patch from dan 1/16/06

This commit is contained in:
Chris PeBenito 2006-01-17 17:50:10 +00:00
parent cc5df23b7e
commit 93727e3fd2
27 changed files with 131 additions and 74 deletions

View File

@ -16,9 +16,9 @@ If you want to setup a directory where you can upload files to you must label th
.TP
chcon -t public_content_rw_t /var/ftp/incoming
.TP
You must also turn on the boolean allow_ftp_anon_write.
You must also turn on the boolean allow_ftpd_anon_write.
.TP
setsebool -P allow_ftp_anon_write=1
setsebool -P allow_ftpd_anon_write=1
.TP
If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
.TP

View File

@ -1,5 +1,5 @@
policy_module(kudzu,1.0.1)
policy_module(kudzu,1.0.2)
########################################
#
@ -63,6 +63,7 @@ fs_search_ramfs(kudzu_t)
fs_write_ramfs_socket(kudzu_t)
mls_file_read_up(kudzu_t)
mls_file_write_down(kudzu_t)
modutils_read_mods_deps(kudzu_t)
modutils_read_module_conf(kudzu_t)

View File

@ -1,5 +1,5 @@
policy_module(readahead,1.0.1)
policy_module(readahead,1.0.2)
########################################
#
@ -35,6 +35,7 @@ dev_getattr_generic_blk_file(readahead_t)
dev_getattr_all_chr_files(readahead_t)
dev_getattr_all_blk_files(readahead_t)
dev_dontaudit_read_all_blk_files(readahead_t)
dev_dontaudit_getattr_memory_dev(readahead_t)
domain_use_wide_inherit_fd(readahead_t)
@ -46,6 +47,7 @@ fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
fs_getattr_all_pipes(readahead_t)
fs_getattr_all_files(readahead_t)
fs_search_ramfs(readahead_t)
term_dontaudit_use_console(readahead_t)

View File

@ -2,3 +2,4 @@
# /usr
#
/usr(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)

View File

@ -1133,6 +1133,22 @@ interface(`dev_delete_lvm_control',`
allow $1 lvm_control_t:chr_file unlink;
')
########################################
## <summary>
## dontaudit getattr raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_dontaudit_getattr_memory_dev',`
gen_require(`
type memory_device_t;
')
dontaudit $1 memory_device_t:chr_file getattr;
')
########################################
## <summary>
## Read raw memory devices (e.g. /dev/mem).

View File

@ -952,6 +952,23 @@ interface(`fs_relabelfrom_dos_fs',`
allow $1 dosfs_t:filesystem relabelfrom;
')
########################################
## <summary>
## Read eventpollfs files
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`fs_read_eventpollfs',`
gen_require(`
type eventpollfs_t;
')
allow $1 eventpollfs_t:dir search_dir_perms;
allow $1 eventpollfs_t:file r_file_perms;
')
########################################
## <summary>
## Mount an iso9660 filesystem, which
@ -2280,6 +2297,25 @@ interface(`fs_use_tmpfs_chr_dev',`
allow $1 tmpfs_t:chr_file rw_file_perms;
')
########################################
## <summary>
## dontaudit Read and write character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`fs_dontaudit_use_tmpfs_chr_dev',`
gen_require(`
type tmpfs_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
dontaudit $1 tmpfs_t:dir r_dir_perms;
dontaudit $1 tmpfs_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Relabel character nodes on tmpfs filesystems.

View File

@ -1,5 +1,5 @@
policy_module(mls,1.1.2)
policy_module(mls,1.1.3)
########################################
#
@ -55,6 +55,7 @@ attribute mlsrangetrans;
# temporarily have to break encapsulation to work around this.
#
type auditd_exec_t;
type crond_exec_t;
type cupsd_exec_t;
type getty_t;
@ -87,4 +88,5 @@ range_transition unconfined_t initrc_exec_t s0;
ifdef(`enable_mls',`
# run init with maximum MLS range
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
range_transition initrc_t auditd_exec_t s15:c0.c255;
')

View File

@ -1,5 +1,5 @@
policy_module(apache,1.1.3)
policy_module(apache,1.1.4)
#
# NOTES:
@ -690,6 +690,10 @@ optional_policy(`mysql',`
unconfined_domain_template(httpd_unconfined_script_t)
optional_policy(`cron',`
cron_system_entry(httpd_t, httpd_exec_t)
')
optional_policy(`nscd',`
nscd_use_socket(httpd_unconfined_script_t)
')

View File

@ -1,5 +1,5 @@
policy_module(apm,1.1.1)
policy_module(apm,1.1.2)
########################################
#
@ -196,6 +196,7 @@ optional_policy(`clock',`
')
optional_policy(`cron',`
cron_system_entry(apmd_t, apmd_exec_t)
cron_domtrans_anacron_system_job(apmd_t)
')

