From 8cf671418b15625ea57e2e526b182ee2ed912c8b Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 16 Feb 2006 19:32:13 +0000 Subject: [PATCH] patch from dan Tue, 14 Feb 2006 09:01:16 -0500 --- refpolicy/policy/mcs | 13 ++++- refpolicy/policy/modules/admin/prelink.te | 3 +- refpolicy/policy/modules/kernel/devices.if | 19 ++++++++ refpolicy/policy/modules/kernel/devices.te | 2 +- refpolicy/policy/modules/kernel/mcs.fc | 1 + refpolicy/policy/modules/kernel/mcs.if | 23 +++++++++ refpolicy/policy/modules/kernel/mcs.te | 47 +++++++++++++++++++ refpolicy/policy/modules/kernel/mls.te | 32 +------------ .../policy/modules/services/bluetooth.te | 3 +- refpolicy/policy/modules/services/hal.te | 5 +- refpolicy/policy/modules/services/mta.te | 5 +- .../policy/modules/services/networkmanager.te | 4 +- refpolicy/policy/modules/services/postfix.te | 6 ++- refpolicy/policy/modules/system/init.fc | 3 +- refpolicy/policy/modules/system/init.te | 6 ++- refpolicy/policy/modules/system/libraries.if | 22 ++++++++- refpolicy/policy/modules/system/libraries.te | 2 +- .../policy/modules/system/selinuxutil.if | 23 ++++++++- .../policy/modules/system/selinuxutil.te | 2 +- refpolicy/policy/modules/system/unconfined.if | 3 +- refpolicy/policy/modules/system/unconfined.te | 2 +- refpolicy/policy/modules/system/userdomain.te | 9 +++- 22 files changed, 185 insertions(+), 50 deletions(-) diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs index ce5ad18c..9a39f467 100644 --- a/refpolicy/policy/mcs +++ b/refpolicy/policy/mcs @@ -137,15 +137,24 @@ level s0:c0.c255; # Only files are constrained by MCS at this stage. # mlsconstrain file { write setattr append unlink link rename - create ioctl lock execute } (h1 dom h2); + ioctl lock execute relabelfrom } (h1 dom h2); + +mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2)); mlsconstrain file { read } ((h1 dom h2) or ( t1 == mlsfileread )); # new file labels must be dominated by the relabeling subject clearance -mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto } +mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } ( h1 dom h2 ); +mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); + +mlsconstrain process { ptrace } ( h1 dom h2 ); + +mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or + ( t1 == mcskillall ); define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append link unlink rename relabelfrom relabelto }') diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te index 3433cda8..0c301162 100644 --- a/refpolicy/policy/modules/admin/prelink.te +++ b/refpolicy/policy/modules/admin/prelink.te @@ -1,5 +1,5 @@ -policy_module(prelink,1.0.2) +policy_module(prelink,1.0.3) ######################################## # @@ -74,6 +74,7 @@ libs_relabel_shared_libs(prelink_t) libs_use_lib_files(prelink_t) libs_manage_lib_files(prelink_t) libs_relabel_lib_files(prelink_t) +libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 01e85511..917c544a 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -2311,6 +2311,25 @@ interface(`dev_write_urand',` allow $1 urandom_device_t:chr_file { getattr write ioctl }; ') +######################################## +## +## Read and write generic the USB devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_generic_usb_dev',` + gen_require(` + type usb_device_t; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 usb_device_t:chr_file { read write }; +') + ######################################## ## ## Mount a usbfs filesystem. diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index 1e3008f9..0827543c 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.0.1) +policy_module(devices,1.0.2) ######################################## # diff --git a/refpolicy/policy/modules/kernel/mcs.fc b/refpolicy/policy/modules/kernel/mcs.fc index e69de29b..fa8a4b15 100644 --- a/refpolicy/policy/modules/kernel/mcs.fc +++ b/refpolicy/policy/modules/kernel/mcs.fc @@ -0,0 +1 @@ +# no MCS file contexts diff --git a/refpolicy/policy/modules/kernel/mcs.if b/refpolicy/policy/modules/kernel/mcs.if index e69de29b..1ceab9f7 100644 --- a/refpolicy/policy/modules/kernel/mcs.if +++ b/refpolicy/policy/modules/kernel/mcs.if @@ -0,0 +1,23 @@ +## Multicategory security policy +## +## Contains attributes used in MCS policy. +## + +######################################## +## +## This domain is allowed to sigkill and sigstop +## all domains regardless of their MCS level. +## +## +## +## Domain target for user exemption. +## +## +# +interface(`mcs_killall',` + gen_require(` + attribute mcskillall; + ') + + typeattribute $1 mcskillall; +') diff --git a/refpolicy/policy/modules/kernel/mcs.te b/refpolicy/policy/modules/kernel/mcs.te index e69de29b..260d9503 100644 --- a/refpolicy/policy/modules/kernel/mcs.te +++ b/refpolicy/policy/modules/kernel/mcs.te @@ -0,0 +1,47 @@ + +policy_module(mcs,1.0.0) + +######################################## +# +# Declarations +# + +attribute mcskillall; + +######################################## +# +# THIS IS A HACK +# +# Only the base module can have range_transitions, so we +# temporarily have to break encapsulation to work around this. +# + +type auditd_exec_t; +type crond_exec_t; +type cupsd_exec_t; +type getty_t; +type