six patches from dan

2007-04-10 13:10:58 +00:00 · 2007-04-10 13:10:58 +00:00 · 9af48eef6e
commit 9af48eef6e
parent f4e2b1983a
10 changed files with 131 additions and 11 deletions
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@ -124,3 +124,21 @@ interface(`firstboot_rw_pipes',`

 	allow $1 firstboot_t:fifo_file { read write };
 ')
+
+########################################
+## <summary>
+## 	Do not audit attemps to read and write to a firstboot unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`firstboot_dontaudit_rw_pipes',`
+	gen_require(`
+		type firstboot_t;
+	')
+
+	dontaudit $1 firstboot_t:fifo_file { read write };
+')
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@ -1,5 +1,5 @@

-policy_module(firstboot,1.3.0)
+policy_module(firstboot,1.3.1)

 gen_require(`
 	class passwd rootok;
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@ -1,5 +1,5 @@

-policy_module(kudzu,1.3.1)
+policy_module(kudzu,1.3.2)

 ########################################
 #
@ -22,7 +22,7 @@ files_pid_file(kudzu_var_run_t)
 #

 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-dontaudit kudzu_t self:capability sys_tty_config;
+dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
 allow kudzu_t self:process { signal_perms execmem };
 allow kudzu_t self:fifo_file rw_fifo_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@ -1,5 +1,5 @@

-policy_module(logwatch,1.3.1)
+policy_module(logwatch,1.3.2)

 #################################
 #
@ -30,6 +30,7 @@ allow logwatch_t self:capability { dac_override dac_read_search setgid };
 allow logwatch_t self:process signal;
 allow logwatch_t self:fifo_file rw_file_perms;
 allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
+allow logwatch_t self:netlink_route_socket r_netlink_socket_perms; 

 manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
 manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
@ -76,6 +77,7 @@ libs_use_shared_libs(logwatch_t)
 libs_read_lib_files(logwatch_t)

 logging_read_all_logs(logwatch_t)
+logging_send_syslog_msg(logwatch_t) 

 miscfiles_read_localization(logwatch_t)

--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@ -3,6 +3,90 @@
 ##	Contains the initial SIDs for network objects.
 ## </required>

+########################################
+## <summary>
+##	Define type to be a network port type
+## </summary>
+## <desc>
+##	<p>
+##	Define type to be a network port type
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used for network ports.
+##	</summary>
+## </param>
+#
+interface(`corenet_port',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	typeattribute $1 port_type;
+')
+
+########################################
+## <summary>
+##	Define network type to be a reserved port (lt 1024)
+## </summary>
+## <desc>
+##	<p>
+##	Define network type to be a reserved port (lt 1024)
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used for network ports.
+##	</summary>
+## </param>
+#
+interface(`corenet_reserved_port',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	typeattribute $1 reserved_port_type;
+')
+
+########################################
+## <summary>
+##	Define network type to be a rpc port ( 512 lt PORT lt 1024)
+## </summary>
+## <desc>
+##	<p>
+##	Define network type to be a rpc port ( 512 lt PORT lt 1024)
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used for network ports.
+##	</summary>
+## </param>
+#
+interface(`corenet_rpc_port',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	typeattribute $1 rpc_port_type;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on the generic interfaces.
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@

-policy_module(corenetwork,1.2.4)
+policy_module(corenetwork,1.2.5)

 ########################################
 #
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@ -1,5 +1,5 @@

-policy_module(ccs,1.0.3)
+policy_module(ccs,1.0.4)

 ########################################
 #
@ -10,10 +10,14 @@ type ccs_t;
 type ccs_exec_t;
 init_daemon_domain(ccs_t, ccs_exec_t)

-# pid files
+# conf files
 type cluster_conf_t;
 files_type(cluster_conf_t)

+# tmp files
+type ccs_tmp_t;
+files_tmp_file(ccs_tmp_t)
+
 # log files
 type ccs_var_log_t;
 logging_log_file(ccs_var_log_t)
@ -45,6 +49,12 @@ allow ccs_t self:socket create_socket_perms;

 manage_files_pattern(ccs_t,cluster_conf_t,cluster_conf_t)

+# tmp file
+allow ccs_t ccs_tmp_t:dir manage_dir_perms;
+manage_dirs_pattern(ccs_t,ccs_tmp_t,ccs_tmp_t)
+manage_files_pattern(ccs_t,ccs_tmp_t,ccs_tmp_t)
+files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
+
 # log files
 manage_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
 manage_sock_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@ -1,5 +1,5 @@

-policy_module(cyrus,1.2.1)
+policy_module(cyrus,1.2.2)

 ########################################
 #
@ -111,6 +111,7 @@ userdom_use_unpriv_users_fds(cyrus_t)
 userdom_use_sysadm_ptys(cyrus_t)

 mta_manage_spool(cyrus_t)
+mta_send_mail(cyrus_t)

 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(cyrus_t)
@ -122,6 +123,10 @@ optional_policy(`
 	cron_system_entry(cyrus_t,cyrus_exec_t)
 ')

+optional_policy(`
+	kerberos_use(cyrus_t)
+')
+
 optional_policy(`
 	ldap_stream_connect(cyrus_t)
 ')
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@ -1,5 +1,5 @@

-policy_module(networkmanager,1.5.3)
+policy_module(networkmanager,1.5.4)

 ########################################
 #
@ -22,7 +22,7 @@ files_pid_file(NetworkManager_var_run_t)
 # and it receives a unexpected signal (rh bug #204161) 
 allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
+allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
 allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@ -1,5 +1,5 @@

-policy_module(ntp,1.2.1)
+policy_module(ntp,1.2.2)

 ########################################
 #
@ -129,6 +129,7 @@ optional_policy(`

 optional_policy(`
 	firstboot_dontaudit_use_fds(ntpd_t)
+	firstboot_dontaudit_rw_pipes(ntpd_t)
 ')

 optional_policy(`