first part of dans patch Tue, 11 Apr 2006 09:25:24 -0400

This commit is contained in:
Chris PeBenito 2006-04-12 15:04:28 +00:00
parent 03631a52df
commit 8cfa5a00e1
29 changed files with 136 additions and 48 deletions


@ -1,5 +1,5 @@
policy_module(rpm,1.3.3)
policy_module(rpm,1.3.4)
########################################
#
@ -117,6 +117,7 @@ fs_search_auto_mountpoints(rpm_t)
mls_file_read_up(rpm_t)
mls_file_write_down(rpm_t)
mls_file_upgrade(rpm_t)
mls_file_downgrade(rpm_t)
selinux_get_fs_mount(rpm_t)
selinux_validate_context(rpm_t)
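Review bot: The mls_file_downgrade(rpm_t) rule is granted with no comment, and together with the neighbouring mls_file_upgrade it makes rpm_t a domain that can move file data both up and down MLS levels, which is effectively a declassification privilege and should be recorded as such. Assuming this is the single added line the hunk header reports, a short justification above it would let the next reader see that the override is deliberate, e.g. `# rpm restores package files at any MLS level; upgrade+downgrade make it a trusted MLS override — confirm intended`. The rpm_t rule block continues outside the hunk.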


@ -1,3 +1,8 @@
#
# /opt
#
/opt(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
#
# /usr
#
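Review bot: The new `/opt(/.*)?/bin/java.*` pattern is wider than it looks: `.*` also matches `/`, so with the `--` qualifier it labels any regular file anywhere under a `bin/java*/` subtree as `java_exec_t`, not only the `java`/`javaws`-style binaries, and since `java_exec_t` is the entry point into the java domain every matched file becomes a way into it. Tightening the tail to `/opt(/.*)?/bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)` keeps the match to the binary name itself. The `/usr` entries below the hunk are not visible, so I cannot tell whether they already use the narrower form.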


@ -1,5 +1,5 @@
policy_module(java,1.1.0)
policy_module(java,1.1.1)
########################################
#


@ -72,6 +72,8 @@ ifdef(`distro_suse', `
/dev/dri/.+ -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)


@ -1,5 +1,5 @@
policy_module(devices,1.1.8)
policy_module(devices,1.1.9)
########################################
#


@ -197,6 +197,27 @@ template(`apache_content_template',`
allow httpd_$1_script_t self:lnk_file read;
')
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
corenet_non_ipsec_sendrecv(httpd_$1_script_t)
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
corenet_raw_sendrecv_all_if(httpd_$1_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
corenet_tcp_bind_all_nodes(httpd_$1_script_t)
corenet_udp_bind_all_nodes(httpd_$1_script_t)
corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
sysnet_read_config(httpd_$1_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
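Review bot: The new `httpd_can_network_connect_db` branch grants far more than a database connection: the `corenet_raw_sendrecv_all_if`/`_all_nodes` rules, the UDP socket plus `corenet_udp_*` rules, and `corenet_tcp_bind_all_nodes`/`corenet_udp_bind_all_nodes` are not needed to open a client TCP connection to the postgresql or mysqld ports, so the "db only" tunable ends up nearly as broad as the `httpd_can_network_connect` branch directly below it. Keeping the tcp_socket creation, the TCP sendrecv rules and the two `corenet_tcp_connect_*_port` calls while dropping the raw, UDP and bind lines would preserve the intent that this is the narrower tunable. If some database client genuinely needs UDP (I cannot see the callers), a comment above the rule naming it would stop the next reviewer removing it. `apache_content_template` starts and ends outside the hunk.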


@ -1,5 +1,5 @@
policy_module(apache,1.3.5)
policy_module(apache,1.3.6)
#
# NOTES:


@ -1,5 +1,5 @@
policy_module(automount,1.2.1)
policy_module(automount,1.2.2)
########################################
#
@ -123,6 +123,7 @@ logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
miscfiles_read_localization(automount_t)
miscfiles_read_certs(automount_t)
# Run mount in the mount_t domain.
mount_domtrans(automount_t)


@ -1,5 +1,5 @@
policy_module(bluetooth,1.2.3)
policy_module(bluetooth,1.2.4)
########################################
#
@ -41,7 +41,7 @@ files_pid_file(bluetooth_var_run_t)
# Bluetooth services local policy
#
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getsched signal_perms };
allow bluetooth_t self:fifo_file rw_file_perms;
@ -176,9 +176,10 @@ allow bluetooth_helper_t self:tcp_socket create_socket_perms;
allow bluetooth_helper_t bluetooth_t:socket { read write };
allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms;
allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
allow bluetooth_helper_t bluetooth_helper_tmp_t:dir manage_dir_perms;
allow bluetooth_helper_t bluetooth_helper_tmp_t:file manage_file_perms;
allow bluetooth_helper_t bluetooth_helper_tmp_t:sock_file manage_file_perms;
files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
kernel_read_system_state(bluetooth_helper_t)
kernel_read_kernel_sysctls(bluetooth_helper_t)
@ -213,6 +214,8 @@ ifdef(`targeted_policy',`
fs_rw_tmpfs_files(bluetooth_helper_t)
term_dontaudit_use_generic_ptys(bluetooth_helper_t)
unconfined_stream_connect(bluetooth_helper_t)
userdom_read_all_users_home_content_files(bluetooth_helper_t)
@ -223,6 +226,7 @@ ifdef(`targeted_policy',`
')
optional_policy(`
bluetooth_dbus_chat(bluetooth_helper_t)
dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
dbus_connect_system_bus(bluetooth_helper_t)
dbus_send_system_bus(bluetooth_helper_t)
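Review bot: In the `targeted_policy` block, `unconfined_stream_connect(bluetooth_helper_t)` and `userdom_read_all_users_home_content_files(bluetooth_helper_t)` appear to be the two added lines (the hunk header reports +2), and both widen the helper considerably — the first lets it connect to any unix stream socket of an unconfined domain, the second lets it read every user's home content — yet neither says which bluetooth helper needs it. The same applies to `ipc_lock`, which is added to bluetooth_t's capability set without a comment. Please add a one-line reason above each, e.g. `# helper reads home files for OBEX transfers — confirm` if that is the case, or use a narrower home-directory interface if one exists. The `targeted_policy` ifdef and the final optional_policy block extend beyond the hunk.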


@ -1,5 +1,5 @@
policy_module(cups,1.3.2)
policy_module(cups,1.3.3)
########################################
#
@ -110,7 +110,7 @@ allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
allow cupsd_t cupsd_var_run_t:file create_file_perms;
allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
allow cupsd_t cupsd_var_run_t:dir { setattr rw_dir_perms };
allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)


@ -1,5 +1,5 @@
policy_module(dbus,1.2.1)
policy_module(dbus,1.2.2)
gen_require(`
class dbus { send_msg acquire_svc };
@ -102,6 +102,7 @@ libs_use_shared_libs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
miscfiles_read_localization(system_dbusd_t)
miscfiles_read_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)


@ -1,5 +1,5 @@
policy_module(ftp,1.2.1)
policy_module(ftp,1.2.2)
########################################
#
@ -62,6 +62,7 @@ allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
# Create and modify /var/log/xferlog.
allow ftpd_t xferlog_t:dir search_dir_perms;
allow ftpd_t xferlog_t:file create_file_perms;
logging_log_filetrans(ftpd_t,xferlog_t,file)


@ -1,5 +1,5 @@
policy_module(gpm,1.1.1)
policy_module(gpm,1.1.2)
########################################
#
@ -54,8 +54,7 @@ kernel_read_proc_symlinks(gpm_t)
dev_read_sysfs(gpm_t)
# Access the mouse.
# cjp: why write?
dev_rw_input_dev(event_device_t)
dev_rw_input_dev(gpm_t)
dev_rw_mouse(gpm_t)
fs_getattr_all_fs(gpm_t)
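Review bot: The old line `dev_rw_input_dev(event_device_t)` passed a type rather than a domain, so gpm_t never actually received this access; the corrected `dev_rw_input_dev(gpm_t)` makes the rule effective for the first time, and it grants write as well as read on input event devices, which is the access a process needs to inject input events. The surviving `# cjp: why write?` comment shows the write half is still unjustified: if gpm only reads events, a read-only interface (if devices.if provides one) would be the safer fix, otherwise replace the question with the reason, e.g. `# gpm writes to the event device to ...`. Note that the new `/dev/input/event.*` labelling in devices.fc in this same commit is what makes this rule reach real devices, so the two changes belong together.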


@ -1,5 +1,5 @@
policy_module(hal,1.3.2)
policy_module(hal,1.3.3)
########################################
#
@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
#
# execute openvt which needs setuid
allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:process signal_perms;
allow hald_t self:fifo_file rw_file_perms;
@ -52,6 +52,9 @@ kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
files_search_boot(hald_t)
files_getattr_home_dir(hald_t)
auth_read_pam_console_data(hald_t)
corecmd_exec_bin(hald_t)
corecmd_exec_sbin(hald_t)
@ -93,6 +96,7 @@ files_search_var_lib(hald_t)
files_read_usr_files(hald_t)
# hal is now execing pm-suspend
files_create_boot_flag(hald_t)
files_getattr_default_dirs(hald_t)
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
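Review bot: `chown` is added to hald_t's capability set, but the only comment on that rule still reads `# execute openvt which needs setuid`, so the reason for CAP_CHOWN — which lets hald change ownership of any file it can otherwise write — is not recorded. Please extend the comment, e.g. `# setuid/setgid: openvt; chown: <operation that needs it>`, or move chown to its own commented allow rule. The added `files_getattr_home_dir`, `auth_read_pam_console_data` and `files_getattr_default_dirs` are read-only and look reasonable. The hald_t rule block continues outside the hunk.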


@ -1,5 +1,5 @@
policy_module(mysql,1.2.0)
policy_module(mysql,1.2.1)
########################################
#
@ -104,6 +104,7 @@ logging_send_syslog_msg(mysqld_t)
miscfiles_read_localization(mysqld_t)
sysnet_use_ldap(mysqld_t)
sysnet_read_config(mysqld_t)
userdom_dontaudit_use_unpriv_user_fds(mysqld_t)


@ -1,5 +1,5 @@
policy_module(networkmanager,1.3.0)
policy_module(networkmanager,1.3.1)
########################################
#
@ -155,6 +155,7 @@ optional_policy(`
optional_policy(`
nscd_socket_use(NetworkManager_t)
nscd_signal(NetworkManager_t)
')
optional_policy(`


@ -1,5 +1,23 @@
## <summary>Name service cache daemon</summary>
########################################
## <summary>
## Send generic signals to NSCD.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nscd_signal',`
gen_require(`
type nscd_t;
')
allow $1 nscd_t:process signal;
')
########################################
## <summary>
## Execute NSCD in the nscd domain.


@ -1,5 +1,5 @@
policy_module(nscd,1.2.1)
policy_module(nscd,1.2.2)
gen_require(`
class nscd all_nscd_perms;


@ -1,5 +1,5 @@
policy_module(rsync,1.2.0)
policy_module(rsync,1.2.1)
########################################
#
@ -65,6 +65,7 @@ corenet_udp_sendrecv_all_ports(rsync_t)
corenet_non_ipsec_sendrecv(rsync_t)
corenet_tcp_bind_all_nodes(rsync_t)
corenet_udp_bind_all_nodes(rsync_t)
corenet_tcp_bind_rsync_port(rsync_t)
dev_read_urand(rsync_t)
@ -73,10 +74,13 @@ fs_getattr_xattr_fs(rsync_t)
files_read_etc_files(rsync_t)
files_search_home(rsync_t)
init_dontaudit_use_fds(rsync_t)
libs_use_ld_so(rsync_t)
libs_use_shared_libs(rsync_t)
logging_send_syslog_msg(rsync_t)
logging_dontaudit_search_logs(rsync_t)
miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)


@ -1,5 +1,5 @@
policy_module(samba,1.2.2)
policy_module(samba,1.2.3)
#################################
#
@ -193,6 +193,8 @@ allow smbd_t samba_log_t:dir ra_dir_perms;
dontaudit smbd_t samba_log_t:dir remove_name;
allow smbd_t samba_log_t:file { create ra_file_perms };
allow smbd_t samba_net_tmp_t:file getattr;
allow smbd_t samba_secrets_t:dir rw_dir_perms;
allow smbd_t samba_secrets_t:file create_file_perms;
type_transition smbd_t samba_etc_t:file samba_secrets_t;
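Review bot: `allow smbd_t samba_secrets_t:file create_file_perms;` gives smbd create and write access to the secrets database type, together with `rw_dir_perms` on its directory, and neither line carries a comment saying what smbd writes there. If smbd only updates the existing secrets file in place, `rw_file_perms` would be narrower than `create_file_perms` (which in this policy version appears to include create and unlink as well); if creation is genuinely needed, a line such as `# smbd rewrites secrets.tdb (machine password updates) — confirm` above the rules would make that reviewable. The smbd_t rule block continues outside the hunk.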


@ -1,5 +1,5 @@
policy_module(snmp,1.1.0)
policy_module(snmp,1.1.1)
########################################
#
@ -49,6 +49,7 @@ allow snmpd_t snmpd_var_run_t:file create_file_perms;
allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(snmpd_t,snmpd_var_run_t,file)
kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
kernel_read_net_sysctls(snmpd_t)
kernel_read_proc_symlinks(snmpd_t)


@ -6,3 +6,5 @@
/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
/var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
/var/spool/fax -- gen_context(system_u:object_r:getty_var_run_t,s0)
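Review bot: The new entry `/var/spool/fax -- gen_context(system_u:object_r:getty_var_run_t,s0)` uses the `--` qualifier, which matches regular files only; if `/var/spool/fax` is a directory, as a spool path normally is, the entry never applies and the directory keeps the default spool label. If it is a directory, `/var/spool/fax(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0)` (no qualifier, so the directory and its contents are both covered) is the right form. It is also worth asking whether a PID-file type is the correct label for fax spool data rather than a dedicated spool type.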


@ -1,5 +1,5 @@
policy_module(getty,1.1.1)
policy_module(getty,1.1.2)
########################################
#
@ -109,6 +109,10 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(getty_t)
')
optional_policy(`
mta_send_mail(getty_t)
')
optional_policy(`
nscd_socket_use(getty_t)
')
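Review bot: The new `optional_policy(` block with `mta_send_mail(getty_t)` gives getty_t a transition into the MTA domain, i.e. the ability to send mail, with no comment saying which getty variant needs it (mgetty fax notification would fit the mgetty file contexts touched in this commit, but that is an inference). A one-line comment above it, e.g. `# mgetty sends fax notification mail — confirm`, would make the purpose reviewable and indicate whether the access belongs behind a tunable. The `targeted_policy` ifdef above the hunk is not visible.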


@ -33,6 +33,8 @@ ifdef(`distro_redhat',`
#
/opt(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/opt/.*/jre.*/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/.*/jre.*/libjvm.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
#
# /sbin
@ -55,17 +57,24 @@ ifdef(`distro_redhat',`
/usr(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/pgsql/test/regress/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/pgsql/test/regress/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/im/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/iiim/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr(/.*)?/lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware(.*/)?/VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -76,6 +85,7 @@ ifdef(`distro_redhat',`
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_redhat',`
/usr/lib(64)?/.*/program/.*\.so.* gen_context(system_u:object_r:shlib_t,s0)
@ -92,6 +102,7 @@ ifdef(`distro_redhat',`
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/oggfformat\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/theorarend\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -167,16 +178,17 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
/usr/lib(64)?/libdivxdecore.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdivxencore.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
/usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Java, Sun Microsystems (JPackage SRPM)
/usr/.*/jre.*/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/.*/jre.*/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/.*/jre.*/libjvm.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr(/.*)?/intellinux/nppdf\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr(/.*)?/intellinux/lib/\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr(/.*)?/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr(/.*)?/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
') dnl end distro_redhat
ifdef(`distro_suse',`
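Review bot: Several entries name the type `texrel_shlib_t` — the `libsipphoneapi\.so.*` line in the second hunk and the three `/usr(/.*)?/intellinux/...` lines in the last one, whichever side of that hunk is new — while every other entry uses `textrel_shlib_t`; a file_contexts entry naming a type the policy does not define fails validation, so those libraries either break the contexts build or never get the label and then fail to load with an execmod denial. Fix the spelling to `textrel_shlib_t`. Two patterns are also suspect: `/usr(/.*)?/intellinux/lib/\.so` matches only a file literally named `.so` (presumably `lib/.*\.so` was intended), and the `libdeploy.so` / `libjvm.so` entries under both `/opt` and `/usr` leave the `.` before `so` unescaped. Because every `textrel_shlib_t` entry exempts a library from the execmod (writable-and-executable mapping) restriction, these patterns should be kept as tight as the nvidia ones in the same hunk.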


@ -1,5 +1,5 @@
policy_module(libraries,1.3.3)
policy_module(libraries,1.3.4)
########################################
#


@ -1,5 +1,5 @@
policy_module(mount,1.3.3)
policy_module(mount,1.3.4)
########################################
#
@ -19,7 +19,8 @@ files_tmp_file(mount_tmp_t)
# mount local policy
#
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config };
# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
allow mount_t mount_tmp_t:file create_file_perms;
allow mount_t mount_tmp_t:dir create_dir_perms;
@ -44,6 +45,7 @@ storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)


@ -55,7 +55,7 @@ interface(`unconfined_domain_noaudit',`
tunable_policy(`allow_execmem && allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1 self:process execstack;
auditallow $1 self:process execstack;
# auditallow $1 self:process execstack;
', `
# These are fairly common but seem to be harmless
# caused by using shared libraries built with old tool chains
@ -109,9 +109,10 @@ interface(`unconfined_domain',`
auditallow $1 self:process execheap;
')
tunable_policy(`allow_execmem',`
auditallow $1 self:process execmem;
')
# Turn off this audit for FC5
# tunable_policy(`allow_execmem',`
# auditallow $1 self:process execmem;
# ')
')
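Review bot: Commenting out the `auditallow ... execstack` and `auditallow ... execmem` rules removes the only audit trail for unconfined domains making stack or heap memory executable, and the stated reason, `# Turn off this audit for FC5`, is distribution-specific while the edit applies to every build of the reference policy. If the noise is a Fedora problem, keep the rules and wrap them in `ifdef(`distro_redhat', ...)` (or its inverse so other builds keep the audit) rather than leaving dead, commented-out policy in the interface. Both `unconfined_domain_noaudit` and `unconfined_domain` start and end outside the hunk.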
########################################


@ -1,5 +1,5 @@
policy_module(unconfined,1.3.3)
policy_module(unconfined,1.3.4)
########################################
#
@ -41,6 +41,10 @@ ifdef(`targeted_policy',`
userdom_unconfined(unconfined_t)
userdom_priveleged_home_dir_manager(unconfined_t)
# optional_policy(`
# ada_domtrans(unconfined_t)
# ')
optional_policy(`
amanda_domtrans_recover(unconfined_t)
')
@ -105,10 +109,6 @@ ifdef(`targeted_policy',`
mono_domtrans(unconfined_t)
')
optional_policy(`
netutils_domtrans_ping(unconfined_t)
')
optional_policy(`
portmap_domtrans_helper(unconfined_t)
')
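Review bot: The `netutils_domtrans_ping(unconfined_t)` block appears to be the four removed lines in the second hunk, which means that under targeted policy ping is no longer transitioned out of unconfined_t into ping_t, so a setuid-root raw-socket binary now runs with fewer restrictions than before; if that is deliberate, a comment or the commit message should say why, because as written the diff reads as a loss of confinement. The `ada_domtrans` block, by contrast, is commented out rather than deleted — either remove it or add a comment stating why it is disabled. The `targeted_policy` ifdef enclosing both hunks extends outside them.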


@ -1,5 +1,5 @@
policy_module(userdomain,1.3.10)
policy_module(userdomain,1.3.11)
gen_require(`
role sysadm_r, staff_r, user_r;
@ -181,8 +181,9 @@ ifdef(`targeted_policy',`
logging_read_audit_log(secadm_t)
logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
userdom_dontaudit_append_staff_home_content_files(secadm_t)
files_relabel_all_files(secadm_t)
auth_relabel_shadow(secadm_t)
', `
logging_domtrans_auditctl(sysadm_t)
logging_read_audit_log(sysadm_t)
logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
')