diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te index 88b7c599..5696994d 100644 --- a/refpolicy/policy/modules/admin/acct.te +++ b/refpolicy/policy/modules/admin/acct.te @@ -53,7 +53,7 @@ domain_use_wide_inherit_fd(acct_t) files_read_etc_files(acct_t) files_read_etc_runtime_files(acct_t) # for nscd -files_dontaudit_getattr_pid_dir(acct_t) +files_dontaudit_search_pids(acct_t) init_use_fd(acct_t) init_use_script_pty(acct_t) diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index 1c751aa8..eefeb836 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -18,8 +18,7 @@ role system_r types consoletype_t; # allow consoletype_t self:capability sys_admin; - -allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow consoletype_t self:fd use; allow consoletype_t self:fifo_file rw_file_perms; allow consoletype_t self:unix_dgram_socket create_socket_perms; diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index c11e1a4b..911bca8f 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -30,7 +30,7 @@ allow logrotate_t self:capability { chown dac_override dac_read_search kill fset # for mailx dontaudit logrotate_t self:capability { setuid setgid }; -allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; # Set a context other than the default one for newly created files. allow logrotate_t self:process setfscreate; 
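Review bot: The `self:process ~{ ... }` rule in the consoletype.te hunk still grants by complement, so every process permission not named in the braces is allowed, including any permission added to the class later. The same form recurs in the logrotate.te hunk below and in the rpm, sudo, usermanage, cron, remotelogin, ssh, authlogin, fstools, locallogin, selinuxutil, sysnetwork, udev and userdomain hunks. The commit also drops `dyntransition` from each exclusion list, which leaves `self:process dyntransition` allowed in all of these domains; that is presumably inert while `setcurrent` stays excluded, but it should be confirmed as intended. An explicit allow-list of the permissions each domain needs would fail closed. At minimum, define the excluded set once and add a comment such as `# complement set: any permission later added to class process is granted unless listed here`.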
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index eef0d058..a8864e3b 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -55,8 +55,8 @@ domain_entry_file(rpmbuild_t,rpmbuild_exec_t) # rpm Local policy # -allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod }; -allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod }; +allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; allow rpm_t self:fifo_file rw_file_perms; @@ -204,7 +204,7 @@ allow rpm_t sysadm_gph_t:fd use; # allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; -allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if index 17fd5f24..5a83ccdd 100644 --- a/refpolicy/policy/modules/admin/sudo.if +++ b/refpolicy/policy/modules/admin/sudo.if 
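Review bot: `net_bind_service` is removed from `rpm_t` in the first rpm.te hunk, and from `local_login_t` in locallogin.te, with no comment on why. Meanwhile `remote_login_t`, `crond_t` and `newrole_t` keep the capability in the context lines of their own hunks. If the capability is now granted somewhere not visible here, the remaining three domains presumably want the same treatment; if it was simply unneeded, that is worth recording. Suggest a line above the rule such as `# net_bind_service dropped: <reason, or the interface that now grants it>` and a follow-up pass over the other three domains.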
@@ -51,7 +51,7 @@ template(`sudo_per_userdomain_template',` # Use capabilities. allow $1_sudo_t self:capability { setuid setgid dac_override sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; + allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; allow $1_sudo_t self:fifo_file rw_file_perms; diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index d2b0a156..72a63653 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -18,6 +18,7 @@ type chfn_exec_t; domain_entry_file(chfn_t,chfn_exec_t) type crack_t; +domain_type(crack_t) role system_r types crack_t; type crack_exec_t; @@ -63,7 +64,7 @@ role system_r types useradd_t; # allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; -allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow chfn_t self:process { setrlimit setfscreate }; allow chfn_t self:fd use; allow chfn_t self:fifo_file rw_file_perms; @@ -195,7 +196,7 @@ dontaudit crack_t sysadm_home_dir_t:dir { getattr search }; allow groupadd_t self:capability { dac_override chown kill setuid sys_resource }; dontaudit groupadd_t self:capability fsetid; -allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow groupadd_t self:process { setrlimit setfscreate }; allow groupadd_t self:fd use; allow groupadd_t self:fifo_file rw_file_perms; 
@@ -279,7 +280,7 @@ dontaudit groupadd_t sysadm_home_dir_t:dir search; # allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; -allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; allow passwd_t self:fd use; allow passwd_t self:fifo_file rw_file_perms; @@ -368,7 +369,7 @@ dontaudit passwd_t var_run_t:dir search; # allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; -allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sysadm_passwd_t self:process { setrlimit setfscreate }; allow sysadm_passwd_t self:fd use; allow sysadm_passwd_t self:fifo_file rw_file_perms; @@ -466,7 +467,7 @@ dontaudit sysadm_passwd_t selinux_config_t:dir search; # allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; -allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; allow useradd_t self:fd use; allow useradd_t self:fifo_file rw_file_perms; diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index be803e67..08aa3013 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te 
@@ -99,7 +99,7 @@ storage_raw_read_removable_device(bootloader_t) storage_raw_write_removable_device(bootloader_t) dev_getattr_all_chr_files(bootloader_t) -dev_setattr_all_blk_files(bootloader_t) +dev_getattr_all_blk_files(bootloader_t) dev_dontaudit_rw_generic_dev_nodes(bootloader_t) dev_read_rand(bootloader_t) dev_read_urand(bootloader_t) diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 1213e091..cba03eaf 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -51,7 +51,7 @@ files_tmp_file(system_crond_tmp_t) allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; -allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process setexec; allow crond_t self:fd use; allow crond_t self:fifo_file rw_file_perms; diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index 27f01c9d..8f6084c3 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -24,7 +24,7 @@ files_tmp_file(remote_login_tmp_t) # allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; -allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow remote_login_t self:process { setrlimit setexec }; allow remote_login_t self:fd use; allow remote_login_t self:fifo_file rw_file_perms; 
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index 9b7ada4d..4489fdcd 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -49,7 +49,7 @@ template(`ssh_per_userdomain_template',` # $1_ssh_t local policy # allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search }; - allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; + allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_ssh_t self:fd use; allow $1_ssh_t self:fifo_file { read getattr lock ioctl write append }; allow $1_ssh_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 0e68a81a..f8049982 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -70,7 +70,7 @@ logging_log_file(wtmp_t) # PAM local policy # -allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; dontaudit pam_t self:capability sys_tty_config; allow pam_t self:fd use; diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 3cbb4f4b..7aab5d02 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -412,7 +412,7 @@ interface(`domain_dontaudit_getsession_all_domains',` class process getsession; ') - allow $1 domain:process getsession; + dontaudit $1 domain:process getsession; ') ######################################## 
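Review bot: Existing callers of `domain_dontaudit_getsession_all_domains` in domain.if lose `getsession` on `domain` with this rule now a `dontaudit`, and because the denial is suppressed nothing will be logged when one of them breaks. The callers are outside this diff, so any domain that came to depend on the accidental grant should be moved to `domain_getsession_all_domains` (the interface init.te uses for `initrc_t`) in the same change. A test run with dontaudit rules disabled would surface them. The interface header and its documentation block start above the hunk, so check that the summary there says "do not audit" as well.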
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te index 4331448d..f4b01909 100644 --- a/refpolicy/policy/modules/system/fstools.te +++ b/refpolicy/policy/modules/system/fstools.te @@ -24,7 +24,7 @@ files_type(swapfile_t) # ipc_lock is for losetup allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config }; -allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; allow fsadm_t self:fd use; allow fsadm_t self:fifo_file rw_file_perms; allow fsadm_t self:unix_dgram_socket create_socket_perms; diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 3fa5e6bf..8eba00e9 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -258,6 +258,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getsession_all_domains(initrc_t) domain_use_wide_inherit_fd(initrc_t) +domain_exec_all_entry_files(initrc_t) # for lsof which is used by alsa shutdown: domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 26aa3866..447829e5 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te 
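Review bot: The new `fsadm_t` rule in fstools.te lists `execmem` twice and omits `execstack`, so the complement still grants `self:process execstack` to fsadm_t, unlike every other domain touched by this commit. It should read `allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };`. The set is hand-copied into about twenty rules with varying order (`execheap execstack` in usermanage.te, selinuxutil.te and sysnetwork.te), which makes a slip like this hard to spot. Defining it once would prevent a repeat.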
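Review bot: `domain_exec_all_entry_files(initrc_t)` in the init.te hunk is added without a comment, and by its name it lets initrc_t execute the entry-point file of every domain, presumably running those programs inside initrc_t when no transition rule applies. initrc_t already has several all-domains grants in the surrounding context, so a program started this way would run with init-script privileges rather than in its own confined domain. State the reason next to the line, e.g. `# <which init script needs this and why>`, or narrow it to the specific entry types required. The new line also sits directly above the `# for lsof ...` comment, which belongs to the dontaudit rules after it, so a blank line between them would keep that association clear.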
@@ -33,8 +33,8 @@ role system_r types sulogin_t; # Local login local policy # -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; +allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow local_login_t self:process { setrlimit setexec }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_file_perms; @@ -216,7 +216,7 @@ optional_policy(`locallogin.te',` # Sulogin local policy # -allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file rw_file_perms; allow sulogin_t self:unix_dgram_socket create_socket_perms; diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index dc5dee0c..ee7a5ad4 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -51,7 +51,7 @@ files_type(var_log_t) allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource }; dontaudit auditd_t self:capability sys_tty_config; -allow auditd_t self:process setsched; +allow auditd_t self:process { signal_perms setsched }; allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write }; allow auditd_t var_log_t:dir search; diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index c2367e17..5e0db524 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te 
+++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -174,7 +174,7 @@ userdom_use_all_user_fd(load_policy_t) allow newrole_t self:capability { setuid setgid net_bind_service dac_override }; -allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; allow newrole_t self:fifo_file rw_file_perms; diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 4086c6a4..669ebee3 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -217,7 +217,7 @@ dontaudit dhcpc_t domain:dir getattr; # Ifconfig local policy # -allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:capability net_admin; dontaudit ifconfig_t self:capability sys_module; diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index d4c20386..12771948 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -35,7 +35,7 @@ files_pid_file(udev_var_run_t) # allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin }; -allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_file_perms; 
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index bd1a4671..3c42fed1 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -60,7 +60,7 @@ template(`base_user_template',` allow $1_t self:capability { setgid chown fowner }; dontaudit $1_t self:capability { sys_nice fsetid }; - allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; + allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_t self:process { ptrace setfscreate }; allow $1_t self:fd use; allow $1_t self:fifo_file rw_file_perms;