trunk: 3 patches from dan.

Chris PeBenito 2007-10-29 22:08:34 +00:00
parent 164772b537
commit 7d4161cdc9
11 changed files with 220 additions and 22 deletions


@ -4717,8 +4717,7 @@ interface(`files_polyinstantiate_all',`
files_search_home($1) files_search_home($1)
corecmd_exec_bin($1) corecmd_exec_bin($1)
seutil_domtrans_setfiles($1) seutil_domtrans_setfiles($1)
fs_mount_tmpfs($1) mount_domtrans($1)
fs_unmount_tmpfs($1)
') ')
') ')
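Review bot: The new `mount_domtrans($1)` call in `files_polyinstantiate_all` replaces two narrow tmpfs permissions with a transition into the mount domain, which presumably can mount far more than tmpfs, and nothing in the hunk explains why. I would add a comment above it, for example `# polyinstantiation setup runs mount; transition instead of mounting directly`, if that is the reason, so the wider grant stays reviewable. `mount_domtrans` is defined in a different module, so it is also worth confirming that the enclosing block still builds when that module is absent. That block opens outside this hunk, so I cannot tell whether it is already optional.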


@ -1,5 +1,5 @@
policy_module(files,1.7.3) policy_module(files,1.7.4)
######################################## ########################################
# #


@ -835,6 +835,27 @@ interface(`kernel_dontaudit_read_proc_symlinks',`
dontaudit $1 proc_t:lnk_file read; dontaudit $1 proc_t:lnk_file read;
') ')
#######################################
## <summary>
## Allow caller to read and write state information for AFS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_rw_afs_state',`
gen_require(`
type proc_t, proc_afs_t;
')
read_files_pattern($1,proc_t,proc_afs_t)
list_dirs_pattern($1,proc_t,proc_t)
')
####################################### #######################################
## <summary> ## <summary>
## Allow caller to read the state information for software raid. ## Allow caller to read the state information for software raid.
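Review bot: `kernel_rw_afs_state` is named and documented as read and write, but its body only calls `read_files_pattern($1,proc_t,proc_afs_t)`, so callers get read-only access to `proc_afs_t` files. If the AFS login path really needs to write, change the call to `rw_files_pattern($1,proc_t,proc_afs_t)`; otherwise keep the narrower grant and correct the name and summary to say read. As written, the mismatch hides which access was intended, and a later "fix" to match the name would silently widen what every caller of this interface can do.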


@ -1,5 +1,5 @@
policy_module(kernel,1.8.2) policy_module(kernel,1.8.3)
######################################## ########################################
# #
@ -71,6 +71,9 @@ fs_type(proc_t)
genfscon proc / gen_context(system_u:object_r:proc_t,s0) genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0) genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
type proc_afs_t, proc_type;
genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)
# kernel message interface # kernel message interface
type proc_kmsg_t, proc_type; type proc_kmsg_t, proc_type;
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh) genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)


@ -32,6 +32,7 @@
/dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0) /dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)


@ -1,5 +1,5 @@
policy_module(storage,1.4.1) policy_module(storage,1.4.2)
######################################## ########################################
# #


@ -61,6 +61,26 @@ interface(`application_exec',`
can_exec($1, application_exec_type) can_exec($1, application_exec_type)
') ')
########################################
## <summary>
## Execute all executable files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`application_exec_all',`
corecmd_dontaudit_exec_all_executables($1)
corecmd_exec_bin($1)
corecmd_exec_shell($1)
corecmd_exec_chroot($1)
application_exec($1)
')
######################################## ########################################
## <summary> ## <summary>
## Create a domain which can be started by users ## Create a domain which can be started by users
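Review bot: The summary of `application_exec_all` says "Execute all executable files", but the first line of its body is `corecmd_dontaudit_exec_all_executables($1)`, which suppresses audit records instead of granting execute. Only the bin, shell, chroot and application entry-point calls actually allow execution, and denials for every other executable type are silenced, so failed execution attempts by the caller no longer show up in the audit log. I would reword the summary to something like `Execute common executables and application entry points; do not audit attempts to execute other executable types.` and reconsider whether a blanket dontaudit belongs in a shared interface.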


@ -1,5 +1,5 @@
policy_module(application,1.0.0) policy_module(application,1.0.1)
# Attribute of user applications # Attribute of user applications
attribute application_domain_type; attribute application_domain_type;


@ -13,6 +13,7 @@
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
ifdef(`distro_suse', ` ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)


@ -26,7 +26,8 @@ template(`authlogin_common_auth_domain_template',`
type $1_chkpwd_t, can_read_shadow_passwords; type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t) application_domain($1_chkpwd_t,chkpwd_exec_t)
allow $1_chkpwd_t self:capability { audit_control setuid }; allow $1_chkpwd_t self:capability { dac_override setuid };
dontaudit $1_chkpwd_t self:capability sys_tty_config;
allow $1_chkpwd_t self:process getattr; allow $1_chkpwd_t self:process getattr;
files_list_etc($1_chkpwd_t) files_list_etc($1_chkpwd_t)
@ -106,9 +107,6 @@ template(`authlogin_per_role_template',`
role $3 types $1_chkpwd_t; role $3 types $1_chkpwd_t;
role $3 types system_chkpwd_t; role $3 types system_chkpwd_t;
# cjp: is this really needed?
allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
dontaudit $2 shadow_t:file { getattr read }; dontaudit $2 shadow_t:file { getattr read };
# Transition from the user domain to this domain. # Transition from the user domain to this domain.
@ -169,6 +167,9 @@ template(`auth_domtrans_user_chk_passwd',`
## </param> ## </param>
# #
interface(`auth_login_pgm_domain',` interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t;
')
domain_type($1) domain_type($1)
domain_subj_id_change_exemption($1) domain_subj_id_change_exemption($1)
@ -176,11 +177,22 @@ interface(`auth_login_pgm_domain',`
domain_obj_id_change_exemption($1) domain_obj_id_change_exemption($1)
role system_r types $1; role system_r types $1;
files_list_var_lib($1)
manage_files_pattern($1, var_auth_t, var_auth_t)
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
kernel_rw_afs_state($1)
# for SSP/ProPolice # for SSP/ProPolice
dev_read_urand($1) dev_read_urand($1)
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
files_read_etc_files($1) files_read_etc_files($1)
fs_list_auto_mountpoints($1)
selinux_get_fs_mount($1) selinux_get_fs_mount($1)
selinux_validate_context($1) selinux_validate_context($1)
selinux_compute_access_vector($1) selinux_compute_access_vector($1)
@ -196,16 +208,20 @@ interface(`auth_login_pgm_domain',`
mls_fd_share_all_levels($1) mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1) auth_domtrans_chk_passwd($1)
auth_domtrans_upd_passwd($1)
auth_dontaudit_read_shadow($1) auth_dontaudit_read_shadow($1)
auth_read_login_records($1) auth_read_login_records($1)
auth_append_login_records($1) auth_append_login_records($1)
auth_rw_lastlog($1) auth_rw_lastlog($1)
auth_append_faillog($1) auth_rw_faillog($1)
auth_exec_pam($1) auth_exec_pam($1)
auth_use_nsswitch($1)
init_rw_utmp($1) init_rw_utmp($1)
logging_send_audit_msgs($1)
logging_send_syslog_msg($1) logging_send_syslog_msg($1)
# logging_set_loginuid($1)
seutil_read_config($1) seutil_read_config($1)
seutil_read_default_contexts($1) seutil_read_default_contexts($1)
@ -309,11 +325,8 @@ interface(`auth_domtrans_chk_passwd',`
type system_chkpwd_t, chkpwd_exec_t, shadow_t; type system_chkpwd_t, chkpwd_exec_t, shadow_t;
') ')
# cjp: is this really needed?
allow $1 self:capability audit_control;
corecmd_search_bin($1) corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) domtrans_pattern($1, chkpwd_exec_t, system_chkpwd_t)
dontaudit $1 shadow_t:file { getattr read }; dontaudit $1 shadow_t:file { getattr read };
@ -345,6 +358,86 @@ interface(`auth_domtrans_chk_passwd',`
') ')
') ')
########################################
## <summary>
## Execute chkpwd programs in the chkpwd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the updpwd domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the updpwd domain to use.
## </summary>
## </param>
#
interface(`auth_run_chk_passwd',`
gen_require(`
type system_chkpwd_t;
')
auth_domtrans_chk_passwd($1)
role $2 types system_chkpwd_t;
allow system_chkpwd_t $3:chr_file rw_file_perms;
')
########################################
## <summary>
## Execute a domain transition to run unix_update.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`auth_domtrans_upd_passwd',`
gen_require(`
type updpwd_t, updpwd_exec_t;
')
domtrans_pattern($1,updpwd_exec_t,updpwd_t)
auth_dontaudit_read_shadow($1)
')
########################################
## <summary>
## Execute updpwd programs in the updpwd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the updpwd domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the updpwd domain to use.
## </summary>
## </param>
#
interface(`auth_run_upd_passwd',`
gen_require(`
type updpwd_t;
')
auth_domtrans_upd_passwd($1)
role $2 types updpwd_t;
allow updpwd_t $3:chr_file rw_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of the shadow passwords file. ## Get the attributes of the shadow passwords file.
@ -693,6 +786,24 @@ interface(`auth_domtrans_pam',`
domtrans_pattern($1,pam_exec_t,pam_t) domtrans_pattern($1,pam_exec_t,pam_t)
') ')
########################################
## <summary>
## Execute pam programs in the pam domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`auth_signal_pam',`
gen_require(`
type pam_t;
')
allow $1 pam_t:process signal;
')
######################################## ########################################
## <summary> ## <summary>
## Execute pam programs in the PAM domain. ## Execute pam programs in the PAM domain.
@ -1318,16 +1429,14 @@ interface(`auth_manage_login_records',`
## </param> ## </param>
# #
interface(`auth_use_nsswitch',` interface(`auth_use_nsswitch',`
gen_require(`
type var_auth_t;
')
allow $1 self:netlink_route_socket r_netlink_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms;
allow $1 var_auth_t:dir list_dir_perms;
allow $1 var_auth_t:file manage_file_perms;
files_list_var_lib($1) files_list_var_lib($1)
# read /etc/nsswitch.conf
files_read_etc_files($1)
miscfiles_read_certs($1) miscfiles_read_certs($1)
sysnet_dns_name_resolve($1) sysnet_dns_name_resolve($1)
@ -1347,6 +1456,7 @@ interface(`auth_use_nsswitch',`
optional_policy(` optional_policy(`
samba_stream_connect_winbind($1) samba_stream_connect_winbind($1)
samba_read_var_files($1)
') ')
') ')
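Review bot: In `auth_login_pgm_domain` the added `dev_rw_input_dev($1)` and `dev_rw_generic_usb_dev($1)` give every login program domain read/write access to input and generic USB devices, although the comment says they are only there for fingerprint readers. Input devices presumably include keyboards, so this is a wide grant to hand unconditionally to every caller of the interface. I would move the two calls into the specific domains that load a fingerprint PAM module, or put them behind a boolean that defaults to off, and extend the comment to say which devices are meant. The body of `auth_login_pgm_domain` continues outside the hunks shown, so other grants in it were not reviewed.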


@ -1,5 +1,5 @@
policy_module(authlogin,1.8.1) policy_module(authlogin,1.8.2)
######################################## ########################################
# #
@ -49,6 +49,12 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
type updpwd_t;
type updpwd_exec_t;
domain_type(updpwd_t)
domain_entry_file(updpwd_t,updpwd_exec_t)
role system_r types updpwd_t;
type utempter_t; type utempter_t;
type utempter_exec_t; type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t) application_domain(utempter_t,utempter_exec_t)
@ -94,10 +100,14 @@ allow pam_t pam_tmp_t:dir manage_dir_perms;
allow pam_t pam_tmp_t:file manage_file_perms; allow pam_t pam_tmp_t:file manage_file_perms;
files_tmp_filetrans(pam_t, pam_tmp_t, { file dir }) files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
auth_use_nsswitch(pam_t)
kernel_read_system_state(pam_t) kernel_read_system_state(pam_t)
fs_search_auto_mountpoints(pam_t) fs_search_auto_mountpoints(pam_t)
miscfiles_read_localization(pam_t)
term_use_all_user_ttys(pam_t) term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t) term_use_all_user_ptys(pam_t)
@ -149,6 +159,8 @@ dev_getattr_apm_bios_dev(pam_console_t)
dev_setattr_apm_bios_dev(pam_console_t) dev_setattr_apm_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t) dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t) dev_setattr_dri_dev(pam_console_t)
dev_getattr_input_dev(pam_console_t)
dev_setattr_input_dev(pam_console_t)
dev_getattr_framebuffer_dev(pam_console_t) dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t) dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_generic_usb_dev(pam_console_t) dev_getattr_generic_usb_dev(pam_console_t)
@ -159,6 +171,8 @@ dev_getattr_mouse_dev(pam_console_t)
dev_setattr_mouse_dev(pam_console_t) dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t) dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t) dev_setattr_power_mgmt_dev(pam_console_t)
dev_getattr_printer_dev(pam_console_t)
dev_setattr_printer_dev(pam_console_t)
dev_getattr_scanner_dev(pam_console_t) dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t) dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t) dev_getattr_sound_dev(pam_console_t)
@ -200,6 +214,7 @@ files_read_etc_runtime_files(pam_console_t)
fs_list_auto_mountpoints(pam_console_t) fs_list_auto_mountpoints(pam_console_t)
fs_list_noxattr_fs(pam_console_t) fs_list_noxattr_fs(pam_console_t)
fs_getattr_all_fs(pam_console_t)
init_use_fds(pam_console_t) init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t) init_use_script_ptys(pam_console_t)
@ -236,7 +251,7 @@ optional_policy(`
optional_policy(` optional_policy(`
xserver_read_xdm_pid(pam_console_t) xserver_read_xdm_pid(pam_console_t)
xserver_use_xdm_fds(pam_t) xserver_dontaudit_write_log(pam_console_t)
') ')
######################################## ########################################
@ -257,6 +272,34 @@ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
userdom_dontaudit_use_sysadm_terms(system_chkpwd_t) userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
########################################
#
# updpwd local policy
#
allow updpwd_t self:process setfscreate;
allow updpwd_t self:fifo_file { read write };
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
allow updpwd_t self:unix_dgram_socket create_socket_perms;
kernel_read_system_state(updpwd_t)
files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
libs_use_ld_so(updpwd_t)
libs_use_shared_libs(updpwd_t)
logging_send_syslog_msg(updpwd_t)
miscfiles_read_localization(updpwd_t)
######################################## ########################################
# #
# Utempter local policy # Utempter local policy
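Review bot: The new updpwd local policy grants `files_manage_etc_files(updpwd_t)`, which lets the password updater create, modify and delete every file carrying the generic etc type, not only the account files it presumably has to rewrite. Together with `auth_manage_shadow(updpwd_t)` and `allow updpwd_t self:process setfscreate;` this makes `updpwd_t` a high-value domain. I would add a comment naming the files that need this access and consider a dedicated type for them, so the grant can be narrowed later. `term_dontaudit_use_console(updpwd_t)` also appears twice in a row in this block, and one of the two lines can be dropped.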