patch from dan Tue, 05 Sep 2006 17:06:06 -0400

Changelog

@@ -67,6 +67,7 @@
 	Wed, 23 Aug 2006
 	Thu, 31 Aug 2006
 	Fri, 01 Sep 2006
+	Tue, 05 Sep 2006
 - Added modules:
 	afs
 	amavis (Erich Schubert)

Makefile

@@ -47,19 +47,21 @@ endif
 BINDIR ?= /usr/bin
 SBINDIR ?= /usr/sbin
 ifdef TEST_TOOLCHAIN
-tc_bindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
-tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
 else
-tc_bindir := $(BINDIR)
-tc_sbindir := $(SBINDIR)
+tc_usrbindir := $(BINDIR)
+tc_usrsbindir := $(SBINDIR)
+tc_sbindir := /sbin
 endif
-CHECKPOLICY ?= $(tc_bindir)/checkpolicy
-CHECKMODULE ?= $(tc_bindir)/checkmodule
-SEMODULE ?= $(tc_sbindir)/semodule
-SEMOD_PKG ?= $(tc_bindir)/semodule_package
-SEMOD_LNK ?= $(tc_bindir)/semodule_link
-SEMOD_EXP ?= $(tc_bindir)/semodule_expand
-LOADPOLICY ?= $(tc_sbindir)/load_policy
+CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
+CHECKMODULE ?= $(tc_usrbindir)/checkmodule
+SEMODULE ?= $(tc_usrsbindir)/semodule
+SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
+SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
+SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+LOADPOLICY ?= $(tc_usrsbindir)/load_policy
 SETFILES ?= $(tc_sbindir)/setfiles
 XMLLINT ?= $(BINDIR)/xmllint
 SECHECK ?= $(BINDIR)/sechecker

policy/modules/admin/firstboot.if

@@ -111,20 +111,3 @@ interface(`firstboot_write_pipes',`
 
 	allow $1 firstboot_t:fifo_file write;
 ')
-########################################
-## <summary>
-##	Read firstboot writable config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`firstboot_read_rw_files',`
-	gen_require(`
-		type firstboot_rw_t;
-	')
-
-	allow $1 firstboot_rw_t:file r_file_perms;
-')

policy/modules/kernel/corecommands.fc

@@ -125,6 +125,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vte/gnome-pty-helper --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)

policy/modules/kernel/corecommands.te

@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.3.14)
+policy_module(corecommands,1.3.15)
 
 ########################################
 #

policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.1.14)
+policy_module(corenetwork,1.1.15)
 
 ########################################
 #
@@ -126,7 +126,6 @@ network_port(rndc, tcp,953,s0)
 network_port(router, udp,520,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(setroubleshoot, tcp,3267,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)

policy/modules/kernel/filesystem.if

@@ -2043,6 +2043,25 @@ interface(`fs_dontaudit_search_ramfs',`
 	dontaudit $1 ramfs_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete 
+##	directories on a ramfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_ramfs_dirs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Dontaudit read on a ramfs files.

policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.3.13)
+policy_module(filesystem,1.3.14)
 
 ########################################
 #

policy/modules/kernel/terminal.if

@@ -412,7 +412,7 @@ interface(`term_dontaudit_manage_pty_dirs',`
 
 ########################################
 ## <summary>
-##	ioctl of generic pty types.
+##	ioctl of generic pty devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -431,6 +431,26 @@ interface(`term_ioctl_generic_ptys',`
 	allow $1 devpts_t:chr_file ioctl;
 ')
 
+########################################
+## <summary>
+##	Dontaudit setting the attributes of
+##	generic pty devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# dwalsh: added for rhgb
+interface(`term_dontaudit_setattr_generic_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dontaudit $1 devpts_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the generic pty

policy/modules/kernel/terminal.te

@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.1.7)
+policy_module(terminal,1.1.8)
 
 ########################################
 #

policy/modules/services/dovecot.te

@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.2.6)
+policy_module(dovecot,1.2.7)
 
 ########################################
 #
@@ -46,7 +46,6 @@ allow dovecot_t self:fifo_file rw_file_perms;
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
 
 domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
 allow dovecot_t dovecot_auth_t:fd use;

policy/modules/services/rhgb.te

@@ -1,5 +1,5 @@
 
-policy_module(rhgb,1.0.1)
+policy_module(rhgb,1.0.2)
 
 ########################################
 #
@@ -10,18 +10,20 @@ type rhgb_t;
 type rhgb_exec_t;
 init_daemon_domain(rhgb_t,rhgb_exec_t)
 
-type rhgb_devpts_t;
-term_pty(rhgb_devpts_t)
-
 type rhgb_tmpfs_t;
 files_tmpfs_file(rhgb_tmpfs_t)
 
+ifdef(`strict_policy',`
+	type rhgb_devpts_t;
+	term_pty(rhgb_devpts_t)
+')
+
 ########################################
 #
 # Local policy
 #
 
