patch from dan Fri, 22 Sep 2006 16:30:34 -0400

Changelog

@@ -70,6 +70,7 @@
 	Fri, 01 Sep 2006
 	Tue, 05 Sep 2006
 	Wed, 20 Sep 2006
+	Fri, 22 Sep 2006
 - Added modules:
 	afs
 	amavis (Erich Schubert)

policy/global_tunables

@@ -573,6 +573,13 @@ gen_tunable(xdm_sysadm_login,false)
 #
 
 ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow all daemons the ability to use unallocated ttys
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty,false)
+
 ## <desc>
 ## <p>
 ## Allow mount to mount any file

policy/modules/admin/bootloader.fc

@@ -6,7 +6,9 @@
 
 /usr/sbin/mkinitrd	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 
-/sbin/grub.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+#/sbin/grub-.*		--	gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
+#/sbin/grubby		--	gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
 /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/mkinitrd		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)

policy/modules/admin/bootloader.te

@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.2.6)
+policy_module(bootloader,1.2.7)
 
 ########################################
 #

policy/modules/admin/readahead.te

@@ -1,5 +1,5 @@
 
-policy_module(readahead,1.2.1)
+policy_module(readahead,1.2.2)
 
 ########################################
 #
@@ -52,6 +52,8 @@ fs_dontaudit_read_ramfs_pipes(readahead_t)
 fs_dontaudit_read_ramfs_files(readahead_t)
 fs_read_tmpfs_symlinks(readahead_t)
 
+mls_file_read_up(readahead_t)
+
 term_dontaudit_use_console(readahead_t)
 
 auth_dontaudit_read_shadow(readahead_t)

policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.1.16)
+policy_module(corenetwork,1.1.17)
 
 ########################################
 #
@@ -82,7 +82,7 @@ network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
 network_port(giftd, tcp,1213,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)

policy/modules/kernel/files.fc

@@ -20,7 +20,7 @@ ifdef(`distro_redhat',`
 ')
 
 ifdef(`distro_suse',`
-/success			--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/success		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
 
 #
@@ -49,7 +49,7 @@ ifdef(`distro_suse',`
 /etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/HOSTNAME		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/ioctl\.save		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/issue		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/issue\.net		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
@@ -58,7 +58,7 @@ ifdef(`distro_suse',`
 /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/reader.conf	-- 	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/smartd\.conf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/smartd\.conf.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 
 /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
 

policy/modules/kernel/files.te

@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.18)
+policy_module(files,1.2.19)
 
 ########################################
 #
@@ -58,6 +58,8 @@ files_type(etc_t)
 #
 type etc_runtime_t;
 files_type(etc_runtime_t)
+#Temporarily in policy until FC5 dissappears
+typealias etc_runtime_t alias firstboot_rw_t;
 
 #
 # file_t is the default type of a file that has not yet been

policy/modules/kernel/filesystem.if

@@ -455,7 +455,7 @@ interface(`fs_register_binary_executable_type',`
 	')
 
 	allow $1 binfmt_misc_fs_t:dir { getattr search };
-	allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
+	allow $1 binfmt_misc_fs_t:file { getattr ioctl write read };
 ')
 
 ########################################

policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.3.15)
+policy_module(filesystem,1.3.16)
 
 ########################################
 #

policy/modules/services/bind.te

@@ -1,5 +1,5 @@
 
-policy_module(bind,1.1.9)
+policy_module(bind,1.1.10)
 
 ########################################
 #
@@ -223,6 +223,7 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
 allow ndc_t named_t:unix_stream_socket connectto;
 
 allow ndc_t named_conf_t:file { getattr read };
+allow ndc_t named_conf_t:lnk_file { getattr read };
 
 allow ndc_t named_var_run_t:sock_file rw_file_perms;
 

policy/modules/services/cron.fc

@@ -10,6 +10,7 @@
 /usr/sbin/cron(d)?		--	gen_context(system_u:object_r:crond_exec_t,s0)
 /usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
 
+/var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond?\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond\.reboot		--	gen_context(system_u:object_r:crond_var_run_t,s0)

policy/modules/services/cron.te

@@ -1,5 +1,5 @@
 
-policy_module(cron,1.3.13)
+policy_module(cron,1.3.14)
 
 gen_require(`
 	class passwd rootok;

policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.13)
+policy_module(hal,1.3.14)
 
