rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

patch from dan Fri, 27 Jan 2006 01:37:19 -0500

Browse Source
This commit is contained in:
Chris PeBenito 2006-01-27 20:13:08 +00:00
parent 270d428a46
commit 51a89cc574
18 changed files with 88 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
refpolicy/policy/modules/admin/rpm.fc
View File

@ -14,8 +14,10 @@
ifdef(`distro_redhat', `
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)

1
refpolicy/policy/modules/admin/rpm.if
View File

@ -71,6 +71,7 @@ interface(`rpm_run',`
rpm_domtrans($1)
role $2 types rpm_t;
role $2 types rpm_script_t;
seutil_run_loadpol(rpm_script_t,$2,$3)
allow rpm_t $3:chr_file rw_term_perms;
')

3
refpolicy/policy/modules/admin/rpm.te
View File

@ -1,5 +1,5 @@
policy_module(rpm,1.2.0)
policy_module(rpm,1.2.1)
########################################
#
@ -288,6 +288,7 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
term_use_all_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
# ideally we would not need this

4
refpolicy/policy/modules/apps/mono.te
View File

@ -1,5 +1,5 @@
policy_module(mono,1.0.0)
policy_module(mono,1.0.1)
########################################
#
@ -18,7 +18,7 @@ domain_entry_file(mono_t,mono_exec_t)
#
ifdef(`targeted_policy',`
allow mono_t self:process execheap;
allow mono_t self:process { execheap execmem };
unconfined_domain_template(mono_t)
role system_r types mono_t;
')

5
refpolicy/policy/modules/kernel/files.fc
View File

@ -125,6 +125,11 @@ HOME_ROOT/lost\+found/.* <<none>>
/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/mnt/[^/]*/.* <<none>>
#
# /net
#
/net -d gen_context(system_u:object_r:mnt_t,s0)
#
# /opt
#

2
refpolicy/policy/modules/kernel/files.if
View File

@ -321,7 +321,7 @@ interface(`files_list_non_security',`
attribute file_type, security_file_type;
')
dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
allow $1 { file_type -security_file_type }:dir r_dir_perms;
')
########################################

16
refpolicy/policy/modules/kernel/filesystem.if
View File

@ -969,6 +969,22 @@ interface(`fs_read_eventpollfs',`
allow $1 eventpollfs_t:file r_file_perms;
')
########################################
## <summary>
## Search inotifyfs filesystem.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`fs_search_inotifyfs',`
gen_require(`
type inotifyfs_t;
')
allow $1 inotifyfs_t:dir search_dir_perms;
')
########################################
## <summary>
## Mount an iso9660 filesystem, which

2
refpolicy/policy/modules/kernel/storage.fc
View File

@ -42,8 +42,8 @@ ifdef(`distro_redhat', `
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,s15:c0.c255)
/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)

3
refpolicy/policy/modules/services/cups.te
View File

@ -1,5 +1,5 @@
policy_module(cups,1.2.0)
policy_module(cups,1.2.1)
########################################
#
@ -148,6 +148,7 @@ fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
term_dontaudit_use_console(cupsd_t)
term_write_unallocated_ttys(cupsd_t)
auth_domtrans_chk_passwd(cupsd_t)
auth_dontaudit_read_pam_pid(cupsd_t)

4
refpolicy/policy/modules/services/hal.te
View File

@ -1,5 +1,5 @@
policy_module(hal,1.2.1)
policy_module(hal,1.2.2)
########################################
#
@ -116,6 +116,8 @@ term_dontaudit_use_unallocated_tty(hald_t)
init_use_fd(hald_t)
init_use_script_pty(hald_t)
init_domtrans_script(hald_t)
init_write_initctl(hald_t)
init_read_utmp(hald_t)
libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t)

3
refpolicy/policy/modules/system/locallogin.te
View File

@ -1,5 +1,5 @@
policy_module(locallogin,1.1.1)
policy_module(locallogin,1.1.2)
########################################
#
@ -239,6 +239,7 @@ allow sulogin_t self:msg { send receive };
kernel_read_system_state(sulogin_t)
fs_search_auto_mountpoints(sulogin_t)
fs_use_tmpfs_chr_dev(sulogin_t)
files_read_etc_files(sulogin_t)
# because file systems are not mounted:

