From ac498fa5d921ef21d1b6c511839d92bfa5273347 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 27 Aug 2010 10:56:56 -0400 Subject: [PATCH] More fixes --- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ policy/modules/roles/dbadm.te | 2 +- policy/modules/services/cobbler.if | 18 ------------------ policy/modules/services/devicekit.te | 1 + policy/modules/services/xserver.if | 2 -- policy/modules/system/init.te | 13 ++++++++++--- 6 files changed, 30 insertions(+), 24 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 9223f7df..d0aaa1cd 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3824,6 +3824,24 @@ interface(`dev_rw_sysfs',` list_dirs_pattern($1, sysfs_t, sysfs_t) ') +######################################## +## +## Allow caller to modify hardware state information. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + manage_dirs_pattern($1, sysfs_t, sysfs_t) +') + ######################################## ## ## Read from pseudo random number generator devices (e.g., /dev/urandom). diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te index a3ddd43e..20d93338 100644 --- a/policy/modules/roles/dbadm.te +++ b/policy/modules/roles/dbadm.te @@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false) role dbadm_r; -userdom_unpriv_user_template(dbadm) +userdom_base_user_template(dbadm) ######################################## # diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if index a57fe376..1bdfe84c 100644 --- a/policy/modules/services/cobbler.if +++ b/policy/modules/services/cobbler.if @@ -146,24 +146,6 @@ interface(`cobbler_manage_lib_files',` files_search_var_lib($1) ') -######################################## -## -## dontaudit read and write Cobbler log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cobbler_dontaudit_rw_log',` - gen_require(` - type cobbler_var_log_t; - ') - - dontaudit $1 cobbler_var_log_t:file rw_inherited_files_perms; -') - ######################################## ## ## Do not audit attempts to read and write diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index a7de6034..1e554a9e 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -228,6 +228,7 @@ dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) +dev_read_rand(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_files(devicekit_power_t) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 8696a6e0..6ff8f250 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -101,8 +101,6 @@ ifdef(`hide_broken_symptoms', ` dev_getattr_agp_dev($2) tunable_policy(`user_direct_dri',` dev_rw_dri($2) - ',` - dev_dontaudit_rw_dri($2) ') # GNOME checks for usb and other devices: diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index cd266c0e..a100eb6d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -220,7 +220,7 @@ storage_raw_rw_fixed_disk(init_t) modutils_domtrans_insmod(init_t) tunable_policy(`init_systemd',` - allow init_t self:unix_dgram_socket create_socket_perms; + allow init_t self:unix_dgram_socket { create_socket_perms sendto }; allow init_t self:process { setsockcreate setfscreate }; allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow init_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -239,6 +239,7 @@ tunable_policy(`init_systemd',` dev_read_generic_chr_files(init_t) dev_relabelfrom_generic_chr_files(init_t) dev_relabel_autofs_dev(init_t) + dev_manage_sysfs_dirs(init_t) files_mounton_all_mountpoints(init_t) files_manage_all_pids_dirs(init_t) @@ -249,16 +250,17 @@ tunable_policy(`init_systemd',` fs_list_auto_mountpoints(init_t) fs_read_cgroup_files(init_t) fs_write_cgroup_files(init_t) + fs_search_cgroup_dirs(daemon) selinux_compute_create_context(init_t) selinux_validate_context(init_t) selinux_unmount_fs(init_t) + storage_getattr_removable_dev(init_t) + init_read_script_state(init_t) seutil_read_file_contexts(init_t) - - storage_getattr_removable_dev(init_t) ') optional_policy(` @@ -286,6 +288,11 @@ optional_policy(` nscd_socket_use(init_t) ') +optional_policy(` + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) +') + optional_policy(` sssd_stream_connect(init_t) ')