 ########################################
 #
@@ -111,6 +111,10 @@ storage_raw_write_removable_device(hald_t)
 storage_raw_read_fixed_disk(hald_t)
 storage_raw_write_fixed_disk(hald_t)
 
+# hal_probe_serial causes these
+term_setattr_unallocated_ttys(hald_t)
+term_dontaudit_use_unallocated_ttys(hald_t)
+
 auth_use_nsswitch(hald_t)
 
 init_use_fds(hald_t)
@@ -144,8 +148,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hald_t)
 
 ifdef(`targeted_policy',`
 	term_dontaudit_use_console(hald_t)
-	term_setattr_unallocated_ttys(hald_t)
-	term_dontaudit_use_unallocated_ttys(hald_t)
 	term_dontaudit_use_generic_ptys(hald_t)
 	files_dontaudit_read_root_files(hald_t)
 ')

policy/modules/services/networkmanager.te

@@ -1,5 +1,5 @@
 
-policy_module(networkmanager,1.3.8)
+policy_module(networkmanager,1.3.9)
 
 ########################################
 #
@@ -163,6 +163,7 @@ optional_policy(`
 optional_policy(`
 	ppp_domtrans(NetworkManager_t)
 	ppp_read_pid_files(NetworkManager_t)
+	ppp_signal(NetworkManager_t)
 ')
 
 optional_policy(`

policy/modules/services/nscd.te

@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.2.8)
+policy_module(nscd,1.2.9)
 
 gen_require(`
 	class nscd all_nscd_perms;
@@ -89,6 +89,8 @@ domain_use_interactive_fds(nscd_t)
 
 files_read_etc_files(nscd_t)
 files_read_generic_tmp_symlinks(nscd_t)
+# Needed to read files created by firstboot "/etc/hesiod.conf"
+files_read_etc_runtime_files(nscd_t)
 
 init_use_fds(nscd_t)
 init_use_script_ptys(nscd_t)

policy/modules/services/postfix.fc

@@ -22,6 +22,7 @@ ifdef(`distro_redhat', `
 /usr/lib/postfix/(n)?qmgr --	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
 /usr/lib/postfix/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
 /usr/lib/postfix/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 /usr/lib/postfix/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)

policy/modules/services/postfix.te

@@ -1,5 +1,5 @@
 
-policy_module(postfix,1.2.13)
+policy_module(postfix,1.2.14)
 
 ########################################
 #

policy/modules/services/ssh.te

@@ -1,5 +1,5 @@
 
-policy_module(ssh,1.3.12)
+policy_module(ssh,1.3.13)
 
 ########################################
 #
@@ -71,12 +71,15 @@ ifdef(`targeted_policy',`
 ifdef(`strict_policy',`
 	# so a tunnel can point to another ssh tunnel
 	allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
+	allow sshd_t self:key { search link write };
 
 	allow sshd_t sshd_tmp_t:dir create_dir_perms;
 	allow sshd_t sshd_tmp_t:file create_file_perms;
 	allow sshd_t sshd_tmp_t:sock_file create_file_perms;
 	files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
 
+	kernel_link_key(sshd_t)
+
 	# for X forwarding
 	corenet_tcp_bind_xserver_port(sshd_t)
 	corenet_sendrecv_xserver_server_packets(sshd_t)

policy/modules/system/init.if

@@ -63,8 +63,11 @@ interface(`init_daemon_domain',`
 		attribute direct_run_init, direct_init, direct_init_entry;
 		type initrc_t;
 		role system_r;
+		attribute daemon;
 	')
 
+	typeattribute $1 daemon;
+
 	domain_type($1)
 	domain_entry_file($1,$2)
 

policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.25)
+policy_module(init,1.3.26)
 
 gen_require(`
 	class passwd rootok;
@@ -16,6 +16,9 @@ attribute direct_run_init;
 attribute direct_init;
 attribute direct_init_entry;
 
