trunk: another pile of misc fixes.

2008-05-22 15:24:52 +00:00 · 2008-05-22 15:24:52 +00:00 · b34db7a8ec
parent 8f3a0a95e0
commit b34db7a8ec
20 changed files with 77 additions and 66 deletions
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@ -188,5 +188,5 @@ interface(`apt_dontaudit_manage_db',`

 	dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
 	dontaudit $1 apt_var_lib_t:file manage_file_perms;
-	dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_perms;
+	dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@ -34,7 +34,7 @@
 #
 template(`gnome_per_role_template',`
 	gen_require(`
-		type gconfd_exec_t;
+		type gconfd_exec_t, gconf_etc_t;
 		attribute gnomedomain;
 	')

--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@ -75,7 +75,7 @@ template(`mplayer_per_role_template',`
 	domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)

 	# Allow the user domain to signal/ps.
-	ps_process_pattern($2,$1_mencoder_t,$1_mencoder_t)
+	ps_process_pattern($2,$1_mencoder_t)
 	allow $2 $1_mencoder_t:process signal_perms;

 	# Read /proc files and directories
@ -235,9 +235,8 @@ template(`mplayer_per_role_template',`
 		files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,file)
 		files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,dir)

-		userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,file)
-		userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,dir)
-
+		userdom_manage_user_untrusted_content_dirs($1,$1_mencoder_t)
+		userdom_manage_user_untrusted_content_files($1,$1_mencoder_t)
 	',`
 		files_dontaudit_list_home($1_mencoder_t)
 		files_dontaudit_list_tmp($1_mencoder_t)
--- a/policy/modules/apps/rssh.if
+++ b/policy/modules/apps/rssh.if
@ -24,6 +24,11 @@
 ## </param>
 #
 template(`rssh_per_role_template',`
+	gen_require(`
+		type rssh_exec_t;
+		attribute rssh_domain_type;
+		attribute rssh_ro_content_type;
+	')

 	##############################
 	#
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -473,10 +473,10 @@ interface(`fs_manage_autofs_symlinks',`
 #
 interface(`fs_getattr_binfmt_misc_dirs',`
 	gen_require(`
-		type binfmt_misc_t;
+		type binfmt_misc_fs_t;
 	')

-	allow $1 binfmt_misc_t:dir getattr;
+	allow $1 binfmt_misc_fs_tt:dir getattr;

 ')

--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@ -110,7 +110,7 @@ optional_policy(`
 ')

 optional_policy(`
-	cron_admin_template(sysadm, sysadm_t, sysadm_r)
+	cron_admin_template(sysadm)
 ')

 optional_policy(`
@ -141,7 +141,7 @@ optional_policy(`

 optional_policy(`
 	ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	ethereal_admin_template(sysadm, sysadm_t, sysadm_r)
+	ethereal_admin_template(sysadm)
 ')

 optional_policy(`
@ -184,7 +184,7 @@ optional_policy(`

 optional_policy(`
 	lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	lpr_admin_template(sysadm, sysadm_t, sysadm_r)
+	lpr_admin_template(sysadm)
 ')

 optional_policy(`
@ -202,7 +202,7 @@ optional_policy(`
 ')

 optional_policy(`
-	mta_admin_template(sysadm, sysadm_t, sysadm_r)
+	mta_admin_template(sysadm, sysadm_t)
 ')

 optional_policy(`
@ -296,7 +296,7 @@ optional_policy(`
 ')

 optional_policy(`
-	unconfined_domtrans(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	unconfined_domtrans(sysadm_t)
 ')

 optional_policy(`
--- a/policy/modules/services/aide.if
+++ b/policy/modules/services/aide.if
@ -60,16 +60,6 @@ interface(`aide_run',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the aide domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`aide_admin',`
@ -84,5 +74,5 @@ interface(`aide_admin',`
 	manage_files_pattern($1, aide_db_t, aide_db_t)

 	logging_list_logs($1)
-	manage_all_pattern($1, aide_log_t, aide_log_t)
+	manage_files_pattern($1, aide_log_t, aide_log_t)
 ')
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@ -197,21 +197,11 @@ interface(`amavis_create_pid_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the amavis domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`amavis_admin',`
 	gen_require(`
-		type amavis_t, amavis_tmp_t, amavis_log_t;
+		type amavis_t, amavis_tmp_t, amavis_var_log_t;
 		type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
 		type amavis_etc_t, amavis_quarantine_t;
 	')
@ -228,7 +218,7 @@ interface(`amavis_admin',`
 	manage_files_pattern($1, amavis_etc_t, amavis_etc_t)

 	logging_list_logs($1)
-	manage_files_pattern($1, amavis_log_t, amavis_log_t)
+	manage_files_pattern($1, amavis_var_log_t, amavis_var_log_t)

 	files_list_spool($1)
 	manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@ -72,7 +72,7 @@ interface(`apcupsd_read_log',`
 #
 interface(`apcupsd_append_log',`
 	gen_require(`
-		type var_log_t, apcupsd_log_t;
+		type apcupsd_log_t;
 	')

 	logging_search_logs($1)
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@ -36,6 +36,7 @@ template(`bluetooth_per_role_template',`
 	gen_require(`
 		attribute bluetooth_helper_domain;
 		type bluetooth_helper_exec_t;
+		type bluetooth_t;
 	')

