From 693d4aedb5156a18126cc111c71be586e29a7d6f Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 25 Sep 2006 18:53:06 +0000
Subject: [PATCH] patch from dan Fri, 22 Sep 2006 16:30:34 -0400

---
 Changelog                                 |  1 +
 policy/global_tunables                    |  7 ++++++
 policy/modules/admin/bootloader.fc        |  4 +++-
 policy/modules/admin/bootloader.te        |  2 +-
 policy/modules/admin/readahead.te         |  4 +++-
 policy/modules/kernel/corenetwork.te.in   |  4 ++--
 policy/modules/kernel/files.fc            |  6 +++---
 policy/modules/kernel/files.te            |  4 +++-
 policy/modules/kernel/filesystem.if       |  2 +-
 policy/modules/kernel/filesystem.te       |  2 +-
 policy/modules/services/bind.te           |  3 ++-
 policy/modules/services/cron.fc           |  1 +
 policy/modules/services/cron.te           |  2 +-
 policy/modules/services/hal.te            |  8 ++++---
 policy/modules/services/networkmanager.te |  3 ++-
 policy/modules/services/nscd.te           |  4 +++-
 policy/modules/services/postfix.fc        |  1 +
 policy/modules/services/postfix.te        |  2 +-
 policy/modules/services/ssh.te            |  5 ++++-
 policy/modules/system/init.if             |  3 +++
 policy/modules/system/init.te             | 11 +++++++++-
 policy/modules/system/logging.te          |  3 ++-
 policy/modules/system/udev.te             |  3 ++-
 policy/modules/system/userdomain.if       | 26 ++++++++++++++++++++++-
 policy/modules/system/userdomain.te       | 20 +++++++++++------
 25 files changed, 101 insertions(+), 30 deletions(-)

diff --git a/Changelog b/Changelog
index 3017da42..1d127e03 100644
--- a/Changelog
+++ b/Changelog
@@ -70,6 +70,7 @@
 Fri, 01 Sep 2006
 Tue, 05 Sep 2006
 Wed, 20 Sep 2006
+ Fri, 22 Sep 2006
 - Added modules:
 afs
 amavis (Erich Schubert)
diff --git a/policy/global_tunables b/policy/global_tunables
index 2b981226..2bfe1e7d 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -573,6 +573,13 @@ gen_tunable(xdm_sysadm_login,false)
 #
 
 ifdef(`targeted_policy',`
+##
+##

+## Allow all daemons the ability to use unallocated ttys
+##

+##
+gen_tunable(allow_daemons_use_tty,false)
+
 ##
 ##

 ## Allow mount to mount any file
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index bcedf95e..31f64c26 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -6,7 +6,9 @@
 
 /usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 
-/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+#/sbin/grub-.* -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
+#/sbin/grubby -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
 /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index a01e35d9..fe747510 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
-policy_module(bootloader,1.2.6)
+policy_module(bootloader,1.2.7)
 
 ########################################
 #
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index 7f91460c..d635ec29 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
-policy_module(readahead,1.2.1)
+policy_module(readahead,1.2.2)
 
 ########################################
 #
@@ -52,6 +52,8 @@ fs_dontaudit_read_ramfs_pipes(readahead_t)
 fs_dontaudit_read_ramfs_files(readahead_t)
 fs_read_tmpfs_symlinks(readahead_t)
 
+mls_file_read_up(readahead_t)
+
 term_dontaudit_use_console(readahead_t)
 
 auth_dontaudit_read_shadow(readahead_t)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 65dfdd01..5bdfa083 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
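Review bot: The description of the new `allow_daemons_use_tty` tunable mentions only unallocated ttys, while the init.te hunk in this patch grants both `term_use_unallocated_ttys(daemon)` and `term_use_generic_ptys(daemon)` under it, for every domain that went through `init_daemon_domain`. The `<p>` text should state that full scope so an administrator enabling it understands what is opened, e.g. `## Allow all daemon domains to read and write unallocated ttys and generic ptys`. The current wording also reads awkwardly ("the ability to use"); the shorter form above fixes that too.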
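Review bot: The two commented-out bootloader.fc entries reference `bootloader_helper_exec_t`, a type nothing in this patch declares, so they are dead text that will either be forgotten or uncommented against a missing type. Either drop them or keep a single explanatory comment, e.g. `# grub-.* and grubby: pending a bootloader_helper_exec_t domain; see bootloader.te`. Narrowing `/sbin/grub.*` to `/sbin/grub` also stops matching `grub-install` and similar, which then take the default label; if that is intended the comment should say so.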
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.1.16)
+policy_module(corenetwork,1.1.17)
 
 ########################################
 #
@@ -82,7 +82,7 @@ network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
 network_port(giftd, tcp,1213,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 61d1524b..14336445 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -20,7 +20,7 @@ ifdef(`distro_redhat',`
 ')
 
 ifdef(`distro_suse',`
-/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
 
 #
@@ -49,7 +49,7 @@ ifdef(`distro_suse',`
 /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
@@ -58,7 +58,7 @@ ifdef(`distro_suse',`
 /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/reader.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/smartd\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
 
 /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
 
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index e35bab1d..a1f2e79a 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.18)
+policy_module(files,1.2.19)
 
 ########################################
 #
@@ -58,6 +58,8 @@ files_type(etc_t)
 #
 type etc_runtime_t;
 files_type(etc_runtime_t)
+#Temporarily in policy until FC5 dissappears
+typealias etc_runtime_t alias firstboot_rw_t;
 
 #
 # file_t is the default type of a file that has not yet been
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index c704c3f4..ae9c9f6d 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -455,7 +455,7 @@ interface(`fs_register_binary_executable_type',`
 ')
 
 allow $1 binfmt_misc_fs_t:dir { getattr search };
- allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
+ allow $1 binfmt_misc_fs_t:file { getattr ioctl write read };
 ')
 
 ########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index dab24512..402fbb11 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.15)
+policy_module(filesystem,1.3.16)
 
 ########################################
 #
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 02fdd40e..47131190 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
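Review bot: The comment on the new `typealias etc_runtime_t alias firstboot_rw_t;` in files.te has a typo (`dissappears`) and gives no removal criterion beyond "FC5 disappears", which is how temporary aliases become permanent. Suggest `# Temporary compatibility alias for FC5 policy that still references firstboot_rw_t; remove when FC5 support is dropped`. It is also worth stating that, while the alias exists, any rule written against firstboot_rw_t applies to all etc_runtime_t content, since whoever removes it needs to check for such rules.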
@@ -1,5 +1,5 @@
-policy_module(bind,1.1.9)
+policy_module(bind,1.1.10)
 
 ########################################
 #
@@ -223,6 +223,7 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
 allow ndc_t named_t:unix_stream_socket connectto;
 
 allow ndc_t named_conf_t:file { getattr read };
+allow ndc_t named_conf_t:lnk_file { getattr read };
 
 allow ndc_t named_var_run_t:sock_file rw_file_perms;
 
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 00f919a5..a950c32a 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -10,6 +10,7 @@
 /usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
 /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
 
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 71c5ea73..fe25a509 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.3.13)
+policy_module(cron,1.3.14)
 
 gen_require(`
 class passwd rootok;
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index bc7634ea..6c9faa13 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.3.13)
+policy_module(hal,1.3.14)
 
 ########################################
 #
@@ -111,6 +111,10 @@ storage_raw_write_removable_device(hald_t)
 storage_raw_read_fixed_disk(hald_t)
 storage_raw_write_fixed_disk(hald_t)
 
+# hal_probe_serial causes these
+term_setattr_unallocated_ttys(hald_t)
+term_dontaudit_use_unallocated_ttys(hald_t)
+
 auth_use_nsswitch(hald_t)
 
 init_use_fds(hald_t)
@@ -144,8 +148,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hald_t)
 
 ifdef(`targeted_policy',`
 term_dontaudit_use_console(hald_t)
- term_setattr_unallocated_ttys(hald_t)
- term_dontaudit_use_unallocated_ttys(hald_t)
 term_dontaudit_use_generic_ptys(hald_t)
 files_dontaudit_read_root_files(hald_t)
 ')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 6b157e7d..3b179f51 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.3.8)
+policy_module(networkmanager,1.3.9)
 
 ########################################
 #
@@ -163,6 +163,7 @@ optional_policy(`
 optional_policy(`
 ppp_domtrans(NetworkManager_t)
 ppp_read_pid_files(NetworkManager_t)
+ ppp_signal(NetworkManager_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index a073fdfc..8edef140 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd,1.2.8)
+policy_module(nscd,1.2.9)
 
 gen_require(`
 class nscd all_nscd_perms;
@@ -89,6 +89,8 @@ domain_use_interactive_fds(nscd_t)
 files_read_etc_files(nscd_t)
 files_read_generic_tmp_symlinks(nscd_t)
 
+# Needed to read files created by firstboot "/etc/hesiod.conf"
+files_read_etc_runtime_files(nscd_t)
 init_use_fds(nscd_t)
 init_use_script_ptys(nscd_t)
 
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
index 696b5c5b..3ca65e40 100644
--- a/policy/modules/services/postfix.fc
+++ b/policy/modules/services/postfix.fc
@@ -22,6 +22,7 @@ ifdef(`distro_redhat', `
 /usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
 /usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
 /usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 /usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 60a5f71e..fb89cafd 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.2.13)
+policy_module(postfix,1.2.14)
 
 ########################################
 #
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 038743aa..e24bb9dd 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.3.12)
+policy_module(ssh,1.3.13)
 
 ########################################
 #
@@ -71,12 +71,15 @@ ifdef(`targeted_policy',`
 ifdef(`strict_policy',`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow sshd_t self:key { search link write };
 
 allow sshd_t sshd_tmp_t:dir create_dir_perms;
 allow sshd_t sshd_tmp_t:file create_file_perms;
 allow sshd_t sshd_tmp_t:sock_file create_file_perms;
 files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
 
+ kernel_link_key(sshd_t)
+
 # for X forwarding
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 435b60cd..22554b4d 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
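Review bot: The new `allow sshd_t self:key { search link write };` and `kernel_link_key(sshd_t)` in the ssh.te strict_policy block carry no comment, unlike the neighbouring netlink rule, so a later reader cannot tell which sshd feature needs keyring access or which of the three key permissions it actually exercises. Add a why-comment above the first rule, e.g. `# keyring access during session setup (presumably pam_keyinit) -- confirm and trim perms to what is observed`. The strict_policy block continues outside this hunk.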
@@ -63,8 +63,11 @@ interface(`init_daemon_domain',`
 attribute direct_run_init, direct_init, direct_init_entry;
 type initrc_t;
 role system_r;
+ attribute daemon;
 ')
 
+ typeattribute $1 daemon;
+
 domain_type($1)
 domain_entry_file($1,$2)
 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b95fa3d4..f6518ec2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.25)
+policy_module(init,1.3.26)
 
 gen_require(`
 class passwd rootok;
@@ -16,6 +16,9 @@ attribute direct_run_init;
 attribute direct_init;
 attribute direct_init_entry;
 
+# Mark process types as daemons
+attribute daemon;
+
 #
 # init_t is the domain of the init process.
 #
@@ -206,6 +209,7 @@ optional_policy(`
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
 allow initrc_t self:capability ~{ sys_admin sys_module };
+dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 
 # Allow IPC with self
@@ -513,6 +517,11 @@ ifdef(`targeted_policy',`
 optional_policy(`
 mono_domtrans(initrc_t)
 ')
+
+ tunable_policy(`allow_daemons_use_tty',`
+ term_use_unallocated_ttys(daemon)
+ term_use_generic_ptys(daemon)
+ ')
 ',`
 # cjp: require doesnt work in the else of optionals :\
 # this also would result in a type transition
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index ee6a7d24..c172aec0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.11)
+policy_module(logging,1.3.12)
 
 ########################################
 #
@@ -161,6 +161,7 @@ libs_use_shared_libs(auditd_t)
 miscfiles_read_localization(auditd_t)
 
 mls_file_read_up(auditd_t)
+mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
 mls_rangetrans_target(auditd_t)
 
 seutil_dontaudit_read_config(auditd_t)
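Review bot: `init_daemon_domain` now tags every caller with the `daemon` attribute through `typeattribute $1 daemon;`, but the interface's summary and description block, which sits above this hunk outside it, is not updated, so module authors will not learn that their domain thereby falls under the `allow_daemons_use_tty` tunable added in init.te. Add a sentence to the interface description, e.g. `## The domain is also marked with the daemon attribute, so tunables written against daemon (such as allow_daemons_use_tty) apply to it.`. The interface's opening and the remainder of its body are outside this hunk.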
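Review bot: The justification on `mls_file_write_down(auditd_t)` in logging.te names one directory, but the interface it calls is a file write-down exemption that is not scoped to `/var/run/`, so the comment understates what auditd is granted in an MLS configuration. Record the real scope so it is re-examined rather than copied, e.g. `# pid file under /var/run; NOTE this is a blanket file write-down exemption for auditd, not limited to /var/run`. Whether a narrower, per-type grant would serve the pid-file case cannot be judged from this hunk.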
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 20b73568..591e191f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.3.5)
+policy_module(udev,1.3.6)
 
 ########################################
 #
@@ -92,6 +92,7 @@ dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
 
 domain_read_all_domains_state(udev_t)
+domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
 
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d0cd6e1b..e98a911d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4317,6 +4317,7 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
 ')
 
 dontaudit $1 user_home_dir_t:dir search_dir_perms;
+ dontaudit $1 user_home_t:dir search_dir_perms;
 dontaudit $1 user_home_t:file r_file_perms;
 ',`
 gen_require(`
@@ -4324,7 +4325,8 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
 ')
 
 dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:dir r_file_perms;
+ dontaudit $1 sysadm_home_t:dir search_dir_perms;
+ dontaudit $1 sysadm_home_t:file r_file_perms;
 ')
 ')
 
@@ -5121,6 +5123,28 @@ interface(`userdom_write_unpriv_users_tmp_files',`
 allow $1 user_tmpfile:file { getattr write append };
 ')
 
+########################################
+##

+## Read and write unprivileged user ttys.
+##
+##
+## Domain allowed access.
+##
+## # interface(`userdom_use_unpriv_users_ttys',`
+ ifdef(`targeted_policy',`
+ term_use_unallocated_ttys($1)
+ ',`
+ gen_require(`
+ attribute user_ttynode;
+ ')
+
+ allow $1 user_ttynode:chr_file rw_file_perms;
+ ')
+')
+
 ########################################
 ##
 ## Do not audit attempts to use unprivileged
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 323c400f..6f964065 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.34)
+policy_module(userdomain,1.3.35)
 
 gen_require(`
 role sysadm_r, staff_r, user_r;
@@ -111,6 +111,10 @@ ifdef(`strict_policy',`
 
 init_exec(sysadm_t)
 
+ # Following for sending reboot and wall messages
+ userdom_use_unpriv_users_ptys(sysadm_t)
+ userdom_use_unpriv_users_ttys(sysadm_t)
+
 ifdef(`direct_sysadm_daemon',`
 optional_policy(`
 init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
@@ -128,11 +132,13 @@ ifdef(`strict_policy',`
 domain_kill_all_domains(auditadm_t)
 seutil_read_bin_policy(auditadm_t)
 corecmd_exec_shell(auditadm_t)
+ logging_send_syslog_msg(auditadm_t)
 logging_read_generic_logs(auditadm_t)
 logging_manage_audit_log(auditadm_t)
 logging_manage_audit_config(auditadm_t)
 logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
 logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+ userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
 
 allow secadm_t self:capability dac_override;
 corecmd_exec_shell(secadm_t)
@@ -148,6 +154,7 @@ ifdef(`strict_policy',`
 logging_read_audit_log(secadm_t)
 logging_read_generic_logs(secadm_t)
 userdom_dontaudit_append_staff_home_content_files(secadm_t)
+ userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
 ',`
 logging_manage_audit_log(sysadm_t)
 logging_manage_audit_config(sysadm_t)
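Review bot: The new `userdom_use_unpriv_users_ttys` interface grants two different things depending on the build, `rw_file_perms` on `user_ttynode` under strict policy but `term_use_unallocated_ttys($1)` under targeted policy, and the latter is not limited to unprivileged users' terminals. The `<summary>` only says "Read and write unprivileged user ttys", so a caller reading the documentation will underestimate the targeted grant; suggest `## Read and write unprivileged user ttys (under targeted policy, all unallocated ttys).`. The earlier hunk that replaces `dontaudit $1 sysadm_home_t:dir r_file_perms;` with separate dir-search and file-read dontaudits fixes a permission/class mismatch and looks correct.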
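Review bot: In userdomain.te the comment `# Following for sending reboot and wall messages` justifies a write-only need, yet `userdom_use_unpriv_users_ttys` as defined in this patch grants `rw_file_perms` on user ttys, so sysadm_t also gains read access to users' terminals. If only wall and reboot notification is wanted, a write-only variant of the interface would be the least-privilege shape; if read is intended, the comment should say so rather than name a narrower purpose. `userdom_use_unpriv_users_ptys` is not shown in this patch, so its permission set is assumed, not verified. The enclosing `ifdef(`strict_policy',` block starts outside the hunk.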
@@ -376,11 +383,12 @@ ifdef(`strict_policy',`
 
 selinux_set_parameters(secadm_t)
 seutil_manage_bin_policy(secadm_t)
- seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
- seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
- seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
- seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
- seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
+ seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+ seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+ seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+ seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+ seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+ logging_send_syslog_msg(secadm_t)
 ', `
 selinux_set_enforce_mode(sysadm_t)
 selinux_set_boolean(sysadm_t)
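Review bot: The five rewritten `seutil_run_*` calls for secadm_t pass `{ secadm_tty_device_t sysadm_devpts_t }`, pairing secadm's tty type with sysadm's pty type, whereas the auditadm lines in the hunk above use the matching pair `{ auditadm_tty_device_t auditadm_devpts_t }`. If a `secadm_devpts_t` exists (it is not visible in this patch), this reads as a copy-paste slip and the terminal set should be `{ secadm_tty_device_t secadm_devpts_t }`; if it does not, a comment should explain why secadm_r sessions are expected on sysadm ptys, since as written a secadm session on its own pty would not be able to drive these tools. The enclosing `ifdef(`strict_policy',` block starts outside the hunk.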