+# Mark process types as daemons
+attribute daemon;
+
 #
 # init_t is the domain of the init process.
 #
@@ -206,6 +209,7 @@ optional_policy(`
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
 allow initrc_t self:capability ~{ sys_admin sys_module };
+dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 
 # Allow IPC with self
@@ -513,6 +517,11 @@ ifdef(`targeted_policy',`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
+
+	tunable_policy(`allow_daemons_use_tty',`
+		term_use_unallocated_ttys(daemon)
+		term_use_generic_ptys(daemon)
+	')
 ',`
 	# cjp: require doesnt work in the else of optionals :\
 	# this also would result in a type transition

policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.3.11)
+policy_module(logging,1.3.12)
 
 ########################################
 #
@@ -161,6 +161,7 @@ libs_use_shared_libs(auditd_t)
 miscfiles_read_localization(auditd_t)
 
 mls_file_read_up(auditd_t)
+mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
 mls_rangetrans_target(auditd_t)
 
 seutil_dontaudit_read_config(auditd_t)

policy/modules/system/udev.te

@@ -1,5 +1,5 @@
 
-policy_module(udev,1.3.5)
+policy_module(udev,1.3.6)
 
 ########################################
 #
@@ -92,6 +92,7 @@ dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
 
 domain_read_all_domains_state(udev_t)
+domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
 
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)

policy/modules/system/userdomain.if

@@ -4317,6 +4317,7 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
 		')
 
 		dontaudit $1 user_home_dir_t:dir search_dir_perms;
+		dontaudit $1 user_home_t:dir search_dir_perms;
 		dontaudit $1 user_home_t:file r_file_perms;
 	',`
 		gen_require(`
@@ -4324,7 +4325,8 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
 		')
 
 		dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-		dontaudit $1 sysadm_home_t:dir r_file_perms;
+		dontaudit $1 sysadm_home_t:dir search_dir_perms;
+		dontaudit $1 sysadm_home_t:file r_file_perms;
 	')
 ')
 
@@ -5121,6 +5123,28 @@ interface(`userdom_write_unpriv_users_tmp_files',`
 	allow $1 user_tmpfile:file { getattr write append };
 ')
 
+########################################
+## <summary>
+##	Read and write unprivileged user ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_use_unpriv_users_ttys',`
+	ifdef(`targeted_policy',`
+		term_use_unallocated_ttys($1)
+	',`
+		gen_require(`
+			attribute user_ttynode;
+		')
+
+		allow $1 user_ttynode:chr_file rw_file_perms;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to use unprivileged

policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.34)
+policy_module(userdomain,1.3.35)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -111,6 +111,10 @@ ifdef(`strict_policy',`
 
 	init_exec(sysadm_t)
 
+	# Following for sending reboot and wall messages
+	userdom_use_unpriv_users_ptys(sysadm_t)
+	userdom_use_unpriv_users_ttys(sysadm_t)
+
 	ifdef(`direct_sysadm_daemon',`
 		optional_policy(`
 			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
@@ -128,11 +132,13 @@ ifdef(`strict_policy',`
 		domain_kill_all_domains(auditadm_t)
 	        seutil_read_bin_policy(auditadm_t)
 		corecmd_exec_shell(auditadm_t)
+		logging_send_syslog_msg(auditadm_t)
 	        logging_read_generic_logs(auditadm_t)
 		logging_manage_audit_log(auditadm_t)
 		logging_manage_audit_config(auditadm_t)
 		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
 		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+		userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
 
 		allow secadm_t self:capability dac_override;
 		corecmd_exec_shell(secadm_t)
@@ -148,6 +154,7 @@ ifdef(`strict_policy',`
 		logging_read_audit_log(secadm_t)
 	        logging_read_generic_logs(secadm_t)
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
+		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
 	',`
 		logging_manage_audit_log(sysadm_t)
 		logging_manage_audit_config(sysadm_t)
@@ -376,11 +383,12 @@ ifdef(`strict_policy',`
 			selinux_set_parameters(secadm_t)
 
 			seutil_manage_bin_policy(secadm_t)
-			seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
+			seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-			seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
+			seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-			seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
+			seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-			seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
+			seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-			seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
+			seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+			logging_send_syslog_msg(secadm_t)
 		', `
 			selinux_set_enforce_mode(sysadm_t)
 			selinux_set_boolean(sysadm_t)