init_t; +type init_exec_t; +type initrc_t; +type initrc_exec_t; +type login_exec_t; +type sshd_exec_t; +type su_exec_t; +type udev_exec_t; +type unconfined_t; +type xdm_exec_t; + +ifdef(`enable_mcs',` +range_transition getty_t login_exec_t s0 - s0:c0.c255; +range_transition init_t xdm_exec_t s0 - s0:c0.c255; +range_transition initrc_t crond_exec_t s0 - s0:c0.c255; +range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; +range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; +range_transition initrc_t udev_exec_t s0 - s0:c0.c255; +range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; +range_transition kernel_t udev_exec_t s0 - s0:c0.c255; + +# these might be targeted_policy only +range_transition unconfined_t su_exec_t s0 - s0:c0.c255; +range_transition unconfined_t initrc_exec_t s0; +') diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te index 0b66165b..c7b119b0 100644 --- a/refpolicy/policy/modules/kernel/mls.te +++ b/refpolicy/policy/modules/kernel/mls.te @@ -1,5 +1,5 @@ -policy_module(mls,1.2.1) +policy_module(mls,1.2.2) ######################################## # @@ -53,38 +53,10 @@ attribute mlsrangetrans; # # Only the base module can have range_transitions, so we # temporarily have to break encapsulation to work around this. +# Other types are declared in the mcs module. # -type auditd_exec_t; -type crond_exec_t; -type cupsd_exec_t; -type getty_t; -type init_t; -type init_exec_t; -type initrc_t; -type initrc_exec_t; -type login_exec_t; type lvm_exec_t; -type sshd_exec_t; -type su_exec_t; -type udev_exec_t; -type unconfined_t; -type xdm_exec_t; - -ifdef(`enable_mcs',` -range_transition getty_t login_exec_t s0 - s0:c0.c255; -range_transition init_t xdm_exec_t s0 - s0:c0.c255; -range_transition initrc_t crond_exec_t s0 - s0:c0.c255; -range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; -range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; -range_transition initrc_t udev_exec_t s0 - s0:c0.c255; -range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; -range_transition kernel_t udev_exec_t s0 - s0:c0.c255; - -# these might be targeted_policy only -range_transition unconfined_t su_exec_t s0 - s0:c0.c255; -range_transition unconfined_t initrc_exec_t s0; -') ifdef(`enable_mls',` range_transition initrc_t auditd_exec_t s15:c0.c255; diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index b8305fd8..706f5d34 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -1,5 +1,5 @@ -policy_module(bluetooth,1.1.0) +policy_module(bluetooth,1.1.1) ######################################## # @@ -101,6 +101,7 @@ corenet_udp_bind_all_nodes(bluetooth_t) dev_read_sysfs(bluetooth_t) dev_rw_usbfs(bluetooth_t) +dev_rw_generic_usb_dev(bluetooth_t) dev_read_urand(bluetooth_t) fs_getattr_all_fs(bluetooth_t) diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 8e85e00a..59f80126 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.2.4) +policy_module(hal,1.2.5) ######################################## # @@ -128,10 +128,13 @@ libs_exec_ld_so(hald_t) libs_exec_lib_files(hald_t) logging_send_syslog_msg(hald_t) +logging_search_logs(hald_t) miscfiles_read_localization(hald_t) miscfiles_read_hwdata(hald_t) +modutils_domtrans_insmod(hald_t) + seutil_read_config(hald_t) seutil_read_default_contexts(hald_t) diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 91c90a8d..11a75c37 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta,1.2.1) +policy_module(mta,1.2.2) ######################################## # @@ -44,6 +44,9 @@ role system_r types system_mail_t; # System mail local policy # +# newalias required this, not sure if it is needed in 'if' file +allow system_mail_t self:capability { dac_override }; + allow system_mail_t etc_mail_t:dir { getattr search }; allow system_mail_t etc_mail_t:file r_file_perms; diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index d2576449..6613400a 100644 --- a/refpolicy/policy/modules/services/networkmanager.te +++ b/refpolicy/policy/modules/services/networkmanager.te @@ -1,5 +1,5 @@ -policy_module(networkmanager,1.2.2) +policy_module(networkmanager,1.2.3) ######################################## # @@ -22,7 +22,7 @@ allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_overrid dontaudit NetworkManager_t self:capability sys_tty_config; allow NetworkManager_t self:process { setcap getsched signal_perms }; allow NetworkManager_t self:fifo_file rw_file_perms; -allow NetworkManager_t self:unix_dgram_socket create_socket_perms; +allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_t self:tcp_socket create_stream_socket_perms; diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te index f54a670e..b323e6d9 100644 --- a/refpolicy/policy/modules/services/postfix.te +++ b/refpolicy/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix,1.1.1) +policy_module(postfix,1.1.2) ######################################## # @@ -273,6 +273,8 @@ allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) corecmd_exec_bin(postfix_local_t) +files_read_etc_files(postfix_local_t) + mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin @@ -395,6 +397,8 @@ allow postfix_pipe_t self:fifo_file { read write }; allow postfix_pipe_t postfix_private_t:dir search; allow