-allow rhgb_t self:capability { sys_admin sys_tty_config };
+allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
 dontaudit rhgb_t self:capability sys_tty_config;
 allow rhgb_t self:process signal_perms;
 allow rhgb_t self:shm create_shm_perms;
@@ -29,9 +31,7 @@ allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
 allow rhgb_t self:fifo_file rw_file_perms;
 allow rhgb_t self:tcp_socket create_socket_perms;
 allow rhgb_t self:udp_socket create_socket_perms;
-
-allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
-term_create_pty(rhgb_t,rhgb_devpts_t)
+allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow rhgb_t rhgb_tmpfs_t:dir manage_dir_perms;
 allow rhgb_t rhgb_tmpfs_t:file manage_file_perms;
@@ -45,6 +45,7 @@ kernel_read_system_state(rhgb_t)
 
 corecmd_exec_bin(rhgb_t)
 corecmd_exec_sbin(rhgb_t)
+corecmd_exec_shell(rhgb_t)
 
 corenet_non_ipsec_sendrecv(rhgb_t)
 corenet_tcp_sendrecv_generic_if(rhgb_t)
@@ -61,6 +62,7 @@ dev_read_sysfs(rhgb_t)
 domain_use_interactive_fds(rhgb_t)
 
 files_read_etc_files(rhgb_t)
+files_read_var_files(rhgb_t)
 files_read_etc_runtime_files(rhgb_t)
 files_search_tmp(rhgb_t)
 files_read_usr_files(rhgb_t)
@@ -73,13 +75,17 @@ files_dontaudit_search_var(rhgb_t)
 fs_search_auto_mountpoints(rhgb_t)
 fs_mount_ramfs(rhgb_t)
 fs_unmount_ramfs(rhgb_t)
+fs_getattr_tmpfs(rhgb_t)
 # for ramfs file systems
+fs_manage_ramfs_dirs(rhgb_t)
 fs_manage_ramfs_files(rhgb_t)
 fs_manage_ramfs_pipes(rhgb_t)
 fs_manage_ramfs_sockets(rhgb_t)
 
 term_dontaudit_use_console(rhgb_t)
 term_use_unallocated_ttys(rhgb_t)
+term_use_ptmx(rhgb_t)
+term_getattr_pty_fs(rhgb_t)
 
 init_use_fds(rhgb_t)
 init_use_script_ptys(rhgb_t)
@@ -96,22 +102,30 @@ miscfiles_read_localization(rhgb_t)
 miscfiles_read_fonts(rhgb_t)
 
 sysnet_read_config(rhgb_t)
+sysnet_domtrans_ifconfig(rhgb_t)
 
 userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
+userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
 
 xserver_read_xdm_xserver_tmp_files(rhgb_t)
 xserver_kill_xdm_xserver(rhgb_t)
 # for running setxkbmap
 xserver_read_xkb_libs(rhgb_t)
 
-ifdef(`targeted_policy',`
+ifdef(`strict_policy',`
+	allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
+	term_create_pty(rhgb_t,rhgb_devpts_t)
+', `
+	files_dontaudit_read_root_files(rhgb_t)
+
+	term_dontaudit_use_generic_ptys(rhgb_t)
+	term_dontaudit_setattr_generic_ptys(rhgb_t)
 	term_dontaudit_use_unallocated_ttys(rhgb_t)
 	term_dontaudit_use_generic_ptys(rhgb_t)
-	files_dontaudit_read_root_files(rhgb_t)
-')
 
-optional_policy(`
-	firstboot_read_rw_files(rhgb_t)
+	xserver_domtrans_xdm_xserver(rhgb_t)
+	xserver_signal_xdm_xserver(rhgb_t)
+	xserver_read_xdm_tmp_files(rhgb_t)
 ')
 
 optional_policy(`
@@ -127,21 +141,7 @@ optional_policy(`
 ')
 
 ifdef(`TODO',`
-	#TODO
-	ifdef(`hide_broken_symptoms', `
-		# for a bug in the X server
-		dontaudit mount_t rhgb_gph_t:fd use;
-	')
-	#TODO this seems a bit much
+	#this seems a bit much
 	allow domain rhgb_devpts_t:chr_file { read write };
-	#TODO this (ie files_dontaudit_read_default_files(rhgb_t))doesn't make sense with the following
-	allow rhgb_t default_t:file { getattr read };
-	#TODO
-	# for gnome-pty-helper
-	gph_domain(rhgb, system)
 	allow initrc_t rhgb_gph_t:fd use;
-	ifdef(`hide_broken_symptoms', `
-		# it should not do this
-		dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-	')
 ')

policy/modules/services/setroubleshoot.te

@@ -1,5 +1,5 @@
 
-policy_module(setroubleshoot,1.0.0)
+policy_module(setroubleshoot,1.0.1)
 
