allow all domains to use /dev/{zero,null,tty}

refpolicy/policy/modules/admin/netutils.te

@@ -118,8 +118,6 @@ corenetwork_bind_tcp_on_all_nodes(ping_t)
 
 filesystem_ignore_get_persistent_filesystem_attributes(ping_t)
 
-terminal_ignore_use_controlling_terminal(ping_t)
-
 domain_use_widely_inheritable_file_descriptors(ping_t)
 
 files_read_general_system_config(ping_t)

refpolicy/policy/modules/admin/usermanage.te

@@ -87,7 +87,6 @@ kernel_compute_reachable_user_contexts(chfn_t)
 
 terminal_use_all_users_physical_terminals(chfn_t)
 terminal_use_all_users_pseudoterminals(chfn_t)
-terminal_use_controlling_terminal(chfn_t)
 
 filesystem_get_persistent_filesystem_attributes(chfn_t)
 
@@ -167,8 +166,6 @@ devices_get_pseudorandom_data(crack_t)
 
 filesystem_get_persistent_filesystem_attributes(crack_t)
 
-terminal_use_controlling_terminal(crack_t)
-
 files_read_general_system_config(crack_t)
 files_read_runtime_system_config(crack_t)
 # for dictionaries
@@ -310,7 +307,6 @@ filesystem_get_persistent_filesystem_attributes(passwd_t)
 
 terminal_use_all_users_physical_terminals(passwd_t)
 terminal_use_all_users_pseudoterminals(passwd_t)
-terminal_use_controlling_terminal(passwd_t)
 
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
@@ -411,7 +407,6 @@ filesystem_get_persistent_filesystem_attributes(sysadm_passwd_t)
 
 terminal_use_all_users_physical_terminals(sysadm_passwd_t)
 terminal_use_all_users_pseudoterminals(sysadm_passwd_t)
-terminal_use_controlling_terminal(sysadm_passwd_t)
 
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.

refpolicy/policy/modules/kernel/bootloader.te

@@ -104,7 +104,6 @@ logging_send_system_log_message(bootloader_t)
 
 filesystem_get_persistent_filesystem_attributes(bootloader_t)
 
-terminal_use_controlling_terminal(bootloader_t)
 terminal_get_all_users_physical_terminal_attributes(bootloader_t)
 
 allow bootloader_t bootloader_etc_t:file { getattr read };

refpolicy/policy/modules/kernel/devices.if

@@ -297,15 +297,31 @@ class chr_file { getattr write ioctl };
 
 ########################################
 #
-# devices_discard_data_stream(domain)
+# devices_read_dev_null(domain)
 #
-define(`devices_discard_data_stream',`
+define(`devices_read_dev_null',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr read search };
+allow $1 null_device_t:chr_file { getattr read };
+')
+
+define(`devices_read_dev_null_depend',`
+type device_t, null_device_t;
+class device_t:dir { getattr read search };
+class chr_file { getattr read };
+')
+
+########################################
+#
+# devices_write_dev_null(domain)
+#
+define(`devices_write_dev_null',`
 requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 null_device_t:chr_file { getattr append write };
 ')
 
-define(`devices_discard_data_stream_depend',`
+define(`devices_write_dev_null_depend',`
 type device_t, null_device_t;
 class device_t:dir { getattr read search };
 class chr_file { getattr append write };
@@ -313,20 +329,54 @@ class chr_file { getattr append write };
 
 ########################################
 #
-# devices_get_zeros(domain)
+# devices_use_dev_null(domain)
 #
-define(`devices_get_zeros',`
+define(`devices_use_dev_null',`
+devices_read_dev_null($1)
+devices_write_dev_null($1)
+')
+
+########################################
+#
+# devices_read_dev_zero(domain)
+#
+define(`devices_read_dev_zero',`
 requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 zero_device_t:chr_file { getattr read };
 ')
 
-define(`devices_get_zeros_depend',`
+define(`devices_read_dev_zero_depend',`
 type device_t, zero_device_t;
 class device_t:dir { getattr read search };
 class chr_file { getattr read };
 ')
 