4
refpolicy/policy/modules/system/modutils.te
View File

@ -1,5 +1,5 @@
policy_module(modutils,1.0.0)
policy_module(modutils,1.0.1)
gen_require(`
bool secure_mode_insmod;
@ -113,6 +113,8 @@ logging_search_logs(insmod_t)
miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t)
if( ! secure_mode_insmod ) {
kernel_domtrans_to(insmod_t,insmod_exec_t)
}

4
refpolicy/policy/modules/system/selinuxutil.te
View File

@ -1,5 +1,5 @@
policy_module(selinuxutil,1.1.1)
policy_module(selinuxutil,1.1.2)
gen_require(`
bool secure_mode;
@ -414,7 +414,7 @@ ifdef(`targeted_policy',`',`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read };
allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit

3
refpolicy/policy/modules/system/udev.te
View File

@ -1,5 +1,5 @@
policy_module(udev,1.2.0)
policy_module(udev,1.2.1)
########################################
#
@ -90,6 +90,7 @@ dev_rw_generic_file(udev_t)
dev_delete_generic_file(udev_t)
fs_getattr_all_fs(udev_t)
fs_search_inotifyfs(udev_t)
selinux_get_fs_mount(udev_t)
selinux_validate_context(udev_t)

5
refpolicy/policy/modules/system/unconfined.if
View File

@ -54,8 +54,13 @@ template(`unconfined_domain_template',`
tunable_policy(`allow_execmem && allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1 self:process execstack;
', `
# These are fairly common but seem to be harmless
# caused by using shared libraries built with old tool chains
dontaudit $1 self:process execstack;
')
optional_policy(`authlogin',`
auth_unconfined($1)
')

2
refpolicy/policy/modules/system/unconfined.te
View File

@ -1,5 +1,5 @@
policy_module(unconfined,1.2.1)
policy_module(unconfined,1.2.2)
########################################
#

3
refpolicy/policy/modules/system/userdomain.if
View File

@ -848,9 +848,6 @@ template(`admin_user_template',`
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
selinux_set_enforce_mode($1_t)
selinux_set_boolean($1_t)
selinux_set_parameters($1_t)
# Get security policy decisions:
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)

45
refpolicy/policy/modules/system/userdomain.te
View File

@ -1,5 +1,5 @@
policy_module(userdomain,1.2.4)
policy_module(userdomain,1.2.5)
gen_require(`
role sysadm_r, staff_r, user_r;
@ -156,14 +156,21 @@ ifdef(`targeted_policy',`
mls_process_read_up(sysadm_t)
logging_read_audit_log(sysadm_t)
ifdef(`direct_sysadm_daemon',`
optional_policy(`init',`
init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
')
')
ifdef(`enable_mls',`
logging_read_audit_log(secadm_t)
logging_domtrans_auditctl(secadm_t)
mls_process_read_up(secadm_t)
', `
logging_domtrans_auditctl(sysadm_t)
logging_read_audit_log(sysadm_t)
')
tunable_policy(`allow_ptrace',`
domain_ptrace_all_domains(sysadm_t)
')
@ -205,12 +212,20 @@ ifdef(`targeted_policy',`
optional_policy(`consoletype',`
consoletype_exec(sysadm_t)
ifdef(`enable_mls',`
consoletype_exec(secadm_t)
')
')
optional_policy(`ddcprobe',`
ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`dmesg',`
dmesg_exec(sysadm_t)
')
optional_policy(`dmidecode',`
dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
')
@ -320,13 +335,27 @@ ifdef(`targeted_policy',`
')
optional_policy(`selinuxutil',`
seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
ifdef(`targeted_policy',`',`
seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
ifdef(`enable_mls',`
selinux_set_enforce_mode(secadm_t)
selinux_set_boolean(secadm_t)
selinux_set_parameters(secadm_t)
seutil_manage_binary_pol(secadm_t)
seutil_run_checkpol(secadm_t,secadm_r,admin_terminal)
seutil_run_loadpol(secadm_t,secadm_r,admin_terminal)
seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
', `
selinux_set_enforce_mode(sysadm_t)
selinux_set_boolean(sysadm_t)
selinux_set_parameters(sysadm_t)
seutil_manage_binary_pol(sysadm_t)
seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
')
')