 	type $1_bluetooth_t, bluetooth_helper_domain;
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@ -255,7 +255,7 @@ optional_policy(`
 ')

 optional_policy(`
-	inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
+	inetd_core_service_domain(cupsd_t, cupsd_exec_t)
 ')

 optional_policy(`
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@ -42,7 +42,7 @@ allow cvs_t self:capability { setuid setgid };

 manage_dirs_pattern(cvs_t,cvs_data_t,cvs_data_t)
 manage_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
-manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t,cvs_data_t)
+manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t)

 manage_dirs_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
 manage_files_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@ -172,6 +172,7 @@ template(`mta_per_role_template',`
 	gen_require(`
 		attribute mta_user_agent;
 		attribute mailserver_delivery;
+		type sendmail_exec_t;
 	')

 	##############################
@ -332,11 +333,7 @@ interface(`mta_mailserver',`
 ##	The type to be used for the mail server.
 ##	</summary>
 ## </param>
-## <param name="entry_point">
-##	<summary>
-##	The type to be used for the domain entry point program.
-##	</summary>
-## </param>
+#
 interface(`mta_sendmail_mailserver',`
 	gen_require(`
 		attribute mailserver_domain;
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@ -33,17 +33,17 @@ interface(`sasl_connect',`
 #
 interface(`sasl_admin',`
 	gen_require(`
-		type sasl_t;
-		type sasl_tmp_t;
-		type sasl_var_run_t;
+		type saslauthd_t;
+		type saslauthd_tmp_t;
+		type saslauthd_var_run_t;
 	')

-	allow $1 sasl_t:process { ptrace signal_perms getattr };
-	ps_process_pattern($1, sasl_t)
+	allow $1 saslauthd_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, saslauthd_t)
 	        
 	files_list_tmp($1)
-	manage_files_pattern($1, sasl_tmp_t, sasl_tmp_t)
+	manage_files_pattern($1, saslauthd_tmp_t, saslauthd_tmp_t)

 	files_list_pids($1)
-	manage_files_pattern($1, sasl_var_run_t, sasl_var_run_t)
+	manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t)
 ')
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@ -32,15 +32,15 @@ interface(`smartmon_read_tmp_files',`
 #
 interface(`smartmon_admin',`
 	gen_require(`
-		type smartmon_t, smartmon_tmp_t, smartmon_var_run_t;
+		type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
 	')

-	allow $1 smartmon_t:process { ptrace signal_perms getattr };
-	ps_process_pattern($1, smartmon_t)
+	allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, fsdaemon_t)
 	        
 	files_list_tmp($1)
-	manage_files_pattern($1, smartmon_tmp_t, smartmon_tmp_t)
+	manage_files_pattern($1, fsdaemon_tmp_t, fsdaemon_tmp_t)

 	files_list_pids($1)
-	manage_files_pattern($1, smartmon_var_run_t, smartmon_var_run_t)
+	manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t)
 ')
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@ -202,7 +202,7 @@ template(`ssh_basic_client_template',`
 #
 template(`ssh_per_role_template',`
 	gen_require(`
-		type ssh_agent_exec_t, ssh_keysign_exec_t;
+		type ssh_agent_exec_t, ssh_keysign_exec_t, sshd_t, sshd_key_t;
 	')

 	##############################
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@ -51,7 +51,7 @@ interface(`zabbix_read_log',`
 #
 interface(`zabbix_append_log',`
 	gen_require(`
-		type var_log_t, zabbix_log_t;
+		type zabbix_log_t;
 	')

 	logging_search_logs($1)
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -1402,11 +1402,6 @@ template(`userdom_admin_user_template',`
 ##	The role  of the object to create.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	The terminal
-##	</summary>
-## </param>
 #
 template(`userdom_security_admin_template',`
 	allow $1 self:capability { dac_read_search dac_override };
@ -3274,6 +3269,39 @@ template(`userdom_dontaudit_list_user_untrusted_content',`
 	dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
 ')

+########################################
+## <summary>
+##	Create, read, write, and delete users untrusted directories.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete users untrusted directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_untrusted_content_dirs',`
+	gen_require(`
+		type $1_untrusted_content_t;
+	')
+
+	allow $2 $1_untrusted_content_t:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read user untrusted files.
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@ -87,7 +87,7 @@ interface(`xen_read_image_files',`
 #
 interface(`xen_append_log',`
 	gen_require(`
-		type var_log_t, xend_var_log_t;
+		type xend_var_log_t;
 	')

 	logging_search_logs($1)
@ -108,7 +108,7 @@ interface(`xen_append_log',`
 #
 interface(`xen_manage_log',`
 	gen_require(`
-		type var_log_t, xend_var_log_t;
+		type xend_var_log_t;
 	')

 	logging_search_logs($1)
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@ -223,7 +223,8 @@ define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
 define(`getattr_lnk_file_perms',`{ getattr }')
 define(`setattr_lnk_file_perms',`{ setattr }')
 define(`read_lnk_file_perms',`{ getattr read }')
-define(`write_lnk_file_perms',`{ getattr write lock ioctl }')
+define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
+define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
 define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')