+########################################
+#
+# devices_write_dev_zero(domain)
+#
+define(`devices_write_dev_zero',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr read search };
+allow $1 zero_device_t:chr_file { getattr append write };
+')
+
+define(`devices_write_dev_zero_depend',`
+type device_t, zero_device_t;
+class device_t:dir { getattr read search };
+class chr_file { getattr append write };
+')
+
+########################################
+#
+# devices_use_dev_zero(domain)
+#
+define(`devices_use_dev_zero',`
+devices_read_dev_zero($1)
+devices_write_dev_zero($1)
+')
+
 ########################################
 #
 # devices_read_realtime_clock(domain)

refpolicy/policy/modules/system/authlogin.if

@@ -15,8 +15,8 @@ domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
 role $1_r types $1_chkpwd_t;
 role $1_r types system_chkpwd_t;
 
-# Use capabilities.
 allow $1_chkpwd_t self:capability setuid;
+allow $1_chkpwd_t self:process getattr;
 
 authlogin_read_shadow_passwords($1_chkpwd_t)
 logging_send_system_log_message($1_chkpwd_t)
@@ -30,11 +30,23 @@ filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)
 
 # is_selinux_enabled
 kernel_read_system_state($1_chkpwd_t)
-#can_getcon($1_chkpwd_t)
 #can_ypbind($1_chkpwd_t)
 #can_kerberos($1_chkpwd_t)
 #can_ldap($1_chkpwd_t)
-#can_resolve($1_chkpwd_t)
+
+tunable_policy(`use_dns',`
+allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces($1_chkpwd_t)
+corenetwork_network_raw_on_all_interfaces($1_chkpwd_t)
+corenetwork_network_udp_on_all_nodes($1_chkpwd_t)
+corenetwork_network_raw_on_all_nodes($1_chkpwd_t)
+corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
+corenetwork_network_udp_on_dns_port($1_chkpwd_t)
+sysnetwork_read_network_config($1_chkpwd_t)
+') dnl end use_dns
+
+# for nscd
+files_ignore_search_system_state_data_directory($1_chkpwd_t)
 
 # Transition from the user domain to this domain.
 ifelse($1, system, `
@@ -44,6 +56,7 @@ terminal_use_general_physical_terminal($1_chkpwd_t)
 # Transition from the user domain to this domain.
 allow $1_t chkpwd_exec_t:file { getattr read execute };
 allow $1_t $1_chkpwd_t:process transition;
+type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
 
 #allow $1_t sbin_t:dir search;
 
@@ -59,16 +72,15 @@ domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
 optional_policy(`selinux.te',`
 selinux_newrole_use_file_descriptors($1_chkpwd_t)
 ')
+
 ') dnl ifelse system
 
-# for nscd
-dontaudit $1_chkpwd_t var_t:dir search;
-')
+') dnl end authlogin_per_userdomain_template
 
 define(`authlogin_per_userdomain_template_depend',`
 type chkpwd_exec_t, system_chkpwd_t;
 class file { getattr read execute };
-class process transition;
+class process { getattr transition };
 class capability setuid;
 class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
 class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
@@ -96,18 +108,32 @@ define(`authlogin_check_password_transition',`
 requires_block_template(`$0'_depend)
 allow $1 chkpwd_exec_t:file { getattr read execute };
 allow $1 system_chkpwd_t:process transition;
+type_transition $1 chkpwd_exec_t:process system_chkpwd_t;
+
 dontaudit $1 shadow_t:file { getattr read };
-#allow auth_chkpwd sbin_t:dir search;
-#can_ypbind(auth_chkpwd)
-#can_kerberos(auth_chkpwd)
-#can_ldap(auth_chkpwd)
-#can_resolve(auth_chkpwd)
-')
+#allow $1_t sbin_t:dir search;
+#can_ypbind($1_t)
+#can_kerberos($1_t)
+#can_ldap($1_t)
+
+tunable_policy(`use_dns',`
+allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces($1)
+corenetwork_network_raw_on_all_interfaces($1)
+corenetwork_network_udp_on_all_nodes($1)
+corenetwork_network_raw_on_all_nodes($1)
+corenetwork_bind_udp_on_all_nodes($1)
+corenetwork_network_udp_on_dns_port($1)
+sysnetwork_read_network_config($1)
+') dnl end use_dns
+
+') dnl end check_password_transition
 
 define(`authlogin_check_password_transition_depend',`
 type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 class file { getattr read execute };
 class process transition;
+class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
 ')
 
