policy-20051208.patch

refpolicy/Changelog

@@ -6,6 +6,7 @@
 	automount
 	fetchmail
 	sysstat
+	vbetool
 
 * Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
 - Add unlabeled IPSEC association rule to domains with

refpolicy/policy/modules/admin/updfstab.te

@@ -1,5 +1,5 @@
 
-policy_module(updfstab,1.1.1)
+policy_module(updfstab,1.1.2)
 
 ########################################
 #
@@ -32,6 +32,7 @@ dev_read_sysfs(updfstab_t)
 dev_manage_generic_symlinks(updfstab_t)
 
 fs_getattr_xattr_fs(updfstab_t)
+fs_getattr_tmpfs(updfstab_t)
 fs_getattr_tmpfs_dir(updfstab_t)
 fs_search_auto_mountpoints(updfstab_t)
 

refpolicy/policy/modules/admin/vbetool.fc

@@ -0,0 +1 @@
+/usr/sbin/vbetool	--	gen_context(system_u:object_r:vbetool_exec_t,s0)

refpolicy/policy/modules/admin/vbetool.if

@@ -0,0 +1,24 @@
+## <summary>run real-mode video BIOS code to alter hardware state</summary>
+
+########################################
+## <summary>
+##	Execute vbetool application in the vbetool domain.
+## </summary>
+## <param name="domain" optional="true">
+##	N/A
+## </param>
+#
+interface(`vbetool_domtrans',`
+	gen_require(`
+		type vbetool_t, vbetool_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,vbetool_exec_t,vbetool_t)
+
+	allow $1 vbetool_t:fd use;
+	allow vbetool_t $1:fd use;
+	allow vbetool_t $1:fifo_file rw_file_perms;
+	allow vbetool_t $1:process sigchld;
+
+')

refpolicy/policy/modules/admin/vbetool.te

@@ -0,0 +1,26 @@
+
+policy_module(vbetool,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vbetool_t;
+type vbetool_exec_t;
+init_system_domain(vbetool_t,vbetool_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vbetool_t self:process execmem;
+
+dev_wx_raw_memory(vbetool_t)
+dev_read_raw_memory(vbetool_t)
+dev_rwx_zero_dev(vbetool_t)
+dev_read_sysfs(vbetool_t)
+
+libs_use_ld_so(vbetool_t)
+libs_use_shared_libs(vbetool_t)

refpolicy/policy/modules/kernel/mls.te

@@ -1,5 +1,5 @@
 
-policy_module(mls,1.1.0)
+policy_module(mls,1.1.1)
 
 ########################################
 #
@@ -52,13 +52,14 @@ attribute mlsrangetrans;
 # temporarily have to break encapsulation to work around this.
 #
 
+type crond_exec_t;
 type cupsd_exec_t;
 type getty_t;
-type login_exec_t;
 type init_t;
 type init_exec_t;
 type initrc_t;
 type initrc_exec_t;
+type login_exec_t;
 type sshd_exec_t;
 type su_exec_t;
 type udev_exec_t;
@@ -68,6 +69,7 @@ type xdm_exec_t;
 ifdef(`enable_mcs',`
 range_transition getty_t login_exec_t s0 - s0:c0.c255;
 range_transition init_t xdm_exec_t s0 - s0:c0.c255;
+range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
 range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
 range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
 range_transition initrc_t udev_exec_t s0 - s0:c0.c255;

refpolicy/policy/modules/kernel/terminal.if

@@ -617,6 +617,23 @@ interface(`term_setattr_unallocated_ttys',`
 	allow $1 tty_device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to ioctl
+##	unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`term_dontaudit_ioctl_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dontaudit $1 tty_device_t:chr_file ioctl;
+')
+
 ########################################
 ## <summary>
 ##	Relabel from and to the unallocated

refpolicy/policy/modules/services/automount.te

@@ -1,5 +1,5 @@
 
-policy_module(automount,1.0.1)
+policy_module(automount,1.0.2)
 
 ########################################
 #
@@ -58,6 +58,7 @@ allow automount_t automount_var_run_t:dir rw_dir_perms;
 files_create_pid(automount_t,automount_var_run_t)
 
 kernel_read_kernel_sysctl(automount_t)
+kernel_read_fs_sysctl(automount_t)
 kernel_read_proc_symlinks(automount_t)
 kernel_read_system_state(automount_t)
 kernel_list_proc(automount_t)

refpolicy/policy/modules/services/cron.te

@@ -1,5 +1,5 @@
 
-policy_module(cron, 1.1.0)
+policy_module(cron, 1.1.1)
 
 gen_require(`
 	class passwd rootok;
@@ -18,7 +18,11 @@ type cron_spool_t;
 files_type(cron_spool_t)
 
 type crond_t;
-type crond_exec_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type crond_exec_t;
+')
 init_daemon_domain(crond_t,crond_exec_t)
 domain_wide_inherit_fd(crond_t)
 domain_cron_exemption_source(crond_t)

refpolicy/policy/modules/services/dovecot.te

@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.1.0)
+policy_module(dovecot,1.1.1)
 