 ########################################
 #
@@ -64,9 +64,7 @@ corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
 corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
 corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
 corenet_tcp_bind_all_nodes(setroubleshootd_t)
-corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t)
 corenet_tcp_connect_smtp_port(setroubleshootd_t)
-corenet_sendrecv_setroubleshoot_server_packets(setroubleshootd_t)
 corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
 
 dev_read_urand(setroubleshootd_t)

policy/modules/services/ssh.te

@@ -1,5 +1,5 @@
 
-policy_module(ssh,1.3.9)
+policy_module(ssh,1.3.10)
 
 ########################################
 #
@@ -12,8 +12,10 @@ attribute ssh_server;
 type ssh_exec_t;
 corecmd_executable_file(ssh_exec_t)
 
+type ssh_keygen_t;
 type ssh_keygen_exec_t;
-corecmd_executable_file(ssh_keygen_exec_t)
+init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
+role system_r types ssh_keygen_t;
 
 type ssh_keysign_exec_t;
 corecmd_executable_file(ssh_keysign_exec_t)
@@ -39,10 +41,6 @@ ifdef(`targeted_policy',`
 	type ssh_agent_exec_t;
 	files_type(ssh_agent_exec_t)
 
-	type ssh_keygen_t;
-	init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
-	role system_r types ssh_keygen_t;
-
 	ssh_server_template(sshd)
 	ssh_server_template(sshd_extern)
 
@@ -193,7 +191,6 @@ ifdef(`strict_policy',`
 # ssh_keygen local policy
 #
 
-ifdef(`targeted_policy',`',`
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
 
@@ -244,6 +241,10 @@ ifdef(`targeted_policy',`',`
 	files_dontaudit_read_root_files(ssh_keygen_t)
 ')
 
+optional_policy(`
+	nscd_socket_use(ssh_keygen_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
 ')
@@ -251,4 +252,3 @@ ifdef(`targeted_policy',`',`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
-')

policy/modules/services/xserver.if

@@ -1072,9 +1072,28 @@ interface(`xserver_read_xdm_tmp_files',`
 		type xdm_tmp_t;
 	')
 
+	allow $1 xdm_tmp_t:dir search_dir_perms;
 	allow $1 xdm_tmp_t:file { getattr read };
 ')
 
+########################################
+## <summary>
+##	Signal XDM X servers
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_signal_xdm_xserver',`
+	gen_require(`
+		type xdm_xserver_t;
+	')
+
+	allow $1 xdm_xserver_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Kill XDM X servers

policy/modules/services/xserver.te

@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.1.14)
+policy_module(xserver,1.1.15)
 
 ########################################
 #
@@ -99,6 +99,11 @@ dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
 
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 
+allow xdm_t xdm_tmp_t:dir manage_dir_perms;
+allow xdm_t xdm_tmp_t:file manage_file_perms;
+allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
 
@@ -218,11 +223,6 @@ ifdef(`strict_policy',`
 	allow xdm_t xdm_lock_t:file create_file_perms;
 	files_lock_filetrans(xdm_t,xdm_lock_t,file)
 
-	allow xdm_t xdm_tmp_t:dir manage_dir_perms;
-	allow xdm_t xdm_tmp_t:file manage_file_perms;
-	allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
-	files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-
 	allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
 	allow xdm_t xdm_tmpfs_t:file manage_file_perms;
 	allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;

policy/modules/system/authlogin.te

@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.3.13)
+policy_module(authlogin,1.3.14)
 
 ########################################
 #
@@ -176,7 +176,7 @@ dev_getattr_xserver_misc_dev(pam_console_t)
 dev_setattr_xserver_misc_dev(pam_console_t)
 dev_read_urand(pam_console_t)
 
-fs_search_auto_mountpoints(pam_console_t)
+fs_list_auto_mountpoints(pam_console_t)
 
 mls_file_read_up(pam_console_t)
 mls_file_write_down(pam_console_t)

policy/modules/system/xen.te

@@ -1,5 +1,5 @@
 
-policy_module(xen,1.0.9)
+policy_module(xen,1.0.10)
 
 ########################################
 #
@@ -131,6 +131,7 @@ corenet_tcp_bind_all_nodes(xend_t)
 corenet_tcp_bind_xen_port(xend_t)
 corenet_tcp_bind_soundd_port(xend_t)
 corenet_tcp_bind_generic_port(xend_t)
+corenet_tcp_bind_vnc_port(xend_t)
 corenet_sendrecv_xen_server_packets(xend_t)
 corenet_sendrecv_soundd_server_packets(xend_t)
 corenet_rw_tun_tap_dev(xend_t)
@@ -175,6 +176,8 @@ sysnet_dns_name_resolve(xend_t)
 sysnet_delete_dhcpc_pid(xend_t)
 sysnet_read_dhcpc_pid(xend_t)
 
+userdom_dontaudit_search_sysadm_home_dirs(xend_t)
+
 xen_stream_connect_xenstore(xend_t)
 
 netutils_domtrans(xend_t)