 #######################################

refpolicy/policy/modules/system/authlogin.te

@@ -87,7 +87,6 @@ files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
 
 kernel_read_system_state(pam_t)
 
-terminal_use_controlling_terminal(pam_t)
 terminal_use_all_users_physical_terminals(pam_t)
 terminal_use_all_users_pseudoterminals(pam_t)
 
@@ -137,8 +136,6 @@ kernel_read_system_state(pam_console_t)
 kernel_read_hardware_state(pam_console_t)
 kernel_use_file_descriptors(pam_console_t)
 
-devices_discard_data_stream(pam_console_t)
-
 # Allow to set attributes on /dev entries
 storage_get_fixed_disk_attributes(pam_console_t)
 storage_set_fixed_disk_attributes(pam_console_t)
@@ -192,7 +189,6 @@ allow pam_console_t rhgb_t:process sigchld;
 allow pam_console_t rhgb_t:fd use;
 allow pam_console_t rhgb_t:fifo_file { read write };
 ')
-allow pam_console_t null_device_t:chr_file r_file_perms;
 dontaudit pam_console_t unpriv_userdomain:fd use;
 allow pam_console_t autofs_t:dir { search getattr };
 

refpolicy/policy/modules/system/clock.te

@@ -33,7 +33,6 @@ allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
 kernel_read_kernel_sysctl(hwclock_t)
 kernel_read_hardware_state(hwclock_t)
 
-devices_discard_data_stream(hwclock_t)
 devices_modify_realtime_clock(hwclock_t)
 
 filesystem_get_persistent_filesystem_attributes(hwclock_t)
@@ -80,7 +79,6 @@ allow hwclock_t rhgb_t:fd use;
 allow hwclock_t rhgb_t:fifo_file { read write };
 ')
 
-allow hwclock_t null_device_t:chr_file { read getattr lock ioctl };
 dontaudit hwclock_t unpriv_userdomain:fd use;
 allow hwclock_t autofs_t:dir { search getattr };
 

refpolicy/policy/modules/system/domain.if

@@ -30,8 +30,19 @@ class lnk_file { getattr read };
 # domain_make_domain(domain)
 #
 define(`domain_make_domain',`
+
+# start with basic domain
 domain_make_base_domain($1)
+
+# Use trusted objects in /dev
+devices_use_dev_null($1)
+devices_use_dev_zero($1)
+terminal_use_controlling_terminal($1)
+
+# read the root directory
 files_read_root_dir($1)
+
+# send init a sigchld
 init_sigchld($1)
 ')
 

refpolicy/policy/modules/system/hostname.te

@@ -30,8 +30,6 @@ kernel_read_kernel_sysctl(hostname_t)
 kernel_read_hardware_state(hostname_t)
 kernel_ignore_use_file_descriptors(hostname_t)
 
-devices_discard_data_stream(hostname_t)
-
 files_read_general_system_config(hostname_t)
 files_ignore_search_system_state_data_directory(hostname_t)
 filesystem_get_persistent_filesystem_attributes(hostname_t)
@@ -79,7 +77,6 @@ allow hostname_t rhgb_t:fd use;
 allow hostname_t rhgb_t:fifo_file { read write };
 ')
 
-allow hostname_t null_device_t:chr_file { read getattr lock ioctl };
 dontaudit hostname_t unpriv_userdomain:fd use;
 allow hostname_t autofs_t:dir { search getattr };
 ##end daemon_base_domain

refpolicy/policy/modules/system/hotplug.te

@@ -50,7 +50,6 @@ kernel_transition_from(hotplug_t,hotplug_exec_t)
 
 bootloader_read_kernel_modules(hotplug_t)
 
-devices_discard_data_stream(hotplug_t)
 # for SSP
 devices_get_pseudorandom_data(hotplug_t)
 
@@ -59,7 +58,6 @@ filesystem_get_all_filesystems_attributes(hotplug_t)
 storage_set_fixed_disk_attributes(hotplug_t)
 storage_set_removable_device_attributes(hotplug_t)
 
