trunk: 4 patches from dan.

2009-05-14 14:41:50 +00:00 · 2009-05-14 14:41:50 +00:00 · 80348b73a0
commit 80348b73a0
parent a47eb527e5
9 changed files with 199 additions and 14 deletions
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@

-policy_module(corenetwork, 1.11.6)
+policy_module(corenetwork, 1.11.7)

 ########################################
 #
@ -69,6 +69,7 @@ network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
 network_port(afs_ka, udp,7004,s0)
 network_port(afs_pt, udp,7002,s0)
 network_port(afs_vl, udp,7003,s0)
+network_port(agentx, udp,705,s0, tcp,705,s0)
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
--- a/policy/modules/services/consolekit.fc
+++ b/policy/modules/services/consolekit.fc
@ -1,3 +1,5 @@
 /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)

+/var/log/ConsoleKit(/.*)?		gen_context(system_u:object_r:consolekit_log_t,s0)
 /var/run/consolekit\.pid	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)?	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@ -38,3 +38,22 @@ interface(`consolekit_dbus_chat',`
 	allow $1 consolekit_t:dbus send_msg;
 	allow consolekit_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Read consolekit log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_read_log',`
+	gen_require(`
+		type consolekit_log_t;
+	')
+
+	read_files_pattern($1, consolekit_log_t, consolekit_log_t)
+	files_search_pids($1)
+')
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@ -1,5 +1,5 @@

-policy_module(consolekit, 1.4.0)
+policy_module(consolekit, 1.4.1)

 ########################################
 #
@ -10,6 +10,9 @@ type consolekit_t;
 type consolekit_exec_t;
 init_daemon_domain(consolekit_t, consolekit_exec_t)

+type consolekit_log_t;
+files_pid_file(consolekit_log_t)
+
 type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)

@ -24,36 +27,69 @@ allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
 allow consolekit_t self:unix_dgram_socket create_socket_perms;

+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+
+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
-files_pid_filetrans(consolekit_t, consolekit_var_run_t, file)
+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })

 kernel_read_system_state(consolekit_t)

 corecmd_exec_bin(consolekit_t)
+corecmd_exec_shell(consolekit_t)

 dev_read_urand(consolekit_t)
 dev_read_sysfs(consolekit_t)

 domain_read_all_domains_state(consolekit_t)
 domain_use_interactive_fds(consolekit_t)
+domain_dontaudit_ptrace_all_domains(consolekit_t)

 files_read_etc_files(consolekit_t)
+files_read_usr_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)

 fs_list_inotifyfs(consolekit_t)

+mcs_ptrace_all(consolekit_t)
+
 term_use_all_terms(consolekit_t)

 auth_use_nsswitch(consolekit_t)

+init_telinit(consolekit_t)
+init_rw_utmp(consolekit_t)
+
+logging_send_syslog_msg(consolekit_t)
+
 miscfiles_read_localization(consolekit_t)

+userdom_dontaudit_read_user_home_content_files(consolekit_t)
+
+hal_ptrace(consolekit_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_dontaudit_list_nfs(consolekit_t)
+	fs_dontaudit_rw_nfs_files(consolekit_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_dontaudit_list_cifs(consolekit_t)
+	fs_dontaudit_rw_cifs_files(consolekit_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(consolekit_t)
-	dbus_connect_system_bus(consolekit_t)

-	hal_dbus_chat(consolekit_t)
+	optional_policy(`
+		hal_dbus_chat(consolekit_t)
+	')
+
+	optional_policy(`
+		rpm_dbus_chat(consolekit_t)
+	')

 	optional_policy(`
 		unconfined_dbus_chat(consolekit_t)
@ -64,3 +100,8 @@ optional_policy(`
 	xserver_read_user_xauth(consolekit_t)
 	xserver_stream_connect(consolekit_t)
 ')
+
+optional_policy(`
+	#reading .Xauthity
+	unconfined_stream_connect(consolekit_t)
+')
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@ -1,5 +1,5 @@

-policy_module(dcc, 1.7.1)
+policy_module(dcc, 1.7.2)

 ########################################
 #
@ -140,6 +140,7 @@ corenet_all_recvfrom_netlabel(dcc_client_t)
 corenet_udp_sendrecv_generic_if(dcc_client_t)
 corenet_udp_sendrecv_generic_node(dcc_client_t)
 corenet_udp_sendrecv_all_ports(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)

 files_read_etc_files(dcc_client_t)
 files_read_etc_runtime_files(dcc_client_t)
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@ -115,6 +115,46 @@ interface(`exim_append_log',`
 	logging_search_logs($1)
 ')

+########################################
+## <summary>
+##	Allow the specified domain to manage exim's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_manage_log',`
+	gen_require(`
+		type exim_log_t;
+	')
+
+	manage_files_pattern($1, exim_log_t, exim_log_t)
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	exim spool dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_manage_spool_dirs',`
+	gen_require(`
+		type exim_spool_t;
+	')
+
+	manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
+	files_search_spool($1)
+')
+
 ########################################
 ## <summary>
 ##	Read exim spool files.
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@ -1,11 +1,18 @@

