From 5bf9deb5bb62ce8a0ad2281019a3a4f7d9571148 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 20 Jun 2007 19:47:10 +0000
Subject: [PATCH] trunk: 3 patches from dan

---
 Changelog | 1 +
 policy/modules/kernel/corecommands.fc | 2 +
 policy/modules/kernel/corecommands.if | 18 +++++++++
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/files.fc | 2 +-
 policy/modules/kernel/files.if | 46 +++++++++++++++++++---
 policy/modules/kernel/files.te | 2 +-
 policy/modules/kernel/filesystem.if | 56 +++++++++++++++++++++++++++
 policy/modules/kernel/filesystem.te | 29 +++++++++++++-
 policy/modules/kernel/selinux.if | 37 ++++++++++++++++++
 policy/modules/kernel/selinux.te | 2 +-
 11 files changed, 187 insertions(+), 10 deletions(-)

diff --git a/Changelog b/Changelog
index 1b2e5a46..dc7b54a7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Filesystem updates from Dan Walsh.
 - Large samba update from Dan Walsh.
 - Drop snmpd_etc_t.
 - Confine sendmail and logrotate on targeted.
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index d422ed89..108106a5 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -189,6 +189,7 @@ ifdef(`distro_gentoo', `
 ifdef(`distro_redhat', `
 /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
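Review bot: The new `/usr/lib/vmware-tools/sbin32(/.*)?` entry is added inside the distro_redhat ifdef block that the hunk's first context line opens, yet nothing about VMware Tools is Red Hat specific; unless this sbin32 layout is a Red Hat packaging artefact (not determinable from the hunk), the entry belongs in the unconditional part of the file so other distributions label these helpers bin_t as well. The entry also omits the `--` qualifier that the neighbouring bluetooth entries carry, so the sbin32 directory itself and any symlinks beneath it get bin_t too; that matches the `/usr/lib/.*/program(/.*)?` entry above but is worth stating, e.g. `# label the sbin32 directory and its contents; helpers are executed directly`. The ifdef block opened above the hunk closes outside it.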
@@ -248,6 +249,7 @@ ifdef(`distro_suse', `
 /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
 /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index cb69796e..3de09696 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -929,6 +929,24 @@ interface(`corecmd_exec_all_executables',`
 	read_lnk_files_pattern($1,bin_t,exec_type)
 ')
 
+########################################
+##
+## Do not audit attempts to execute all executables.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corecmd_dontaudit_exec_all_executables',`
+	gen_require(`
+		attribute exec_type;
+	')
+
+	dontaudit $1 exec_type:file { execute execute_no_trans };
+')
+
 ########################################
 ##
 ## Create, read, write, and all executable files.
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index bf373cd8..4fa3ded3 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.6.0)
+policy_module(corecommands,1.6.1)
 
 ########################################
 #
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index d5aca091..0aa22666 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
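Review bot: `corecmd_dontaudit_exec_all_executables` silences execute and execute_no_trans denials on every file carrying the `exec_type` attribute, which is effectively every labeled executable on the system, so a domain that is genuinely misconfigured loses all audit evidence of it; the summary should spell out that breadth and the intended use. Suggest replacing the summary line with `## Do not audit attempts to execute any file with the exec_type attribute (execute and execute_no_trans). Intended for domains that probe executables they never run; it hides real misconfigurations, so prefer a narrower dontaudit where possible.` The parameter summary reads `Domain allowed access.`, which is the wording for allow interfaces; the sibling dontaudit interfaces in this tree use `Domain to not audit.` and this one should match. The preceding `corecmd_exec_all_executables` starts above the hunk.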
@@ -45,7 +45,6 @@ ifdef(`distro_suse',`
 /etc -d gen_context(system_u:object_r:etc_t,s0)
 /etc/.* gen_context(system_u:object_r:etc_t,s0)
 /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -54,6 +53,7 @@ ifdef(`distro_suse',`
 /etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
 /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 386e7ef3..cd51464b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -992,7 +992,7 @@ interface(`files_dontaudit_search_all_dirs',`
 		attribute file_type;
 	')
 
-	dontaudit $1 file_type:dir search;
+	dontaudit $1 file_type:dir search_dir_perms;
 ')
 
 ########################################
@@ -1320,7 +1320,7 @@ interface(`files_dontaudit_search_boot',`
 		type boot_t;
 	')
 
-	dontaudit $1 boot_t:dir search;
+	dontaudit $1 boot_t:dir search_dir_perms;
 ')
 
 ########################################
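Review bot: Removing the `/etc/asound\.state` entry makes that file fall through to the `/etc/.*` rule two lines above and be labeled `etc_t` rather than `etc_runtime_t`, and nothing in this commit assigns it another type; the domain that rewrites the saved mixer state at shutdown would therefore need write access to the far broader `etc_t` unless a dedicated type is declared in a module outside this patch (presumably an alsa module — confirm before merging). If such a type exists, a short comment next to `/etc/.*`, e.g. `# /etc/asound.state is labeled by the alsa module`, would stop the entry from being re-added here later. The new `/etc/mtab\.fuselock` entry in the second hunk correctly keeps the lock file in `etc_runtime_t` alongside `/etc/mtab`.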
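Review bot: Changing `files_dontaudit_search_all_dirs` from `search` to `search_dir_perms` also stops auditing `getattr` on every directory, but the interface summary (above the hunk) still describes it as a search-only dontaudit; the same applies to `files_dontaudit_search_boot` in the next hunk and to the `var_t`, `var_lock_t` and `var_run_t` hunks further down in this file. Each summary should be widened to match, e.g. `## Do not audit attempts to search or get the attributes of all directories.`, so callers know the silenced set grew. Any `files_dontaudit_search_*` interface not touched by this commit presumably still carries the bare `search` permission; a sweep for consistency would avoid two behaviours under one naming scheme. Each interface's opening line lies above its hunk.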
@@ -3308,6 +3308,24 @@ interface(`files_list_usr',`
 	allow $1 usr_t:dir list_dir_perms;
 ')
 
+########################################
+##
+## Add and remove entries from /usr directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_rw_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir rw_dir_perms;
+')
+
 ########################################
 ##
 ## Get the attributes of files in /usr.
@@ -3366,6 +3384,24 @@ interface(`files_exec_usr_files',`
 	read_lnk_files_pattern($1,usr_t,usr_t)
 ')
 
+########################################
+##
+## Create, read, write, and delete files in the /usr directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	manage_files_pattern($1, usr_t, usr_t)
+')
+
 ########################################
 ##
 ## Relabel a file to the type used in /usr.
@@ -3637,7 +3673,7 @@ interface(`files_dontaudit_search_var',`
 		type var_t;
 	')
 
-	dontaudit $1 var_t:dir search;
+	dontaudit $1 var_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -3993,7 +4029,7 @@ interface(`files_dontaudit_search_locks',`
 		type var_lock_t;
 	')
 
-	dontaudit $1 var_lock_t:dir search;
+	dontaudit $1 var_lock_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -4181,7 +4217,7 @@ interface(`files_dontaudit_search_pids',`
 		type var_run_t;
 	')
 
-	dontaudit $1 var_run_t:dir search;
+	dontaudit $1 var_run_t:dir search_dir_perms;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 0339a5d7..81473765 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.5.1)
+policy_module(files,1.5.2)
 
 ########################################
 #
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 172ce142..dc1bd814 100644
--- a/policy/modules/kernel/filesystem.if
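Review bot: `files_manage_usr_files` grants create, write and unlink on every file labeled `usr_t`, which under the /usr labeling covers most of the installed system, so the summary should make that breadth explicit for anyone choosing between it and a narrower interface: `## Create, read, write, and delete files labeled usr_t, i.e. most of /usr. This is a very broad permission; prefer a more specific type where one exists.` The same caveat belongs on `files_rw_usr_dirs` in the hunk above, whose `rw_dir_perms` allows adding and removing entries in any `usr_t` directory. As a point of style, `manage_files_pattern($1, usr_t, usr_t)` puts spaces after the commas while the surrounding file writes `read_lnk_files_pattern($1,usr_t,usr_t)`; `manage_files_pattern($1,usr_t,usr_t)` keeps the file's convention.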
+++ b/policy/modules/kernel/filesystem.if
@@ -1094,6 +1094,24 @@ interface(`fs_relabelfrom_dos_fs',`
 	allow $1 dosfs_t:filesystem relabelfrom;
 ')
 
+########################################
+##
+## Search dosfs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_search_dos',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:dir search_dir_perms;
+')
+
 ########################################
 ##
 ## Read files on a DOS filesystem.
@@ -1154,6 +1172,24 @@ interface(`fs_read_eventpollfs',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+########################################
+##
+## Mount a FUSE filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_mount_fusefs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:filesystem mount;
+')
+
 ########################################
 ##
 ## Search inotifyfs filesystem.
@@ -1268,6 +1304,26 @@ interface(`fs_getattr_iso9660_fs',`
 	allow $1 iso9660_t:filesystem getattr;
 ')
 
+########################################
+##
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_iso9660_files',`
+	gen_require(`
+		type iso9660_t;
+	')
+
+	allow $1 iso9660_t:dir list_dir_perms;
+	allow $1 iso9660_t:file getattr;
+')
+
 ########################################
 ##
 ## Read files on an iso9660 filesystem, which
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index ca7bf0da..f6a7c5b5 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.6.0)
+policy_module(filesystem,1.6.1)
 
 ########################################
 #
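Review bot: `fs_mount_fusefs` grants only `mount` on `fusefs_t`, and no unmount or remount counterpart is added anywhere in this commit, so the first domain to use it will hit an unaudited-by-nobody unmount denial as soon as it cleans up; either add a parallel `fs_unmount_fusefs` with `allow $1 fusefs_t:filesystem unmount;` or state in the summary that unmount is intentionally separate. The summary would also benefit from saying that everything on such a mount carries the single `fusefs_t` label because the type is declared with `fs_noxattr_type(fusefs_t)` in filesystem.te (visible later in this patch), which is what callers must understand when they grant access to it. The deprecated `fs_read_eventpollfs` above the hunk is unrelated context.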
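Review bot: The summary of `fs_getattr_iso9660_files` is copied from the neighbouring read interface and says `Read files on an iso9660 filesystem`, but the body only grants `dir list_dir_perms` and `file getattr`, so the documentation promises more than the interface delivers; change it to `## Get the attributes of files on an iso9660 filesystem, which is usually used on CDs.` If full directory listing rather than plain `search_dir_perms` is intended for reaching those files, a one-line why-comment above the `dir` rule would make that deliberate. The `fs_search_dos` hunk above is consistent in naming only with itself; its siblings here are `fs_relabelfrom_dos_fs` and `fs_read_dos_files`, so a name such as `fs_search_dos_dirs` would follow the file's object-noun convention.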
@@ -54,17 +54,29 @@ genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
 
 type capifs_t;
 fs_type(capifs_t)
+files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
 
 type configfs_t;
 fs_type(configfs_t)
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
 
+type cpusetfs_t;
+fs_type(cpusetfs_t)
+allow cpusetfs_t self:filesystem associate;
+genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
+
 type eventpollfs_t;
 fs_type(eventpollfs_t)
 # change to task SID 20060628
 #genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
 
+type fusefs_t;
+fs_noxattr_type(fusefs_t)
+allow fusefs_t self:filesystem associate;
+genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+
 type futexfs_t;
 fs_type(futexfs_t)
 genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
@@ -83,6 +95,11 @@ type inotifyfs_t;
 fs_type(inotifyfs_t)
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
 
+type mvfs_t;
+fs_noxattr_type(mvfs_t)
+allow mvfs_t self:filesystem associate;
+genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+
 type nfsd_fs_t;
 fs_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
@@ -105,6 +122,16 @@ fs_type(rpc_pipefs_t)
 genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
 files_mountpoint(rpc_pipefs_t)
 
+type spufs_t;
+fs_type(spufs_t)
+genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+files_mountpoint(spufs_t)
+
+type vxfs_t;
+fs_noxattr_type(vxfs_t)
+files_mountpoint(vxfs_t)
+genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
+
 #
 # tmpfs_t is the type for tmpfs filesystems
 #
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index a7d7e7ee..ed24ad2c 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
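Review bot: `vxfs_t` is declared with `fs_noxattr_type` exactly like `fusefs_t` and `mvfs_t` in the two hunks above, but it is the only one of the three without `allow vxfs_t self:filesystem associate;`; unless that rule is supplied through the noxattrfs attribute elsewhere in this file (not visible here — confirm), files on a VxFS mount, which take the filesystem's own type under `genfscon`, would fail the associate check while the other two work. Adding `allow vxfs_t self:filesystem associate;` directly after `fs_noxattr_type(vxfs_t)` keeps the three declarations parallel and makes any later audit of noxattr filesystems mechanical. The placement of `files_mountpoint()` is also inconsistent across the hunks: before `genfscon` for `capifs_t` and `vxfs_t`, after it for `spufs_t` and the existing `rpc_pipefs_t`; following the existing ordering in all new declarations would read better.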
@@ -30,6 +30,43 @@ interface(`selinux_get_fs_mount',`
 	kernel_read_system_state($1)
 ')
 
+########################################
+##
+## Get the attributes of the selinuxfs filesystem
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`selinux_getattr_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:filesystem getattr;
+')
+
+########################################
+##
+## Do not audit attempts to get the
+## attributes of the selinuxfs filesystem
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`selinux_dontaudit_getattr_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	dontaudit $1 security_t:filesystem getattr;
+')
+
 ########################################
 ##
 ## Do not audit attempts to get the
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index c1972e8d..a0561f0a 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,5 +1,5 @@
-policy_module(selinux,1.3.0)
+policy_module(selinux,1.3.1)
 
 ########################################
 #
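Review bot: The summaries of `selinux_getattr_fs` and `selinux_dontaudit_getattr_fs` say "get the attributes of the selinuxfs filesystem", and the existing interface that follows the hunk begins with the same words, so a reader cannot tell the filesystem-level `getattr` (statfs) these two grant from whatever directory or file getattr the next one covers. Making the object class explicit resolves it, e.g. `## Get the attributes (statfs) of the selinuxfs filesystem object; this does not grant access to its directories or files.` and the matching wording on the dontaudit. Both new summaries also lack the terminating period used by `Domain allowed access.` and `Domain to not audit.` in the same hunk.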