postfix_pipe_t postfix_private_t:sock_file write; +allow postfix_pipe_t postfix_public_t:fifo_file { getattr write }; + allow postfix_pipe_t postfix_spool_t:dir search; allow postfix_pipe_t postfix_spool_t:file rw_file_perms; diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc index 8a11fb66..4515bbba 100644 --- a/refpolicy/policy/modules/system/init.fc +++ b/refpolicy/policy/modules/system/init.fc @@ -22,7 +22,8 @@ ifdef(`targeted_policy', `', ` # # /sbin # -/sbin/init -- gen_context(system_u:object_r:init_exec_t,s0) +/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) + ifdef(`distro_gentoo', ` /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 2df80252..a66c750e 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.2.2) +policy_module(init,1.2.3) gen_require(` class passwd rootok; @@ -155,6 +155,8 @@ libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) logging_rw_generic_logs(init_t) +mcs_killall(init_t) + mls_file_read_up(init_t) mls_file_write_down(init_t) mls_rangetrans_target(init_t) @@ -360,6 +362,8 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript miscfiles_read_certs(initrc_t) +mcs_killall(initrc_t) + mls_file_read_up(initrc_t) mls_file_write_down(initrc_t) mls_process_read_up(initrc_t) diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index a53d3383..4bcd9380 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -281,7 +281,7 @@ interface(`libs_manage_lib_files',` type lib_t; ') - allow $1 lib_t:dir search_dir_perms; + allow $1 lib_t:dir rw_dir_perms; allow $1 lib_t:file manage_file_perms; ') @@ -325,6 +325,26 @@ interface(`libs_relabel_lib_files',` allow $1 lib_t:file { relabelfrom relabelto }; ') +######################################## +## +## Delete generic symlinks in library directories. +## +## +## +## Domain allowed access. +## +## +# +# cjp: added for prelink +interface(`libs_delete_lib_symlinks',` + gen_require(` + type lib_t; + ') + + allow $1 lib_t:dir { getattr search read write remove_name }; + allow $1 lib_t:lnk_file unlink; +') + ######################################## ## ## Create, read, write, and delete shared libraries. diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index d7013113..1ad32c82 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.2.1) +policy_module(libraries,1.2.2) ######################################## # diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 606c5112..70792e9f 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -585,6 +585,28 @@ interface(`seutil_read_file_contexts',` allow $1 file_context_t:lnk_file { getattr read }; ') +######################################## +## +## Read and write the file_contexts files. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_rw_file_contexts',` + gen_require(` + type selinux_config_t, file_context_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search; + allow $1 file_context_t:dir r_dir_perms; + allow $1 file_context_t:file rw_file_perms; + allow $1 file_context_t:lnk_file { getattr read }; +') + ######################################## # # seutil_read_bin_policy(domain) @@ -683,4 +705,3 @@ interface(`seutil_manage_src_policy',` allow $1 policy_src_t:dir create_dir_perms; allow $1 policy_src_t:file create_file_perms; ') - diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 9a7e3b94..02db4376 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.1.4) +policy_module(selinuxutil,1.1.5) gen_require(` bool secure_mode; diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index e63d8278..bc32cd79 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -55,10 +55,11 @@ interface(`unconfined_domain_noaudit',` tunable_policy(`allow_execmem && allow_execstack',` # Allow making the stack executable via mprotect. allow $1 self:process execstack; + auditallow $1 self:process execstack; ', ` # These are fairly common but seem to be harmless # caused by using shared libraries built with old tool chains - dontaudit $1 self:process execstack; + #dontaudit $1 self:process execstack; ') diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 4eeced6c..596ba653 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.2.4) +policy_module(unconfined,1.2.5) ######################################## # diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index ac593ef2..33ef4fc5 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.2.7) +policy_module(userdomain,1.2.8) gen_require(` role sysadm_r, staff_r, user_r; @@ -165,9 +165,13 @@ ifdef(`targeted_policy',` ') ifdef(`enable_mls',` + corecmd_exec_shell(secadm_t) + mls_process_read_up(secadm_t) + mls_file_write_down(secadm_t) + mls_file_upgrade(secadm_t) + mls_file_downgrade(secadm_t) logging_read_audit_log(secadm_t) logging_domtrans_auditctl(secadm_t) - mls_process_read_up(secadm_t) userdom_dontaudit_append_staff_home_files(secadm_t) ', ` logging_domtrans_auditctl(sysadm_t) @@ -354,6 +358,7 @@ ifdef(`targeted_policy',` seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal) seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal) seutil_run_setfiles(secadm_t,secadm_r,admin_terminal) + seutil_run_restorecon(secadm_t,secadm_r,admin_terminal) ', ` selinux_set_enforce_mode(sysadm_t) selinux_set_boolean(sysadm_t)