From 2e2a24e07d902d3accdc25668805b69e64b45171 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 21:30:35 +0200 Subject: [PATCH 01/24] Use stream_connect_pattern. Signed-off-by: Dominick Grift --- policy/modules/services/zebra.if | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if index 6b876050..5860687f 100644 --- a/policy/modules/services/zebra.if +++ b/policy/modules/services/zebra.if @@ -38,8 +38,7 @@ interface(`zebra_stream_connect',` ') files_search_pids($1) - allow $1 zebra_var_run_t:sock_file write; - allow $1 zebra_t:unix_stream_socket connectto; + stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t) ') ######################################## From 60d27bf8abb33abb9217a0932075fae64c530a5c Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 21:48:12 +0200 Subject: [PATCH 02/24] Tunable, optional, if(n)def block go below. Signed-off-by: Dominick Grift --- policy/modules/services/xserver.if | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 4bc9fff5..fa4c4b55 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -59,10 +59,6 @@ interface(`xserver_restricted_role',` domtrans_pattern($2, iceauth_exec_t, iceauth_t) -ifdef(`hide_broken_symptoms', ` - dontaudit iceauth_t $2:socket_class_set { read write }; -') - allow $2 iceauth_home_t:file read_file_perms; domtrans_pattern($2, xauth_exec_t, xauth_t) @@ -100,9 +96,6 @@ ifdef(`hide_broken_symptoms', ` dev_write_misc($2) # open office is looking for the following dev_getattr_agp_dev($2) - tunable_policy(`user_direct_dri',` - dev_rw_dri($2) - ') # GNOME checks for usb and other devices: dev_rw_usbfs($2) 
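Review bot: `stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)` is slightly wider than the two rules it replaces: besides `connectto` it grants search on `zebra_var_run_t` directories and `write_sock_file_perms` on the socket file, which covers getattr and append (and open, where the tree has that permission) rather than bare `write`. That is the usual refpolicy shape and presumably the intent, but the commit message only says to use the pattern; one sentence naming the extra permissions would make the widening deliberate on the record. `zebra_stream_connect` begins outside the hunk.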
@@ -121,11 +114,19 @@ ifdef(`hide_broken_symptoms', ` # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) + ifdef(`hide_broken_symptoms', ` + dontaudit iceauth_t $2:socket_class_set { read write }; + ') + # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') + + tunable_policy(`user_direct_dri',` + dev_rw_dri($2) + ') ') ######################################## @@ -513,15 +514,15 @@ template(`xserver_user_x_domain_template',` xserver_object_types_template($1) xserver_common_x_domain_template($1,$2) - tunable_policy(`user_direct_dri',` - dev_rw_dri($2) - ') - # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') + + tunable_policy(`user_direct_dri',` + dev_rw_dri($2) + ') ') ######################################## @@ -582,6 +583,7 @@ interface(`xserver_domtrans_xauth',` ') domtrans_pattern($1, xauth_exec_t, xauth_t) + ifdef(`hide_broken_symptoms', ` dontaudit xauth_t $1:socket_class_set { read write }; ') From 2d102f8402c6b2a3e3f765280aa289a58539659c Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 21:36:17 +0200 Subject: [PATCH 03/24] Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 
Signed-off-by: Dominick Grift --- policy/modules/services/virt.if | 1 - policy/modules/services/xfs.if | 2 +- policy/modules/services/xserver.if | 29 +++++++------- policy/modules/services/zabbix.if | 8 ++-- policy/modules/services/zarafa.if | 56 ++++++++++++++-------------- policy/modules/services/zosremote.if | 4 +- 6 files changed, 47 insertions(+), 53 deletions(-) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index 1a0701b1..1bf06021 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -609,4 +609,3 @@ interface(`virt_dontaudit_write_pipes',` dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ') - diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if index aa6e5a8d..42a0efbd 100644 --- a/policy/modules/services/xfs.if +++ b/policy/modules/services/xfs.if @@ -1,4 +1,4 @@ -## X Windows Font Server +## X Windows Font Server ######################################## ## diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index fa4c4b55..8ed36f25 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -114,7 +114,7 @@ interface(`xserver_restricted_role',` # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) - ifdef(`hide_broken_symptoms', ` + ifdef(`hide_broken_symptoms',` dontaudit iceauth_t $2:socket_class_set { read write }; ') @@ -179,7 +179,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - ') ####################################### @@ -504,7 +503,7 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) - xserver_ro_session($2,$3) + xserver_ro_session($2, $3) xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) 
@@ -512,7 +511,7 @@ template(`xserver_user_x_domain_template',` # X object manager xserver_object_types_template($1) - xserver_common_x_domain_template($1,$2) + xserver_common_x_domain_template($1, $2) # Client write xserver shm tunable_policy(`allow_write_xshm',` @@ -584,7 +583,7 @@ interface(`xserver_domtrans_xauth',` domtrans_pattern($1, xauth_exec_t, xauth_t) - ifdef(`hide_broken_symptoms', ` + ifdef(`hide_broken_symptoms',` dontaudit xauth_t $1:socket_class_set { read write }; ') ') @@ -712,7 +711,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') - allow $1 xdm_t:fd use; + allow $1 xdm_t:fd use; ') ######################################## @@ -731,7 +730,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') - dontaudit $1 xdm_t:fd use; + dontaudit $1 xdm_t:fd use; ') ######################################## @@ -749,7 +748,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') - allow $1 xdm_t:fifo_file { getattr read write }; + allow $1 xdm_t:fifo_file { getattr read write }; ') ######################################## @@ -764,12 +763,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` - gen_require(` type xdm_t; ') - dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; + dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; ') ######################################## @@ -1039,7 +1037,7 @@ interface(`xserver_read_xdm_etc_files',` type xdm_etc_t; ') - files_search_etc($1) + files_search_etc($1) read_files_pattern($1, xdm_etc_t, xdm_etc_t) ') @@ -1058,7 +1056,7 @@ interface(`xserver_manage_xdm_etc_files',` type xdm_etc_t; ') - files_search_etc($1) + files_search_etc($1) manage_files_pattern($1, xdm_etc_t, xdm_etc_t) ') @@ -1077,7 +1075,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') - files_search_tmp($1) + files_search_tmp($1) read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') 
@@ -1171,7 +1169,7 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') - allow $1 xserver_t:process siginh; + allow $1 xserver_t:process siginh; domtrans_pattern($1, xserver_exec_t, xserver_t) allow xserver_t $1:process getpgid; @@ -1314,7 +1312,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the -## virtual core keyboard and virtual core pointer devices. +## virtual core keyboard and virtual core pointer devices. ## ## ## @@ -1600,7 +1598,6 @@ interface(`xserver_search_xdm_lib',` allow $1 xdm_var_lib_t:dir search_dir_perms; ') - ######################################## ## ## Make an X executable an entrypoint for the specified domain. diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if index d77e631f..4776863d 100644 --- a/policy/modules/services/zabbix.if +++ b/policy/modules/services/zabbix.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run zabbix. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`zabbix_domtrans',` @@ -44,9 +44,9 @@ interface(`zabbix_read_log',` ## zabbix log files. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`zabbix_append_log',` diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if index bba31242..77367ec0 100644 --- a/policy/modules/services/zarafa.if +++ b/policy/modules/services/zarafa.if @@ -1,15 +1,14 @@ - ## policy for zarafa services ###################################### ## -## Creates types and rules for a basic -## zararfa init daemon domain. +## Creates types and rules for a basic +## zararfa init daemon domain. ## ## -## -## Prefix for the domain. -## +## +## Prefix for the domain. +## ## # template(`zarafa_domain_template',` 
@@ -19,12 +18,12 @@ template(`zarafa_domain_template',` ') ############################## - # - # $1_t declarations - # + # + # $1_t declarations + # type zarafa_$1_t, zarafa_domain; - type zarafa_$1_exec_t; + type zarafa_$1_exec_t; init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) type zarafa_$1_log_t; @@ -34,28 +33,28 @@ template(`zarafa_domain_template',` files_pid_file(zarafa_$1_var_run_t) ############################## - # + # # $1_t local policy - # + # manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) + manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) #stream_connect_pattern(zarafa_$1_t, $1_var_run_t, $1_var_run_t, virtd_t) manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) #manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file }) -') - +') + ######################################## ## ## Execute a domain transition to run zarafa_server. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`zarafa_server_domtrans',` @@ -66,15 +65,14 @@ interface(`zarafa_server_domtrans',` domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) ') - ######################################## ## ## Execute a domain transition to run zarafa_deliver. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`zarafa_deliver_domtrans',` 
@@ -87,19 +85,19 @@ interface(`zarafa_deliver_domtrans',` ####################################### ## -## Connect to zarafa-server unix domain stream socket. +## Connect to zarafa-server unix domain stream socket. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## ## # interface(`zarafa_stream_connect_server',` - gen_require(` - type zarafa_server_t, zarafa_server_var_run_t; - ') + gen_require(` + type zarafa_server_t, zarafa_server_var_run_t; + ') - stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t) + stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t) ') diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if index 702e7680..1d24e1ed 100644 --- a/policy/modules/services/zosremote.if +++ b/policy/modules/services/zosremote.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run audispd-zos-remote. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`zosremote_domtrans',` From 5ebd1a52a569eb58a53538c683ad64d12434af0e Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 08:51:01 +0200 Subject: [PATCH 04/24] Use domtrans_pattern because it include permission the sigchld target domain and other required access to domain transition. Signed-off-by: Dominick Grift --- policy/modules/services/ucspitcp.if | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if index c1feba4f..bf821706 100644 --- a/policy/modules/services/ucspitcp.if +++ b/policy/modules/services/ucspitcp.if @@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', ` role system_r types $1; - domain_auto_trans(ucspitcp_t, $2, $1) - allow $1 ucspitcp_t:fd use; - allow $1 ucspitcp_t:process sigchld; - allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms; + domtrans_pattern(ucspitcp_t, $2, $1) ') 
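Review bot: The removed `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;` is not covered by `domtrans_pattern`, which only adds the fd use, fifo_file read/write and sigchld rules next to the transition, so this hunk silently drops the service domain's access to the accepted connection that tcpserver hands it on stdin/stdout. Keep that rule after the new call: `domtrans_pattern(ucspitcp_t, $2, $1)` followed by `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;`. The commit message should then describe only the fd/fifo/sigchld consolidation. `ucspitcp_service_domain` begins outside the hunk.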
From d0b7562f02f7211a9e3d3982455c3a0b88a57e64 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 09:36:06 +0200 Subject: [PATCH 05/24] Do not audit interface should not provide permission to read parent directories. Signed-off-by: Dominick Grift --- policy/modules/services/sssd.if | 1 - 1 file changed, 1 deletion(-) diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index 941380a7..82083089 100644 --- a/policy/modules/services/sssd.if +++ b/policy/modules/services/sssd.if @@ -128,7 +128,6 @@ interface(`sssd_dontaudit_search_lib',` ') dontaudit $1 sssd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) ') ######################################## From a87e8f736c0f3ca50a652079d591ea6adb369d33 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 09:42:26 +0200 Subject: [PATCH 06/24] Redundant: domtrans_pattern includes these. Signed-off-by: Dominick Grift --- policy/modules/services/ssh.if | 3 --- 1 file changed, 3 deletions(-) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 3061e830..617ad5fb 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -411,9 +411,6 @@ template(`ssh_role_template',` # for the transition back to normal privs upon exec userdom_search_user_home_content($1_ssh_agent_t) userdom_user_home_domtrans($1_ssh_agent_t, $3) - allow $3 $1_ssh_agent_t:fd use; - allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; - allow $3 $1_ssh_agent_t:process sigchld; tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) From f416df73dd6029657808711022d397e8f808390c Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 09:50:08 +0200 Subject: [PATCH 07/24] Redundant: This is included with userdom_search_user_home_content. Signed-off-by: Dominick Grift --- policy/modules/services/ssh.if | 1 - 1 file changed, 1 deletion(-) 
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 617ad5fb..7b02f86e 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -394,7 +394,6 @@ template(`ssh_role_template',` files_read_etc_files($1_ssh_agent_t) files_read_etc_runtime_files($1_ssh_agent_t) - files_search_home($1_ssh_agent_t) libs_read_lib_files($1_ssh_agent_t) From 50e85752ad9c3af904a81b7d1af7f6bc27c98630 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 09:59:06 +0200 Subject: [PATCH 08/24] Allow users to ptrace and send any kind of signal to their ssh agent instead of only a generic signal. Signed-off-by: Dominick Grift --- policy/modules/services/ssh.if | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 7b02f86e..68a7db80 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -339,7 +339,7 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) - allow $3 ssh_t:process signal; + allow $3 ssh_t:process { ptrace signal_perms }; # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; @@ -372,7 +372,7 @@ template(`ssh_role_template',` stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. - allow $3 $1_ssh_agent_t:process signal; + allow $3 $1_ssh_agent_t:process { ptrace signal_perms }; # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) From 9a2fd7d1445dca055e47a4ca20213fb231d6ce44 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 10:01:16 +0200 Subject: [PATCH 09/24] Redundant: This is included with userdom_read_user_home_content_files. Signed-off-by: Dominick Grift --- policy/modules/services/ssh.if | 1 - 1 file changed, 1 deletion(-) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 68a7db80..d3b2b559 100644 
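Review bot: In the `@@ -372` hunk the context comment `# Allow the user shell to signal the ssh program.` no longer matches the rule beneath it, which targets `$1_ssh_agent_t` and now grants `ptrace` as well as `signal_perms`; update it to `# Allow the user shell to ptrace and send any signal to its ssh agent.` The commit message should also say that ptrace lets `$3` read the agent's memory, including key material it holds unlocked, so this is a deliberate widening beyond signalling even though it stays within the same user's authority. The same consideration applies to the `spamassassin_role` hunk in PATCH 13. `ssh_role_template` starts and ends outside both hunks.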
--- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -248,7 +248,6 @@ template(`ssh_server_template', ` miscfiles_read_localization($1_t) userdom_dontaudit_relabelfrom_user_ptys($1_t) - userdom_search_user_home_dirs($1_t) userdom_read_user_home_content_files($1_t) # Allow checking users mail at login From a3d20a3c3a4988018e94a2619cf16d3fa2f64dc6 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 10:45:36 +0200 Subject: [PATCH 10/24] Use relabel permission sets where possible. --- policy/modules/services/xserver.if | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 8ed36f25..5efb6568 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -158,10 +158,10 @@ interface(`xserver_role',` allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; - allow $2 iceauth_home_t:file { relabelfrom relabelto }; + allow $2 iceauth_home_t:file relabel_file_perms; allow $2 xauth_home_t:file manage_file_perms; - allow $2 xauth_home_t:file { relabelfrom relabelto }; + allow $2 xauth_home_t:file relabel_file_perms; mls_xwin_read_to_clearance($2) manage_dirs_pattern($2, user_fonts_t, user_fonts_t) From b0e9aaafb92dbbeb2281a2715dfaa3bf58eb6f36 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 21:39:31 +0200 Subject: [PATCH 11/24] This is not a role capability. This is not a role capability. Signed-off-by: Dominick Grift This is not a role capability. --- policy/modules/services/squid.if | 1 - policy/modules/services/xserver.if | 1 - policy/modules/services/zarafa.if | 1 - 3 files changed, 3 deletions(-) diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if index d2496bd7..fb9774ae 100644 --- a/policy/modules/services/squid.if +++ b/policy/modules/services/squid.if 
@@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',` ## Domain to not audit. ## ## -## # interface(`squid_dontaudit_search_cache',` gen_require(` diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 5efb6568..a42438ad 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -1566,7 +1566,6 @@ template(`xserver_read_user_iceauth',` ## Domain allowed access. ## ## -## # interface(`xserver_rw_inherited_user_fonts',` gen_require(` diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if index 77367ec0..29aea13c 100644 --- a/policy/modules/services/zarafa.if +++ b/policy/modules/services/zarafa.if @@ -92,7 +92,6 @@ interface(`zarafa_deliver_domtrans',` ## Domain allowed access. ## ## -## # interface(`zarafa_stream_connect_server',` gen_require(` From c5caddd673f7fef4f3beabaeda534f5837e6a5c0 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 11:00:39 +0200 Subject: [PATCH 12/24] This type is not required here. --- policy/modules/services/spamassassin.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index 76cfada6..5ceb6dab 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -279,7 +279,7 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` # interface(`spamd_stream_connect',` gen_require(` - type spamd_t, spamd_var_run_t, spamd_spool_t; + type spamd_t, spamd_var_run_t; ') stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) From 4ff4ddfaa3a75121b71a2c4c8ce4f229c3159b07 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 11:05:31 +0200 Subject: [PATCH 13/24] Allow users to ptrace and send any kind of signal to spamassassin agents. --- policy/modules/services/spamassassin.if | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index 5ceb6dab..9c20d364 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -25,9 +25,13 @@ interface(`spamassassin_role',` role $1 types { spamc_t spamassassin_t }; domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) + + allow $2 spamassassin_t:process { ptrace signal_perms }; ps_process_pattern($2, spamassassin_t) domtrans_pattern($2, spamc_exec_t, spamc_t) + + allow $2 spamc_t:process { ptrace signal_perms }; ps_process_pattern($2, spamc_t) manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) From f92662114af7a7c2c63649eaaf4ae157eacbb8ec Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 21:37:38 +0200 Subject: [PATCH 14/24] Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Signed-off-by: Dominick Grift Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Signed-off-by: Dominick Grift Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. --- policy/modules/services/smartmon.if | 1 + policy/modules/services/snmp.if | 1 + policy/modules/services/spamassassin.if | 3 +++ policy/modules/services/sssd.if | 1 + policy/modules/services/tftp.if | 1 + policy/modules/services/vhostmd.if | 7 ++++--- policy/modules/services/xserver.if | 1 + policy/modules/services/zarafa.if | 2 +- 8 files changed, 13 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if index adea9f92..a35509f7 100644 --- a/policy/modules/services/smartmon.if 
+++ b/policy/modules/services/smartmon.if @@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',` type fsdaemon_tmp_t; ') + files_search_tmp($1) allow $1 fsdaemon_tmp_t:file read_file_perms; ') diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if index 275f9fb5..699c2aba 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',` type snmpd_var_lib_t; ') + files_search_var_lib($1) allow $1 snmpd_var_lib_t:dir list_dir_perms; read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index 9c20d364..56950e6a 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -151,6 +151,7 @@ interface(`spamassassin_manage_home_client',` type spamc_home_t; ') + userdom_search_user_home_dirs($1) manage_dirs_pattern($1, spamc_home_t, spamc_home_t) manage_files_pattern($1, spamc_home_t, spamc_home_t) manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t) @@ -249,6 +250,7 @@ interface(`spamassassin_read_spamd_tmp_files',` type spamd_tmp_t; ') + files_search_tmp($1) allow $1 spamd_tmp_t:file read_file_perms; ') @@ -286,6 +288,7 @@ interface(`spamd_stream_connect',` type spamd_t, spamd_var_run_t; ') + files_search_pids($1) stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) ') diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index 82083089..5c346470 100644 --- a/policy/modules/services/sssd.if +++ b/policy/modules/services/sssd.if @@ -89,6 +89,7 @@ interface(`sssd_manage_pids',` type sssd_var_run_t; ') + files_search_pids($1) manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) ') 
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if index 4d10ddac..242576d0 100644 --- a/policy/modules/services/tftp.if +++ b/policy/modules/services/tftp.if @@ -108,6 +108,7 @@ interface(`tftp_admin',` allow $1 tftpd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, tftpd_t) + files_list_var_lib($1) admin_pattern($1, tftpdir_rw_t) admin_pattern($1, tftpdir_t) diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if index dadae8ee..941311e9 100644 --- a/policy/modules/services/vhostmd.if +++ b/policy/modules/services/vhostmd.if @@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',` ') allow $1 vhostmd_tmpfs_t:file read_file_perms; - files_search_tmp($1) + fs_search_tmpfs($1) ') ######################################## @@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',` ') rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) - files_search_tmp($1) + fs_search_tmpfs($1) ') ######################################## @@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',` ') manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) - files_search_tmp($1) + fs_search_tmpfs($1) ') ######################################## @@ -146,6 +146,7 @@ interface(`vhostmd_manage_pid_files',` type vhostmd_var_run_t; ') + files_search_pids($1) manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) ') diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index a42438ad..f6cb1add 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -788,6 +788,7 @@ interface(`xserver_stream_connect_xdm',` ') files_search_tmp($1) + files_search_pids($1) stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t) ') diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if index 29aea13c..78fc1043 100644 --- a/policy/modules/services/zarafa.if 
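Review bot: In the `tftp_admin` hunk the added line is `files_list_var_lib($1)`, while every other hunk in this patch adds a `*_search_*` call, and search is all `admin_pattern` needs to reach content under /var/lib (which the call implies is where `tftpdir_t` lives). Unless listing /var/lib itself is wanted for the admin role, `files_search_var_lib($1)` is the narrower and consistent choice. `tftp_admin` begins outside the hunk.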
+++ b/policy/modules/services/zarafa.if @@ -12,7 +12,6 @@ ## # template(`zarafa_domain_template',` - gen_require(` attribute zarafa_domain; ') @@ -98,5 +97,6 @@ interface(`zarafa_stream_connect_server',` type zarafa_server_t, zarafa_server_var_run_t; ') + files_search_var_lib($1) stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t) ') From b35d25934894aec3b5342369abc1e346f086d5c1 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 08:25:20 +0200 Subject: [PATCH 15/24] XML summary ffixes. XML summary fixes. Signed-off-by: Dominick Grift XML summary fixes. --- policy/modules/services/setroubleshoot.if | 2 +- policy/modules/services/sssd.if | 5 ----- policy/modules/services/virt.if | 2 +- 3 files changed, 2 insertions(+), 7 deletions(-) diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if index 9dc40919..a7fbedc2 100644 --- a/policy/modules/services/setroubleshoot.if +++ b/policy/modules/services/setroubleshoot.if @@ -109,7 +109,7 @@ interface(`setroubleshoot_dbus_chat_fixit',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index 5c346470..a433746b 100644 --- a/policy/modules/services/sssd.if +++ b/policy/modules/services/sssd.if @@ -225,11 +225,6 @@ interface(`sssd_stream_connect',` ## The role to be allowed to manage the sssd domain. ## ## -## -## -## The type of the user terminal. -## -## ## # interface(`sssd_admin',` diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index 1bf06021..9a3d24fe 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -227,7 +227,7 @@ interface(`virt_read_content',` ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # From ba6db03dc0d0651316ed07e1da09774bb2324bd8 Mon Sep 17 00:00:00 2001 
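Review bot: `files_search_var_lib($1)` in the `zarafa_stream_connect_server` hunk searches the wrong parent: `zarafa_server_var_run_t` is declared with `files_pid_file()` in `zarafa_domain_template` (visible in the PATCH 03 context), so the socket lives under /var/run and the caller needs `files_search_pids($1)`. While here, the unchanged `stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)` passes the process domain as the directory type; if the socket sits in a `zarafa_server_var_run_t` directory the second argument should be `zarafa_server_var_run_t` too, as PATCH 01 does for zebra. The interface begins outside the hunk.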
From: Dominick Grift Date: Thu, 16 Sep 2010 11:24:30 +0200 Subject: [PATCH 16/24] Redundant: mta_sendmail_domtrans calls domtrans_pattern which already includes these permissions. --- policy/modules/services/sendmail.if | 4 ---- 1 file changed, 4 deletions(-) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if index 4f7eb51f..1e9cb000 100644 --- a/policy/modules/services/sendmail.if +++ b/policy/modules/services/sendmail.if @@ -51,10 +51,6 @@ interface(`sendmail_domtrans',` ') mta_sendmail_domtrans($1, sendmail_t) - - allow sendmail_t $1:fd use; - allow sendmail_t $1:fifo_file rw_file_perms; - allow sendmail_t $1:process sigchld; ') ####################################### From 59c03405487678f6de02969b4ed3a5e225a36516 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 15 Sep 2010 22:09:15 +0200 Subject: [PATCH 17/24] Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Signed-off-by: Dominick Grift Use permission sets where possible. Signed-off-by: Dominick Grift Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. --- policy/modules/services/sendmail.if | 4 ++-- policy/modules/services/snmp.if | 2 +- policy/modules/services/spamassassin.if | 2 +- policy/modules/services/squid.if | 2 +- policy/modules/services/ssh.if | 10 +++++----- policy/modules/services/virt.if | 2 +- policy/modules/services/xserver.if | 22 +++++++++++----------- 7 files changed, 22 insertions(+), 22 deletions(-) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if index 1e9cb000..0c97e36a 100644 --- a/policy/modules/services/sendmail.if +++ b/policy/modules/services/sendmail.if 
@@ -166,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',` type sendmail_t; ') - allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; + allow $1 sendmail_t:unix_stream_socket rw_socket_perms; ') ######################################## @@ -185,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',` type sendmail_t; ') - dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; + dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms; ') ######################################## diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if index 699c2aba..64e9fb1d 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -84,7 +84,7 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` ') dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; dontaudit $1 snmpd_var_lib_t:file read_file_perms; - dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read }; + dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms; ') ######################################## diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index 56950e6a..f906f43a 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -270,7 +270,7 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` type spamd_tmp_t; ') - dontaudit $1 spamd_tmp_t:sock_file getattr; + dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; ') ######################################## diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if index fb9774ae..dc4f590c 100644 --- a/policy/modules/services/squid.if +++ b/policy/modules/services/squid.if @@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',` type squid_t; ') - allow $1 squid_t:unix_stream_socket { getattr read write }; + allow $1 squid_t:unix_stream_socket rw_socket_perms; ') ######################################## 
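Review bot: `rw_socket_perms` is wider than the `{ getattr read write ioctl }` it replaces in sendmail_rw_unix_stream_sockets — it also carries setattr, append, bind, connect, getopt, setopt and shutdown — so the allow rule now grants more than the "use permission sets" subject suggests; if only I/O on an inherited socket is intended, keep the explicit set, `allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };`. The same widening happens in squid_rw_stream_sockets (`{ getattr read write }` → `rw_socket_perms`), and in the ssh.if hunk for ssh_read_pipes `read_fifo_file_perms` adds `open` to the former `{ getattr read }`, which is notable because the rest of this commit deliberately picks the `_inherited_` sets for pipes obtained by inheritance. The dontaudit counterparts (sendmail_dontaudit_rw_unix_stream_sockets, ssh_dontaudit_read_server_keys) only silence denials, so the wider set is harmless there. Each affected interface's summary could state whether the socket or pipe is expected to be inherited or opened by path, so the narrowest set can be chosen.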
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index d3b2b559..bb8c7d1f 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -189,7 +189,7 @@ template(`ssh_server_template', ` allow $1_t self:unix_stream_socket create_stream_socket_perms; allow $1_t self:shm create_shm_perms; - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom }; term_create_pty($1_t, $1_devpts_t) manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) @@ -485,7 +485,7 @@ interface(`ssh_read_pipes',` type sshd_t; ') - allow $1 sshd_t:fifo_file { getattr read }; + allow $1 sshd_t:fifo_file read_fifo_file_perms; ') ######################################## ## @@ -502,7 +502,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') - allow $1 sshd_t:fifo_file { write read getattr ioctl }; + allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -645,7 +645,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') - allow $1 sshd_key_t:file setattr; + allow $1 sshd_key_t:file setattr_file_perms; files_search_pids($1) ') @@ -722,7 +722,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') - dontaudit $1 sshd_key_t:file { getattr read }; + dontaudit $1 sshd_key_t:file read_file_perms; ') ###################################### diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index 9a3d24fe..1840faaf 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -38,7 +38,7 @@ template(`virt_domain_template',` dev_node($1_image_t) dev_associate_sysfs($1_image_t) - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty($1_t, $1_devpts_t) manage_dirs_pattern($1_t, $1_image_t, $1_image_t) 
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index f6cb1add..54f5506e 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -73,11 +73,11 @@ interface(`xserver_restricted_role',` # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; + allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file { read write }; + allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; dontaudit $2 xdm_t:tcp_socket { read write }; - dontaudit $2 xdm_tmp_t:dir setattr; + dontaudit $2 xdm_tmp_t:dir setattr_dir_perms; allow $2 xdm_t:dbus send_msg; allow xdm_t $2:dbus send_msg; @@ -87,7 +87,7 @@ interface(`xserver_restricted_role',` allow $2 xserver_tmpfs_t:file read_file_perms; # Read /tmp/.X0-lock - allow $2 xserver_tmp_t:file { getattr read }; + allow $2 xserver_tmp_t:file read_inherited_file_perms; dev_rw_xserver_misc($2) dev_rw_power_management($2) @@ -489,9 +489,9 @@ template(`xserver_user_x_domain_template',` # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; + allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file { read write }; + allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. @@ -675,7 +675,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') - allow $1 xconsole_device_t:fifo_file setattr; + allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms; ') ######################################## 
@@ -748,7 +748,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') - allow $1 xdm_t:fifo_file { getattr read write }; + allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -827,7 +827,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') - allow $1 xdm_tmp_t:dir setattr; + allow $1 xdm_tmp_t:dir setattr_dir_perms; ') ######################################## @@ -959,7 +959,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) - allow $1 xserver_log_t:file getattr; + allow $1 xserver_log_t:file getattr_file_perms; ') ######################################## @@ -1152,7 +1152,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') - dontaudit $1 xdm_tmp_t:sock_file getattr; + dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; ') ######################################## From dcf87460eb28fd3388aebd0a30d1c5b95b3bc230 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 08:24:26 +0200 Subject: [PATCH 18/24] Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 
Signed-off-by: Dominick Grift Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. --- policy/modules/services/samba.if | 8 ++----- policy/modules/services/sendmail.if | 16 ++++++------- policy/modules/services/smokeping.if | 4 ++-- policy/modules/services/snmp.if | 9 +++---- policy/modules/services/snort.if | 4 ++-- policy/modules/services/spamassassin.if | 3 +-- policy/modules/services/ssh.if | 7 ++---- policy/modules/services/sssd.if | 4 ++-- policy/modules/services/stunnel.if | 2 +- policy/modules/services/tftp.if | 12 +++++----- policy/modules/services/tgtd.if | 32 ++++++++++++------------- policy/modules/services/tuned.if | 4 ++-- policy/modules/services/ucspitcp.if | 2 +- policy/modules/services/ulogd.if | 8 +++---- policy/modules/services/usbmuxd.if | 4 ++-- policy/modules/services/varnishd.if | 24 +++++++++---------- policy/modules/services/vhostmd.if | 7 +++--- policy/modules/services/virt.if | 8 +++---- 18 files changed, 74 insertions(+), 84 deletions(-) diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index 89935be3..50cc6130 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -722,6 +722,7 @@ template(`samba_helper_template',` gen_require(` type smbd_t; ') + #This type is for samba helper scripts type samba_$1_script_t; domain_type(samba_$1_script_t) @@ -734,7 +735,6 @@ template(`samba_helper_template',` domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) allow smbd_t samba_$1_script_exec_t:file ioctl; - ') ######################################## 
@@ -760,16 +760,12 @@ interface(`samba_admin',` type smbd_t, smbd_tmp_t; type smbd_var_run_t; type samba_initrc_exec_t; - type samba_log_t, samba_var_t; type samba_etc_t, samba_share_t; type samba_secrets_t; - type swat_var_run_t, swat_tmp_t; - type winbind_var_run_t, winbind_tmp_t; type winbind_log_t; - type samba_unconfined_script_t, samba_unconfined_script_exec_t; ') @@ -781,7 +777,7 @@ interface(`samba_admin',` allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr }; read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t) - + samba_run_smbcontrol($1, $2, $3) samba_run_winbind_helper($1, $2, $3) samba_run_smbmount($1, $2, $3) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if index 0c97e36a..4fc41acc 100644 --- a/policy/modules/services/sendmail.if +++ b/policy/modules/services/sendmail.if @@ -58,17 +58,17 @@ interface(`sendmail_domtrans',` ## Execute sendmail in the sendmail domain. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # -interface(`sendmail_initrc_domtrans', ` - gen_require(` - type sendmail_initrc_exec_t; - ') +interface(`sendmail_initrc_domtrans',` + gen_require(` + type sendmail_initrc_exec_t; + ') - init_labeled_script_domtrans($1, sendmail_initrc_exec_t) + init_labeled_script_domtrans($1, sendmail_initrc_exec_t) ') ######################################## diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if index 824d206e..82652781 100644 --- a/policy/modules/services/smokeping.if +++ b/policy/modules/services/smokeping.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run smokeping. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`smokeping_domtrans',` diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if index 64e9fb1d..cbe0584b 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if 
@@ -11,12 +11,12 @@ ## # interface(`snmp_stream_connect',` - gen_require(` + gen_require(` type snmpd_t, snmpd_var_lib_t; - ') + ') - files_search_var_lib($1) - stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) + files_search_var_lib($1) + stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) ') ######################################## @@ -82,6 +82,7 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` gen_require(` type snmpd_var_lib_t; ') + dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; dontaudit $1 snmpd_var_lib_t:file read_file_perms; dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms; diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if index c117e8b5..215f4254 100644 --- a/policy/modules/services/snort.if +++ b/policy/modules/services/snort.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run snort. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`snort_domtrans',` diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index f906f43a..b87e327e 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -59,7 +59,6 @@ interface(`spamassassin_exec',` ') can_exec($1, spamassassin_exec_t) - ') ######################################## @@ -318,7 +317,7 @@ interface(`spamassassin_spamd_admin',` allow $1 spamd_t:process { ptrace signal_perms }; ps_process_pattern($1, spamd_t) - + init_labeled_script_domtrans($1, spamd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 spamd_initrc_exec_t system_r; diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index bb8c7d1f..078490e2 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,7 +32,6 @@ ## # template(`ssh_basic_client_template',` - gen_require(` attribute ssh_server; type ssh_exec_t, sshd_key_t, sshd_tmp_t; 
@@ -167,7 +166,7 @@ template(`ssh_basic_client_template',` ## ## # -template(`ssh_server_template', ` +template(`ssh_server_template',` type $1_t, ssh_server; auth_login_pgm_domain($1_t) @@ -305,7 +304,6 @@ template(`ssh_server_template', ` template(`ssh_role_template',` gen_require(` attribute ssh_server, ssh_agent_type; - type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; type ssh_agent_tmp_t; @@ -487,6 +485,7 @@ interface(`ssh_read_pipes',` allow $1 sshd_t:fifo_file read_fifo_file_perms; ') + ######################################## ## ## Read and write a ssh server unnamed pipe. @@ -592,7 +591,6 @@ interface(`ssh_domtrans',` domtrans_pattern($1, sshd_exec_t, sshd_t) ') - ######################################## ## ## Execute sshd server in the sshd domain. @@ -780,4 +778,3 @@ interface(`ssh_signull',` allow $1 sshd_t:process signull; ') - diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index a433746b..d33bae08 100644 --- a/policy/modules/services/sssd.if +++ b/policy/modules/services/sssd.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run sssd. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`sssd_domtrans',` diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if index 6073656f..eaf49b20 100644 --- a/policy/modules/services/stunnel.if +++ b/policy/modules/services/stunnel.if @@ -20,6 +20,6 @@ interface(`stunnel_service_domain',` type stunnel_t; ') - domtrans_pattern(stunnel_t,$2,$1) + domtrans_pattern(stunnel_t, $2, $1) allow $1 stunnel_t:tcp_socket rw_socket_perms; ') diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if index 242576d0..b17d182a 100644 --- a/policy/modules/services/tftp.if +++ b/policy/modules/services/tftp.if 
@@ -64,19 +64,19 @@ interface(`tftp_manage_rw_content',` ## with specified types. ## ## -## +## ## Domain allowed access. -## +## ## ## -## +## ## Private file type. -## +## ## ## -## +## ## Class of the object being created. -## +## ## # interface(`tftp_filetrans_tftpdir',` diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if index 74beaaa5..c2ed23a8 100644 --- a/policy/modules/services/tgtd.if +++ b/policy/modules/services/tgtd.if @@ -11,36 +11,36 @@ ##################################### ## -## Allow read and write access to tgtd semaphores. +## Allow read and write access to tgtd semaphores. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`tgtd_rw_semaphores',` - gen_require(` - type tgtd_t; - ') + gen_require(` + type tgtd_t; + ') - allow $1 tgtd_t:sem rw_sem_perms; + allow $1 tgtd_t:sem rw_sem_perms; ') ###################################### ## -## Manage tgtd sempaphores. +## Manage tgtd sempaphores. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`tgtd_manage_semaphores',` - gen_require(` - type tgtd_t; - ') + gen_require(` + type tgtd_t; + ') - allow $1 tgtd_t:sem create_sem_perms; + allow $1 tgtd_t:sem create_sem_perms; ') diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if index 54b86059..fa7ade88 100644 --- a/policy/modules/services/tuned.if +++ b/policy/modules/services/tuned.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run tuned. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`tuned_domtrans',` diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if index bf821706..1f6f55bd 100644 --- a/policy/modules/services/ucspitcp.if +++ b/policy/modules/services/ucspitcp.if @@ -20,7 +20,7 @@ ## ## # -interface(`ucspitcp_service_domain', ` +interface(`ucspitcp_service_domain',` gen_require(` type ucspitcp_t; role system_r; 
diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if index b078bf75..48c528aa 100644 --- a/policy/modules/services/ulogd.if +++ b/policy/modules/services/ulogd.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run ulogd. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`ulogd_domtrans',` @@ -65,9 +65,9 @@ interface(`ulogd_read_log',` ## Allow the specified domain to search ulogd's log files. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`ulogd_search_log',` diff --git a/policy/modules/services/usbmuxd.if b/policy/modules/services/usbmuxd.if index 50150434..53792d33 100644 --- a/policy/modules/services/usbmuxd.if +++ b/policy/modules/services/usbmuxd.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run usbmuxd. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`usbmuxd_domtrans',` diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if index 92142373..0bbbb0de 100644 --- a/policy/modules/services/varnishd.if +++ b/policy/modules/services/varnishd.if @@ -21,7 +21,7 @@ interface(`varnishd_domtrans',` ####################################### ## -## Execute varnishd +## Execute varnishd ## ## ## @@ -61,18 +61,18 @@ interface(`varnishd_read_config',` ## Read varnish lib files. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`varnishd_read_lib_files',` - gen_require(` - type varnishd_var_lib_t; - ') + gen_require(` + type varnishd_var_lib_t; + ') - files_search_var_lib($1) - read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) + files_search_var_lib($1) + read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) ') ####################################### 
@@ -165,11 +165,10 @@ interface(`varnishd_admin_varnishlog',` allow $2 system_r; files_search_pids($1) - admin_pattern($1, varnishlog_var_run_t) + admin_pattern($1, varnishlog_var_run_t) logging_list_logs($1) admin_pattern($1, varnishlog_log_t) - ') ####################################### @@ -192,7 +191,7 @@ interface(`varnishd_admin_varnishlog',` interface(`varnishd_admin',` gen_require(` type varnishd_t, varnishd_var_lib_t, varnishd_etc_t; - type varnishd_var_run_t, varnishd_tmp_t; + type varnishd_var_run_t, varnishd_tmp_t; type varnishd_initrc_exec_t; ') @@ -215,5 +214,4 @@ interface(`varnishd_admin',` files_search_tmp($1) admin_pattern($1, varnishd_tmp_t) - ') diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if index 941311e9..da605baa 100644 --- a/policy/modules/services/vhostmd.if +++ b/policy/modules/services/vhostmd.if @@ -5,9 +5,9 @@ ## Execute a domain transition to run vhostmd. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`vhostmd_domtrans',` @@ -147,7 +147,7 @@ interface(`vhostmd_manage_pid_files',` ') files_search_pids($1) - manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) + manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) ') ######################################## @@ -221,5 +221,4 @@ interface(`vhostmd_admin',` vhostmd_manage_tmpfs_files($1) vhostmd_manage_pid_files($1) - ') diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index 1840faaf..50ef959d 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -91,9 +91,9 @@ interface(`virt_image',` ## Execute a domain transition to run virt. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`virt_domtrans',` @@ -380,9 +380,9 @@ interface(`virt_read_log',` ## virt log files. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`virt_append_log',` From 819518c27304d52b66403a30023359ebbc43ebc3 Mon Sep 17 00:00:00 2001 
From: Dominick Grift Date: Thu, 16 Sep 2010 08:40:52 +0200 Subject: [PATCH 19/24] The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. Signed-off-by: Dominick Grift The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. --- policy/modules/services/samba.if | 2 +- policy/modules/services/sasl.if | 2 +- policy/modules/services/sendmail.if | 4 ++-- policy/modules/services/smartmon.if | 2 +- policy/modules/services/snmp.if | 2 +- policy/modules/services/sssd.if | 2 +- policy/modules/services/tftp.if | 2 +- policy/modules/services/tor.if | 2 +- policy/modules/services/uucp.if | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index 50cc6130..20a1f782 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -775,7 +775,7 @@ interface(`samba_admin',` allow $1 nmbd_t:process { ptrace signal_perms }; ps_process_pattern($1, nmbd_t) - allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr }; + allow $1 samba_unconfined_script_t:process { ptrace signal_perms }; read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t) samba_run_smbcontrol($1, $2, $3) diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if index f1aea88a..c3ffa9d7 100644 --- a/policy/modules/services/sasl.if 
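Review bot: Dropping `getattr` from the `samba_unconfined_script_t:process` rule is only a no-op if ps_process_pattern is applied to that domain, but the adjacent line is `read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)`, which carries no process permissions; the same holds for sendmail_t and unconfined_sendmail_t in the sendmail_admin hunk and for sssd_t in the sssd_admin hunk of this commit. The switch to ps_process_pattern for those four domains only lands in the next patch (20/24), so at this commit samba_admin, sendmail_admin and sssd_admin lose `process getattr` on them, which breaks bisecting. Reordering so the ps_process_pattern change comes first, or squashing the two patches, keeps each commit self-consistent. samba_admin's body continues on both sides of the hunk.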
+++ b/policy/modules/services/sasl.if @@ -42,7 +42,7 @@ interface(`sasl_admin',` type saslauthd_initrc_exec_t; ') - allow $1 saslauthd_t:process { ptrace signal_perms getattr }; + allow $1 saslauthd_t:process { ptrace signal_perms }; ps_process_pattern($1, saslauthd_t) init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if index 4fc41acc..b0c2f3ba 100644 --- a/policy/modules/services/sendmail.if +++ b/policy/modules/services/sendmail.if @@ -334,10 +334,10 @@ interface(`sendmail_admin',` type mail_spool_t; ') - allow $1 sendmail_t:process { ptrace signal_perms getattr }; + allow $1 sendmail_t:process { ptrace signal_perms }; read_files_pattern($1, sendmail_t, sendmail_t) - allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr }; + allow $1 unconfined_sendmail_t:process { ptrace signal_perms }; read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t) sendmail_initrc_domtrans($1) diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if index a35509f7..d5b2d934 100644 --- a/policy/modules/services/smartmon.if +++ b/policy/modules/services/smartmon.if @@ -42,7 +42,7 @@ interface(`smartmon_admin',` type fsdaemon_initrc_exec_t; ') - allow $1 fsdaemon_t:process { ptrace signal_perms getattr }; + allow $1 fsdaemon_t:process { ptrace signal_perms }; ps_process_pattern($1, fsdaemon_t) init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if index cbe0584b..6aa68d80 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -130,7 +130,7 @@ interface(`snmp_admin',` type snmpd_initrc_exec_t; ') - allow $1 snmpd_t:process { ptrace signal_perms getattr }; + allow $1 snmpd_t:process { ptrace signal_perms }; ps_process_pattern($1, snmpd_t) init_labeled_script_domtrans($1, snmpd_initrc_exec_t) 
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index d33bae08..7e44f26e 100644 --- a/policy/modules/services/sssd.if +++ b/policy/modules/services/sssd.if @@ -233,7 +233,7 @@ interface(`sssd_admin',` type sssd_initrc_exec_t; ') - allow $1 sssd_t:process { ptrace signal_perms getattr }; + allow $1 sssd_t:process { ptrace signal_perms }; read_files_pattern($1, sssd_t, sssd_t) # Allow sssd_t to restart the apache service diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if index b17d182a..1427b54b 100644 --- a/policy/modules/services/tftp.if +++ b/policy/modules/services/tftp.if @@ -105,7 +105,7 @@ interface(`tftp_admin',` type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; ') - allow $1 tftpd_t:process { ptrace signal_perms getattr }; + allow $1 tftpd_t:process { ptrace signal_perms }; ps_process_pattern($1, tftpd_t) files_list_var_lib($1) diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if index 904f13e1..464347fe 100644 --- a/policy/modules/services/tor.if +++ b/policy/modules/services/tor.if @@ -42,7 +42,7 @@ interface(`tor_admin',` type tor_initrc_exec_t; ') - allow $1 tor_t:process { ptrace signal_perms getattr }; + allow $1 tor_t:process { ptrace signal_perms }; ps_process_pattern($1, tor_t) init_labeled_script_domtrans($1, tor_initrc_exec_t) diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if index 0e4774c8..a717e2d6 100644 --- a/policy/modules/services/uucp.if +++ b/policy/modules/services/uucp.if @@ -99,7 +99,7 @@ interface(`uucp_admin',` type uucpd_var_run_t; ') - allow $1 uucpd_t:process { ptrace signal_perms getattr }; + allow $1 uucpd_t:process { ptrace signal_perms }; ps_process_pattern($1, uucpd_t) logging_list_logs($1) From 2de2341198332725de7fda5f4b0c1312d13bdbf5 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Thu, 16 Sep 2010 09:31:27 +0200 Subject: [PATCH 20/24] Use ps_process_pattern to read state. 
Signed-off-by: Dominick Grift Use ps_process_pattern to read state. Use ps_process_pattern to read state. --- policy/modules/services/samba.if | 2 +- policy/modules/services/sendmail.if | 4 ++-- policy/modules/services/sssd.if | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index 20a1f782..93b58ea2 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -776,7 +776,7 @@ interface(`samba_admin',` ps_process_pattern($1, nmbd_t) allow $1 samba_unconfined_script_t:process { ptrace signal_perms }; - read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t) + ps_process_pattern($1, samba_unconfined_script_t) samba_run_smbcontrol($1, $2, $3) samba_run_winbind_helper($1, $2, $3) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if index b0c2f3ba..cf9fdcdd 100644 --- a/policy/modules/services/sendmail.if +++ b/policy/modules/services/sendmail.if @@ -335,10 +335,10 @@ interface(`sendmail_admin',` ') allow $1 sendmail_t:process { ptrace signal_perms }; - read_files_pattern($1, sendmail_t, sendmail_t) + ps_process_pattern($1, sendmail_t) allow $1 unconfined_sendmail_t:process { ptrace signal_perms }; - read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t) + ps_process_pattern($1, unconfined_sendmail_t) sendmail_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index 7e44f26e..39cc338c 100644 --- a/policy/modules/services/sssd.if +++ b/policy/modules/services/sssd.if @@ -234,7 +234,7 @@ interface(`sssd_admin',` ') allow $1 sssd_t:process { ptrace signal_perms }; - read_files_pattern($1, sssd_t, sssd_t) + ps_process_pattern($1, sssd_t) # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) From 2f94f46028c8a4c66a73627741b6e8da25177b50 Mon Sep 17 00:00:00 2001 
From: Dominick Grift Date: Wed, 15 Sep 2010 22:19:38 +0200 Subject: [PATCH 21/24] Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Signed-off-by: Dominick Grift Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. --- policy/modules/services/samba.if | 15 +++++---------- policy/modules/services/sssd.if | 3 +-- policy/modules/services/tuned.if | 3 +-- policy/modules/services/ulogd.if | 3 +-- policy/modules/services/varnishd.if | 3 +-- policy/modules/services/virt.if | 9 +++------ policy/modules/services/xserver.if | 24 ++++++++---------------- 7 files changed, 20 insertions(+), 40 deletions(-) diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index 93b58ea2..aea4eac4 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -490,8 +490,7 @@ interface(`samba_manage_var_files',` # interface(`samba_domtrans_smbcontrol',` gen_require(` - type smbcontrol_t; - type smbcontrol_exec_t; + type smbcontrol_t, smbcontrol_exec_t; ') domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) 
@@ -756,16 +755,12 @@ template(`samba_helper_template',` # interface(`samba_admin',` gen_require(` - type nmbd_t, nmbd_var_run_t; - type smbd_t, smbd_tmp_t; - type smbd_var_run_t; - type samba_initrc_exec_t; - type samba_log_t, samba_var_t; - type samba_etc_t, samba_share_t; - type samba_secrets_t; + type nmbd_t, nmbd_var_run_t, smbd_var_run_t; + type smbd_t, smbd_tmp_t, samba_secrets_t; + type samba_initrc_exec_t, samba_log_t, samba_var_t; + type samba_etc_t, samba_share_t, winbind_log_t; type swat_var_run_t, swat_tmp_t; type winbind_var_run_t, winbind_tmp_t; - type winbind_log_t; type samba_unconfined_script_t, samba_unconfined_script_exec_t; ') diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index 39cc338c..6dbfc016 100644 --- a/policy/modules/services/sssd.if +++ b/policy/modules/services/sssd.if @@ -229,8 +229,7 @@ interface(`sssd_stream_connect',` # interface(`sssd_admin',` gen_require(` - type sssd_t, sssd_public_t; - type sssd_initrc_exec_t; + type sssd_t, sssd_public_t, sssd_initrc_exec_t; ') allow $1 sssd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if index fa7ade88..329f1390 100644 --- a/policy/modules/services/tuned.if +++ b/policy/modules/services/tuned.if @@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',` # interface(`tuned_admin',` gen_require(` - type tuned_t, tuned_var_run_t; - type tuned_initrc_exec_t; + type tuned_t, tuned_var_run_t, tuned_initrc_exec_t; ') allow $1 tuned_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if index 48c528aa..e3c66d8a 100644 --- a/policy/modules/services/ulogd.if +++ b/policy/modules/services/ulogd.if 
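Review bot: The regrouped gen_require in samba_admin orders types by line length rather than by daemon — `smbd_var_run_t` now sits with the nmbd types, `samba_secrets_t` with the smbd types, and `winbind_log_t` on the `samba_etc_t` line while the other winbind types keep their own line — which makes it hard to confirm by eye that nothing was dropped (nothing was; all twelve types from the removed lines survive). Grouping by daemon, e.g. `type smbd_t, smbd_tmp_t, smbd_var_run_t;` and `type winbind_var_run_t, winbind_tmp_t, winbind_log_t;`, keeps the list reviewable and matches how the surviving swat and winbind lines are already grouped. samba_admin's body continues outside the hunk.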
@@ -119,9 +119,8 @@ interface(`ulogd_append_log',` # interface(`ulogd_admin',` gen_require(` - type ulogd_t, ulogd_etc_t; + type ulogd_t, ulogd_etc_t, ulogd_modules_t; type ulogd_var_log_t, ulogd_initrc_exec_t; - type ulogd_modules_t; ') allow $1 ulogd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if index 0bbbb0de..e0f819e9 100644 --- a/policy/modules/services/varnishd.if +++ b/policy/modules/services/varnishd.if @@ -151,9 +151,8 @@ interface(`varnishd_manage_log',` # interface(`varnishd_admin_varnishlog',` gen_require(` - type varnishlog_t; + type varnishlog_t, varnishlog_initrc_exec_t; type varnishlog_var_run_t, varnishlog_log_t; - type varnishlog_initrc_exec_t; ') allow $1 varnishlog_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index 50ef959d..6fa35aab 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -14,8 +14,7 @@ template(`virt_domain_template',` gen_require(` type virtd_t; - attribute virt_image_type; - attribute virt_domain; + attribute virt_image_type, virt_domain; ') type $1_t, virt_domain; @@ -154,8 +153,7 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` gen_require(` - type virt_etc_t; - type virt_etc_rw_t; + type virt_etc_t, virt_etc_rw_t; ') files_search_etc($1) @@ -176,8 +174,7 @@ interface(`virt_read_config',` # interface(`virt_manage_config',` gen_require(` - type virt_etc_t; - type virt_etc_rw_t; + type virt_etc_t, virt_etc_rw_t; ') files_search_etc($1) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 54f5506e..73432ead 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if 
@@ -363,9 +363,8 @@ template(`xserver_common_x_domain_template',`
 type xevent_t, client_xevent_t;
 type input_xevent_t, $1_input_xevent_t;
- attribute x_domain;
+ attribute x_domain, input_xevent_type;
 attribute xdrawable_type, xcolormap_type;
- attribute input_xevent_type;
 class x_drawable all_x_drawable_perms;
 class x_property all_x_property_perms;
@@ -783,8 +782,7 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 #
 interface(`xserver_stream_connect_xdm',`
 gen_require(`
- type xdm_t, xdm_tmp_t;
- type xdm_var_run_t;
+ type xdm_t, xdm_tmp_t, xdm_var_run_t;
 ')
 files_search_tmp($1)
@@ -1323,13 +1321,12 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 gen_require(`
- type xserver_t;
+ type xserver_t, root_xdrawable_t;
 class x_device all_x_device_perms;
 class x_pointer all_x_pointer_perms;
 class x_keyboard all_x_keyboard_perms;
 class x_screen all_x_screen_perms;
 class x_drawable { manage };
- type root_xdrawable_t;
 attribute x_domain;
 class x_drawable { read manage setattr show };
 class x_resource { write read };
@@ -1357,8 +1354,7 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 gen_require(`
- attribute x_domain;
- attribute xserver_unconfined_type;
+ attribute x_domain, xserver_unconfined_type;
 ')
 typeattribute $1 x_domain;
@@ -1377,8 +1373,7 @@ interface(`xserver_unconfined',`
 #
 interface(`xserver_dontaudit_append_xdm_home_files',`
 gen_require(`
- type xdm_home_t;
- type xserver_tmp_t;
+ type xdm_home_t, xserver_tmp_t;
 ')
 dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
@@ -1405,8 +1400,7 @@ interface(`xserver_dontaudit_append_xdm_home_files',`
 #
 interface(`xserver_append_xdm_home_files',`
 gen_require(`
- type xdm_home_t;
- type xserver_tmp_t;
+ type xdm_home_t, xserver_tmp_t;
 ')
 allow $1 xdm_home_t:file append_file_perms;
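Review bot: In the xserver_manage_core_devices require block (hunk `@@ -1323,13 +1321,12 @@`) `class x_drawable` is still required twice on the new side — `class x_drawable { manage };` and, a few lines further down, `class x_drawable { read manage setattr show };` — and the second permission set already contains the first. Since this commit is consolidating that very block, folding the two into the single line `class x_drawable { read manage setattr show };` would leave one class requirement without changing what the interface needs. As far as I can tell the duplicate is harmless to the build, so this is a tidiness point only. The interface body continues outside the hunk.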
@@ -1570,8 +1564,7 @@ template(`xserver_read_user_iceauth',`
 #
 interface(`xserver_rw_inherited_user_fonts',`
 gen_require(`
- type user_fonts_t;
- type user_fonts_config_t;
+ type user_fonts_t, user_fonts_config_t;
 ')
 allow $1 user_fonts_t:file rw_inherited_file_perms;
@@ -1678,8 +1671,7 @@ interface(`xserver_run_xauth',`
 #
 interface(`xserver_manage_home_fonts',`
 gen_require(`
- type user_fonts_t;
- type user_fonts_config_t;
+ type user_fonts_t, user_fonts_config_t;
 ')
 manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
From 23ac318d30df67995a66f5cba4e12c520eb914c7 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Thu, 16 Sep 2010 11:41:09 +0200
Subject: [PATCH 22/24] Requires system_r role.
---
 policy/modules/services/samba.if | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index aea4eac4..083930dd 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -720,6 +720,7 @@ interface(`samba_stream_connect_winbind',`
 template(`samba_helper_template',`
 gen_require(`
 type smbd_t;
+ role system_r;
 ')
 #This type is for samba helper scripts
From 0dacd040c3a5e93d32b121a6931b05d3ef322634 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Thu, 16 Sep 2010 11:44:20 +0200
Subject: [PATCH 23/24] Whitespace, newline and tab fixes.
---
 policy/modules/services/samba.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 083930dd..1ebc1d59 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -483,9 +483,9 @@ interface(`samba_manage_var_files',`
 ## Execute a domain transition to run smbcontrol.
 ##
 ##
-##
+##
 ## Domain allowed to transition.
-##
+##
 ##
 #
 interface(`samba_domtrans_smbcontrol',`
From 9c9e4c8180b83951c18abe8b4625be029d1238ab Mon Sep 17 00:00:00 2001
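Review bot: The `role system_r;` added to samba_helper_template's require block (hunk `@@ -720,6 +720,7 @@`) declares a dependency that nothing visible in the hunk uses; the `role system_r types …` statement it presumably supports lives in the template body outside the hunk, so confirm it is there, otherwise the require is dead. Because that statement makes every helper domain the template creates reachable from system_r, the template's XML doc block should state it, e.g. `## The helper domain is authorized for the system_r role.`, so callers know the role binding is part of the contract rather than discovering it from the require line. The template body continues outside the hunk.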
From: Dominick Grift
Date: Wed, 15 Sep 2010 21:59:34 +0200
Subject: [PATCH 24/24] This is a role capability. This is a role capability. This is a role capability.
Signed-off-by: Dominick Grift
This is a role capability. This is a role capability.
---
 policy/modules/services/samba.if | 1 +
 policy/modules/services/spamassassin.if | 1 +
 policy/modules/services/ssh.if | 1 +
 policy/modules/services/virt.if | 1 +
 policy/modules/services/xserver.if | 2 ++
 5 files changed, 6 insertions(+)
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 1ebc1d59..84732e51 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -131,6 +131,7 @@ interface(`samba_run_net',`
 ## The role to be allowed the samba_net domain.
 ##
 ##
+##
 #
 template(`samba_role_notrans',`
 gen_require(`
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index b87e327e..7f57f224 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -14,6 +14,7 @@
 ## User domain for the role
 ##
 ##
+##
 #
 interface(`spamassassin_role',`
 gen_require(`
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 078490e2..784c3635 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -300,6 +300,7 @@ template(`ssh_server_template',`
 ## User domain for the role
 ##
 ##
+##
 #
 template(`ssh_role_template',`
 gen_require(`
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 6fa35aab..e584e21c 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -575,6 +575,7 @@ interface(`virt_admin',`
 ## The role to be allowed the sandbox domain.
 ##
 ##
+##
 #
 interface(`virt_transition_svirt',`
 gen_require(`
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 73432ead..f34a53f2 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1624,6 +1624,7 @@ interface(`xserver_entry_type',`
 ## The role to be allowed the xserver domain.
 ##
 ##
+##
 #
 interface(`xserver_run',`
 gen_require(`
@@ -1649,6 +1650,7 @@ interface(`xserver_run',`
 ## The role to be allowed the xserver domain.
 ##
 ##
+##
 #
 interface(`xserver_run_xauth',`
 gen_require(`