 ########################################
 #
@@ -154,6 +154,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write io
 
 allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
 
+allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
+
 kernel_read_all_sysctl(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
 
@@ -165,6 +167,8 @@ auth_use_nsswitch(dovecot_auth_t)
 files_read_etc_files(dovecot_auth_t)
 files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
 
 libs_use_ld_so(dovecot_auth_t)
 libs_use_shared_libs(dovecot_auth_t)

refpolicy/policy/modules/services/ftp.fc

@@ -21,6 +21,7 @@
 /var/run/proftpd(/.*)? 		gen_context(system_u:object_r:ftpd_var_run_t,s0)
 
 /var/log/muddleftpd\.log.* --	gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/proftpd(/.*)?          gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)

refpolicy/policy/modules/services/gpm.te

@@ -1,5 +1,5 @@
 
-policy_module(gpm,1.0.1)
+policy_module(gpm,1.0.2)
 
 ########################################
 #
@@ -28,6 +28,7 @@ files_type(gpmctl_t)
 #
 
 allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
+allow gpm_t self:unix_stream_socket create_stream_socket_perms;
 
 allow gpm_t gpm_conf_t:dir r_dir_perms;
 allow gpm_t gpm_conf_t:file r_file_perms;
@@ -94,5 +95,5 @@ optional_policy(`udev',`
 ifdef(`TODO',`
 # Access the mouse.
 # cjp: why write?
-allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
+allow gpm_t event_device_t:chr_file rw_file_perms;
 ')

refpolicy/policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.1.1)
+policy_module(hal,1.1.2)
 
 ########################################
 #
@@ -21,10 +21,10 @@ files_pid_file(hald_var_run_t)
 # Local policy
 #
 
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
+# execute openvt which needs setuid
+allow hald_t self:capability { setuid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
-# vbetool requires execmem
-allow hald_t self:process { execmem signal_perms };
+allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow hald_t self:unix_dgram_socket create_socket_perms;
@@ -104,9 +104,11 @@ storage_raw_read_fixed_disk(hald_t)
 storage_raw_write_fixed_disk(hald_t)
 
 term_dontaudit_use_console(hald_t)
+term_dontaudit_ioctl_unallocated_ttys(hald_t)
 
 init_use_fd(hald_t)
 init_use_script_pty(hald_t)
+init_domtrans_script(hald_t)
 
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)
@@ -138,6 +140,10 @@ optional_policy(`apm',`
 	apm_stream_connect(hald_t)
 ')
 
+optional_policy(`clock',`
+	clock_domtrans(hald_t)
+')
+
 optional_policy(`cups',`
 	cups_domtrans_config(hald_t)
 	cups_signal_config(hald_t)
@@ -198,6 +204,10 @@ optional_policy(`updfstab',`
 	updfstab_domtrans(hald_t)
 ')
 
+optional_policy(`vbetool',`
+	vbetool_domtrans(hald_t)
+')
+
 ifdef(`TODO',`
 allow hald_t device_t:dir create_dir_perms;
 ') dnl end TODO

refpolicy/policy/modules/services/spamassassin.te

@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.1.0)
+policy_module(spamassassin,1.1.1)
 
 ########################################
 #
@@ -120,6 +120,8 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(spamd_t)
 	term_dontaudit_use_generic_pty(spamd_t)
 	files_dontaudit_read_root_file(spamd_t)
+	userdom_manage_generic_user_home_dirs(spamd_t)
+	userdom_manage_generic_user_home_files(spamd_t)
 ')
 
 tunable_policy(`use_nfs_home_dirs',`

refpolicy/policy/modules/system/unconfined.if

@@ -32,16 +32,18 @@ template(`unconfined_domain_template',`
 	kernel_unconfined($1)
 	corenet_unconfined($1)
 	dev_unconfined($1)
+	domain_unconfined($1)
+	files_unconfined($1)
 	fs_unconfined($1)
 	selinux_unconfined($1)
 
-	domain_unconfined($1)
-	files_unconfined($1)
+	libs_use_shared_libs($1)
 
 	tunable_policy(`allow_execmem',`
 		# Allow making anonymous memory executable, e.g. 
 		# for runtime-code generation or executable stack.
 		allow $1 self:process execmem;
+		auditallow $1 self:process execmem;
 	')
 
 	tunable_policy(`allow_execmem && allow_execstack',`

refpolicy/policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.1.0)
+policy_module(unconfined,1.1.1)
 
 ########################################
 #