lpd.if 
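Review bot: The relabel_*_perms sets carry getattr in addition to relabelfrom and relabelto, so every hunk in this commit grants slightly more than the `{ relabelfrom relabelto }` pair it replaces; for logrotate, prelink, puppet and virt the subject already has getattr through its manage/rw sets, but in term_relabel_console, term_relabel_unallocated_ttys and term_relabel_all_ttys, and especially in auth_relabel_shadow later in this commit, the interface itself now hands out getattr on the target, and for shadow_t getattr is a permission the policy is otherwise careful about. That is reasonable for a relabel operation, which normally stats the file first, but the commit message should state it rather than only "where possible", e.g. `Note: the relabel_*_perms sets also include getattr.` The interfaces begin before their hunks.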
@@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',` ') files_search_spool($1) - allow $1 print_spool_t:file { relabelto relabelfrom }; + allow $1 print_spool_t:file relabel_file_perms; ') ######################################## diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te index 3588ebb9..95872242 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -179,21 +179,21 @@ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr }; allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr }; logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) -allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto }; +allow puppetmaster_t puppet_log_t:file relabel_file_perms; manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) -allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto }; +allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) -allow puppetmaster_t puppet_var_run_t:dir { relabelfrom relabelto }; +allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) -allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto }; +allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms; kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_system_state(puppetmaster_t) 
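Review bot: The rewritten line `allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;` grants relabel on puppet_tmp_t, while the three lines directly above it manage puppetmaster_tmp_t and the filetrans targets puppetmaster_tmp_t; if the tmp type puppetmaster relabels is its own, the type here should be puppetmaster_tmp_t. The mismatch predates this commit, but since the line is being rewritten anyway this is the moment to confirm which is meant; the hunk alone does not show whether puppetmaster legitimately relabels the agent's puppet_tmp_t. The lpd_relabel_spool hunk above is a straight set substitution and needs nothing further.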
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index b0eac5b4..b65be0cc 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -434,5 +434,5 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) - allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index f38e1ce3..5d16d55e 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -238,8 +238,8 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) -allow virtd_t virt_image_type:file { relabelfrom relabelto }; -allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; +allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index bd3185eb..58192113 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -741,7 +741,7 @@ interface(`auth_relabel_shadow',` ') files_search_etc($1) - allow $1 shadow_t:file { relabelfrom relabelto }; + allow $1 shadow_t:file relabel_file_perms; typeattribute $1 can_relabelto_shadow_passwords; ') diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index aa09d1c7..453377e8 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if 
@@ -1033,8 +1033,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) - allow $1 logfile:dir { relabelfrom relabelto }; - allow $1 logfile:file { relabelfrom relabelto }; + allow $1 logfile:dir relabel_dir_perms; + allow $1 logfile:file relabel_file_perms; init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index c67c8e8a..0a771a8a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1781,7 +1781,7 @@ interface(`userdom_relabel_user_home_files',` type user_home_t; ') - allow $1 user_home_t:file { relabelto relabelfrom }; + allow $1 user_home_t:file relabel_file_perms; ') ########################################