diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index db7e5540..d04ec62b 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -36,6 +36,11 @@ type bootloader_tmp_t;
 files_make_file(bootloader_tmp_t)
 devices_make_device_node(bootloader_tmp_t)
+########################################
+#
+# bootloader local policy
+#
+
 allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
 allow bootloader_t self:process { sigkill sigstop signull signal };
 allow bootloader_t self:fifo_file { getattr read write };
@@ -50,6 +55,7 @@ storage_raw_write_fixed_disk(bootloader_t)
 storage_raw_read_removable_device(bootloader_t)
 storage_raw_write_removable_device(bootloader_t)
+devices_get_all_block_device_attributes(bootloader_t)
 # for reading BIOS data (cjp: ?)
 devices_raw_read_memory(bootloader_t)
@@ -66,7 +72,7 @@ logging_send_system_log_message(bootloader_t)
 #files_create_private_config(bootloader_t,bootloader_etc_t)
 #allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-filesystem_read_persistent_filesystem_stats(bootloader_t)
+filesystem_read_persistent_filesystem_attributes(bootloader_t)
 terminal_use_controlling_terminal(bootloader_t)
@@ -115,6 +121,10 @@ allow bootloader_t bootloader_tmp_t:lnk_file { create read getattr setattr unlin
 # for tune2fs (cjp: ?)
 files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t)
+ifdef(`fsadm.te', `
+filesystemtools_execute(bootloader_t)
+')
+
 ################################################################################
 ifdef(`TODO',`
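Review bot: The new `devices_get_all_block_device_attributes(bootloader_t)` in hunk @@ -50 grants getattr on every type carrying the `device_node` attribute (per the devices.if hunk in this commit), while the storage.if hunks add the narrower `storage_get_fixed_disk_attributes` and `storage_get_removable_device_attributes` that match the raw read/write calls directly above it. Unless the bootloader really has to stat arbitrary block devices, the two storage_get_* calls would keep the grant aligned with the devices it already touches. It does replace the broader `allow bootloader_t device_type:blk_file getattr;` dropped from the TODO block further down, so this is a least-privilege refinement rather than a regression.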
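Review bot: The `ifdef(`fsadm.te', ...)` guard around `filesystemtools_execute(bootloader_t)` in hunk @@ -115 keeps the legacy m4 conditional in the converted part of the policy, whereas the interfaces added elsewhere in this commit take an `optional` argument via `requires_block_template`. If `filesystemtools_execute` follows that convention, `filesystemtools_execute(bootloader_t,optional)` would express the same dependency without relying on the `fsadm.te` symbol; its definition is not in this diff, so that needs confirming. The hunk ends on the opening `ifdef(`TODO',` line, so the block it opens lies outside this view.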
@@ -124,7 +134,6 @@ allow bootloader_t admin_tty_type:chr_file rw_file_perms;
 allow bootloader_t privfd:fd use;
 allow bootloader_t { device_type ttyfile }:chr_file getattr;
-allow bootloader_t device_type:blk_file getattr;
 allow bootloader_t initctl_t:fifo_file getattr;
 # no transition from initrc to bootloader,
@@ -141,10 +150,6 @@ allow bootloader_t sysfs_t:dir getattr;
 allow bootloader_t var_t:dir search;
 allow bootloader_t var_t:file { getattr read };
-ifdef(`fsadm.te', `
-allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
-')
-
 # LVM2 / Device Mapper's /dev/mapper/control
 # maybe we should change the labeling for this
 ifdef(`lvm.te', `
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 183c03c2..9fa98404 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -77,6 +77,62 @@ type device_t;
 class dir { getattr search read write add_name remove_name };
 ')
+########################################
+#
+# devices_get_all_block_device_attributes(domain,[`optional'])
+#
+define(`devices_get_all_block_device_attributes',`
+requires_block_template(devices_get_all_block_device_attributes_depend,$2)
+allow $1 device_node:blk_file getattr;
+')
+
+define(`devices_get_all_block_device_attributes_depend',`
+attribute device_node;
+class blk_file getattr;
+')
+
+########################################
+#
+# devices_get_all_character_device_attributes(domain,[`optional'])
+#
+define(`devices_get_all_character_device_attributes',`
+requires_block_template(devices_get_all_character_device_attributes_depend,$2)
+allow $1 device_node:chr_file getattr;
+')
+
+define(`devices_get_all_character_device_attributes_depend',`
+attribute device_node;
+class chr_file getattr;
+')
+
+########################################
+#
+# devices_set_all_block_device_attributes(domain,[`optional'])
+#
+define(`devices_set_all_block_device_attributes',`
+requires_block_template(devices_set_all_block_device_attributes_depend,$2)
+allow $1 device_node:blk_file setattr;
+')
+
+define(`devices_set_all_block_device_attributes_depend',`
+attribute device_node;
+class blk_file setattr;
+')
+
+########################################
+#
+# devices_set_all_character_device_attributes(domain,[`optional'])
+#
+define(`devices_set_all_character_device_attributes',`
+requires_block_template(devices_set_all_character_device_attributes_depend,$2)
+allow $1 device_node:chr_file setattr;
+')
+
+define(`devices_set_all_character_device_attributes_depend',`
+attribute device_node;
+class chr_file setattr;
+')
+
 ########################################
 #
 # devices_raw_read_memory(domain,[`optional'])
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index f8184e71..aeda90f8 100644
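Review bot: The four new interfaces carry only their signature in the header comment, and the `devices_set_all_*_device_attributes` pair is a wide grant — `setattr` on every type carrying the `device_node` attribute lets the caller change mode and ownership of any device node on the system. A one-line description would help callers pick the right one, e.g. `# Change the attributes (mode/ownership) of every device node; meant for device-setup domains such as init scripts, not ordinary services` on the set_all variants and `# Get the attributes of every device node (device_node attribute)` on the get_all ones. Unlike the storage_get_*/storage_set_* interfaces added in storage.if in this same commit, these do not call `devices_list_device_nodes($1,optional)`; if that is deliberate because callers already list /dev, the header could say so, otherwise adding it would keep the two families consistent.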
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -91,28 +91,28 @@ class filesystem unmount;
 ########################################
 #
-# filesystem_read_persistent_filesystem_stats(domain,[`optional'])
+# filesystem_read_persistent_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_read_persistent_filesystem_stats',`
-requires_block_template(filesystem_read_persistent_filesystem_stats_depend,$2)
+define(`filesystem_read_persistent_filesystem_attributes',`
+requires_block_template(filesystem_read_persistent_filesystem_attributes_depend,$2)
 allow $1 fs_t:filesystem getattr;
 ')
-define(`filesystem_read_persistent_filesystem_stats_depend',`
+define(`filesystem_read_persistent_filesystem_attributes_depend',`
 type fs_t;
 class filesystem getattr;
 ')
 ########################################
 #
-# filesystem_ignore_read_persistent_filesystem_stats(domain,[`optional'])
+# filesystem_ignore_read_persistent_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_ignore_read_persistent_filesystem_stats',`
-requires_block_template(filesystem_ignore_read_persistent_filesystem_stats_depend,$2)
+define(`filesystem_ignore_read_persistent_filesystem_attributes',`
+requires_block_template(filesystem_ignore_read_persistent_filesystem_attributes_depend,$2)
 dontaudit $1 fs_t:filesystem getattr;
 ')
-define(`filesystem_ignore_read_persistent_filesystem_stats_depend',`
+define(`filesystem_ignore_read_persistent_filesystem_attributes_depend',`
 type fs_t;
 class filesystem getattr;
 ')
@@ -161,14 +161,14 @@ class filesystem unmount;
 ########################################
 #
-# filesystem_read_automount_filesystem_stats(domain,[`optional'])
+# filesystem_read_automount_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_read_automount_filesystem_stats',`
-requires_block_template(filesystem_read_automount_filesystem_stats_depend,$2)
+define(`filesystem_read_automount_filesystem_attributes',`
+requires_block_template(filesystem_read_automount_filesystem_attributes_depend,$2)
 allow $1 autofs_t:filesystem getattr;
 ')
-define(`filesystem_read_automount_filesystem_stats_depend',`
+define(`filesystem_read_automount_filesystem_attributes_depend',`
 type autofs_t;
 class filesystem getattr;
 ')
@@ -233,14 +233,14 @@ class filesystem unmount;
 ########################################
 #
-# filesystem_read_windows_network_filesystem_stats(domain,[`optional'])
+# filesystem_read_windows_network_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_read_windows_network_filesystem_stats',`
-requires_block_template(filesystem_read_windows_network_filesystem_stats_depend,$2)
+define(`filesystem_read_windows_network_filesystem_attributes',`
+requires_block_template(filesystem_read_windows_network_filesystem_attributes_depend,$2)
 allow $1 cifs_t:filesystem getattr;
 ')
-define(`filesystem_read_windows_network_filesystem_stats_depend',`
+define(`filesystem_read_windows_network_filesystem_attributes_depend',`
 type cifs_t;
 class filesystem getattr;
 ')
@@ -289,14 +289,14 @@ class filesystem unmount;
 ########################################
 #
-# filesystem_read_dos_filesystem_stats(domain,[`optional'])
+# filesystem_read_dos_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_read_dos_filesystem_stats',`
-requires_block_template(filesystem_read_dos_filesystem_stats_depend,$2)
+define(`filesystem_read_dos_filesystem_attributes',`
+requires_block_template(filesystem_read_dos_filesystem_attributes_depend,$2)
 allow $1 dosfs_t:filesystem getattr;
 ')
-define(`filesystem_read_dos_filesystem_stats_depend',`
+define(`filesystem_read_dos_filesystem_attributes_depend',`
 type dosfs_t;
 class filesystem getattr;
 ')
@@ -345,14 +345,14 @@ class filesystem unmount;
 ########################################
 #
-# filesystem_read_cd_filesystem_stats(domain,[`optional'])
+# filesystem_read_cd_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_read_cd_filesystem_stats',`
-requires_block_template(filesystem_read_cd_filesystem_stats_depend,$2)
+define(`filesystem_read_cd_filesystem_attributes',`
+requires_block_template(filesystem_read_cd_filesystem_attributes_depend,$2)
 allow $1 iso9660_t:filesystem getattr;
 ')
-define(`filesystem_read_cd_filesystem_stats_depend',`
+define(`filesystem_read_cd_filesystem_attributes_depend',`
 type iso9660_t;
 class filesystem getattr;
 ')
@@ -401,14 +401,14 @@ class filesystem unmount;
 ########################################
 #
-# filesystem_read_nfs_filesystem_stats(domain,[`optional'])
+# filesystem_read_nfs_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_read_nfs_filesystem_stats',`
-requires_block_template(filesystem_read_nfs_filesystem_stats_depend,$2)
+define(`filesystem_read_nfs_filesystem_attributes',`
+requires_block_template(filesystem_read_nfs_filesystem_attributes_depend,$2)
 allow $1 nfs_t:filesystem getattr;
 ')
-define(`filesystem_read_nfs_filesystem_stats_depend',`
+define(`filesystem_read_nfs_filesystem_attributes_depend',`
 type nfs_t;
 class filesystem getattr;
 ')
@@ -457,14 +457,14 @@ class filesystem unmount;
 ########################################
 #
-# filesystem_read_nfsd_filesystem_stats(domain,[`optional'])
+# filesystem_read_nfsd_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_read_nfsd_filesystem_stats',`
-requires_block_template(filesystem_read_nfsd_filesystem_stats_depend,$2)
+define(`filesystem_read_nfsd_filesystem_attributes',`
+requires_block_template(filesystem_read_nfsd_filesystem_attributes_depend,$2)
 allow $1 nfsd_fs_t:filesystem getattr;
 ')
-define(`filesystem_read_nfsd_filesystem_stats_depend',`
+define(`filesystem_read_nfsd_filesystem_attributes_depend',`
 type nfsd_fs_t;
 class filesystem getattr;
 ')
@@ -513,14 +513,14 @@ class filesystem unmount;
 ########################################
 #
-# filesystem_read_ram_filesystem_stats(domain,[`optional'])
+# filesystem_read_ram_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_read_ram_filesystem_stats',`
-requires_block_template(filesystem_read_ram_filesystem_stats_depend,$2)
+define(`filesystem_read_ram_filesystem_attributes',`
+requires_block_template(filesystem_read_ram_filesystem_attributes_depend,$2)
 allow $1 ramfs_t:filesystem getattr;
 ')
-define(`filesystem_read_ram_filesystem_stats_depend',`
+define(`filesystem_read_ram_filesystem_attributes_depend',`
 type ramfs_t;
 class filesystem getattr;
 ')
@@ -569,14 +569,14 @@ class filesystem unmount;
 ########################################
 #
-# filesystem_read_rom_filesystem_stats(domain,[`optional'])
+# filesystem_read_rom_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_read_rom_filesystem_stats',`
-requires_block_template(filesystem_read_rom_filesystem_stats_depend,$2)
+define(`filesystem_read_rom_filesystem_attributes',`
+requires_block_template(filesystem_read_rom_filesystem_attributes_depend,$2)
 allow $1 romfs_t:filesystem getattr;
 ')
-define(`filesystem_read_rom_filesystem_stats_depend',`
+define(`filesystem_read_rom_filesystem_attributes_depend',`
 type romfs_t;
 class filesystem getattr;
 ')
@@ -625,14 +625,14 @@ class filesystem unmount;
 ########################################
 #
-# filesystem_read_rpc_pipefs_filesystem_stats(domain,[`optional'])
+# filesystem_read_rpc_pipefs_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_read_rpc_pipefs_filesystem_stats',`
-requires_block_template(filesystem_read_rpc_pipefs_filesystem_stats_depend,$2)
+define(`filesystem_read_rpc_pipefs_filesystem_attributes',`
+requires_block_template(filesystem_read_rpc_pipefs_filesystem_attributes_depend,$2)
 allow $1 rpc_pipefs_t:filesystem getattr;
 ')
-define(`filesystem_read_rpc_pipefs_filesystem_stats_depend',`
+define(`filesystem_read_rpc_pipefs_filesystem_attributes_depend',`
 type rpc_pipefs_t;
 class filesystem getattr;
 ')
@@ -681,14 +681,14 @@ class filesystem unmount;
 ########################################
 #
-# filesystem_read_tmpfs_filesystem_stats(domain,[`optional'])
+# filesystem_read_tmpfs_filesystem_attributes(domain,[`optional'])
 #
-define(`filesystem_read_tmpfs_filesystem_stats',`
-requires_block_template(filesystem_read_tmpfs_filesystem_stats_depend,$2)
+define(`filesystem_read_tmpfs_filesystem_attributes',`
+requires_block_template(filesystem_read_tmpfs_filesystem_attributes_depend,$2)
 allow $1 tmpfs_t:filesystem getattr;
 ')
-define(`filesystem_read_tmpfs_filesystem_stats_depend',`
+define(`filesystem_read_tmpfs_filesystem_attributes_depend',`
 type tmpfs_t;
 class filesystem getattr;
 ')
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 28771479..fdb0ec5c 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -36,6 +36,38 @@ class blk_file { getattr write ioctl };
 devices_list_device_nodes_depend
 ')
+########################################
+#
+# storage_get_fixed_disk_attributes(domain,[`optional'])
+#
+define(`storage_get_fixed_disk_attributes',`
+requires_block_template(storage_get_fixed_disk_attributes_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 fixed_disk_device_t:blk_file getattr;
+')
+
+define(`storage_get_fixed_disk_attributes_depend',`
+type fixed_disk_device_t;
+class blk_file getattr;
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# storage_set_fixed_disk_attributes(domain,[`optional'])
+#
+define(`storage_set_fixed_disk_attributes',`
+requires_block_template(storage_set_fixed_disk_attributes_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 fixed_disk_device_t:blk_file setattr;
+')
+
+define(`storage_set_fixed_disk_attributes_depend',`
+type fixed_disk_device_t;
+class blk_file setattr;
+devices_list_device_nodes_depend
+')
+
 ########################################
 #
 # storage_read_scsi_generic(domain,[`optional'])
@@ -72,6 +104,38 @@ class blk_file { getattr write ioctl };
 devices_list_device_nodes_depend
 ')
+########################################
+#
+# storage_get_scsi_generic_attributes(domain,[`optional'])
+#
+define(`storage_get_scsi_generic_attributes',`
+requires_block_template(storage_get_scsi_generic_attributes_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 scsi_generic_device_t:blk_file getattr;
+')
+
+define(`storage_get_scsi_generic_attributes_depend',`
+type scsi_generic_device_t;
+class blk_file getattr;
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# storage_set_scsi_generic_attributes(domain,[`optional'])
+#
+define(`storage_set_scsi_generic_attributes',`
+requires_block_template(storage_set_scsi_generic_attributes_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 scsi_generic_device_t:blk_file setattr;
+')
+
+define(`storage_set_scsi_generic_attributes_depend',`
+type scsi_generic_device_t;
+class blk_file setattr;
+devices_list_device_nodes_depend
+')
+
 ########################################
 #
 # storage_raw_read_removable_device(domain,[`optional'])
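Review bot: `storage_get_scsi_generic_attributes` and `storage_set_scsi_generic_attributes` grant `scsi_generic_device_t:blk_file`, but SCSI generic devices (/dev/sg*) are character devices on Linux, so a blk_file rule would never match the real node and the interface would silently do nothing. The hunk header shows the existing scsi_generic dependency block also declaring `class blk_file { getattr write ioctl }`, so this appears to be a pre-existing mismatch copied into the new interfaces rather than introduced here; the file contexts for /dev/sg* would settle it. If the nodes are indeed character devices, the two new allow rules and their _depend blocks should say `chr_file`, and the older scsi_generic interfaces deserve the same check in a follow-up.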
@@ -104,6 +168,38 @@ class blk_file { getattr write ioctl };
 devices_list_device_nodes_depend
 ')
+########################################
+#
+# storage_get_removable_device_attributes(domain,[`optional'])
+#
+define(`storage_get_removable_device_attributes',`
+requires_block_template(storage_get_removable_device_attributes_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 removable_device_t:blk_file getattr;
+')
+
+define(`storage_get_removable_device_attributes_depend',`
+type removable_device_t;
+class blk_file getattr;
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# storage_set_removable_device_attributes(domain,[`optional'])
+#
+define(`storage_set_removable_device_attributes',`
+requires_block_template(storage_set_removable_device_attributes_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 removable_device_t:blk_file setattr;
+')
+
+define(`storage_set_removable_device_attributes_depend',`
+type removable_device_t;
+class blk_file setattr;
+devices_list_device_nodes_depend
+')
+
 ########################################
 #
 # storage_read_tape_device(domain,[`optional'])
@@ -135,3 +231,35 @@ type tape_device_t;
 class blk_file { getattr write ioctl };
 devices_list_device_nodes_depend
 ')
+
+########################################
+#
+# storage_get_tape_device_attributes(domain,[`optional'])
+#
+define(`storage_get_tape_device_attributes',`
+requires_block_template(storage_get_tape_device_attributes_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 tape_device_t:blk_file getattr;
+')
+
+define(`storage_get_tape_device_attributes_depend',`
+type tape_device_t;
+class blk_file getattr;
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# storage_set_tape_device_attributes(domain,[`optional'])
+#
+define(`storage_set_tape_device_attributes',`
+requires_block_template(storage_set_tape_device_attributes_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 tape_device_t:blk_file setattr;
+')
+
+define(`storage_set_tape_device_attributes_depend',`
+type tape_device_t;
+class blk_file setattr;
+devices_list_device_nodes_depend
+')
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index aef232fa..40dad0e7 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -1,5 +1,29 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+########################################
+#
+# terminal_make_pseudoterminal(domain,ptytype,[`optional'])
+#
+define(`terminal_make_pseudoterminal',`
+requires_block_template(terminal_make_pseudoterminal_depend,$3)
+devices_list_device_nodes($1,optional)
+allow $1 ptmx_t:chr_file { getattr read write };
+allow $1 devpts_t:dir { getattr search read };
+allow $1 devpts_t:filesystem getattr;
+allow $2 devpts_t:filesystem associate;
+type_transition $1 devpts_t:chr_file $2;
+typeattribute $2 ptynode;
+')
+
+define(`terminal_make_pseudoterminal_depend',`
+attribute ptynode;
+type ptmx_t, devpts_t;
+class filesystem { getattr associate };
+class dir { getattr search read };
+class chr_file { getattr read write };
+devices_list_device_nodes_depend
+')
+
 ########################################
 #
 # terminal_use_console(domain,[`optional'])
@@ -32,30 +56,6 @@ class chr_file { read write };
 devices_list_device_nodes_depend
 ')
-########################################
-#
-# terminal_make_pty(domain,ptytype,[`optional'])
-#
-define(`terminal_make_pty',`
-requires_block_template(terminal_make_pty_depend,$3)
-devices_list_device_nodes($1,optional)
-allow $1 ptmx_t:chr_file { getattr read write };
-allow $1 devpts_t:dir { getattr search read };
-allow $1 devpts_t:filesystem getattr;
-allow $2 devpts_t:filesystem associate;
-type_transition $1 devpts_t:chr_file $2;
-typeattribute $2 ptynode;
-')
-
-define(`terminal_make_pty_depend',`
-attribute ptynode;
-type ptmx_t, devpts_t;
-class filesystem { getattr associate };
-class dir { getattr search read };
-class chr_file { getattr read write };
-devices_list_device_nodes_depend
-')
-
 ########################################
 #
 # terminal_use_all_terminals(domain,[`optional'])
@@ -95,14 +95,14 @@ kernel_relabeling_privilege_depend
 ########################################
 #
-# terminal_ignore_list_ptys(domain,[`optional'])
+# terminal_ignore_list_pseudoterminals(domain,[`optional'])
 #
-define(`terminal_ignore_list_ptys',`
-requires_block_template(terminal_ignore_list_ptys_depend,$2)
-allow $1 console_device_t:chr_file { read write };
+define(`terminal_ignore_list_pseudoterminals',`
+requires_block_template(terminal_ignore_list_pseudoterminals_depend,$2)
+dontaudit $1 devpts_t:dir { getattr search read };
 ')
-define(`terminal_ignore_list_ptys_depend',`
+define(`terminal_ignore_list_pseudoterminals_depend',`
 type devpts_t;
 class dir { getattr search read };
 ')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index ed29fd57..7cc9480f 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -26,7 +26,7 @@ libraries_read_shared_libraries($1_chkpwd_t)
 files_read_general_system_config($1_chkpwd_t)
 miscfiles_read_localization($1_chkpwd_t)
 selinux_read_config($1_chkpwd_t)
-filesystem_ignore_read_persistent_filesystem_stats($1_chkpwd_t)
+filesystem_ignore_read_persistent_filesystem_attributes($1_chkpwd_t)
 # is_selinux_enabled
 kernel_read_system_state($1_chkpwd_t)
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 7a8191b3..69ecf0b1 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
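Review bot: The rename to `terminal_ignore_list_pseudoterminals` in hunk @@ -95 also changes what the interface does: the old body was `allow $1 console_device_t:chr_file { read write };`, the new body is `dontaudit $1 devpts_t:dir { getattr search read };`. The new body is what the name and the _depend block (which declares only devpts_t and class dir) describe, so the old body reads like a copy-paste error, but its one caller in this diff, `run_init_t` in init.te, silently loses the console read/write it was getting through this interface. That deserves a sentence in the commit message and a check that run_init_t obtains console access elsewhere if it needs it.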
@@ -59,6 +59,19 @@ define(`domain_make_entrypoint_file_depend',`
 class file entrypoint;
 ')
+########################################
+#
+# domain_make_file_descriptors_widely_inheritable(domain,[`optional'])
+#
+define(`domain_make_file_descriptors_widely_inheritable',`
+requires_block_template(domain_make_file_descriptors_widely_inheritable_depend,$2)
+typeattribute $1 privfd;
+')
+
+define(`domain_make_file_descriptors_widely_inheritable_depend',`
+attribute privfd;
+')
+
 ########################################
 #
 # domain_signal_all_domains(domain,[`optional'])
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index 934b65a2..b9b669bd 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -3,4 +3,7 @@
 # Mark process types as domains
 attribute domain;
+# widely-inheritable file descriptors
+attribute privfd;
+
 neverallow domain ~domain:process { transition dyntransition };
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 006a8d9a..28c9abd1 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -19,10 +19,10 @@ filesystem_associate_noxattr_depend
 ########################################
 #
-# files_get_all_file_stats(type,[`optional'])
+# files_get_all_file_attributes(type,[`optional'])
 #
-define(`files_get_all_file_stats',`
-requires_block_template(files_get_all_file_stats_depend,$2)
+define(`files_get_all_file_attributes',`
+requires_block_template(files_get_all_file_attributes_depend,$2)
 allow $1 file_type:dir { search getattr };
 allow $1 file_type:file getattr;
 allow $1 file_type:lnk_file getattr;
@@ -30,7 +30,7 @@ allow $1 file_type:fifo_file getattr;
 allow $1 file_type:sock_file getattr;
 ')
-define(`files_get_all_file_stats_depend',`
+define(`files_get_all_file_attributes_depend',`
 attribute file_type;
 class dir { search getattr };
 class file getattr;
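Review bot: `domain_make_file_descriptors_widely_inheritable` covers only the producing side of `privfd` — adding a domain to the attribute — while the consuming side, the `allow bootloader_t privfd:fd use;` and `allow initrc_t privfd:fd use;` rules still sitting in the TODO blocks of this same diff, gets no interface, so those callers cannot leave the TODO section yet. A companion in the same style wrapping `allow $1 privfd:fd use;` (a name such as `domain_use_widely_inheritable_file_descriptors`, constructed here, would parallel the new one) would complete the pair. The header comment could also state the effect, e.g. `# Mark this domain's file descriptors as usable by every domain allowed privfd:fd use`, since the current header gives only the signature.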
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 5d240d63..87a6a80c 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -51,7 +51,7 @@ files_read_general_system_config(getty_t)
 miscfiles_read_localization(getty_t)
 # for error condition handling
-filesystem_read_persistent_filesystem_stats(getty_t)
+filesystem_read_persistent_filesystem_attributes(getty_t)
 # Chown, chmod, read and write ttys.
 terminal_use_all_terminals(getty_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index bdd7e445..fc0cabad 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -129,7 +129,6 @@ allow init_t file_t:dir search;
 # Init script policy
 #
-
 type initrc_t;
 domain_make_domain(initrc_t)
 role system_r types initrc_t;
@@ -138,7 +137,7 @@ type initrc_exec_t;
 domain_make_entrypoint_file(initrc_t,initrc_exec_t)
 type initrc_devpts_t;
-terminal_make_pty(initrc_t,initrc_devpts_t)
+terminal_make_pseudoterminal(initrc_t,initrc_devpts_t)
 type initrc_var_run_t;
 files_make_file(initrc_var_run_t)
@@ -212,6 +211,10 @@ devices_read_framebuffer(initrc_t)
 devices_read_realtime_clock(initrc_t)
 devices_read_sound_mixer_levels(initrc_t)
 devices_write_sound_mixer_levels(initrc_t)
+devices_set_all_character_device_attributes(initrc_t)
+
+storage_set_fixed_disk_attributes(initrc_t)
+storage_set_removable_device_attributes(initrc_t)
 terminal_use_all_terminals(initrc_t)
 terminal_reset_labels(initrc_t)
@@ -223,7 +226,7 @@ libraries_use_dynamic_loader(initrc_t)
 libraries_read_shared_libraries(initrc_t)
 libraries_execute_library_scripts(initrc_t)
-files_get_all_file_stats(initrc_t)
+files_get_all_file_attributes(initrc_t)
 files_remove_all_tmp_data(initrc_t)
 files_remove_all_lock_files(initrc_t)
 files_remove_all_daemon_runtime_data(initrc_t)
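Review bot: The three calls added in hunk @@ -212 do not fully replace the rules removed from the TODO block later in this file (hunk @@ -331): `devices_set_all_character_device_attributes(initrc_t)` covers the chr_file setattr rules and the two storage_set_* calls cover `fixed_disk_device_t` and `removable_device_t`, but the blk_file half of `allow initrc_t misc_device_t:{ chr_file blk_file } setattr;` has no counterpart. That is probably harmless if misc_device_t only ever labels character nodes, yet a deliberate drop should be stated in the commit message rather than left implicit. The chr_file coverage also assumes that misc_device_t and sound_device_t carry the `device_node` attribute used by the new interface, which is not visible in this diff and is worth confirming.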
@@ -281,7 +284,7 @@ ifdef(`targeted_policy',`
 corecommands_execute_general_programs(run_init_t)
 corecommands_execute_shell(run_init_t)
-filesystem_read_persistent_filesystem_stats(run_init_t)
+filesystem_read_persistent_filesystem_attributes(run_init_t)
 files_read_general_system_config(run_init_t)
@@ -294,6 +297,8 @@ authlogin_ignore_read_shadow_passwords(run_init_t)
 miscfiles_read_localization(run_init_t)
+logging_send_system_log_message(run_init_t)
+
 allow run_init_t initrc_t:process transition;
 allow run_init_t initrc_exec_t:file { getattr read execute };
@@ -303,9 +308,6 @@ allow run_init_t initrc_var_run_t:file { getattr read write };
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
-allow run_init_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow run_init_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-
 allow run_init_t self:fifo_file { getattr read write };
 # often the administrator runs such programs from a directory that is owned
@@ -314,7 +316,7 @@ allow run_init_t self:fifo_file { getattr read write };
 dontaudit run_init_t self:capability { dac_override dac_read_search };
 devices_ignore_list_device_nodes(run_init_t)
-terminal_ignore_list_ptys(run_init_t)
+terminal_ignore_list_pseudoterminals(run_init_t)
 ') dnl end ifdef targeted policy
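Review bot: The `self:unix_stream_socket` rule removed in hunk @@ -303 has no visible replacement: `logging_send_system_log_message(run_init_t)` added in hunk @@ -294 presumably supplies the unix_dgram_socket access that syslog needs (its definition is not in this diff), but nothing added here covers stream sockets. If run_init never creates a stream socket this is a welcome tightening; if it does, the removal will show up as a denial on the first invocation under the targeted policy. A short note in the commit message saying which of the two removed rules the logging interface stands in for would make the intent auditable; the enclosing `ifdef(`targeted_policy'` block starts outside the first hunk.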
@@ -331,12 +333,7 @@ allow initrc_t privfd:fd use;
 allow initrc_t fixed_disk_device_t:blk_file getattr;
 # Set device ownerships/modes.
-allow initrc_t device_type:chr_file setattr;
-allow initrc_t misc_device_t:{ chr_file blk_file } setattr;
-allow initrc_t fixed_disk_device_t:blk_file setattr;
-allow initrc_t removable_device_t:blk_file setattr;
 allow initrc_t xconsole_device_t:fifo_file setattr;
-allow initrc_t sound_device_t:chr_file setattr;
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index aa59a94a..acd5e751 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -75,7 +75,7 @@ devices_get_pseudorandom_data(insmod_t)
 devices_direct_agp_access(insmod_t)
 devices_get_zeros(insmod_t)
-filesystem_read_persistent_filesystem_stats(insmod_t)
+filesystem_read_persistent_filesystem_attributes(insmod_t)
 files_read_runtime_system_config(insmod_t)
 files_read_general_system_config(insmod_t)
@@ -171,7 +171,7 @@ type_transition depmod_t modules_object_t:file modules_dep_t;
 kernel_read_system_state(depmod_t)
-filesystem_read_persistent_filesystem_stats(depmod_t)
+filesystem_read_persistent_filesystem_attributes(depmod_t)
 terminal_use_console(depmod_t)
@@ -230,7 +230,7 @@ kernel_read_system_state(update_modules_t)
 devices_get_pseudorandom_data(update_modules_t)
-filesystem_read_persistent_filesystem_stats(update_modules_t)
+filesystem_read_persistent_filesystem_attributes(update_modules_t)
 terminal_use_console(update_modules_t)
 terminal_use_controlling_terminal(update_modules_t)
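Review bot: The context line `allow initrc_t fixed_disk_device_t:blk_file getattr;` left at the top of hunk @@ -331 can now be written as `storage_get_fixed_disk_attributes(initrc_t)`, which this commit adds in storage.if, and it would sit naturally beside the `storage_set_fixed_disk_attributes(initrc_t)` call introduced in hunk @@ -212. Converting it here moves one more raw rule out of the TODO section and keeps the get/set pair for fixed disks together. The enclosing `ifdef(`TODO'` block starts and ends outside this hunk.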