From 704327e8b2a085e040fe47878fd249bc15be8d35 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 16 Nov 2005 21:08:52 +0000 Subject: [PATCH] fix transitions in and out of unconfined. fix bugs uncovered by rawhide testing --- refpolicy/policy/modules/admin/rpm.te | 16 ++++++++------ refpolicy/policy/modules/admin/updfstab.te | 9 ++++---- refpolicy/policy/modules/kernel/bootloader.te | 13 ++++++++++-- refpolicy/policy/modules/services/dovecot.te | 10 ++++----- refpolicy/policy/modules/services/hal.if | 17 +++++++++++++++ refpolicy/policy/modules/services/inetd.te | 14 ++++++------- refpolicy/policy/modules/system/unconfined.te | 21 +++++++++++-------- 7 files changed, 67 insertions(+), 33 deletions(-) diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 7d00dad2..416c7b82 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.0) +policy_module(rpm,1.0.1) ######################################## # @@ -143,7 +143,6 @@ auth_dontaudit_read_shadow(rpm_t) corecmd_exec_bin(rpm_t) corecmd_exec_sbin(rpm_t) -corecmd_shell_domtrans(rpm_t,rpm_script_t) domain_exec_all_entry_files(rpm_t) domain_read_all_domains_state(rpm_t) @@ -179,6 +178,11 @@ ifdef(`targeted_policy',` # unconfined in the targeted policy allow rpm_t rpm_log_t:file create_file_perms; logging_create_log(rpm_t,rpm_log_t) + + # cjp: if rpm_t and xdm_t are aliases of + # unconfined_t, this will break xdm logins + # by making users log in to rpm_script_t. + corecmd_shell_domtrans(rpm_t,rpm_script_t) ') optional_policy(`cron.te',` 
@@ -330,16 +334,16 @@ ifdef(`targeted_policy',` mta_send_mail(rpm_script_t) ') ') + + optional_policy(`bootloader.te',` + bootloader_domtrans(rpm_script_t) + ') ') tunable_policy(`allow_execmem',` allow rpm_script_t self:process execmem; ') -optional_policy(`bootloader.te',` - bootloader_domtrans(rpm_script_t) -') - optional_policy(`nis.te',` nis_use_ypbind(rpm_script_t) ') diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te index dfc42d3f..ac5487d0 100644 --- a/refpolicy/policy/modules/admin/updfstab.te +++ b/refpolicy/policy/modules/admin/updfstab.te @@ -1,5 +1,5 @@ -policy_module(updfstab,1.0) +policy_module(updfstab,1.0.1) ######################################## # @@ -98,6 +98,10 @@ optional_policy(`dbus.te',` dbus_send_system_bus_msg(updfstab_t) ') +optional_policy(`hald.te',` + hal_stream_connect(updfstab_t) +') + optional_policy(`modutils.te',` modutils_read_module_conf(updfstab_t) modutils_exec_insmod(updfstab_t) @@ -121,9 +125,6 @@ optional_policy(`rhgb.te',` rhgb_domain(updfstab_t) ') allow updfstab_t tmpfs_t:dir getattr; -ifdef(`hald.te', ` -can_unix_connect(updfstab_t, hald_t) -') ') optional_policy(`dbus.te',` diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index ee399f98..9d3fd0cd 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -1,5 +1,5 @@ -policy_module(bootloader,1.0) +policy_module(bootloader,1.0.1) ######################################## # @@ -73,7 +73,7 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin allow bootloader_t self:process { sigkill sigstop signull signal }; allow bootloader_t self:fifo_file { getattr read write }; -allow bootloader_t boot_t:dir rw_dir_perms; +allow bootloader_t boot_t:dir { create rw_dir_perms }; allow bootloader_t boot_t:file create_file_perms; allow bootloader_t boot_t:lnk_file create_lnk_perms; 
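Review bot: The new optional block in updfstab.te is keyed on `hald.te`, but the interface it calls is added to `hal.if` in this same commit, so the module's policy file is presumably `hal.te`. If optional_policy matches on the module file name, the condition would never hold and `hal_stream_connect(updfstab_t)` would silently not be granted, which surfaces later as AVC denials rather than a build error. Suggest changing the first argument to `hal.te`, i.e. ``optional_policy(`hal.te',` ``. The removed ifdef used the same `hald.te` name, so the mismatch may predate this change.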
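Review bot: The boot_t directory rule in bootloader.te now reads `allow bootloader_t boot_t:dir { create rw_dir_perms };`, with no comment on which operation needs `create`, while the file and lnk_file rules next to it use the `create_*_perms` macros. Adding only `create` is the narrower grant, so if that is deliberate it is worth recording, for example `# create only: bootloader_t makes directories in boot_t but does not need to remove them` (adjust to the actual intent). If directories must also be removed, this rule will produce further denials. The surrounding allow block continues outside the hunk.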
@@ -195,6 +195,11 @@ ifdef(`distro_redhat',` mount_domtrans(bootloader_t) ') +ifdef(`targeted_policy',` + term_use_unallocated_tty(bootloader_t) + term_use_generic_pty(bootloader_t) +') + optional_policy(`fstools.te',` fstools_exec(bootloader_t) ') @@ -215,6 +220,10 @@ optional_policy(`modutils.te',` modutils_exec_update_mods(bootloader_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(bootloader_t) +') + optional_policy(`rpm.te',` rpm_rw_pipe(bootloader_t) ') diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te index e6693a72..3e07ec8d 100644 --- a/refpolicy/policy/modules/services/dovecot.te +++ b/refpolicy/policy/modules/services/dovecot.te @@ -1,5 +1,5 @@ -policy_module(dovecot,1.0) +policy_module(dovecot,1.0.1) ######################################## # @@ -48,11 +48,11 @@ allow dovecot_auth_t dovecot_t:process sigchld; allow dovecot_auth_t dovecot_t:fd use; allow dovecot_auth_t dovecot_t:fifo_file { ioctl read write getattr lock append }; -allow dovecot_t dovecot_cert_t:dir { getattr read search }; -allow dovecot_t dovecot_cert_t:file { read getattr ioctl lock }; +allow dovecot_t dovecot_cert_t:dir r_dir_perms; +allow dovecot_t dovecot_cert_t:file r_file_perms; allow dovecot_t dovecot_cert_t:lnk_file { getattr read }; -allow dovecot_t dovecot_etc_t:file { getattr read }; +allow dovecot_t dovecot_etc_t:file r_file_perms; files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) @@ -113,7 +113,7 @@ userdom_dontaudit_use_unpriv_user_fd(dovecot_t) userdom_dontaudit_search_sysadm_home_dir(dovecot_t) userdom_priveleged_home_dir_manager(dovecot_t) -mta_append_spool(dovecot_t) +mta_manage_spool(dovecot_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(dovecot_t) diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if index ca45cde2..71a7a525 100644 --- a/refpolicy/policy/modules/services/hal.if +++ b/refpolicy/policy/modules/services/hal.if 
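Review bot: Replacing `mta_append_spool(dovecot_t)` with `mta_manage_spool(dovecot_t)` in the last dovecot.te hunk widens dovecot_t from append-only to what the interface name suggests is full management of the mail spool, and the hunk gives no reason. dovecot_t is presumably a network-facing daemon domain, so a compromised dovecot_t could then alter or remove spooled mail rather than only add to it. If the server really needs to rewrite or delete mailbox files in the spool, say so above the call, e.g. `# dovecot rewrites and expunges mailboxes in the spool, append alone is not enough`; otherwise a narrower interface would fit better. The definition of mta_manage_spool is not part of this diff, so check the exact permission set there.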
@@ -37,3 +37,20 @@ interface(`hal_dgram_sendto',` allow $1 hald_t:unix_dgram_socket sendto; ') + +######################################## +## +## Send to hal over a unix domain +## stream socket. +## +## +## Domain allowed access. +## +# +interface(`hal_stream_connect',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:unix_stream_socket connectto; +') diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 6fb22dad..59b2bda8 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -1,5 +1,5 @@ -policy_module(inetd,1.0) +policy_module(inetd,1.0.1) ######################################## # @@ -143,16 +143,16 @@ optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(inetd_t) ') -optional_policy(`udev.te', ` +optional_policy(`udev.te',` udev_read_db(inetd_t) ') -optional_policy(`unconfined.te', ` - unconfined_domtrans(inetd_t) -') - ifdef(`targeted_policy',` - unconfined_domain_template(inetd_t) + unconfined_domain_template(inetd_t) +',` + optional_policy(`unconfined.te',` + unconfined_domtrans(inetd_t) + ') ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 4b660ffe..2d9429e4 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.0.1) +policy_module(unconfined,1.0.2) ######################################## # @@ -70,15 +70,11 @@ ifdef(`targeted_policy',` ') optional_policy(`modutils.te',` - modutils_domtrans_depmod(unconfined_t) - modutils_domtrans_insmod(unconfined_t) modutils_domtrans_update_mods(unconfined_t) ') optional_policy(`netutils.te',` - netutils_domtrans(unconfined_t) netutils_domtrans_ping(unconfined_t) - netutils_domtrans_traceroute(unconfined_t) ') optional_policy(`portmap.te',` 
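Review bot: The summary of the new hal_stream_connect interface in hal.if reads "Send to hal over a unix domain stream socket", which looks copied from hal_dgram_sendto above it. The rule grants `connectto` on `hald_t:unix_stream_socket`, so `Connect to hal over a unix domain stream socket.` describes it accurately. The interface covers only the socket-to-domain check. If hald listens on a named socket file, callers would also need access to that file and its directory; that is not visible here and is worth confirming against the denials that prompted the change.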
@@ -87,6 +83,13 @@ ifdef(`targeted_policy',` optional_policy(`postfix.te',` postfix_domtrans_map(unconfined_t) + # cjp: this should probably be removed: + postfix_domtrans_master(unconfined_t) + ') + + optional_policy(`rpc.te',` + # cjp: this should probably be removed: + rpc_domtrans_nfsd(unconfined_t) ') optional_policy(`rpm.te',` @@ -102,6 +105,10 @@ ifdef(`targeted_policy',` su_per_userdomain_template(sysadm,unconfined_t,system_r) ') + optional_policy(`sysnetwork.te',` + sysnet_domtrans_dhcpc(unconfined_t) + ') + optional_policy(`usermanage.te',` usermanage_domtrans_admin_passwd(unconfined_t) ') @@ -114,9 +121,5 @@ ifdef(`targeted_policy',` ifdef(`use_mcs',` rw_dir_create_file(sysadm_su_t, home_dir_type) ') - ') dnl end TODO - - # FIXME: - typeattribute unconfined_t direct_run_init; ')
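Review bot: The two transitions added in this hunk, `postfix_domtrans_master(unconfined_t)` and `rpc_domtrans_nfsd(unconfined_t)`, carry the comment `# cjp: this should probably be removed:` but do not say why they are kept or what would allow removing them. Each is a path from unconfined_t into a service domain, and an open-ended marker makes it likely they stay permanently. Suggest recording the reason and the exit condition, e.g. `# cjp: kept because <reason>; remove once <condition>`. The enclosing targeted_policy ifdef starts and ends outside the hunk.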