-terminal_use_controlling_terminal(hotplug_t)
 terminal_ignore_use_console(hotplug_t)
 
 init_use_file_descriptors(hotplug_t)
@@ -120,7 +118,6 @@ updfstab_transition(hotplug_t)
 ')
 
 ifdef(`TODO',`
-allow hotplug_t null_device_t:chr_file r_file_perms;
 dontaudit hotplug_t unpriv_userdomain:fd use;
 allow hotplug_t autofs_t:dir { search getattr };
 dontaudit hotplug_t sysadm_home_dir_t:dir search;

refpolicy/policy/modules/system/iptables.te

@@ -47,8 +47,6 @@ kernel_use_file_descriptors(iptables_t)
 
 filesystem_get_persistent_filesystem_attributes(iptables_t)
 
-devices_discard_data_stream(iptables_t)
-
 terminal_ignore_use_console(iptables_t)
 
 init_use_file_descriptors(iptables_t)
@@ -94,7 +92,6 @@ allow iptables_t rhgb_t:process sigchld;
 allow iptables_t rhgb_t:fd use;
 allow iptables_t rhgb_t:fifo_file { read write };
 ')
-allow iptables_t null_device_t:chr_file r_file_perms;
 dontaudit iptables_t unpriv_userdomain:fd use;
 allow iptables_t autofs_t:dir { search getattr };
 tunable_policy(`direct_sysadm_daemon', `

refpolicy/policy/modules/system/logging.te

@@ -102,9 +102,7 @@ kernel_read_hardware_state(syslogd_t)
 kernel_read_kernel_sysctl(syslogd_t)
 
 devices_create_dev_entry(syslogd_t,devlog_t,sock_file)
-devices_discard_data_stream(syslogd_t)
 
-terminal_use_controlling_terminal(syslogd_t)
 terminal_ignore_use_console(syslogd_t)
 
 corenetwork_network_raw_on_all_interfaces(syslogd_t)
@@ -169,7 +167,6 @@ ifdef(`TODO',`
 
 allow syslogd_t proc_t:dir r_dir_perms;
 allow syslogd_t proc_t:lnk_file read;
-allow syslogd_t null_device_t:chr_file r_file_perms;
 dontaudit syslogd_t unpriv_userdomain:fd use;
 allow syslogd_t autofs_t:dir { search getattr };
 dontaudit syslogd_t sysadm_home_dir_t:dir search;

refpolicy/policy/modules/system/modutils.te

@@ -55,12 +55,9 @@ kernel_read_hotplug_sysctl(insmod_t)
 
 bootloader_read_kernel_modules(insmod_t)
 
-terminal_use_controlling_terminal(insmod_t)
-
 devices_write_mtrr(insmod_t)
 devices_get_pseudorandom_data(insmod_t)
 devices_direct_agp_access(insmod_t)
-devices_get_zeros(insmod_t)
 
 filesystem_get_persistent_filesystem_attributes(insmod_t)
 
@@ -204,7 +201,6 @@ devices_get_pseudorandom_data(update_modules_t)
 filesystem_get_persistent_filesystem_attributes(update_modules_t)
 
 terminal_use_console(update_modules_t)
-terminal_use_controlling_terminal(update_modules_t)
 
 init_use_file_descriptors(depmod_t)
 init_script_use_file_descriptors(depmod_t)

refpolicy/policy/modules/system/selinux.te

@@ -108,7 +108,6 @@ allow checkpolicy_t selinux_config_t:dir search;
 filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
 
 terminal_use_console(checkpolicy_t)
-terminal_use_controlling_terminal(checkpolicy_t)
 
 init_use_file_descriptors(checkpolicy_t)
 init_script_use_pseudoterminal(checkpolicy_t)
@@ -161,7 +160,6 @@ kernel_set_selinux_boolean(load_policy_t)
 filesystem_get_persistent_filesystem_attributes(load_policy_t)
 
 terminal_use_console(load_policy_t)
-terminal_use_controlling_terminal(load_policy_t)
 terminal_list_pseudoterminals(load_policy_t)
 
 init_script_use_file_descriptors(load_policy_t)
@@ -223,7 +221,6 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
 
 terminal_use_all_users_physical_terminals(newrole_t)
 terminal_use_all_users_pseudoterminals(newrole_t)
-terminal_use_controlling_terminal(newrole_t)
 
