diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 3a2a61c2..89be24dc 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -15,10 +15,7 @@ define(`sysnetwork_dhcpc_transition',`
 requires_block_template(`$0'_depend)
- allow $1 dhcpc_exec_t:file { getattr read execute };
- allow $1 dhcpc_t:process transition;
- type_transition $1 dhcpc_exec_t:process dhcpc_t;
- dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1, dhcp_exec_t, dhcp_t)
 allow $1 dhcpc_t:fd use;
 allow dhcpc_t $1:fd use;
@@ -49,10 +46,7 @@ define(`sysnetwork_dhcpc_transition_depend',`
 define(`sysnetwork_ifconfig_transition',`
 requires_block_template(`$0'_depend)
- allow $1 ifconfig_exec_t:file { getattr read execute };
- allow $1 ifconfig_t:process transition;
- type_transition $1 ifconfig_exec_t:process ifconfig_t;
- dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
 allow $1 ifconfig_t:fd use;
 allow ifconfig_t $1:fd use;
@@ -117,13 +111,13 @@ define(`sysnetwork_read_network_config',`
 requires_block_template(`$0'_depend)
 files_search_general_system_config_directory($1)
- allow $1 net_conf_t:file { getattr read };
+ allow $1 net_conf_t:file r_file_perms;
 ')
 define(`sysnetwork_read_network_config_depend',`
 type net_conf_t;
- class file { getattr read };
+ class file r_file_perms;
 ')
 ##
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index af58a12a..f7a12810 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
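Review bot: The new `domain_auto_trans($1, dhcp_exec_t, dhcp_t)` in sysnetwork_dhcpc_transition names dhcp_exec_t and dhcp_t, while the four lines it replaces and the surrounding `allow $1 dhcpc_t:fd use;` all refer to dhcpc_exec_t and dhcpc_t. As written the interface no longer sets up the transition into the DHCP client domain: the build either fails on the unknown types or, if dhcp_t is declared by another module, grants callers a transition into a different domain than the one whose fd they are allowed to use. It should read `domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)`. The same slip appears in sysnetwork.te, where `domain_auto_trans(dhcp_t, ifconfig_exec_t, ifconfig_t)` replaces rules whose subject was dhcpc_t and sits next to `allow dhcpc_t ifconfig_t:fd use;`.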
@@ -46,11 +46,11 @@ dontaudit dhcpc_t self:capability sys_tty_config;
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
-allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
+allow dhcpc_t self:tcp_socket create_socket_perms;
+allow dhcpc_t self:udp_socket create_socket_perms;
+allow dhcpc_t self:packet_socket create_socket_perms;
+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow dhcpc_t self:fifo_file rw_file_perms;
 allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
 allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
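Review bot: Replacing the dhcpc_t tcp_socket and udp_socket rules with `create_socket_perms` silently widens them: the two removed sets did not contain `connect`, whereas the packet_socket and netlink_route_socket sets in the same hunk, which are replaced by the same macro, do, so the macro presumably grants connect on all four. If the wider set is intended, a one-line comment such as `# create_socket_perms also grants connect on tcp/udp, which dhcpc previously lacked` would keep this consolidation from reading as a pure no-op; otherwise keep the explicit sets for those two classes. The same kind of widening occurs in the next hunk, where `allow dhcpc_t dhcpc_var_run_t:file create_file_perms;` replaces a set without link, rename, lock or ioctl, judging by the net_conf_t rule that the same macro replaces a few lines below.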
@@ -61,26 +61,23 @@ allow dhcpc_t dhcpc_state_t:file create_file_perms;
 type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
 # create pid file
-allow dhcpc_t dhcpc_var_run_t:file { getattr create read write append setattr unlink };
+allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
-allow dhcpc_t net_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow dhcpc_t net_conf_t:file create_file_perms;
 files_create_private_config(dhcpc_t,net_conf_t,file)
 # create temp files
-allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
+allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
 files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
-allow dhcpc_t dhcpc_exec_t:file { getattr read execute execute_no_trans };
+can_exec(dhcpc_t, dhcpc_exec_t)
 # transition to ifconfig
-allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
-allow dhcpc_t ifconfig_t:process transition;
-type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
-dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
+domain_auto_trans(dhcp_t, ifconfig_exec_t, ifconfig_t)
 allow dhcpc_t ifconfig_t:fd use;
 allow ifconfig_t dhcpc_t:fd use;
 allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
@@ -244,21 +241,21 @@ allow ifconfig_t self:capability net_admin;
 dontaudit ifconfig_t self:capability sys_module;
 allow ifconfig_t self:fd use;
-allow ifconfig_t self:fifo_file { read getattr lock ioctl write append };
-allow ifconfig_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow ifconfig_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow ifconfig_t self:fifo_file rw_file_perms;
+allow ifconfig_t self:unix_dgram_socket create_socket_perms;
+allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
 allow ifconfig_t self:unix_dgram_socket sendto;
 allow ifconfig_t self:unix_stream_socket connectto;
-allow ifconfig_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow ifconfig_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow ifconfig_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow ifconfig_t self:shm create_shm_perms;
+allow ifconfig_t self:sem create_sem_perms;
+allow ifconfig_t self:msgq create_msgq_perms;
 allow ifconfig_t self:msg { send receive };
 # Create UDP sockets, necessary when called from dhcpc
-allow ifconfig_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow ifconfig_t self:udp_socket create_socket_perms;
 # for /sbin/ip
-allow ifconfig_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 files_read_general_system_config(ifconfig_t);
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index 87313f3a..a6d5734e 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -15,10 +15,7 @@ define(`udev_transition',`
 requires_block_template(`$0'_depend)
- allow $1 udev_exec_t:file { getattr read execute };
- allow $1 udev_t:process transition;
- type_transition $1 udev_exec_t:process udev_t;
- dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1, udev_exec_t, udev_t)
 allow $1 udev_t:fd use;
 allow udev_t $1:fd use;
@@ -49,13 +46,13 @@ define(`udev_transition_depend',`
 define(`udev_read_database',`
 requires_block_template(`$0'_depend)
- allow $1 udev_tdb_t:file { getattr read };
+ allow $1 udev_tdb_t:file r_file_perms;
 ')
 define(`udev_read_database_depend',`
 type udev_tdb_t;
- class file { getattr read };
+ class file r_file_perms;
 ')
 ########################################
@@ -72,13 +69,13 @@ define(`udev_read_database_depend',`
 define(`udev_modify_database',`
 requires_block_template(`$0'_depend)
- allow $1 udev_tdb_t:file { getattr read write append };
+ allow $1 udev_tdb_t:file rw_file_perms;
 ')
 define(`udev_modify_database_depend',`
 type udev_tdb_t;
- class file { getattr read write append };
+ class file rw_file_perms;
 ')
 ##
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 6ce9680e..da53514e 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -38,29 +38,30 @@ allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid
 allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
-allow udev_t self:fifo_file { read getattr lock ioctl write append };
+allow udev_t self:fifo_file rw_file_perms;
 allow udev_t self:unix_stream_socket { listen accept };
 allow udev_t self:unix_dgram_socket sendto;
 allow udev_t self:unix_stream_socket connectto;
-allow udev_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow udev_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow udev_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow udev_t self:shm create_shm_perms;
+allow udev_t self:sem create_sem_perms;
+allow udev_t self:msgq create_msgq_perms;
 allow udev_t self:msg { send receive };
-allow udev_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow udev_t self:rawip_socket create_socket_perms;
-allow udev_t udev_exec_t:file { getattr read write ioctl execute execute_no_trans };
+allow udev_t udev_exec_t:file write;
+can_exec(udev_t, udev_exec_t)
-allow udev_t udev_helper_exec_t:dir { read getattr lock search ioctl };
+allow udev_t udev_helper_exec_t:dir r_dir_perms;
 # read udev config
-allow udev_t udev_etc_t:file { read getattr lock ioctl };
+allow udev_t udev_etc_t:file r_file_perms;
 # create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow udev_t udev_tbl_t:file create_file_perms;
 devices_create_dev_entry(udev_t,udev_tbl_t,file)
-allow udev_t udev_var_run_t : dir { read getattr lock search ioctl add_name remove_name write };
-allow udev_t udev_var_run_t : file { create ioctl read getattr lock write setattr append link unlink rename };
+allow udev_t udev_var_run_t : dir rw_file_perms;
+allow udev_t udev_var_run_t : file create_file_perms;
 kernel_read_system_state(udev_t)
 kernel_get_core_interface_attributes(udev_t)
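Review bot: `allow udev_t udev_var_run_t : dir rw_file_perms;` applies a file permission set to the dir class; the rule it replaces granted `{ read getattr lock search ioctl add_name remove_name write }`, so the new form drops search, add_name and remove_name, and udev would presumably no longer be able to create or remove entries under its runtime directory even though the file rule on the next line still allows creating files there. It should be `allow udev_t udev_var_run_t : dir rw_dir_perms;`, matching the `r_dir_perms` this hunk already uses for udev_helper_exec_t. Separately, the retained `allow udev_t udev_exec_t:file write;` now stands alone and reads as a domain writing its own executable type; a short comment stating why udev needs write on udev_exec_t would save the next reviewer from questioning it.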