View File

@ -1,5 +1,5 @@
policy_module(automount,1.0.4)
policy_module(automount,1.0.5)
########################################
#
@ -108,6 +108,7 @@ fs_search_auto_mountpoints(automount_t)
fs_manage_auto_mountpoints(automount_t)
term_dontaudit_use_console(automount_t)
term_dontaudit_getattr_pty_dir(automount_t)
init_use_fd(automount_t)
init_use_script_pty(automount_t)

View File

@ -1,5 +1,5 @@
policy_module(cron,1.1.4)
policy_module(cron,1.1.5)
gen_require(`
class passwd rootok;
@ -120,7 +120,7 @@ files_search_default(crond_t)
init_use_fd(crond_t)
init_use_script_pty(crond_t)
init_read_script_pid(crond_t)
init_rw_script_pid(crond_t)
libs_use_ld_so(crond_t)
libs_use_shared_libs(crond_t)

View File

@ -1,5 +1,5 @@
policy_module(cups,1.1.1)
policy_module(cups,1.1.2)
########################################
#
@ -201,8 +201,7 @@ ifdef(`targeted_policy',`
')
optional_policy(`cron',`
cron_use_fd(cupsd_t)
cron_read_pipe(cupsd_t)
cron_system_entry(cupsd_t, cupsd_exec_t)
')
optional_policy(`dbus',`
@ -580,8 +579,7 @@ ifdef(`targeted_policy', `
')
optional_policy(`cron',`
cron_use_system_job_fd(cupsd_config_t)
cron_read_pipe(cupsd_config_t)
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
optional_policy(`dbus',`

View File

@ -1,5 +1,5 @@
policy_module(hal,1.1.5)
policy_module(hal,1.1.6)
########################################
#
@ -50,6 +50,8 @@ kernel_read_kernel_sysctl(hald_t)
kernel_read_fs_sysctl(hald_t)
kernel_write_proc_file(hald_t)
bootloader_getattr_boot_dir(hald_t)
corecmd_exec_bin(hald_t)
corecmd_exec_sbin(hald_t)
@ -82,8 +84,8 @@ domain_exec_all_entry_files(hald_t)
files_exec_etc_files(hald_t)
files_read_etc_files(hald_t)
files_rw_etc_runtime_files(hald_t)
files_search_mnt(hald_t)
files_manage_mnt_dirs(hald_t)
files_manage_mnt_files(hald_t)
files_search_var_lib(hald_t)
files_read_usr_files(hald_t)
# hal is now execing pm-suspend
@ -145,6 +147,10 @@ optional_policy(`apm',`
apm_stream_connect(hald_t)
')
optional_policy(`bind',`
bind_search_cache(hald_t)
')
optional_policy(`clock',`
clock_domtrans(hald_t)
')
@ -158,6 +164,7 @@ optional_policy(`dbus',`
dbus_system_bus_client_template(hald,hald_t)
dbus_send_system_bus_msg(hald_t)
dbus_connect_system_bus(hald_t)
allow hald_t self:dbus send_msg;
init_dbus_chat_script(hald_t)

View File

@ -1,5 +1,5 @@
policy_module(mta,1.1.3)
policy_module(mta,1.1.4)
########################################
#
@ -53,6 +53,8 @@ kernel_read_network_state(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
fs_read_eventpollfs(system_mail_t)
init_use_script_pty(system_mail_t)
userdom_use_sysadm_terms(system_mail_t)

View File

@ -1,5 +1,5 @@
policy_module(sendmail,1.1.1)
policy_module(sendmail,1.1.2)
########################################
#
@ -31,6 +31,7 @@ allow sendmail_t self:fifo_file rw_file_perms;
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
allow sendmail_t self:tcp_socket create_stream_socket_perms;
allow sendmail_t self:udp_socket create_socket_perms;
allow sendmail_t sendmail_log_t:file create_file_perms;
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
@ -92,6 +93,7 @@ sysnet_read_config(sendmail_t)
userdom_dontaudit_use_unpriv_user_fd(sendmail_t)
userdom_dontaudit_search_sysadm_home_dir(sendmail_t)
mta_read_config(sendmail_t)
mta_filetrans_etc_aliases(sendmail_t)
# Write to /etc/aliases and /etc/mail.
mta_rw_aliases(sendmail_t)

View File

@ -918,6 +918,19 @@ interface(`auth_dontaudit_exec_utempter',`
dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
')
#######################################
#
# auth_setattr_login_records(domain)
#
interface(`auth_setattr_login_records',`
gen_require(`
type wtmp_t;
')
allow $1 wtmp_t:file setattr;
logging_search_logs($1)
')
#######################################
#
# auth_read_login_records(domain)