 # Write to utmp.
 init_script_modify_runtime_data(newrole_t)
@@ -253,7 +250,7 @@ allow newrole_t autofs_t:dir { search getattr };
 
 # for when the user types "exec newrole" at the command line
 allow newrole_t privfd:process sigchld;
-
+ 
 # Execute /sbin/pwdb_chkpwd to check the password.
 allow newrole_t sbin_t:dir r_dir_perms;
 
@@ -377,7 +374,6 @@ kernel_compute_reachable_user_contexts(setfiles_t)
 
 filesystem_get_persistent_filesystem_attributes(setfiles_t)
 
-terminal_use_controlling_terminal(setfiles_t)
 terminal_use_all_users_physical_terminals(setfiles_t)
 terminal_use_all_users_pseudoterminals(setfiles_t)
 terminal_use_general_physical_terminal(setfiles_t)

refpolicy/policy/modules/system/selinuxutil.te

@@ -108,7 +108,6 @@ allow checkpolicy_t selinux_config_t:dir search;
 filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
 
 terminal_use_console(checkpolicy_t)
-terminal_use_controlling_terminal(checkpolicy_t)
 
 init_use_file_descriptors(checkpolicy_t)
 init_script_use_pseudoterminal(checkpolicy_t)
@@ -161,7 +160,6 @@ kernel_set_selinux_boolean(load_policy_t)
 filesystem_get_persistent_filesystem_attributes(load_policy_t)
 
 terminal_use_console(load_policy_t)
-terminal_use_controlling_terminal(load_policy_t)
 terminal_list_pseudoterminals(load_policy_t)
 
 init_script_use_file_descriptors(load_policy_t)
@@ -223,7 +221,6 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
 
 terminal_use_all_users_physical_terminals(newrole_t)
 terminal_use_all_users_pseudoterminals(newrole_t)
-terminal_use_controlling_terminal(newrole_t)
 
 # Write to utmp.
 init_script_modify_runtime_data(newrole_t)
@@ -253,7 +250,7 @@ allow newrole_t autofs_t:dir { search getattr };
 
 # for when the user types "exec newrole" at the command line
 allow newrole_t privfd:process sigchld;
-
+ 
 # Execute /sbin/pwdb_chkpwd to check the password.
 allow newrole_t sbin_t:dir r_dir_perms;
 
@@ -377,7 +374,6 @@ kernel_compute_reachable_user_contexts(setfiles_t)
 
 filesystem_get_persistent_filesystem_attributes(setfiles_t)
 
-terminal_use_controlling_terminal(setfiles_t)
 terminal_use_all_users_physical_terminals(setfiles_t)
 terminal_use_all_users_pseudoterminals(setfiles_t)
 terminal_use_general_physical_terminal(setfiles_t)

refpolicy/policy/modules/system/sysnetwork.te

@@ -84,13 +84,11 @@ corenetwork_bind_tcp_on_all_nodes(dhcpc_t)
 corenetwork_bind_udp_on_all_nodes(dhcpc_t)
 corenetwork_bind_udp_on_dhcpc_port(dhcpc_t)
 
-devices_discard_data_stream(dhcpc_t)
 # for SSP
 devices_get_pseudorandom_data(dhcpc_t)
 
 filesystem_get_all_filesystems_attributes(dhcpc_t)
 
-terminal_use_controlling_terminal(dhcpc_t)
 terminal_ignore_use_console(dhcpc_t)
 terminal_ignore_use_all_users_physical_terminals(dhcpc_t)
 terminal_ignore_use_all_users_pseudoterminals(dhcpc_t)
@@ -156,7 +154,6 @@ ntpd_transition(dhcpc_t)
 ')
 
 ifdef(`TODO',`
-allow dhcpc_t null_device_t:chr_file r_file_perms;
 allow dhcpc_t autofs_t:dir { search getattr };
 dontaudit dhcpc_t sysadm_home_dir_t:dir search;