Add the ability to send audit messages to confined admin policies

Remove permissive domain from cmirrord and dontaudit sys_tty_config Split out unconfined_domain() calls from other unconfined_ calls so we can disable unconfined.pp and leave unconfineduser virt needs to be able to read processes to clearance for MLS
2010-09-15 11:31:20 -04:00 · 2010-09-15 11:31:20 -04:00 · 9461b60657
commit 9461b60657
parent 3b0a9c74bb
8 changed files with 15 additions and 7 deletions
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@ -37,6 +37,7 @@ files_list_var(dbadm_t)
 selinux_get_enforce_mode(dbadm_t)

 logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)

 userdom_dontaudit_search_user_home_dirs(dbadm_t)

--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
 seutil_domtrans_setfiles(webadm_t)

 logging_send_syslog_msg(webadm_t)
+logging_send_audit_msgs(webadm_t)

 userdom_dontaudit_search_user_home_dirs(webadm_t)

--- a/policy/modules/services/cmirrord.te
+++ b/policy/modules/services/cmirrord.te
@ -9,8 +9,6 @@ type cmirrord_t;
 type cmirrord_exec_t;
 init_daemon_domain(cmirrord_t, cmirrord_exec_t)

-permissive cmirrord_t;
-
 type cmirrord_initrc_exec_t;
 init_script_file(cmirrord_initrc_exec_t)

@ -26,6 +24,7 @@ files_pid_file(cmirrord_var_run_t)
 #

 allow cmirrord_t self:capability { net_admin kill };
+dontaudit cmirrord_t self:capability sys_tty_config;
 allow cmirrord_t self:process signal;

 allow cmirrord_t self:fifo_file rw_fifo_file_perms;
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@ -579,10 +579,13 @@ optional_policy(`
 ')

 optional_policy(`
-	unconfined_dbus_send(crond_t)
-	unconfined_shell_domtrans(crond_t)
 	unconfined_domain(crond_t)
 	unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+	unconfined_shell_domtrans(crond_t)
+	unconfined_dbus_send(crond_t)
 	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 ')

--- a/policy/modules/services/tgtd.te
+++ b/policy/modules/services/tgtd.te
@ -57,6 +57,8 @@ corenet_tcp_bind_generic_node(tgtd_t)
 corenet_tcp_bind_iscsi_port(tgtd_t)
 corenet_sendrecv_iscsi_server_packets(tgtd_t)

+dev_search_sysfs(tgtd_t)
+
 files_read_etc_files(tgtd_t)

 fs_read_anon_inodefs_files(tgtd_t)
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@ -321,6 +321,7 @@ fs_rw_hugetlbfs_files(virtd_t)
 mls_fd_share_all_levels(virtd_t)
 mls_file_read_to_clearance(virtd_t)
 mls_file_write_to_clearance(virtd_t)
+mls_process_read_to_clearance(virtd_t)
 mls_process_write_to_clearance(virtd_t)
 mls_net_write_within_range(virtd_t)
 mls_socket_write_to_clearance(virtd_t)
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@ -14,3 +14,4 @@ HOME_DIR/Music(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 HOME_DIR/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
 HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)
 HOME_DIR/\.gvfs(/.*)?	<<none>>
+HOME_DIR/\.debug(/.*)?	<<none>>
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -123,6 +123,9 @@ template(`userdom_base_user_template',`
 	auth_use_nsswitch($1_usertype)

 	init_stream_connect($1_usertype)
+	# The library functions always try to open read-write first,
+	# then fall back to read-only if it fails. 
+	init_dontaudit_rw_utmp($1_usertype)

 	libs_exec_ld_so($1_usertype)

@ -886,9 +889,6 @@ template(`userdom_login_user_template', `
 	auth_dontaudit_write_login_records($1_t)
 	auth_rw_cache($1_t)

-	# The library functions always try to open read-write first,
-	# then fall back to read-only if it fails. 
-	init_dontaudit_rw_utmp($1_usertype)
 	# Stop warnings about access to /dev/console
 	init_dontaudit_use_fds($1_usertype)
 	init_dontaudit_use_script_fds($1_usertype)