View File

@ -1,5 +1,5 @@
policy_module(authlogin,1.1.1)
policy_module(authlogin,1.1.2)
########################################
#
@ -129,14 +129,6 @@ optional_policy(`nscd',`
nscd_use_socket(pam_t)
')
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
# Supress xdm denial
ifdef(`xdm.te', `
dontaudit pam_t xdm_t:fd use;
') dnl ifdef
') dnl endif TODO
########################################
#
# PAM console local policy
@ -229,6 +221,10 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(pam_console_t)
')
optional_policy(`alsa',`
alsa_domtrans(pam_console_t)
')
optional_policy(`gpm',`
gpm_getattr_gpmctl(pam_console_t)
gpm_setattr_gpmctl(pam_console_t)

View File

@ -29,6 +29,7 @@ dev_read_sysfs(hostname_t)
fs_getattr_xattr_fs(hostname_t)
fs_search_auto_mountpoints(hostname_t)
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
term_use_all_user_ttys(hostname_t)
@ -55,35 +56,6 @@ miscfiles_read_localization(hostname_t)
sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
userdom_use_all_user_fd(hostname_t)
ifdef(`distro_redhat', `
fs_use_tmpfs_chr_dev(hostname_t)
')
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(hostname_t)
term_dontaudit_use_generic_pty(hostname_t)
files_dontaudit_read_root_file(hostname_t)
')
optional_policy(`firstboot',`
firstboot_use_fd(hostname_t)
')
optional_policy(`hotplug',`
hotplug_dontaudit_use_fd(hostname_t)
')
optional_policy(`nscd',`
nscd_use_socket(hostname_t)
')
optional_policy(`selinuxutil',`
seutil_sigchld_newrole(hostname_t)
')
optional_policy(`udev',`
udev_dontaudit_use_fd(hostname_t)
udev_read_db(hostname_t)
')

View File

@ -1,5 +1,5 @@
policy_module(init,1.1.4)
policy_module(init,1.1.5)
gen_require(`
class passwd rootok;
@ -298,6 +298,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
auth_delete_pam_pid(initrc_t)

View File

@ -158,7 +158,7 @@ ifdef(`distro_redhat',`
# Flash plugin, Macromedia
HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(logging,1.1.1)
policy_module(logging,1.1.2)
########################################
#
@ -20,7 +20,11 @@ type auditd_log_t;
files_security_file(auditd_log_t)
type auditd_t;
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type auditd_exec_t;
')
init_daemon_domain(auditd_t,auditd_exec_t)
type auditd_var_run_t;

View File

@ -1,5 +1,5 @@
policy_module(lvm,1.1.0)
policy_module(lvm,1.1.1)
########################################
#
@ -209,6 +209,7 @@ storage_create_fixed_disk(lvm_t)
storage_manage_fixed_disk(lvm_t)
term_dontaudit_getattr_all_user_ttys(lvm_t)
term_dontaudit_getattr_pty_dir(lvm_t)
corecmd_search_sbin(lvm_t)
corecmd_dontaudit_getattr_sbin_file(lvm_t)
@ -259,11 +260,3 @@ optional_policy(`gpm',`
optional_policy(`udev',`
udev_read_db(lvm_t)
')
ifdef(`TODO',`
# it has no reason to need this
allow lvm_t var_t:dir { search getattr };
allow lvm_t ramfs_t:filesystem unmount;
dontaudit lvm_t xconsole_device_t:fifo_file getattr;
') dnl end TODO

View File

@ -1,5 +1,5 @@
policy_module(mount,1.1.2)
policy_module(mount,1.1.3)
########################################
#
@ -32,6 +32,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_rw_lvm_control(mount_t)
storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
@ -46,7 +47,7 @@ fs_relabelfrom_all_fs(mount_t)
fs_search_auto_mountpoints(mount_t)
fs_use_tmpfs_chr_dev(mount_t)
term_use_console(mount_t)
term_use_all_terms(mount_t)
# required for mount.smbfs
corecmd_exec_sbin(mount_t)

View File

@ -1,5 +1,5 @@
policy_module(selinuxutil,1.0.2)
policy_module(selinuxutil,1.0.3)
gen_require(`
bool secure_mode;
@ -316,6 +316,7 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
#
allow restorecon_t self:capability { dac_override dac_read_search fowner };
allow restorecon_t self:fifo_file rw_file_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
@ -469,6 +470,7 @@ ifdef(`distro_gentoo', `
#
allow setfiles_t self:capability { dac_override dac_read_search fowner };
allow setfiles_t self:fifo_file rw_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;

View File

@ -33,6 +33,7 @@ template(`unconfined_domain_template',`
corenet_unconfined($1)
dev_unconfined($1)
domain_unconfined($1)
domain_dontaudit_read_all_domains_state($1)
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)

View File

@ -111,6 +111,7 @@ template(`base_user_template',`
allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
files_search_home($1_t)
can_exec($1_t,$1_tmp_t)

View File

@ -1,5 +1,5 @@
policy_module(userdomain,1.1.5)
policy_module(userdomain,1.1.6)
gen_require(`
role sysadm_r, staff_r, user_r, secadm_r;