-policy_module(exim, 1.3.2)
+policy_module(exim, 1.3.3)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow exim to connect to databases (postgres, mysql)
+## </p>
+## </desc>
+gen_tunable(exim_can_connect_db, false)
+
 ## <desc>
 ## <p>
 ## Allow exim to read unprivileged user files.
@ -24,6 +31,10 @@ gen_tunable(exim_manage_user_files, false)
 type exim_t;
 type exim_exec_t;
 init_daemon_domain(exim_t, exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
+mta_agent_executable(exim_exec_t)

 type exim_log_t;
 logging_log_file(exim_log_t)
@ -42,10 +53,12 @@ files_pid_file(exim_var_run_t)
 # exim local policy
 #

-allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown };
+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource  };
+allow exim_t self:process { setrlimit setpgid };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket create_stream_socket_perms;
 allow exim_t self:tcp_socket create_stream_socket_perms;
+allow exim_t self:udp_socket create_socket_perms;

 can_exec(exim_t,exim_exec_t)

@ -66,14 +79,17 @@ manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
 files_pid_filetrans(exim_t, exim_var_run_t, { file dir })

 kernel_read_kernel_sysctls(exim_t)
-
+kernel_read_network_state(exim_t)
 kernel_dontaudit_read_system_state(exim_t)

 corecmd_search_bin(exim_t)

 corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
 corenet_tcp_sendrecv_generic_if(exim_t)
+corenet_udp_sendrecv_generic_if(exim_t)
 corenet_tcp_sendrecv_generic_node(exim_t)
+corenet_udp_sendrecv_generic_node(exim_t)
 corenet_tcp_sendrecv_all_ports(exim_t)
 corenet_tcp_bind_generic_node(exim_t)
 corenet_tcp_bind_smtp_port(exim_t)
@ -82,6 +98,8 @@ corenet_tcp_connect_auth_port(exim_t)
 corenet_tcp_connect_smtp_port(exim_t)
 corenet_tcp_connect_ldap_port(exim_t)
 corenet_tcp_connect_inetd_child_port(exim_t)
+# connect to spamassassin
+corenet_tcp_connect_spamd_port(exim_t)

 dev_read_rand(exim_t)
 dev_read_urand(exim_t)
@ -89,20 +107,34 @@ dev_read_urand(exim_t)
 # Init script handling
 domain_use_interactive_fds(exim_t)

+files_search_usr(exim_t)
+files_search_var(exim_t)
 files_read_etc_files(exim_t)
+files_read_etc_runtime_files(exim_t)
+
+fs_getattr_xattr_fs(exim_t)
+fs_list_inotifyfs(exim_t)

 auth_use_nsswitch(exim_t)

 logging_send_syslog_msg(exim_t)

 miscfiles_read_localization(exim_t)
-
-sysnet_dns_name_resolve(exim_t)
+miscfiles_read_certs(exim_t)

 userdom_dontaudit_search_user_home_dirs(exim_t)

 mta_read_aliases(exim_t)
-mta_rw_spool(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
+
+tunable_policy(`exim_can_connect_db',`
+	corenet_tcp_connect_mysqld_port(exim_t)
+	corenet_sendrecv_mysqld_client_packets(exim_t)
+        corenet_tcp_connect_postgresql_port(exim_t)
+        corenet_sendrecv_postgresql_client_packets(exim_t)
+')

 tunable_policy(`exim_read_user_files',`
 	userdom_read_user_home_content_files(exim_t)
@ -114,3 +146,51 @@ tunable_policy(`exim_manage_user_files',`
 	userdom_read_user_tmp_files(exim_t)
 	userdom_write_user_tmp_files(exim_t)
 ')
+
+optional_policy(`
+	clamav_domtrans_clamscan(exim_t)
+	clamav_stream_connect(exim_t)
+')
+
+optional_policy(`
+	cron_read_pipes(exim_t)
+	cron_rw_system_job_pipes(exim_t)
+')
+
+optional_policy(`
+	cyrus_stream_connect(exim_t)
+')
+
+optional_policy(`
+	kerberos_keytab_template(exim, exim_t)
+')
+
+optional_policy(`
+	mailman_read_data_files(exim_t)
+	mailman_domtrans(exim_t)
+')
+
+optional_policy(`
+	tunable_policy(`exim_can_connect_db',`
+		mysql_stream_connect(exim_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`exim_can_connect_db',`
+		postgresql_stream_connect(exim_t)
+	')
+')
+
+optional_policy(`
+	procmail_domtrans(exim_t)
+')
+
+optional_policy(`
+	sasl_connect(exim_t)
+')
+
+optional_policy(`
+	spamassassin_exec(exim_t)
+	spamassassin_exec_client(exim_t)
+')
--- a/policy/modules/services/snmp.fc
+++ b/policy/modules/services/snmp.fc
@ -20,5 +20,5 @@

 /var/net-snmp(/.*)		gen_context(system_u:object_r:snmpd_var_lib_t,s0)

-/var/run/snmpd		-d	gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
 /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@ -1,5 +1,5 @@

-policy_module(snmp, 1.9.2)
+policy_module(snmp, 1.9.3)

 ########################################
 #
@ -71,6 +71,7 @@ corenet_udp_bind_generic_node(snmpd_t)
 corenet_tcp_bind_snmp_port(snmpd_t)
 corenet_udp_bind_snmp_port(snmpd_t)
 corenet_sendrecv_snmp_server_packets(snmpd_t)
+corenet_tcp_connect_agentx_port(snmpd_t)

 dev_list_sysfs(snmpd_t)
 dev_read_sysfs(snmpd_t)