From 9af48eef6e360cc37235a233e8e8e4f1e2ccebdc Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 10 Apr 2007 13:10:58 +0000
Subject: [PATCH] six patches from dan
---
 policy/modules/admin/firstboot.if | 18 +++++
 policy/modules/admin/firstboot.te | 2 +-
 policy/modules/admin/kudzu.te | 4 +-
 policy/modules/admin/logwatch.te | 4 +-
 policy/modules/kernel/corenetwork.if.in | 84 +++++++++++++++++++++++
 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/services/ccs.te | 14 +++-
 policy/modules/services/cyrus.te | 7 +-
 policy/modules/services/networkmanager.te | 4 +-
 policy/modules/services/ntp.te | 3 +-
 10 files changed, 131 insertions(+), 11 deletions(-)
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
index d55f6ddc..5d1b2ab6 100644
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@@ -124,3 +124,21 @@ interface(`firstboot_rw_pipes',`
 allow $1 firstboot_t:fifo_file { read write };
 ')
+
+########################################
+##
+## Do not audit attemps to read and write to a firstboot unnamed pipe.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`firstboot_dontaudit_rw_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:fifo_file { read write };
+')
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index fcc2128d..9362210c 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot,1.3.0)
+policy_module(firstboot,1.3.1)
 gen_require(`
 class passwd rootok;
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index 65772725..54ccd8d1 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
-policy_module(kudzu,1.3.1)
+policy_module(kudzu,1.3.2)
 ########################################
 #
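Review bot: The summary of the new `firstboot_dontaudit_rw_pipes` interface misspells "attempts" as `attemps`; the line should read `## Do not audit attempts to read and write to a firstboot unnamed pipe.`. This summary text is what the generated interface documentation is built from, so the typo is user-visible rather than cosmetic. The rule itself mirrors the `firstboot_rw_pipes` interface shown in the hunk header, which is the expected allow/dontaudit pairing.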
@@ -22,7 +22,7 @@ files_pid_file(kudzu_var_run_t)
 #
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-dontaudit kudzu_t self:capability sys_tty_config;
+dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
 allow kudzu_t self:process { signal_perms execmem };
 allow kudzu_t self:fifo_file rw_fifo_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index e318417d..9e35883c 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
-policy_module(logwatch,1.3.1)
+policy_module(logwatch,1.3.2)
 #################################
 #
@@ -30,6 +30,7 @@ allow logwatch_t self:capability { dac_override dac_read_search setgid };
 allow logwatch_t self:process signal;
 allow logwatch_t self:fifo_file rw_file_perms;
 allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
+allow logwatch_t self:netlink_route_socket r_netlink_socket_perms;
 manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
 manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
@@ -76,6 +77,7 @@ libs_use_shared_libs(logwatch_t)
 libs_read_lib_files(logwatch_t)
 logging_read_all_logs(logwatch_t)
+logging_send_syslog_msg(logwatch_t)
 miscfiles_read_localization(logwatch_t)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 864395b9..d433fa27 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -3,6 +3,90 @@
 ## Contains the initial SIDs for network objects.
 ##
+########################################
+##
+## Define type to be a network port type
+##
+##
+##
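Review bot: The `sys_ptrace` added to `dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };` silences a capability denial without recording why kudzu trips it, so a later reader cannot tell whether the access is spurious noise or a real need that is now invisible in the audit log. A one-line comment above the rule such as `# sys_ptrace: capability check kudzu does not need; silenced, not granted` would keep that decision reviewable; what actually triggers the check is not visible in this hunk and should be confirmed before wording it. The same missing-rationale point applies to the `allow logwatch_t self:netlink_route_socket r_netlink_socket_perms;` added in the logwatch.te hunk on this line, which widens logwatch's self access with no comment. The kudzu rule block continues outside the hunk.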

+## Define type to be a network port type +##

+##

+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.

+##
+##
+##
+##
+## Type to be used for network ports.
+##
+##
+#
+interface(`corenet_port',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ typeattribute $1 port_type;
+')
+
+########################################
+##
+## Define network type to be a reserved port (lt 1024)
+##
+##
+##

+## Define network type to be a reserved port (lt 1024) +##

+##

+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.

+##
+##
+##
+##
+## Type to be used for network ports.
+##
+##
+#
+interface(`corenet_reserved_port',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ typeattribute $1 reserved_port_type;
+')
+
+########################################
+##
+## Define network type to be a rpc port ( 512 lt PORT lt 1024)
+##
+##
+##

+## Define network type to be a rpc port ( 512 lt PORT lt 1024) +##

+##

+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.

+##
+##
+##
+##
+## Type to be used for network ports.
+##
+##
+#
+interface(`corenet_rpc_port',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ typeattribute $1 rpc_port_type;
+')
+
 ########################################
 ##
 ## Send and receive TCP network traffic on the generic interfaces.
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 140e4ae1..2b67c129 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.4)
+policy_module(corenetwork,1.2.5)
 ########################################
 #
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 4d1557c3..9d06f766 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -1,5 +1,5 @@
-policy_module(ccs,1.0.3)
+policy_module(ccs,1.0.4)
 ########################################
 #
@@ -10,10 +10,14 @@ type ccs_t;
 type ccs_exec_t;
 init_daemon_domain(ccs_t, ccs_exec_t)
-# pid files
+# conf files
 type cluster_conf_t;
 files_type(cluster_conf_t)
+# tmp files
+type ccs_tmp_t;
+files_tmp_file(ccs_tmp_t)
+
 # log files
 type ccs_var_log_t;
 logging_log_file(ccs_var_log_t)
@@ -45,6 +49,12 @@ allow ccs_t self:socket create_socket_perms;
 manage_files_pattern(ccs_t,cluster_conf_t,cluster_conf_t)
+# tmp file
+allow ccs_t ccs_tmp_t:dir manage_dir_perms;
+manage_dirs_pattern(ccs_t,ccs_tmp_t,ccs_tmp_t)
+manage_files_pattern(ccs_t,ccs_tmp_t,ccs_tmp_t)
+files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
+
 # log files
 manage_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
 manage_sock_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index a559e2b4..b5fb28cd 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus,1.2.1)
+policy_module(cyrus,1.2.2)
 ########################################
 #
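Review bot: Nothing in `corenet_reserved_port` or `corenet_rpc_port` ties the `reserved_port_type` / `rpc_port_type` attribute to an actual port number — the `portcon` statements stay in the calling module — so a third-party module that applies `corenet_reserved_port` to a port above 1024 silently extends what every upstream rule keyed on that attribute (for example the bind-all-reserved-ports interfaces) permits. The description of each interface should state that the caller is responsible for labelling only ports in the stated range and that upstream rules written against these attributes assume it. It is also not visible here whether `corenet_reserved_port` and `corenet_rpc_port` must be paired with `corenet_port` (reserved and rpc port types normally also carry `port_type` — confirm against the port declaration macros outside this hunk); the descriptions should say so either way. Minor: the descriptions call these "templates" while all three are declared with `interface(`.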
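Review bot: `allow ccs_t ccs_tmp_t:dir manage_dir_perms;` in the second ccs.te hunk is redundant: the `manage_dirs_pattern(ccs_t,ccs_tmp_t,ccs_tmp_t)` on the next line already grants `manage_dir_perms` on `ccs_tmp_t` directories. Dropping the explicit allow keeps the block in the pattern-macro style the conf and log rules in the same file use. The `# tmp file` heading could also match the `# tmp files` heading used in the declarations hunk.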
@@ -111,6 +111,7 @@ userdom_use_unpriv_users_fds(cyrus_t)
 userdom_use_sysadm_ptys(cyrus_t)
 mta_manage_spool(cyrus_t)
+mta_send_mail(cyrus_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(cyrus_t)
@@ -122,6 +123,10 @@ optional_policy(`
 cron_system_entry(cyrus_t,cyrus_exec_t)
 ')
+optional_policy(`
+ kerberos_use(cyrus_t)
+')
+
 optional_policy(`
 ldap_stream_connect(cyrus_t)
 ')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index f85badef..302931eb 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.5.3)
+policy_module(networkmanager,1.5.4)
 ########################################
 #
@@ -22,7 +22,7 @@ files_pid_file(NetworkManager_var_run_t)
 # and it receives a unexpected signal (rh bug #204161)
 allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
+allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
 allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 9cdb6b92..aefa4fe4 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp,1.2.1)
+policy_module(ntp,1.2.2)
 ########################################
 #
@@ -129,6 +129,7 @@ optional_policy(`
 optional_policy(`
 firstboot_dontaudit_use_fds(ntpd_t)
+ firstboot_dontaudit_rw_pipes(ntpd_t)
 ')
 optional_policy(`
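Review bot: `setpgid` is added to `allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };` in the networkmanager.te hunk with no rationale, while the block it sits in already justifies the `kill` capability with a bug reference on the context line above. A comment in that same style, e.g. `# setpgid: <reason or bug reference placeholder>`, would keep the self-permission list auditable; the process NetworkManager puts into its own group is not visible here, so the reason should be confirmed rather than guessed. The rule block continues outside the hunk.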