patch from dan Thu, 18 May 2006 11:56:22 -0400

This commit is contained in:
Chris PeBenito 2006-05-19 14:02:24 +00:00
parent 46fc46cfdd
commit 87eb5c84e7
24 changed files with 141 additions and 28 deletions


@ -85,6 +85,14 @@ gen_tunable(allow_java_execstack,false)
## </desc>
gen_tunable(allow_kerberos,false)
## <desc>
## <p>
## Allow nfs servers to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_nfsd_anon_write,false)
## <desc>
## <p>
## Allow rsync to modify public files
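Review bot: The new `allow_nfsd_anon_write` description says nfs servers may "modify public files", but the rule it guards in the rpc section is `miscfiles_manage_public_files(nfsd_t)`; if manage_ here grants create and unlink as it does elsewhere in refpolicy, the description understates the effect. Suggest `## Allow nfs servers to create, modify and delete public files` (and the same wording for the matching tunable if its interface is manage_ too) so an administrator flipping the boolean knows it is not write-only. The tunable defaults to false, which is the right default for an anonymous-write grant.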


@ -1,5 +1,5 @@
policy_module(consoletype,1.0.0)
policy_module(consoletype,1.0.1)
########################################
#
@ -107,3 +107,10 @@ optional_policy(`
optional_policy(`
userdom_use_unpriv_users_fds(consoletype_t)
')
optional_policy(`
kernel_read_xen_state(consoletype_t)
kernel_write_xen_state(consoletype_t)
xen_append_log(consoletype_t)
xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
')
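Review bot: The new `optional_policy` block grants `kernel_write_xen_state(consoletype_t)` with no comment saying why a program that reports the console type needs write access to Xen state; the same uncommented read+write pair is added for dhcpc_t and ifconfig_t in the sysnetwork section. A one-line comment on each block naming the Xen interaction would let a later reviewer check whether the write can be dropped in favour of `kernel_read_xen_state` alone, e.g. `# TODO: document which xen state is written; drop kernel_write_xen_state if read suffices`. Without it the write grant will be copied forward as boilerplate.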


@ -1,5 +1,5 @@
policy_module(prelink,1.1.1)
policy_module(prelink,1.1.2)
########################################
#
@ -10,6 +10,7 @@ attribute prelink_object;
type prelink_t;
type prelink_exec_t;
init_system_domain(prelink_t,prelink_exec_t)
domain_obj_id_change_exemption(prelink_t)
type prelink_cache_t;
files_type(prelink_cache_t)
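Review bot: `domain_obj_id_change_exemption(prelink_t)` is added without a comment; by its name this exempts prelink_t from the object identity-change constraint, i.e. it may relabel files across SELinux user identities, which is a notable widening for a tool that rewrites binaries and libraries in place. The reason is presumably that prelink modifies files owned by arbitrary identities, but the hunk does not say so. Suggest `# prelink rewrites files of any user identity -- confirm the exemption is still required` on that line so the grant is neither dropped nor copied blindly.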


@ -1,5 +1,5 @@
policy_module(mls,1.3.0)
policy_module(mls,1.3.1)
########################################
#
@ -57,6 +57,7 @@ attribute mlsrangetrans;
#
type lvm_exec_t;
type run_init_t;
type setrans_exec_t;
ifdef(`enable_mls',`
@ -64,4 +65,5 @@ range_transition initrc_t auditd_exec_t s15:c0.c255;
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
range_transition initrc_t setrans_exec_t s15:c0.c255;
range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
')
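Review bot: `type run_init_t;` is now declared in the mls module but nothing in this file records that the declaration is temporary; the explanation ("real declaration moved to mls until range transitions work in modules") lives only in the selinuxutil section, next to the `gen_require`. Suggest mirroring it here, `# declared here rather than in selinuxutil until range transitions work in modules`, so whoever later moves the declaration back also updates the `range_transition run_init_t initrc_exec_t` line below it.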


@ -430,7 +430,7 @@ interface(`term_dontaudit_use_generic_ptys',`
type devpts_t;
')
dontaudit $1 devpts_t:chr_file { getattr read write };
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
')
########################################


@ -1,5 +1,5 @@
policy_module(terminal,1.1.1)
policy_module(terminal,1.1.2)
########################################
#


@ -8,4 +8,5 @@
/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
/var/run/amavis(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)


@ -1,5 +1,5 @@
policy_module(amavis,1.0.3)
policy_module(amavis,1.0.4)
########################################
#
@ -35,12 +35,15 @@ files_tmp_file(amavis_tmp_t)
type amavis_quarantine_t;
files_type(amavis_quarantine_t)
type amavis_spool_t;
files_type(amavis_spool_t)
########################################
#
# amavis local policy
#
allow amavis_t self:capability { chown dac_override setgid setuid };
allow amavis_t self:capability { kill chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld signull };
allow amavis_t self:fifo_file rw_file_perms;
@ -58,6 +61,11 @@ allow amavis_t amavis_quarantine_t:file create_file_perms;
allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
allow amavis_t amavis_quarantine_t:dir create_dir_perms;
# Spool Files
allow amavis_t amavis_spool_t:dir manage_dir_perms;
allow amavis_t amavis_spool_t:file manage_file_perms;
files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
# tmp files
allow amavis_t amavis_tmp_t:file create_file_perms;
allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
@ -82,8 +90,10 @@ allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
allow amavis_t amavis_var_run_t:dir rw_dir_perms;
files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(amavis_t)
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
kernel_dontaudit_list_proc(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)
# find perl
corecmd_exec_bin(amavis_t)
@ -115,6 +125,7 @@ auth_dontaudit_read_shadow(amavis_t)
init_use_fds(amavis_t)
init_use_script_ptys(amavis_t)
init_stream_connect_script(amavis_t)
libs_use_ld_so(amavis_t)
libs_use_shared_libs(amavis_t)
@ -134,8 +145,13 @@ cron_rw_pipes(amavis_t)
mta_read_config(amavis_t)
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(amavis_t)
')
optional_policy(`
clamav_stream_connect(amavis_t)
clamav_domtrans_clamscan(amavis_t)
')
optional_policy(`
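Review bot: The `kill` capability added to `allow amavis_t self:capability { kill chown dac_override setgid setuid };` (hunk @ -35,12 +35,15) has no comment; CAP_KILL is only needed to signal processes running under a different uid, so if amavis only signals its own children the grant is unnecessary. Suggest `# kill: signals helper processes running as another uid -- confirm` on that line so the reason is recorded. Separately, the comment `# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...` now sits above two proc dontaudits while the shadow dontaudit is in the following hunk header, so trimming it to the proc part would keep it accurate.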


@ -1,5 +1,5 @@
policy_module(bind,1.1.3)
policy_module(bind,1.1.4)
########################################
#
@ -123,6 +123,8 @@ term_dontaudit_use_console(named_t)
corecmd_search_sbin(named_t)
dev_read_urand(named_t)
domain_use_interactive_fds(named_t)
files_read_etc_files(named_t)
@ -137,6 +139,7 @@ libs_use_shared_libs(named_t)
logging_send_syslog_msg(named_t)
miscfiles_read_localization(named_t)
miscfiles_read_certs(named_t)
sysnet_read_config(named_t)


@ -1,5 +1,5 @@
policy_module(bluetooth,1.2.4)
policy_module(bluetooth,1.2.5)
########################################
#
@ -211,6 +211,7 @@ sysnet_read_config(bluetooth_helper_t)
ifdef(`targeted_policy',`
files_rw_generic_tmp_sockets(bluetooth_helper_t)
files_manage_generic_tmp_files(bluetooth_helper_t)
fs_rw_tmpfs_files(bluetooth_helper_t)
@ -218,7 +219,7 @@ ifdef(`targeted_policy',`
unconfined_stream_connect(bluetooth_helper_t)
userdom_read_all_users_home_content_files(bluetooth_helper_t)
userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
optional_policy(`
xserver_stream_connect_xdm(bluetooth_helper_t)
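Review bot: `userdom_manage_generic_user_home_content_files(bluetooth_helper_t)` replaces the former read-only grant and, together with the new `files_manage_generic_tmp_files`, lets the helper create, modify and delete generic content in every user's home directory under targeted policy, with no comment saying which operation needs it. This is presumably for received files, but if so a dedicated file type would bound the damage a compromised helper can do far better than manage on all generic home content. At minimum add `# TODO: document why write access to generic home content is needed; consider a dedicated type` above the line.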


@ -1,5 +1,5 @@
policy_module(cups,1.3.3)
policy_module(cups,1.3.4)
########################################
#
@ -672,6 +672,7 @@ allow cupsd_lpd_t self:process signal_perms;
allow cupsd_lpd_t self:fifo_file rw_file_perms;
allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
allow cupsd_lpd_t self:udp_socket create_socket_perms;
allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
# for identd
# cjp: this should probably only be inetd_child rules?
@ -731,6 +732,8 @@ miscfiles_read_localization(cupsd_lpd_t)
sysnet_read_config(cupsd_lpd_t)
cups_stream_connect(cupsd_lpd_t)
optional_policy(`
inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
')


@ -1,5 +1,5 @@
policy_module(hal,1.3.6)
policy_module(hal,1.3.7)
########################################
#
@ -93,6 +93,7 @@ files_read_usr_files(hald_t)
# hal is now execing pm-suspend
files_create_boot_flag(hald_t)
files_getattr_all_dirs(hald_t)
files_read_kernel_img(hald_t)
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)


@ -5,3 +5,7 @@
/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
/var/log/pyzord.log -- gen_context(system_u:object_r:pyzord_log_t,s0)
ifdef(`strict_policy',`
HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
')


@ -1,5 +1,5 @@
policy_module(pyzor,1.0.0)
policy_module(pyzor,1.0.1)
########################################
#


@ -1,5 +1,5 @@
policy_module(rpc,1.2.3)
policy_module(rpc,1.2.4)
########################################
#
@ -111,9 +111,17 @@ files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
files_manage_mounttab(rpcd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
portmap_tcp_connect(nfsd_t)
portmap_udp_chat(nfsd_t)
# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
')
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)


@ -41,3 +41,23 @@ interface(`xfs_stream_connect',`
allow $1 xfs_tmp_t:sock_file write;
allow $1 xfs_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Allow the specified domain to execute xfs
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xfs_exec',`
gen_require(`
type xfs_exec_t;
')
can_exec($1,xfs_exec_t)
')


@ -1,5 +1,5 @@
policy_module(xfs,1.0.1)
policy_module(xfs,1.0.2)
########################################
#
@ -42,19 +42,22 @@ allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
kernel_read_kernel_sysctls(xfs_t)
kernel_read_system_state(xfs_t)
corecmd_list_bin(xfs_t)
corecmd_list_sbin(xfs_t)
dev_read_sysfs(xfs_t)
fs_getattr_all_fs(xfs_t)
fs_search_auto_mountpoints(xfs_t)
term_dontaudit_use_console(xfs_t)
domain_use_interactive_fds(xfs_t)
files_read_etc_files(xfs_t)
files_read_etc_runtime_files(xfs_t)
files_read_usr_files(xfs_t)
term_dontaudit_use_console(xfs_t)
init_use_fds(xfs_t)
init_use_script_ptys(xfs_t)
@ -69,6 +72,8 @@ miscfiles_read_fonts(xfs_t)
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
xfs_exec(xfs_t)
ifdef(`distro_debian',`
# for /tmp/.font-unix/fs7100
init_script_tmp_filetrans(xfs_t,xfs_tmp_t,sock_file)


@ -1,5 +1,5 @@
policy_module(init,1.3.12)
policy_module(init,1.3.13)
gen_require(`
class passwd rootok;
@ -374,6 +374,7 @@ mls_file_write_down(initrc_t)
mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_rangetrans_target(initrc_t)
modutils_read_module_config(initrc_t)
modutils_domtrans_insmod(initrc_t)


@ -36,6 +36,8 @@
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
ifdef(`distro_debian', `
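Review bot: Labelling `/usr/sbin/setsebool` as semanage_exec_t means a boolean toggle now runs in semanage_t, the same domain that manages the module store (`seutil_manage_module_store(semanage_t)` appears in the selinuxutil.te section), so any domain permitted to transition into semanage_t for setsebool gets the whole policy-management domain. If that is the intended trade-off, a comment at the entry records it, e.g. `# setsebool runs in semanage_t; see selinux_set_boolean in selinuxutil.te`; otherwise a narrower domain for setsebool is the alternative to consider.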


@ -1,5 +1,5 @@
policy_module(selinuxutil,1.2.6)
policy_module(selinuxutil,1.2.7)
gen_require(`
bool secure_mode;
@ -92,7 +92,11 @@ role system_r types restorecond_t;
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
type run_init_t;
# real declaration moved to mls until
# range transitions work in modules
gen_require(`
type run_init_t;
')
type run_init_exec_t;
domain_type(run_init_t)
domain_entry_file(run_init_t,run_init_exec_t)
@ -447,7 +451,7 @@ libs_use_shared_libs(restorecond_t)
logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(run_init_t)
miscfiles_read_localization(restorecond_t)
#################################
#
@ -461,6 +465,8 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
mls_rangetrans_source(run_init_t)
ifdef(`direct_sysadm_daemon',`',`
ifdef(`distro_gentoo',`
# Gentoo integrated run_init:
@ -526,6 +532,8 @@ ifdef(`targeted_policy',`',`
#
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow semanage_t policy_config_t:file { read write };
@ -535,6 +543,8 @@ kernel_read_kernel_sysctls(semanage_t)
corecmd_exec_bin(semanage_t)
corecmd_exec_sbin(semanage_t)
dev_read_urand(semanage_t)
files_read_etc_files(semanage_t)
files_read_usr_files(semanage_t)
files_list_pids(semanage_t)
@ -544,6 +554,8 @@ mls_rangetrans_target(semanage_t)
mls_file_read_up(semanage_t)
selinux_get_enforce_mode(semanage_t)
# for setsebool:
selinux_set_boolean(semanage_t)
term_use_all_terms(semanage_t)
@ -551,6 +563,8 @@ libs_use_ld_so(semanage_t)
libs_use_shared_libs(semanage_t)
libs_use_lib_files(semanage_t)
logging_send_syslog_msg(semanage_t)
miscfiles_read_localization(semanage_t)
seutil_search_default_contexts(semanage_t)
@ -565,6 +579,8 @@ seutil_manage_module_store(semanage_t)
seutil_get_semanage_trans_lock(semanage_t)
seutil_get_semanage_read_lock(semanage_t)
userdom_search_sysadm_home_dirs(semanage_t)
ifdef(`targeted_policy',`
# Handle pp files created in homedir and /tmp
files_read_generic_tmp_files(semanage_t)
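Review bot: `allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` (hunk @ -526,6 +532,8) carries no comment; nlmsg_relay lets the domain inject user-space audit records, which is presumably for logging the boolean changes setsebool now performs from this domain, but the hunk does not say. Suggest `# emit audit records for boolean/policy changes -- confirm nlmsg_relay is required` on that line. The enclosing semanage_t rule block starts outside the hunk.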


@ -1,5 +1,5 @@
policy_module(setrans,1.0.0)
policy_module(setrans,1.0.1)
########################################
#
@ -23,7 +23,8 @@ mls_trusted_object(setrans_var_run_t)
# setrans local policy
#
allow setrans_t self:process { setcap signal_perms };
allow setrans_t self:capability sys_resource;
allow setrans_t self:process { setrlimit setcap signal_perms };
allow setrans_t self:unix_stream_socket create_stream_socket_perms;
allow setrans_t self:unix_dgram_socket create_socket_perms;
allow setrans_t self:netlink_selinux_socket create_socket_perms;
@ -57,6 +58,7 @@ selinux_compute_access_vector(setrans_t)
term_dontaudit_use_generic_ptys(setrans_t)
init_use_fds(setrans_t)
init_dontaudit_use_script_ptys(setrans_t)
libs_use_ld_so(setrans_t)
libs_use_shared_libs(setrans_t)
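Review bot: `allow setrans_t self:capability sys_resource;` is added alongside `setrlimit` with no comment; CAP_SYS_RESOURCE covers far more than raising a process's own limits (quota and other resource overrides), so if it is needed only to lift a hard rlimit a comment saying so lets a later reviewer check whether it can be dropped. Suggest `# sys_resource: raise rlimit above the hard limit -- confirm still needed` on that line.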


@ -1,5 +1,5 @@
policy_module(sysnetwork,1.1.4)
policy_module(sysnetwork,1.1.5)
########################################
#
@ -247,6 +247,8 @@ optional_policy(`
')
optional_policy(`
kernel_read_xen_state(dhcpc_t)
kernel_write_xen_state(dhcpc_t)
xen_append_log(dhcpc_t)
xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
')
@ -349,6 +351,8 @@ optional_policy(`
')
optional_policy(`
kernel_read_xen_state(ifconfig_t)
kernel_write_xen_state(ifconfig_t)
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')


@ -12,6 +12,7 @@
/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)


@ -1,5 +1,5 @@
policy_module(xen,1.0.3)
policy_module(xen,1.0.4)
########################################
#
@ -77,7 +77,7 @@ allow xend_t self:packet_socket create_socket_perms;
# pid file
allow xend_t xend_var_run_t:file manage_file_perms;
allow xend_t xend_var_run_t:sock_file manage_file_perms;
allow xend_t xend_var_run_t:dir rw_dir_perms;
allow xend_t xend_var_run_t:dir { setattr rw_dir_perms };
files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
# log files
@ -153,10 +153,12 @@ sysnet_dns_name_resolve(xend_t)
sysnet_delete_dhcpc_pid(xend_t)
sysnet_read_dhcpc_pid(xend_t)
consoletype_exec(xend_t)
xen_stream_connect_xenstore(xend_t)
optional_policy(`
consoletype_domtrans(xend_t)
')
########################################
#
# Xen console local policy
@ -180,6 +182,7 @@ kernel_read_xen_state(xenconsoled_t)
term_create_pty(xenconsoled_t,xen_devpts_t);
term_dontaudit_use_generic_ptys(xenconsoled_t)
term_use_console(xenconsoled_t)
init_use_fds(xenconsoled_t)
@ -198,6 +201,7 @@ xen_stream_connect_xenstore(xenconsoled_t)
allow xenstored_t self:capability { dac_override mknod ipc_lock };
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
allow xenstored_t self:unix_dgram_socket create_socket_perms;
# pid file
allow xenstored_t xenstored_var_run_t:file manage_file_perms;
@ -220,12 +224,15 @@ dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
term_dontaudit_use_generic_ptys(xenstored_t)
term_dontaudit_use_console(xenconsoled_t)
init_use_fds(xenstored_t)
libs_use_ld_so(xenstored_t)
libs_use_shared_libs(xenstored_t)
logging_send_syslog_msg(xenstored_t)
miscfiles_read_localization(xenstored_t)
xen_append_log(xenstored_t)
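Review bot: The `term_dontaudit_use_console(xenconsoled_t)` line added in the xenstored_t rule block (between `term_dontaudit_use_generic_ptys(xenstored_t)` and `init_use_fds(xenstored_t)`, hunk @ -220,12 +224,15) names xenconsoled_t, which looks like a copy-paste slip: every other rule in the block is for xenstored_t, and xenconsoled_t already receives `term_use_console` in the hunk above, making a dontaudit for it redundant. If the intent is to quiet console denials from xenstored, it should read `term_dontaudit_use_console(xenstored_t)`; as written, xenstored console denials would still be audited.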