Remove unused patches
This commit is contained in:
parent
2599f2f590
commit
c1f199109a
288
apache.patch
288
apache.patch
@ -1,288 +0,0 @@
|
||||
diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.if.apache serefpolicy-3.10.0/policy/modules/kernel/domain.if
|
||||
diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.apache serefpolicy-3.10.0/policy/modules/kernel/domain.te
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.apache serefpolicy-3.10.0/policy/modules/services/apache.if
|
||||
--- serefpolicy-3.10.0/policy/modules/services/apache.if.apache 2011-10-11 10:17:05.262944711 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-10-11 10:17:13.416929487 -0400
|
||||
@@ -16,55 +16,43 @@ template(`apache_content_template',`
|
||||
attribute httpd_exec_scripts, httpd_script_exec_type;
|
||||
type httpd_t, httpd_suexec_t, httpd_log_t;
|
||||
type httpd_sys_content_t;
|
||||
+ attribute httpd_script_type, httpd_content_type;
|
||||
')
|
||||
|
||||
#This type is for webpages
|
||||
type httpd_$1_content_t; # customizable;
|
||||
+ typeattribute httpd_$1_content_t httpd_content_type;
|
||||
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
|
||||
files_type(httpd_$1_content_t)
|
||||
|
||||
# This type is used for .htaccess files
|
||||
- type httpd_$1_htaccess_t; # customizable;
|
||||
+ type httpd_$1_htaccess_t, httpd_content_type; # customizable;
|
||||
+ typeattribute httpd_$1_htaccess_t httpd_content_type;
|
||||
files_type(httpd_$1_htaccess_t)
|
||||
|
||||
# Type that CGI scripts run as
|
||||
- type httpd_$1_script_t;
|
||||
+ type httpd_$1_script_t, httpd_script_type;
|
||||
domain_type(httpd_$1_script_t)
|
||||
role system_r types httpd_$1_script_t;
|
||||
|
||||
- search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
|
||||
-
|
||||
# This type is used for executable scripts files
|
||||
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
|
||||
- corecmd_shell_entry_type(httpd_$1_script_t)
|
||||
+ typeattribute httpd_$1_script_exec_t httpd_content_type;
|
||||
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
|
||||
|
||||
type httpd_$1_rw_content_t; # customizable
|
||||
+ typeattribute httpd_$1_rw_content_t httpd_content_type;
|
||||
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
|
||||
files_type(httpd_$1_rw_content_t)
|
||||
|
||||
- type httpd_$1_ra_content_t; # customizable
|
||||
+ type httpd_$1_ra_content_t, httpd_content_type; # customizable
|
||||
+ typeattribute httpd_$1_ra_content_t httpd_content_type;
|
||||
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
|
||||
files_type(httpd_$1_ra_content_t)
|
||||
|
||||
- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
|
||||
-
|
||||
- allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
|
||||
- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
|
||||
-
|
||||
- allow httpd_$1_script_t self:fifo_file rw_file_perms;
|
||||
- allow httpd_$1_script_t self:unix_stream_socket connectto;
|
||||
-
|
||||
- allow httpd_$1_script_t httpd_t:fifo_file write;
|
||||
- # apache should set close-on-exec
|
||||
- apache_dontaudit_leaks(httpd_$1_script_t)
|
||||
-
|
||||
# Allow the script process to search the cgi directory, and users directory
|
||||
allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
|
||||
|
||||
- append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
|
||||
- logging_search_logs(httpd_$1_script_t)
|
||||
-
|
||||
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
|
||||
allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
|
||||
|
||||
@@ -83,27 +71,6 @@ template(`apache_content_template',`
|
||||
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
|
||||
- kernel_dontaudit_search_sysctl(httpd_$1_script_t)
|
||||
- kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
|
||||
-
|
||||
- dev_read_rand(httpd_$1_script_t)
|
||||
- dev_read_urand(httpd_$1_script_t)
|
||||
-
|
||||
- corecmd_exec_all_executables(httpd_$1_script_t)
|
||||
- application_exec_all(httpd_$1_script_t)
|
||||
-
|
||||
- files_exec_etc_files(httpd_$1_script_t)
|
||||
- files_read_etc_files(httpd_$1_script_t)
|
||||
- files_search_home(httpd_$1_script_t)
|
||||
-
|
||||
- libs_exec_ld_so(httpd_$1_script_t)
|
||||
- libs_exec_lib_files(httpd_$1_script_t)
|
||||
-
|
||||
- miscfiles_read_fonts(httpd_$1_script_t)
|
||||
- miscfiles_read_public_files(httpd_$1_script_t)
|
||||
-
|
||||
- seutil_dontaudit_search_config(httpd_$1_script_t)
|
||||
-
|
||||
# Allow the web server to run scripts and serve pages
|
||||
tunable_policy(`httpd_builtin_scripting',`
|
||||
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
@@ -111,19 +78,11 @@ template(`apache_content_template',`
|
||||
manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
|
||||
- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
|
||||
+ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
|
||||
read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
|
||||
- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
|
||||
- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
-
|
||||
- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
|
||||
- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
- allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
@@ -138,49 +97,6 @@ template(`apache_content_template',`
|
||||
|
||||
# apache runs the script:
|
||||
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
-
|
||||
- allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
|
||||
- allow httpd_t httpd_$1_script_exec_t:lnk_file read_lnk_file_perms;
|
||||
-
|
||||
- allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
|
||||
- allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
|
||||
-
|
||||
- allow httpd_$1_script_t self:process { setsched signal_perms };
|
||||
- allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
|
||||
- allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
|
||||
-
|
||||
- allow httpd_$1_script_t httpd_t:fd use;
|
||||
- allow httpd_$1_script_t httpd_t:process sigchld;
|
||||
-
|
||||
- dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
|
||||
-
|
||||
- kernel_read_system_state(httpd_$1_script_t)
|
||||
-
|
||||
- dev_read_urand(httpd_$1_script_t)
|
||||
-
|
||||
- fs_getattr_xattr_fs(httpd_$1_script_t)
|
||||
-
|
||||
- files_read_etc_runtime_files(httpd_$1_script_t)
|
||||
- files_read_usr_files(httpd_$1_script_t)
|
||||
-
|
||||
- libs_read_lib_files(httpd_$1_script_t)
|
||||
-
|
||||
- miscfiles_read_localization(httpd_$1_script_t)
|
||||
- allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
||||
- nis_use_ypbind_uncond(httpd_$1_script_t)
|
||||
- ')
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- postgresql_unpriv_client(httpd_$1_script_t)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- nscd_socket_use(httpd_$1_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/apache.te.apache serefpolicy-3.10.0/policy/modules/services/apache.te
|
||||
--- serefpolicy-3.10.0/policy/modules/services/apache.te.apache 2011-10-11 10:17:05.263944709 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/apache.te 2011-10-11 10:17:13.418929446 -0400
|
||||
@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_
|
||||
|
||||
attribute httpdcontent;
|
||||
attribute httpd_user_content_type;
|
||||
+attribute httpd_content_type;
|
||||
|
||||
# domains that can exec all users scripts
|
||||
attribute httpd_exec_scripts;
|
||||
|
||||
+attribute httpd_script_type;
|
||||
attribute httpd_script_exec_type;
|
||||
attribute httpd_user_script_exec_type;
|
||||
|
||||
@@ -293,6 +295,10 @@ files_tmp_file(httpd_suexec_tmp_t)
|
||||
# setup the system domain for system CGI scripts
|
||||
apache_content_template(sys)
|
||||
|
||||
+optional_policy(`
|
||||
+ postgresql_unpriv_client(httpd_sys_script_t)
|
||||
+')
|
||||
+
|
||||
typeattribute httpd_sys_content_t httpdcontent; # customizable
|
||||
typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
|
||||
typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
|
||||
@@ -1308,3 +1314,91 @@ systemd_passwd_agent_dev_template(httpd)
|
||||
domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
|
||||
dontaudit httpd_passwd_t httpd_config_t:file read;
|
||||
|
||||
+
|
||||
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
|
||||
+corecmd_shell_entry_type(httpd_script_type)
|
||||
+
|
||||
+allow httpd_script_type self:fifo_file rw_file_perms;
|
||||
+allow httpd_script_type self:unix_stream_socket connectto;
|
||||
+
|
||||
+allow httpd_script_type httpd_t:fifo_file write;
|
||||
+# apache should set close-on-exec
|
||||
+apache_dontaudit_leaks(httpd_script_type)
|
||||
+
|
||||
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
|
||||
+logging_search_logs(httpd_script_type)
|
||||
+
|
||||
+kernel_dontaudit_search_sysctl(httpd_script_type)
|
||||
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
|
||||
+
|
||||
+dev_read_rand(httpd_script_type)
|
||||
+dev_read_urand(httpd_script_type)
|
||||
+
|
||||
+corecmd_exec_all_executables(httpd_script_type)
|
||||
+application_exec_all(httpd_script_type)
|
||||
+
|
||||
+files_exec_etc_files(httpd_script_type)
|
||||
+files_read_etc_files(httpd_script_type)
|
||||
+files_search_home(httpd_script_type)
|
||||
+
|
||||
+libs_exec_ld_so(httpd_script_type)
|
||||
+libs_exec_lib_files(httpd_script_type)
|
||||
+
|
||||
+miscfiles_read_fonts(httpd_script_type)
|
||||
+miscfiles_read_public_files(httpd_script_type)
|
||||
+
|
||||
+seutil_dontaudit_search_config(httpd_script_type)
|
||||
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
|
||||
+
|
||||
+allow httpd_t httpd_script_exec_type:file read_file_perms;
|
||||
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
|
||||
+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
|
||||
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
|
||||
+
|
||||
+allow httpd_script_type self:process { setsched signal_perms };
|
||||
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+allow httpd_script_type httpd_t:fd use;
|
||||
+allow httpd_script_type httpd_t:process sigchld;
|
||||
+
|
||||
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
|
||||
+
|
||||
+kernel_read_system_state(httpd_script_type)
|
||||
+
|
||||
+dev_read_urand(httpd_script_type)
|
||||
+
|
||||
+fs_getattr_xattr_fs(httpd_script_type)
|
||||
+
|
||||
+files_read_etc_runtime_files(httpd_script_type)
|
||||
+files_read_usr_files(httpd_script_type)
|
||||
+
|
||||
+libs_read_lib_files(httpd_script_type)
|
||||
+
|
||||
+miscfiles_read_localization(httpd_script_type)
|
||||
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
|
||||
+
|
||||
+tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
||||
+ nis_use_ypbind_uncond(httpd_script_type)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ nscd_socket_use(httpd_script_type)
|
||||
+')
|
||||
+
|
||||
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
||||
+
|
||||
+tunable_policy(`httpd_builtin_scripting',`
|
||||
+ allow httpd_t httpd_content_type:dir search_dir_perms;
|
||||
+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
|
||||
+
|
||||
+ allow httpd_t httpd_content_type:dir list_dir_perms;
|
||||
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
||||
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
||||
+
|
||||
+ allow httpd_t httpd_content_type:dir list_dir_perms;
|
||||
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
||||
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
||||
+')
|
||||
+
|
||||
+
|
@ -1,140 +0,0 @@
|
||||
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
|
||||
index 50e9ee4..72417f5 100644
|
||||
--- a/policy/modules/admin/consoletype.te
|
||||
+++ b/policy/modules/admin/consoletype.te
|
||||
@@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0)
|
||||
|
||||
type consoletype_t;
|
||||
type consoletype_exec_t;
|
||||
-init_domain(consoletype_t, consoletype_exec_t)
|
||||
-init_system_domain(consoletype_t, consoletype_exec_t)
|
||||
+application_domain(consoletype_t, consoletype_exec_t)
|
||||
+role system_r types consoletype_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
|
||||
index f808287..bd59f2e 100644
|
||||
--- a/policy/modules/admin/firstboot.te
|
||||
+++ b/policy/modules/admin/firstboot.te
|
||||
@@ -97,10 +97,6 @@ userdom_home_filetrans_user_home_dir(firstboot_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_domtrans(firstboot_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
dbus_system_bus_client(firstboot_t)
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
|
||||
index ba9b9d6..09ae47c 100644
|
||||
--- a/policy/modules/apps/usernetctl.if
|
||||
+++ b/policy/modules/apps/usernetctl.if
|
||||
@@ -47,10 +47,6 @@ interface(`usernetctl_run',`
|
||||
sysnet_run_dhcpc(usernetctl_t, $2)
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_run(usernetctl_t, $2)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
iptables_run(usernetctl_t, $2)
|
||||
')
|
||||
|
||||
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
|
||||
index f938024..93edd6b 100644
|
||||
--- a/policy/modules/apps/usernetctl.te
|
||||
+++ b/policy/modules/apps/usernetctl.te
|
||||
@@ -61,6 +61,10 @@ sysnet_read_config(usernetctl_t)
|
||||
userdom_use_inherited_user_terminals(usernetctl_t)
|
||||
|
||||
optional_policy(`
|
||||
+ consoletype_exec(usernetctl_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
hostname_exec(usernetctl_t)
|
||||
')
|
||||
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index c6aa0bc..9cfa342 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -151,7 +151,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_run(sysadm_t, sysadm_r)
|
||||
+ consoletype_exec(sysadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
|
||||
index c985b07..0931220 100644
|
||||
--- a/policy/modules/services/networkmanager.te
|
||||
+++ b/policy/modules/services/networkmanager.te
|
||||
@@ -205,7 +205,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_domtrans(NetworkManager_t)
|
||||
+ consoletype_exec(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
|
||||
index 5f6e7b8..6a68d33 100644
|
||||
--- a/policy/modules/services/puppet.te
|
||||
+++ b/policy/modules/services/puppet.te
|
||||
@@ -148,7 +148,7 @@ tunable_policy(`puppet_manage_all_files',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_domtrans(puppet_t)
|
||||
+ consoletype_exec(puppet_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
|
||||
index be800df..22c9f0d 100644
|
||||
--- a/policy/modules/system/sysnetwork.if
|
||||
+++ b/policy/modules/system/sysnetwork.if
|
||||
@@ -49,10 +49,6 @@ interface(`sysnet_run_dhcpc',`
|
||||
sysnet_run_ifconfig(dhcpc_t, $2)
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_run(dhcpc_t, $2)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
hostname_run(dhcpc_t, $2)
|
||||
')
|
||||
|
||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||
index 767ccbd..b9b4dd9 100644
|
||||
--- a/policy/modules/system/sysnetwork.te
|
||||
+++ b/policy/modules/system/sysnetwork.te
|
||||
@@ -170,7 +170,7 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_domtrans(dhcpc_t)
|
||||
+ consoletype_exec(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index c31aeb2..8febc7a 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -240,7 +240,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- consoletype_domtrans(udev_t)
|
||||
+ consoletype_exec(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
@ -1,10 +0,0 @@
|
||||
diff -up serefpolicy-3.10.0/policy/mcs.trans serefpolicy-3.10.0/policy/mcs
|
||||
--- serefpolicy-3.10.0/policy/mcs.trans 2011-12-05 16:30:45.081703537 -0500
|
||||
+++ serefpolicy-3.10.0/policy/mcs 2011-12-05 16:34:09.674001926 -0500
|
||||
@@ -1,4 +1,6 @@
|
||||
ifdef(`enable_mcs',`
|
||||
+default_range dir_file_class_set target low;
|
||||
+
|
||||
#
|
||||
# Define sensitivities
|
||||
#
|
@ -1,317 +0,0 @@
|
||||
diff -up serefpolicy-3.10.0/policy/global_tunables.denyexecmem serefpolicy-3.10.0/policy/global_tunables
|
||||
--- serefpolicy-3.10.0/policy/global_tunables.denyexecmem 2011-11-08 16:11:51.764047705 -0500
|
||||
+++ serefpolicy-3.10.0/policy/global_tunables 2011-11-08 16:11:52.028047558 -0500
|
||||
@@ -20,10 +20,10 @@ gen_tunable(allow_execheap,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
|
||||
+## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
|
||||
## </p>
|
||||
## </desc>
|
||||
-gen_tunable(allow_execmem,false)
|
||||
+gen_tunable(deny_execmem,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.denyexecmem serefpolicy-3.10.0/policy/modules/admin/rpm.te
|
||||
--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.denyexecmem 2011-11-08 16:11:51.771047703 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-11-08 16:11:52.030047557 -0500
|
||||
@@ -382,7 +382,7 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
')
|
||||
|
||||
-tunable_policy(`allow_execmem',`
|
||||
+tunable_policy(`deny_execmem',`',`
|
||||
allow rpm_script_t self:process execmem;
|
||||
')
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/apps/games.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/games.te
|
||||
--- serefpolicy-3.10.0/policy/modules/apps/games.te.denyexecmem 2011-06-27 14:18:04.000000000 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/apps/games.te 2011-11-08 16:11:52.031047556 -0500
|
||||
@@ -166,7 +166,7 @@ userdom_manage_user_tmp_sockets(games_t)
|
||||
# Suppress .icons denial until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files(games_t)
|
||||
|
||||
-tunable_policy(`allow_execmem',`
|
||||
+tunable_policy(`deny_execmem',`', `
|
||||
allow games_t self:process execmem;
|
||||
')
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/mozilla.te
|
||||
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.denyexecmem 2011-11-08 16:11:51.786047693 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-11-08 16:11:52.032047555 -0500
|
||||
@@ -178,8 +178,12 @@ xserver_user_x_domain_template(mozilla,
|
||||
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
|
||||
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
|
||||
|
||||
-tunable_policy(`allow_execmem',`
|
||||
- allow mozilla_t self:process { execmem execstack };
|
||||
+tunable_policy(`allow_execstack',`
|
||||
+ allow mozilla_t self:process execstack;
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`deny_execmem',`',`
|
||||
+ allow mozilla_t self:process execmem;
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
@@ -410,12 +414,12 @@ userdom_read_user_home_content_symlinks(
|
||||
userdom_read_home_certs(mozilla_plugin_t)
|
||||
userdom_dontaudit_write_home_certs(mozilla_plugin_t)
|
||||
|
||||
-tunable_policy(`allow_execmem',`
|
||||
- allow mozilla_plugin_t self:process { execmem execstack };
|
||||
+tunable_policy(`deny_execmem',`', `
|
||||
+ allow mozilla_plugin_t self:process execmem;
|
||||
')
|
||||
|
||||
tunable_policy(`allow_execstack',`
|
||||
- allow mozilla_plugin_t self:process { execstack };
|
||||
+ allow mozilla_plugin_t self:process execstack;
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
diff -up serefpolicy-3.10.0/policy/modules/apps/mplayer.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/mplayer.te
|
||||
--- serefpolicy-3.10.0/policy/modules/apps/mplayer.te.denyexecmem 2011-11-08 16:11:51.048048110 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/apps/mplayer.te 2011-11-08 16:11:53.818046549 -0500
|
||||
@@ -92,7 +92,7 @@ ifndef(`enable_mls',`
|
||||
fs_read_removable_symlinks(mencoder_t)
|
||||
')
|
||||
|
||||
-tunable_policy(`allow_execmem',`
|
||||
+tunable_policy(`deny_execmem',`',`
|
||||
allow mencoder_t self:process execmem;
|
||||
')
|
||||
|
||||
@@ -252,7 +252,7 @@ ifdef(`enable_mls',`',`
|
||||
fs_read_removable_symlinks(mplayer_t)
|
||||
')
|
||||
|
||||
-tunable_policy(`allow_execmem',`
|
||||
+tunable_policy(`deny_execmem',`',`
|
||||
allow mplayer_t self:process execmem;
|
||||
')
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/kernel/corecommands.te.denyexecmem serefpolicy-3.10.0/policy/modules/kernel/corecommands.te
|
||||
--- serefpolicy-3.10.0/policy/modules/kernel/corecommands.te.denyexecmem 2011-06-27 14:18:04.000000000 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/kernel/corecommands.te 2011-11-08 16:11:52.033047554 -0500
|
||||
@@ -13,7 +13,7 @@ attribute exec_type;
|
||||
#
|
||||
# bin_t is the type of files in the system bin/sbin directories.
|
||||
#
|
||||
-type bin_t alias { ls_exec_t sbin_t };
|
||||
+type bin_t alias { ls_exec_t sbin_t java_exec_t execmem_exec_t mono_exec_t };
|
||||
corecmd_executable_file(bin_t)
|
||||
dev_associate(bin_t) #For /dev/MAKEDEV
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.denyexecmem serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
|
||||
--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.denyexecmem 2011-11-08 16:11:51.729047726 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-11-08 16:11:52.034047554 -0500
|
||||
@@ -104,11 +104,11 @@ unconfined_domain_noaudit(unconfined_t)
|
||||
usermanage_run_passwd(unconfined_t, unconfined_r)
|
||||
usermanage_run_chfn(unconfined_t, unconfined_r)
|
||||
|
||||
-tunable_policy(`allow_execmem',`
|
||||
+tunable_policy(`deny_execmem',`',`
|
||||
allow unconfined_t self:process execmem;
|
||||
')
|
||||
|
||||
-tunable_policy(`allow_execmem && allow_execstack',`
|
||||
+tunable_policy(`allow_execstack',`
|
||||
allow unconfined_t self:process execstack;
|
||||
')
|
||||
|
||||
@@ -230,7 +230,6 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain(unconfined_dbusd_t)
|
||||
- unconfined_execmem_domtrans(unconfined_dbusd_t)
|
||||
|
||||
optional_policy(`
|
||||
xserver_rw_shm(unconfined_dbusd_t)
|
||||
@@ -389,48 +388,5 @@ optional_policy(`
|
||||
xserver_manage_home_fonts(unconfined_t)
|
||||
')
|
||||
|
||||
-########################################
|
||||
-#
|
||||
-# Unconfined Execmem Local policy
|
||||
-#
|
||||
-
|
||||
-optional_policy(`
|
||||
- execmem_role_template(unconfined, unconfined_r, unconfined_t)
|
||||
- typealias unconfined_execmem_t alias execmem_t;
|
||||
- typealias unconfined_execmem_t alias unconfined_openoffice_t;
|
||||
- unconfined_domain_noaudit(unconfined_execmem_t)
|
||||
- allow unconfined_execmem_t unconfined_t:process transition;
|
||||
- rpm_transition_script(unconfined_execmem_t)
|
||||
- role system_r types unconfined_execmem_t;
|
||||
-
|
||||
- optional_policy(`
|
||||
- init_dbus_chat_script(unconfined_execmem_t)
|
||||
- dbus_system_bus_client(unconfined_execmem_t)
|
||||
- unconfined_dbus_chat(unconfined_execmem_t)
|
||||
- unconfined_dbus_connect(unconfined_execmem_t)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- tunable_policy(`allow_unconfined_nsplugin_transition',`', `
|
||||
- nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
|
||||
- ')
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- tunable_policy(`unconfined_login',`
|
||||
- mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
|
||||
- ')
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
|
||||
- ')
|
||||
-')
|
||||
-
|
||||
-########################################
|
||||
-#
|
||||
-# Unconfined mount local policy
|
||||
-#
|
||||
-
|
||||
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.te.denyexecmem serefpolicy-3.10.0/policy/modules/services/postgresql.te
|
||||
--- serefpolicy-3.10.0/policy/modules/services/postgresql.te.denyexecmem 2011-11-08 16:11:51.439047890 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/postgresql.te 2011-11-08 16:11:52.035047553 -0500
|
||||
@@ -329,7 +329,7 @@ userdom_dontaudit_use_user_terminals(pos
|
||||
|
||||
mta_getattr_spool(postgresql_t)
|
||||
|
||||
-tunable_policy(`allow_execmem',`
|
||||
+tunable_policy(`deny_execmem',`',`
|
||||
allow postgresql_t self:process execmem;
|
||||
')
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.denyexecmem serefpolicy-3.10.0/policy/modules/services/xserver.te
|
||||
--- serefpolicy-3.10.0/policy/modules/services/xserver.te.denyexecmem 2011-11-08 16:11:51.969047589 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-08 16:11:52.037047551 -0500
|
||||
@@ -1412,7 +1412,7 @@ tunable_policy(`allow_xserver_execmem',`
|
||||
')
|
||||
|
||||
# Hack to handle the problem of using the nvidia blobs
|
||||
-tunable_policy(`allow_execmem',`
|
||||
+tunable_policy(`deny_execmem',`',`
|
||||
allow xdm_t self:process execmem;
|
||||
')
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.denyexecmem serefpolicy-3.10.0/policy/modules/system/unconfined.if
|
||||
--- serefpolicy-3.10.0/policy/modules/system/unconfined.if.denyexecmem 2011-11-08 16:11:51.983047584 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-11-08 16:11:52.038047550 -0500
|
||||
@@ -63,16 +63,14 @@ interface(`unconfined_domain_noaudit',`
|
||||
allow $1 self:process execheap;
|
||||
')
|
||||
|
||||
- tunable_policy(`allow_execmem',`
|
||||
+ tunable_policy(`deny_execmem',`',`
|
||||
# Allow making anonymous memory executable, e.g.
|
||||
# for runtime-code generation or executable stack.
|
||||
allow $1 self:process execmem;
|
||||
')
|
||||
|
||||
tunable_policy(`allow_execstack',`
|
||||
- # Allow making the stack executable via mprotect;
|
||||
- # execstack implies execmem;
|
||||
- allow $1 self:process { execstack execmem };
|
||||
+ allow $1 self:process execstack;
|
||||
# auditallow $1 self:process execstack;
|
||||
')
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.denyexecmem serefpolicy-3.10.0/policy/modules/system/userdomain.if
|
||||
--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.denyexecmem 2011-11-08 16:11:51.986047581 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-08 16:11:52.041047550 -0500
|
||||
@@ -149,12 +149,12 @@ template(`userdom_base_user_template',`
|
||||
|
||||
systemd_dbus_chat_logind($1_usertype)
|
||||
|
||||
- tunable_policy(`allow_execmem',`
|
||||
+ tunable_policy(`deny_execmem',`', `
|
||||
# Allow loading DSOs that require executable stack.
|
||||
allow $1_t self:process execmem;
|
||||
')
|
||||
|
||||
- tunable_policy(`allow_execmem && allow_execstack',`
|
||||
+ tunable_policy(`allow_execstack',`
|
||||
# Allow making the stack executable via mprotect.
|
||||
allow $1_t self:process execstack;
|
||||
')
|
||||
diff -up serefpolicy-3.10.0/policy/modules/apps/mplayer.te~ serefpolicy-3.10.0/policy/modules/apps/mplayer.te
|
||||
diff -up serefpolicy-3.10.0/policy/modules/apps/sandbox.te~ serefpolicy-3.10.0/policy/modules/apps/sandbox.te
|
||||
--- serefpolicy-3.10.0/policy/modules/apps/sandbox.te~ 2011-11-08 16:12:17.701033064 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/apps/sandbox.te 2011-11-08 16:24:21.364582225 -0500
|
||||
@@ -40,7 +40,12 @@ files_type(sandbox_devpts_t)
|
||||
#
|
||||
# sandbox xserver policy
|
||||
#
|
||||
-allow sandbox_xserver_t self:process { execmem execstack };
|
||||
+allow sandbox_xserver_t self:process execstack;
|
||||
+
|
||||
+tunable_policy(`deny_execmem',`',`
|
||||
+ allow sandbox_xserver_t self:process execmem;
|
||||
+')
|
||||
+
|
||||
allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
|
||||
allow sandbox_xserver_t self:shm create_shm_perms;
|
||||
allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -119,7 +124,11 @@ optional_policy(`
|
||||
# sandbox local policy
|
||||
#
|
||||
|
||||
-allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
|
||||
+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
|
||||
+tunable_policy(`deny_execmem',`',`
|
||||
+ allow sandbox_domain self:process execmem;
|
||||
+')
|
||||
+
|
||||
allow sandbox_domain self:fifo_file manage_file_perms;
|
||||
allow sandbox_domain self:sem create_sem_perms;
|
||||
allow sandbox_domain self:shm create_shm_perms;
|
||||
@@ -168,7 +177,11 @@ mta_dontaudit_read_spool_symlinks(sandbo
|
||||
#
|
||||
# sandbox_x_domain local policy
|
||||
#
|
||||
-allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
|
||||
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
|
||||
+tunable_policy(`deny_execmem',`',`
|
||||
+ allow sandbox_x_domain self:process execmem;
|
||||
+')
|
||||
+
|
||||
allow sandbox_x_domain self:fifo_file manage_file_perms;
|
||||
allow sandbox_x_domain self:sem create_sem_perms;
|
||||
allow sandbox_x_domain self:shm create_shm_perms;
|
||||
diff -up serefpolicy-3.10.0/policy/modules/apps/thumb.te~ serefpolicy-3.10.0/policy/modules/apps/thumb.te
|
||||
--- serefpolicy-3.10.0/policy/modules/apps/thumb.te~ 2011-11-08 16:12:17.709033060 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/apps/thumb.te 2011-11-08 16:23:18.017395117 -0500
|
||||
@@ -19,7 +19,12 @@ ubac_constrained(thumb_tmp_t)
|
||||
# thumb local policy
|
||||
#
|
||||
|
||||
-allow thumb_t self:process { setsched signal setrlimit execmem };
|
||||
+allow thumb_t self:process { setsched signal setrlimit };
|
||||
+
|
||||
+tunable_policy(`deny_execmem',`',`
|
||||
+ allow thumb_t self:process execmem;
|
||||
+')
|
||||
+
|
||||
allow thumb_t self:fifo_file manage_fifo_file_perms;
|
||||
allow thumb_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
diff -up serefpolicy-3.10.0/policy/modules/roles/xguest.te~ serefpolicy-3.10.0/policy/modules/roles/xguest.te
|
||||
--- serefpolicy-3.10.0/policy/modules/roles/xguest.te~ 2011-11-08 16:12:18.349032697 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/roles/xguest.te 2011-11-08 16:21:44.303111563 -0500
|
||||
@@ -54,7 +54,6 @@ optional_policy(`
|
||||
mount_dontaudit_exec_fusermount(xguest_t)
|
||||
')
|
||||
|
||||
-allow xguest_t self:process execmem;
|
||||
kernel_dontaudit_request_load_module(xguest_t)
|
||||
|
||||
tunable_policy(`allow_execstack',`
|
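--- a/ephemeral.patch
+++ /dev/null
@@ -1,245 +0,0 @@
-diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 68929b9..3370160 100644
---- a/policy/modules/apps/mozilla.te
-+++ b/policy/modules/apps/mozilla.te
-@@ -116,6 +116,7 @@ corenet_tcp_sendrecv_http_cache_port(mozilla_t)
-corenet_tcp_sendrecv_squid_port(mozilla_t)
-corenet_tcp_connect_flash_port(mozilla_t)
-corenet_tcp_sendrecv_ftp_port(mozilla_t)
-+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
-corenet_tcp_sendrecv_ipp_port(mozilla_t)
-corenet_tcp_connect_http_port(mozilla_t)
-corenet_tcp_connect_http_cache_port(mozilla_t)
-diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
-index 31c02d2..f61ee10 100644
---- a/policy/modules/apps/sandbox.te
-+++ b/policy/modules/apps/sandbox.te
-@@ -382,6 +382,7 @@ corenet_tcp_connect_http_cache_port(sandbox_web_type)
-corenet_tcp_connect_squid_port(sandbox_web_type)
-corenet_tcp_connect_flash_port(sandbox_web_type)
-corenet_tcp_connect_ftp_port(sandbox_web_type)
-+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
-corenet_tcp_connect_ipp_port(sandbox_web_type)
-corenet_tcp_connect_streaming_port(sandbox_web_type)
-corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
-diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 5a41e58..54e4c81 100644
---- a/policy/modules/kernel/corenetwork.if.in
-+++ b/policy/modules/kernel/corenetwork.if.in
-@@ -2269,6 +2269,42 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
-
-########################################
-## <summary>
-+## Bind TCP sockets to all ports > 32768.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`corenet_tcp_bind_all_ephemeral_ports',`
-+ gen_require(`
-+ attribute ephemeral_port_type;
-+ ')
-+
-+ allow $1 ephemeral_port_type:tcp_socket name_bind;
-+')
-+
-+########################################
-+## <summary>
-+## Bind UDP sockets to all ports > 32768.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`corenet_udp_bind_all_ephemeral_ports',`
-+ gen_require(`
-+ attribute ephemeral_port_type;
-+ ')
-+
-+ allow $1 ephemeral_port_type:udp_socket name_bind;
-+')
-+
-+########################################
-+## <summary>
-## Connect DCCP sockets to reserved ports.
-## </summary>
-## <param name="domain">
-@@ -2341,6 +2377,24 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
-
-########################################
-## <summary>
-+## Connect TCP sockets to all ports > 32768.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`corenet_tcp_connect_all_ephemeral_ports',`
-+ gen_require(`
-+ attribute ephemeral_port_type;
-+ ')
-+
-+ allow $1 ephemeral_port_type:tcp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
-## Do not audit attempts to connect DCCP sockets
-## all reserved ports.
-## </summary>
-diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 5287f7a..f65fb75 100644
---- a/policy/modules/kernel/corenetwork.te.in
-+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -14,6 +14,7 @@ attribute port_type;
-attribute defined_port_type;
-attribute reserved_port_type;
-attribute unreserved_port_type;
-+attribute ephemeral_port_type;
-attribute rpc_port_type;
-attribute server_packet_type;
-
-@@ -66,11 +67,17 @@ type port_t, port_type;
-sid port gen_context(system_u:object_r:port_t,s0)
-
-#
--# port_t is the default type of INET port numbers.
-+# unreserved_port_t is the default type of port numbers > 1024 and non ephemeral
-#
-type unreserved_port_t, port_type, unreserved_port_type;
-
-#
-+# ephemeral_port_t is the default type of ephemeral port numbers.
-+# cat /proc/sys/net/ipv4/ip_local_port_range
-+#
-+type ephemeral_port_t, port_type, ephemeral_port_type;
-+
-+#
-# reserved_port_t is the type of INET port numbers below 1024.
-#
-type reserved_port_t, port_type, reserved_port_type;
-@@ -293,9 +300,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
-portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
-portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
-portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
--portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
--portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
--
-+portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
-+portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
-+portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
-########################################
-#
-# Network nodes
-diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
-index 49f27ca..e8acd10 100644
---- a/policy/modules/kernel/corenetwork.te.m4
-+++ b/policy/modules/kernel/corenetwork.te.m4
-@@ -81,7 +81,13 @@ declare_nodes($1_node_t,shift($*))
-define(`declare_ports',`dnl
-ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
-ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
--',`typeattribute $1 unreserved_port_type;')
-+',`
-+ifelse(eval(range_start($3) < 32768),1,`typeattribute $1 unreserved_port_type;',`
-+ ifelse(eval(range_start($3) > 61001),1,`typeattribute $1 unreserved_port_type;',`
-+ typeattribute $1 ephemeral_port_type;
-+ ')
-+ ')
-+')
-portcon $2 $3 gen_context(system_u:object_r:$1,$4)
-ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
-')
-diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 8596b90..9f37c11 100644
---- a/policy/modules/services/apache.te
-+++ b/policy/modules/services/apache.te
-@@ -137,6 +137,14 @@ gen_tunable(httpd_enable_ftp_server, false)
-
-## <desc>
-## <p>
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
-+## </p>
-+## </desc>
-+gen_tunable(httpd_can_connect_ftp, false)
-+
-+## <desc>
-+## <p>
-## Allow httpd to read home directories
-## </p>
-## </desc>
-@@ -583,6 +591,7 @@ tunable_policy(`httpd_can_network_relay',`
-corenet_sendrecv_http_client_packets(httpd_t)
-corenet_sendrecv_http_cache_client_packets(httpd_t)
-corenet_sendrecv_squid_client_packets(httpd_t)
-+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
-')
-
-tunable_policy(`httpd_execmem',`
-@@ -621,8 +630,14 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
-manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
-')
-
-+tunable_policy(`httpd_can_connect_ftp',`
-+ corenet_tcp_connect_ftp_port(httpd_t)
-+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
-+')
-+
-tunable_policy(`httpd_enable_ftp_server',`
-corenet_tcp_bind_ftp_port(httpd_t)
-+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
-')
-
-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
-diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 2607914..cb33e76 100644
---- a/policy/modules/services/cobbler.te
-+++ b/policy/modules/services/cobbler.te
-@@ -110,6 +110,7 @@ corenet_tcp_sendrecv_generic_port(cobblerd_t)
-corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
-# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
-corenet_tcp_connect_ftp_port(cobblerd_t)
-+corenet_tcp_connect_all_ephemeral_ports(cobblerd_t)
-corenet_tcp_sendrecv_ftp_port(cobblerd_t)
-corenet_sendrecv_ftp_client_packets(cobblerd_t)
-corenet_tcp_connect_http_port(cobblerd_t)
-diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 9a1355e..f807210 100644
---- a/policy/modules/services/ftp.te
-+++ b/policy/modules/services/ftp.te
-@@ -218,9 +218,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
-corenet_tcp_bind_ftp_port(ftpd_t)
-corenet_tcp_bind_ftp_data_port(ftpd_t)
-corenet_tcp_bind_generic_port(ftpd_t)
--corenet_tcp_bind_all_unreserved_ports(ftpd_t)
--corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
--corenet_tcp_connect_all_ports(ftpd_t)
-+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
-+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
-corenet_sendrecv_ftp_server_packets(ftpd_t)
-
-domain_use_interactive_fds(ftpd_t)
-diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
-index 1b9893a..a8eaa4d 100644
---- a/policy/modules/services/mock.te
-+++ b/policy/modules/services/mock.te
-@@ -87,7 +87,7 @@ corecmd_dontaudit_exec_all_executables(mock_t)
-
-corenet_tcp_connect_http_port(mock_t)
-corenet_tcp_connect_ftp_port(mock_t)
--corenet_tcp_connect_all_unreserved_ports(mock_t)
-+corenet_tcp_connect_all_ephemeral_ports(mock_t)
-
-dev_read_urand(mock_t)
-dev_read_sysfs(mock_t)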
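--- a/execmem.patch
+++ /dev/null
@@ -1,377 +0,0 @@
-diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index ec838bd..5d940f8 100644
---- a/policy/modules/admin/prelink.te
-+++ b/policy/modules/admin/prelink.te
-@@ -126,7 +126,7 @@ optional_policy(`
-')
-
-optional_policy(`
-- nsplugin_manage_rw_files(prelink_t)
-+ mozilla_plugin_manage_rw_files(prelink_t)
-')
-
-optional_policy(`
-diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 35b51ab..800b5c8 100644
---- a/policy/modules/apps/mozilla.fc
-+++ b/policy/modules/apps/mozilla.fc
-@@ -4,6 +4,11 @@ HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-
-#
-# /bin
-@@ -15,6 +20,9 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-
-#
-# /lib
-@@ -27,4 +35,9 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+
-/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-+
-+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
-+
-+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
-diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index b9b8ac2..aa15d05 100644
---- a/policy/modules/apps/mozilla.if
-+++ b/policy/modules/apps/mozilla.if
-@@ -208,10 +208,12 @@ interface(`mozilla_domtrans',`
-interface(`mozilla_domtrans_plugin',`
-gen_require(`
-type mozilla_plugin_t, mozilla_plugin_exec_t;
-+ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
-class dbus send_msg;
-')
-
-domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
-+ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
-allow mozilla_plugin_t $1:process signull;
-allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
-allow $1 mozilla_plugin_t:fd use;
-@@ -247,6 +249,7 @@ interface(`mozilla_run_plugin',`
-
-mozilla_domtrans_plugin($1)
-role $2 types mozilla_plugin_t;
-+ role $2 types mozilla_plugin_config_t;
-')
-
-#######################################
-@@ -266,6 +269,7 @@ interface(`mozilla_role_plugin',`
-')
-
-role $1 types mozilla_plugin_t;
-+ role $1 types mozilla_plugin_config_t;
-')
-
-########################################
-@@ -360,3 +364,23 @@ interface(`mozilla_plugin_dontaudit_leaks',`
-
-dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
-')
-+
-+########################################
-+## <summary>
-+## Create, read, write, and delete
-+## mozilla_plugin rw files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`mozilla_plugin_manage_rw_files',`
-+ gen_require(`
-+ type mozilla_plugin_rw_t;
-+ ')
-+
-+ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
-+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
-+')
-diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 75d0b62..344f2e4 100644
---- a/policy/modules/apps/mozilla.te
-+++ b/policy/modules/apps/mozilla.te
-@@ -23,7 +23,7 @@ type mozilla_conf_t;
-files_config_file(mozilla_conf_t)
-
-type mozilla_home_t;
--typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
-+typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t nsplugin_home_t };
-typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-files_poly_member(mozilla_home_t)
-userdom_user_home_content(mozilla_home_t)
-@@ -43,6 +43,13 @@ userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
-files_tmpfs_file(mozilla_plugin_tmpfs_t)
-ubac_constrained(mozilla_plugin_tmpfs_t)
-
-+type mozilla_plugin_rw_t alias nsplugin_rw_t;
-+files_type(mozilla_plugin_rw_t)
-+
-+type mozilla_plugin_config_t;
-+type mozilla_plugin_config_exec_t;
-+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
-+
-type mozilla_tmp_t;
-files_tmp_file(mozilla_tmp_t)
-ubac_constrained(mozilla_tmp_t)
-@@ -280,11 +287,6 @@ optional_policy(`
-')
-
-optional_policy(`
-- nsplugin_manage_rw(mozilla_t)
-- nsplugin_manage_home_files(mozilla_t)
--')
--
--optional_policy(`
-pulseaudio_exec(mozilla_t)
-pulseaudio_stream_connect(mozilla_t)
-pulseaudio_manage_home_files(mozilla_t)
-@@ -330,6 +332,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
-manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
-
-+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+
-can_exec(mozilla_plugin_t, mozilla_exec_t)
-
-kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -452,17 +458,6 @@ optional_policy(`
-')
-
-optional_policy(`
-- nsplugin_domtrans(mozilla_plugin_t)
-- nsplugin_rw_exec(mozilla_plugin_t)
-- nsplugin_manage_home_dirs(mozilla_plugin_t)
-- nsplugin_manage_home_files(mozilla_plugin_t)
-- nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
-- nsplugin_user_home_filetrans(mozilla_plugin_t, file)
-- nsplugin_read_rw_files(mozilla_plugin_t);
-- nsplugin_signal(mozilla_plugin_t)
--')
--
--optional_policy(`
-pulseaudio_exec(mozilla_plugin_t)
-pulseaudio_stream_connect(mozilla_plugin_t)
-pulseaudio_setattr_home_dir(mozilla_plugin_t)
-@@ -491,3 +486,61 @@ optional_policy(`
-xserver_append_xdm_home_files(mozilla_plugin_t);
-')
-
-+########################################
-+#
-+# mozilla_plugin_config local policy
-+#
-+
-+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem };
-+
-+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
-+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
-+
-+dev_search_sysfs(mozilla_plugin_config_t)
-+dev_read_urand(mozilla_plugin_config_t)
-+dev_dontaudit_read_rand(mozilla_plugin_config_t)
-+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
-+
-+fs_search_auto_mountpoints(mozilla_plugin_config_t)
-+fs_list_inotifyfs(mozilla_plugin_config_t)
-+
-+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
-+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+
-+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
-+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
-+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
-+
-+corecmd_exec_bin(mozilla_plugin_config_t)
-+corecmd_exec_shell(mozilla_plugin_config_t)
-+
-+kernel_read_system_state(mozilla_plugin_config_t)
-+kernel_request_load_module(mozilla_plugin_config_t)
-+
-+domain_use_interactive_fds(mozilla_plugin_config_t)
-+
-+files_read_etc_files(mozilla_plugin_config_t)
-+files_read_usr_files(mozilla_plugin_config_t)
-+files_dontaudit_search_home(mozilla_plugin_config_t)
-+files_list_tmp(mozilla_plugin_config_t)
-+
-+auth_use_nsswitch(mozilla_plugin_config_t)
-+
-+miscfiles_read_localization(mozilla_plugin_config_t)
-+miscfiles_read_fonts(mozilla_plugin_config_t)
-+
-+userdom_search_user_home_content(mozilla_plugin_config_t)
-+userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
-+userdom_read_user_home_content_files(mozilla_plugin_config_t)
-+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
-+
-+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
-+
-+optional_policy(`
-+ xserver_use_user_fonts(mozilla_plugin_config_t)
-+')
-diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 39b1056..cc3f02e 100644
---- a/policy/modules/kernel/devices.if
-+++ b/policy/modules/kernel/devices.if
-@@ -4176,6 +4176,30 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
-
-########################################
-## <summary>
-+## Read cpu online hardware state information.
-+## </summary>
-+## <desc>
-+## <p>
-+## Allow the specified domain to read /sys/devices/system/cpu/online file.
-+## </p>
-+## </desc>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_read_cpu_online',`
-+ gen_require(`
-+ type cpu_online_t;
-+ ')
-+
-+ dev_search_sysfs($1)
-+ read_files_pattern($1, cpu_online_t, cpu_online_t)
-+')
-+
-+########################################
-+## <summary>
-## Read hardware state information.
-## </summary>
-## <desc>
-diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 1c2562c..112bebb 100644
---- a/policy/modules/kernel/devices.te
-+++ b/policy/modules/kernel/devices.te
-@@ -225,6 +225,10 @@ files_mountpoint(sysfs_t)
-fs_type(sysfs_t)
-genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
-
-+type cpu_online_t;
-+allow cpu_online_t sysfs_t:filesystem associate;
-+genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
-+
-#
-# Type for /dev/tpm
-#
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index f9a1bcc..a478431 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -115,6 +115,7 @@ kernel_dontaudit_search_debugfs(domain)
-allow domain self:process { fork getsched sigchld };
-
-# Use trusted objects in /dev
-+dev_read_cpu_online(domain)
-dev_rw_null(domain)
-dev_rw_zero(domain)
-term_use_controlling_term(domain)
-diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
-index 11ad8fb..35524d6 100644
---- a/policy/modules/roles/unconfineduser.te
-+++ b/policy/modules/roles/unconfineduser.te
-@@ -8,13 +8,6 @@ attribute unconfined_login_domain;
-
-## <desc>
-## <p>
--## allow unconfined users to transition to the nsplugin domains when running nspluginviewer
--## </p>
--## </desc>
--gen_tunable(allow_unconfined_nsplugin_transition, false)
--
--## <desc>
--## <p>
-## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-## </p>
-## </desc>
-@@ -128,14 +121,6 @@ optional_policy(`
-attribute unconfined_usertype;
-')
-
-- nsplugin_role_notrans(unconfined_r, unconfined_usertype)
-- optional_policy(`
-- tunable_policy(`allow_unconfined_nsplugin_transition',`
-- nsplugin_domtrans(unconfined_usertype)
-- nsplugin_domtrans_config(unconfined_usertype)
-- ')
-- ')
--
-optional_policy(`
-abrt_dbus_chat(unconfined_usertype)
-abrt_run_helper(unconfined_usertype, unconfined_r)
-diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index 6f176f9..0258e24 100644
---- a/policy/modules/roles/xguest.te
-+++ b/policy/modules/roles/xguest.te
-@@ -117,10 +117,6 @@ optional_policy(`
-')
-
-optional_policy(`
-- nsplugin_role(xguest_r, xguest_t)
--')
--
--optional_policy(`
-pcscd_read_pub_files(xguest_usertype)
-pcscd_stream_connect(xguest_usertype)
-')
-diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index d5a9038..a1cbdb4 100644
---- a/policy/modules/services/abrt.te
-+++ b/policy/modules/services/abrt.te
-@@ -208,11 +208,6 @@ optional_policy(`
-')
-
-optional_policy(`
-- nsplugin_read_rw_files(abrt_t)
-- nsplugin_read_home(abrt_t)
--')
--
--optional_policy(`
-policykit_dbus_chat(abrt_t)
-policykit_domtrans_auth(abrt_t)
-policykit_read_lib(abrt_t)
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 0b3811d..0281618 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -787,10 +787,6 @@ template(`userdom_common_user_template',`
-')
-
-optional_policy(`
-- nsplugin_role($1_r, $1_usertype)
-- ')
--
-- optional_policy(`
-tunable_policy(`allow_user_mysql_connect',`
-mysql_stream_connect($1_t)
-')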
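--- a/grub.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..e117271 100644
---- a/policy/modules/admin/bootloader.fc
-+++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,11 @@
--
-+/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-
--/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/installkernel -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/new-kernel-pkg -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-
-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
-index f95087c..e7d705e 100644
---- a/policy/modules/admin/permissivedomains.te
-+++ b/policy/modules/admin/permissivedomains.te
-@@ -2,6 +2,14 @@
-
-optional_policy(`
-gen_require(`
-+ type bootloader_t;
-+ ')
-+
-+ permissive bootloader_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-type systemd_logger_t;
-')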
393
passwd.patch
393
passwd.patch
@ -1,393 +0,0 @@
|
||||
diff -up serefpolicy-3.10.0/policy/modules/admin/mcelog.te.passwd serefpolicy-3.10.0/policy/modules/admin/mcelog.te
|
||||
--- serefpolicy-3.10.0/policy/modules/admin/mcelog.te.passwd 2011-10-21 09:57:41.024059743 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/admin/mcelog.te 2011-10-21 09:57:41.523059314 -0400
|
||||
@@ -45,6 +45,8 @@ files_read_etc_files(mcelog_t)
|
||||
# for /dev/mem access
|
||||
mls_file_read_all_levels(mcelog_t)
|
||||
|
||||
+auth_read_passwd(mcelog_t)
|
||||
+
|
||||
logging_send_syslog_msg(mcelog_t)
|
||||
|
||||
miscfiles_read_localization(mcelog_t)
|
||||
diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.passwd serefpolicy-3.10.0/policy/modules/admin/usermanage.te
|
||||
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.passwd 2011-10-21 09:57:41.053059719 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-21 09:58:51.127999915 -0400
|
||||
@@ -91,6 +91,7 @@ fs_search_auto_mountpoints(chfn_t)
|
||||
dev_read_urand(chfn_t)
|
||||
dev_dontaudit_getattr_all(chfn_t)
|
||||
|
||||
+auth_manage_passwd(chfn_t)
|
||||
auth_use_pam(chfn_t)
|
||||
|
||||
# allow checking if a shell is executable
|
||||
@@ -98,7 +99,6 @@ corecmd_check_exec_shell(chfn_t)
|
||||
|
||||
domain_use_interactive_fds(chfn_t)
|
||||
|
||||
-files_manage_etc_files(chfn_t)
|
||||
files_read_etc_runtime_files(chfn_t)
|
||||
files_dontaudit_search_var(chfn_t)
|
||||
files_dontaudit_search_home(chfn_t)
|
||||
@@ -209,8 +209,8 @@ init_dontaudit_write_utmp(groupadd_t)
|
||||
|
||||
domain_use_interactive_fds(groupadd_t)
|
||||
|
||||
-files_manage_etc_files(groupadd_t)
|
||||
files_relabel_etc_files(groupadd_t)
|
||||
+files_read_etc_files(groupadd_t)
|
||||
files_read_etc_runtime_files(groupadd_t)
|
||||
files_read_usr_symlinks(groupadd_t)
|
||||
|
||||
@@ -225,9 +225,10 @@ miscfiles_read_localization(groupadd_t)
|
||||
auth_domtrans_chk_passwd(groupadd_t)
|
||||
auth_rw_lastlog(groupadd_t)
|
||||
auth_use_nsswitch(groupadd_t)
|
||||
+auth_manage_passwd(groupadd_t)
|
||||
+auth_manage_shadow(groupadd_t)
|
||||
# these may be unnecessary due to the above
|
||||
# domtrans_chk_passwd() call.
|
||||
-auth_manage_shadow(groupadd_t)
|
||||
auth_relabel_shadow(groupadd_t)
|
||||
auth_etc_filetrans_shadow(groupadd_t)
|
||||
|
||||
@@ -301,6 +302,7 @@ selinux_compute_user_contexts(passwd_t)
|
||||
term_use_all_inherited_terms(passwd_t)
|
||||
term_getattr_all_ptys(passwd_t)
|
||||
|
||||
+auth_manage_passwd(passwd_t)
|
||||
auth_manage_shadow(passwd_t)
|
||||
auth_relabel_shadow(passwd_t)
|
||||
auth_etc_filetrans_shadow(passwd_t)
|
||||
@@ -315,7 +317,6 @@ corenet_tcp_connect_kerberos_password_po
|
||||
domain_use_interactive_fds(passwd_t)
|
||||
|
||||
files_read_etc_runtime_files(passwd_t)
|
||||
-files_manage_etc_files(passwd_t)
|
||||
files_search_var(passwd_t)
|
||||
files_dontaudit_search_pids(passwd_t)
|
||||
files_relabel_etc_files(passwd_t)
|
||||
@@ -396,6 +397,7 @@ fs_search_auto_mountpoints(sysadm_passwd
|
||||
term_use_all_inherited_terms(sysadm_passwd_t)
|
||||
term_getattr_all_ptys(sysadm_passwd_t)
|
||||
|
||||
+auth_manage_passwd(sysadm_passwd_t)
|
||||
auth_manage_shadow(sysadm_passwd_t)
|
||||
auth_relabel_shadow(sysadm_passwd_t)
|
||||
auth_etc_filetrans_shadow(sysadm_passwd_t)
|
||||
@@ -408,7 +410,6 @@ files_read_usr_files(sysadm_passwd_t)
|
||||
|
||||
domain_use_interactive_fds(sysadm_passwd_t)
|
||||
|
||||
-files_manage_etc_files(sysadm_passwd_t)
|
||||
files_relabel_etc_files(sysadm_passwd_t)
|
||||
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||
# for nscd lookups
|
||||
@@ -467,7 +468,6 @@ domain_use_interactive_fds(useradd_t)
|
||||
domain_read_all_domains_state(useradd_t)
|
||||
domain_dontaudit_read_all_domains_state(useradd_t)
|
||||
|
||||
-files_manage_etc_files(useradd_t)
|
||||
files_search_var_lib(useradd_t)
|
||||
files_relabel_etc_files(useradd_t)
|
||||
files_read_etc_runtime_files(useradd_t)
|
||||
@@ -495,6 +495,7 @@ auth_rw_faillog(useradd_t)
|
||||
auth_use_nsswitch(useradd_t)
|
||||
# these may be unnecessary due to the above
|
||||
# domtrans_chk_passwd() call.
|
||||
+auth_manage_passwd(useradd_t)
|
||||
auth_manage_shadow(useradd_t)
|
||||
auth_relabel_shadow(useradd_t)
|
||||
auth_etc_filetrans_shadow(useradd_t)
|
||||
diff -up serefpolicy-3.10.0/policy/modules/apps/loadkeys.te.passwd serefpolicy-3.10.0/policy/modules/apps/loadkeys.te
|
||||
--- serefpolicy-3.10.0/policy/modules/apps/loadkeys.te.passwd 2011-10-21 09:57:41.074059700 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/apps/loadkeys.te 2011-10-21 09:57:41.525059314 -0400
|
||||
@@ -31,6 +31,8 @@ files_read_etc_runtime_files(loadkeys_t)
|
||||
term_dontaudit_use_console(loadkeys_t)
|
||||
term_use_unallocated_ttys(loadkeys_t)
|
||||
|
||||
+auth_read_passwd(loadkeys_t)
|
||||
+
|
||||
init_dontaudit_use_fds(loadkeys_t)
|
||||
init_dontaudit_use_script_ptys(loadkeys_t)
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/abrt.te.passwd serefpolicy-3.10.0/policy/modules/services/abrt.te
|
||||
--- serefpolicy-3.10.0/policy/modules/services/abrt.te.passwd 2011-10-21 09:57:41.146059638 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/abrt.te 2011-10-21 09:57:41.527059312 -0400
|
||||
@@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file
|
||||
allow abrt_t self:tcp_socket create_stream_socket_perms;
|
||||
allow abrt_t self:udp_socket create_socket_perms;
|
||||
allow abrt_t self:unix_dgram_socket create_socket_perms;
|
||||
-allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# abrt etc files
|
||||
list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
|
||||
@@ -186,10 +185,10 @@ fs_read_nfs_files(abrt_t)
|
||||
fs_read_nfs_symlinks(abrt_t)
|
||||
fs_search_all(abrt_t)
|
||||
|
||||
-sysnet_dns_name_resolve(abrt_t)
|
||||
-
|
||||
logging_read_generic_logs(abrt_t)
|
||||
|
||||
+auth_use_nsswitch(abrt_t)
|
||||
+
|
||||
miscfiles_read_generic_certs(abrt_t)
|
||||
|
||||
userdom_dontaudit_read_user_home_content_files(abrt_t)
|
||||
@@ -209,10 +208,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nis_use_ypbind(abrt_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
nsplugin_read_rw_files(abrt_t)
|
||||
nsplugin_read_home(abrt_t)
|
||||
')
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/audioentropy.te.passwd serefpolicy-3.10.0/policy/modules/services/audioentropy.te
|
||||
--- serefpolicy-3.10.0/policy/modules/services/audioentropy.te.passwd 2011-06-27 14:18:04.000000000 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/audioentropy.te 2011-10-21 09:57:41.528059311 -0400
|
||||
@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t)
|
||||
|
||||
domain_use_interactive_fds(entropyd_t)
|
||||
|
||||
+auth_read_passwd(entropyd_t)
|
||||
+
|
||||
logging_send_syslog_msg(entropyd_t)
|
||||
|
||||
miscfiles_read_localization(entropyd_t)
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.te.passwd serefpolicy-3.10.0/policy/modules/services/plymouthd.te
|
||||
--- serefpolicy-3.10.0/policy/modules/services/plymouthd.te.passwd 2011-10-21 09:57:41.332059479 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/plymouthd.te 2011-10-21 09:57:41.530059309 -0400
|
||||
@@ -75,6 +75,8 @@ init_signal(plymouthd_t)
|
||||
logging_link_generic_logs(plymouthd_t)
|
||||
logging_delete_generic_logs(plymouthd_t)
|
||||
|
||||
+auth_read_passwd(plymouthd_t)
|
||||
+
|
||||
miscfiles_read_localization(plymouthd_t)
|
||||
miscfiles_read_fonts(plymouthd_t)
|
||||
miscfiles_manage_fonts_cache(plymouthd_t)
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.passwd serefpolicy-3.10.0/policy/modules/services/virt.te
|
||||
--- serefpolicy-3.10.0/policy/modules/services/virt.te.passwd 2011-10-21 09:57:41.435059390 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/virt.te 2011-10-21 09:57:41.533059306 -0400
|
||||
@@ -888,6 +888,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
|
||||
fs_list_inotifyfs(svirt_lxc_domain)
|
||||
fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
|
||||
|
||||
+auth_dontaudit_read_passwd(svirt_lxc_domain)
|
||||
auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||
auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||
auth_search_pam_console_data(svirt_lxc_domain)
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/authlogin.fc.passwd serefpolicy-3.10.0/policy/modules/system/authlogin.fc
|
||||
--- serefpolicy-3.10.0/policy/modules/system/authlogin.fc.passwd 2011-10-21 09:57:41.451059376 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/authlogin.fc 2011-10-21 09:57:41.534059305 -0400
|
||||
@@ -7,6 +7,9 @@
|
||||
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
+/etc/passwd-? -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
+/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
+/etc/group-? -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
|
||||
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
|
||||
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/authlogin.if.passwd serefpolicy-3.10.0/policy/modules/system/authlogin.if
|
||||
--- serefpolicy-3.10.0/policy/modules/system/authlogin.if.passwd 2011-10-21 09:57:41.452059376 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/authlogin.if 2011-10-21 09:57:41.535059304 -0400
|
||||
@@ -561,7 +561,6 @@ interface(`auth_domtrans_upd_passwd',`
|
||||
|
||||
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
|
||||
auth_dontaudit_read_shadow($1)
|
||||
-
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -758,6 +757,10 @@ interface(`auth_manage_shadow',`
|
||||
|
||||
allow $1 shadow_t:file manage_file_perms;
|
||||
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||
+ files_var_filetrans($1, shadow_t, file, "shadow")
|
||||
+ files_var_filetrans($1, shadow_t, file, "shadow-")
|
||||
+ files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
|
||||
+ files_etc_filetrans($1, shadow_t, file, "gshadow")
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -898,6 +901,9 @@ interface(`auth_manage_faillog',`
|
||||
files_search_pids($1)
|
||||
allow $1 faillog_t:dir manage_dir_perms;
|
||||
allow $1 faillog_t:file manage_file_perms;
|
||||
+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
|
||||
+ logging_log_named_filetrans($1, faillog_t, file, "faillog")
|
||||
+ logging_log_named_filetrans($1, faillog_t, file, "btmp")
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -1738,6 +1744,7 @@ interface(`auth_manage_login_records',`
|
||||
|
||||
logging_rw_generic_log_dirs($1)
|
||||
allow $1 wtmp_t:file manage_file_perms;
|
||||
+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1813,19 +1820,123 @@ interface(`auth_unconfined',`
|
||||
interface(`authlogin_filetrans_named_content',`
|
||||
gen_require(`
|
||||
type shadow_t;
|
||||
+ type passwd_file_t;
|
||||
type faillog_t;
|
||||
type wtmp_t;
|
||||
')
|
||||
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "group")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "group-")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
|
||||
files_etc_filetrans($1, shadow_t, file, "shadow")
|
||||
files_etc_filetrans($1, shadow_t, file, "shadow-")
|
||||
files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
|
||||
files_etc_filetrans($1, shadow_t, file, "gshadow")
|
||||
- files_var_filetrans($1, shadow_t, file, "shadow")
|
||||
- files_var_filetrans($1, shadow_t, file, "shadow-")
|
||||
logging_log_named_filetrans($1, faillog_t, file, "tallylog")
|
||||
logging_log_named_filetrans($1, faillog_t, file, "faillog")
|
||||
logging_log_named_filetrans($1, faillog_t, file, "btmp")
|
||||
files_pid_filetrans($1, faillog_t, file, "faillog")
|
||||
logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Get the attributes of the passwd passwords file.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`auth_getattr_passwd',`
|
||||
+ gen_require(`
|
||||
+ type passwd_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_etc($1)
|
||||
+ allow $1 passwd_file_t:file getattr;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to get the attributes
|
||||
+## of the passwd passwords file.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`auth_dontaudit_getattr_passwd',`
|
||||
+ gen_require(`
|
||||
+ type passwd_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 passwd_file_t:file getattr;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read the passwd passwords file (/etc/passwd)
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`auth_read_passwd',`
|
||||
+ gen_require(`
|
||||
+ type passwd_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 passwd_file_t:file read_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to read the passwd
|
||||
+## password file (/etc/passwd).
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`auth_dontaudit_read_passwd',`
|
||||
+ gen_require(`
|
||||
+ type passwd_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 passwd_file_t:file read_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete the passwd
|
||||
+## password file.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`auth_manage_passwd',`
|
||||
+ gen_require(`
|
||||
+ type passwd_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_rw_etc_dirs($1)
|
||||
+ allow $1 passwd_file_t:file manage_file_perms;
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "group")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "group-")
|
||||
+')
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/authlogin.te.passwd serefpolicy-3.10.0/policy/modules/system/authlogin.te
|
||||
--- serefpolicy-3.10.0/policy/modules/system/authlogin.te.passwd 2011-10-21 09:57:41.453059375 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/authlogin.te 2011-10-21 09:57:41.536059303 -0400
|
||||
@@ -71,6 +71,9 @@ neverallow ~can_read_shadow_passwords sh
|
||||
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
||||
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
||||
|
||||
+type passwd_file_t;
|
||||
+files_type(passwd_file_t)
|
||||
+
|
||||
type updpwd_t;
|
||||
type updpwd_exec_t;
|
||||
domain_type(updpwd_t)
|
||||
@@ -350,6 +353,7 @@ kernel_read_system_state(updpwd_t)
|
||||
dev_read_urand(updpwd_t)
|
||||
|
||||
files_manage_etc_files(updpwd_t)
|
||||
+auth_manage_passwd(updpwd_t)
|
||||
|
||||
term_dontaudit_use_console(updpwd_t)
|
||||
term_dontaudit_use_unallocated_ttys(updpwd_t)
|
||||
@@ -422,6 +426,9 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
+
|
||||
+auth_read_passwd(nsswitch_domain)
|
||||
+
|
||||
# read /etc/nsswitch.conf
|
||||
files_read_etc_files(nsswitch_domain)
|
||||
|
154697
policy-F16.patch
File diff suppressed because it is too large
@ -1,351 +0,0 @@
|
||||
diff -up serefpolicy-3.10.0/policy/modules/kernel/devices.if.systemd serefpolicy-3.10.0/policy/modules/kernel/devices.if
|
||||
--- serefpolicy-3.10.0/policy/modules/kernel/devices.if.systemd 2012-01-13 12:21:08.578666030 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/kernel/devices.if 2012-01-13 12:21:08.678669095 -0500
|
||||
@@ -143,13 +143,13 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||
type device_t;
|
||||
')
|
||||
|
||||
- relabelfrom_dirs_pattern($1, device_t, device_node)
|
||||
- relabelfrom_files_pattern($1, device_t, device_node)
|
||||
- relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
|
||||
- relabel_fifo_files_pattern($1, device_t, { device_t device_node })
|
||||
- relabel_sock_files_pattern($1, device_t, { device_t device_node })
|
||||
- relabel_blk_files_pattern($1, device_t, { device_t device_node })
|
||||
- relabel_chr_files_pattern($1, device_t, { device_t device_node })
|
||||
+ relabel_dirs_pattern($1, device_t, device_node)
|
||||
+ relabel_files_pattern($1, device_t, device_node)
|
||||
+ relabel_lnk_files_pattern($1, device_t, device_node)
|
||||
+ relabel_fifo_files_pattern($1, device_t, device_node)
|
||||
+ relabel_sock_files_pattern($1, device_t, device_node)
|
||||
+ relabel_blk_files_pattern($1, device_t, device_node)
|
||||
+ relabel_chr_files_pattern($1, device_t, device_node)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4201,6 +4201,27 @@ interface(`dev_read_cpu_online',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Relabel cpu online hardware state information.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_relabel_cpu_online',`
|
||||
+ gen_require(`
|
||||
+ type cpu_online_t;
|
||||
+ type sysfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ dev_search_sysfs($1)
|
||||
+ allow $1 cpu_online_t:file relabel;
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read hardware state information.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -4269,6 +4290,26 @@ interface(`dev_relabel_sysfs_dirs',`
|
||||
')
|
||||
|
||||
########################################
|
||||
+## <summary>
|
||||
+## Relabel hardware state files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_relabel_all_sysfs',`
|
||||
+ gen_require(`
|
||||
+ type sysfs_t;
|
||||
+ ')
|
||||
+
|
||||
+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
|
||||
+ relabel_files_pattern($1, sysfs_t, sysfs_t)
|
||||
+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
## <summary>
|
||||
## Allow caller to modify hardware state information.
|
||||
## </summary>
|
||||
diff -up serefpolicy-3.10.0/policy/modules/roles/staff.te.systemd serefpolicy-3.10.0/policy/modules/roles/staff.te
|
||||
--- serefpolicy-3.10.0/policy/modules/roles/staff.te.systemd 2012-01-13 12:21:08.586666274 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/roles/staff.te 2012-01-13 12:21:08.678669095 -0500
|
||||
@@ -70,6 +70,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ bluetooth_role(staff_r, staff_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
dbadm_role_change(staff_r)
|
||||
')
|
||||
|
||||
@@ -238,10 +242,6 @@ ifndef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- bluetooth_role(staff_r, staff_t)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
cdrecord_role(staff_r, staff_t)
|
||||
')
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.systemd serefpolicy-3.10.0/policy/modules/roles/unprivuser.te
|
||||
--- serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.systemd 2012-01-13 12:21:08.586666274 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/roles/unprivuser.te 2012-01-13 12:21:08.678669095 -0500
|
||||
@@ -35,6 +35,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ bluetooth_role(user_r, user_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
colord_dbus_chat(user_t)
|
||||
')
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/apache.fc.systemd serefpolicy-3.10.0/policy/modules/services/apache.fc
|
||||
--- serefpolicy-3.10.0/policy/modules/services/apache.fc.systemd 2012-01-13 12:21:08.589666367 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/apache.fc 2012-01-13 12:21:08.678669095 -0500
|
||||
@@ -140,6 +140,8 @@ ifdef(`distro_debian', `
|
||||
|
||||
/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
|
||||
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
+
|
||||
/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/blueman.te.systemd serefpolicy-3.10.0/policy/modules/services/blueman.te
|
||||
--- serefpolicy-3.10.0/policy/modules/services/blueman.te.systemd 2012-01-13 12:21:08.594666519 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/blueman.te 2012-01-13 12:21:08.679669126 -0500
|
||||
@@ -36,3 +36,7 @@ miscfiles_read_localization(blueman_t)
|
||||
optional_policy(`
|
||||
avahi_domtrans(blueman_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_search_gconf(blueman_t)
|
||||
+')
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/entropyd.te.systemd serefpolicy-3.10.0/policy/modules/services/entropyd.te
|
||||
--- serefpolicy-3.10.0/policy/modules/services/entropyd.te.systemd 2012-01-13 12:21:08.609666980 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/entropyd.te 2012-01-13 12:21:08.679669126 -0500
|
||||
@@ -52,6 +52,8 @@ domain_use_interactive_fds(entropyd_t)
|
||||
|
||||
logging_send_syslog_msg(entropyd_t)
|
||||
|
||||
+auth_use_nsswitch(entropyd_t)
|
||||
+
|
||||
miscfiles_read_localization(entropyd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/virt.fc.systemd serefpolicy-3.10.0/policy/modules/services/virt.fc
|
||||
--- serefpolicy-3.10.0/policy/modules/services/virt.fc.systemd 2012-01-13 12:21:08.653668329 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/virt.fc 2012-01-13 12:21:08.679669126 -0500
|
||||
@@ -49,3 +49,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_
|
||||
|
||||
# support for nova-stack
|
||||
/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
||||
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
||||
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
||||
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/init.te.systemd serefpolicy-3.10.0/policy/modules/system/init.te
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/logging.fc.systemd serefpolicy-3.10.0/policy/modules/system/logging.fc
|
||||
--- serefpolicy-3.10.0/policy/modules/system/logging.fc.systemd 2012-01-13 12:21:08.664668666 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/logging.fc 2012-01-13 12:21:11.123743804 -0500
|
||||
@@ -61,6 +61,7 @@ ifdef(`distro_suse', `
|
||||
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
|
||||
/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
|
||||
+/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
|
||||
|
||||
ifndef(`distro_gentoo',`
|
||||
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/logging.te.systemd serefpolicy-3.10.0/policy/modules/system/logging.te
|
||||
--- serefpolicy-3.10.0/policy/modules/system/logging.te.systemd 2012-01-13 12:21:08.665668696 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/logging.te 2012-01-13 12:21:11.123743804 -0500
|
||||
@@ -386,7 +386,7 @@ optional_policy(`
|
||||
# chown fsetid for syslog-ng
|
||||
# sys_admin for the integrated klog of syslog-ng and metalog
|
||||
# cjp: why net_admin!
|
||||
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid };
|
||||
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
|
||||
dontaudit syslogd_t self:capability sys_tty_config;
|
||||
allow syslogd_t self:capability2 syslog;
|
||||
# setpgid for metalog
|
||||
@@ -474,6 +474,7 @@ tunable_policy(`logging_syslogd_can_send
|
||||
dev_filetrans(syslogd_t, devlog_t, sock_file)
|
||||
dev_read_sysfs(syslogd_t)
|
||||
dev_read_rand(syslogd_t)
|
||||
+dev_read_urand(syslogd_t)
|
||||
# relating to systemd-kmsg-syslogd
|
||||
dev_write_kmsg(syslogd_t)
|
||||
|
||||
@@ -497,6 +498,7 @@ mls_file_write_all_levels(syslogd_t) # N
|
||||
term_write_console(syslogd_t)
|
||||
# Allow syslog to a terminal
|
||||
term_write_unallocated_ttys(syslogd_t)
|
||||
+term_use_generic_ptys(syslogd_t)
|
||||
|
||||
init_stream_connect(syslogd_t)
|
||||
# for sending messages to logged in users
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.systemd serefpolicy-3.10.0/policy/modules/system/sysnetwork.te
|
||||
--- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.systemd 2012-01-13 12:21:08.669668819 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te 2012-01-13 12:21:11.124743834 -0500
|
||||
@@ -150,6 +150,8 @@ term_dontaudit_use_all_ptys(dhcpc_t)
|
||||
term_dontaudit_use_unallocated_ttys(dhcpc_t)
|
||||
term_dontaudit_use_generic_ptys(dhcpc_t)
|
||||
|
||||
+auth_use_nsswitch(dhcpc_t)
|
||||
+
|
||||
init_rw_utmp(dhcpc_t)
|
||||
init_stream_connect(dhcpc_t)
|
||||
init_stream_send(dhcpc_t)
|
||||
@@ -333,6 +335,7 @@ domain_use_interactive_fds(ifconfig_t)
|
||||
|
||||
read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
|
||||
|
||||
+files_dontaudit_read_root_files(ifconfig_t)
|
||||
files_read_etc_files(ifconfig_t)
|
||||
files_read_etc_runtime_files(ifconfig_t)
|
||||
files_read_usr_files(ifconfig_t)
|
||||
@@ -348,7 +351,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
term_dontaudit_use_ptmx(ifconfig_t)
|
||||
term_dontaudit_use_generic_ptys(ifconfig_t)
|
||||
|
||||
-files_dontaudit_read_root_files(ifconfig_t)
|
||||
+auth_use_nsswitch(ifconfig_t)
|
||||
|
||||
init_use_fds(ifconfig_t)
|
||||
init_use_script_ptys(ifconfig_t)
|
||||
@@ -359,7 +362,6 @@ logging_send_syslog_msg(ifconfig_t)
|
||||
|
||||
miscfiles_read_localization(ifconfig_t)
|
||||
|
||||
-
|
||||
seutil_use_runinit_fds(ifconfig_t)
|
||||
|
||||
sysnet_dns_name_resolve(ifconfig_t)
|
||||
@@ -423,10 +425,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nis_use_ypbind(ifconfig_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
ppp_use_fds(ifconfig_t)
|
||||
')
|
||||
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/systemd.if.systemd serefpolicy-3.10.0/policy/modules/system/systemd.if
|
||||
--- serefpolicy-3.10.0/policy/modules/system/systemd.if.systemd 2012-01-13 12:21:08.669668819 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/systemd.if 2012-01-13 12:21:11.124743834 -0500
|
||||
@@ -51,6 +51,9 @@ interface(`systemd_exec_systemctl',`
|
||||
init_list_pid_dirs($1)
|
||||
init_read_state($1)
|
||||
init_stream_send($1)
|
||||
+
|
||||
+ systemd_login_list_pid_dirs($1)
|
||||
+ systemd_login_read_pid_files($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/systemd.te.systemd serefpolicy-3.10.0/policy/modules/system/systemd.te
|
||||
--- serefpolicy-3.10.0/policy/modules/system/systemd.te.systemd 2012-01-13 12:21:08.670668850 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/systemd.te 2012-01-13 12:21:11.124743834 -0500
|
||||
@@ -111,6 +111,7 @@ init_dbus_chat(systemd_logind_t)
|
||||
init_dbus_chat_script(systemd_logind_t)
|
||||
init_read_script_state(systemd_logind_t)
|
||||
init_read_state(systemd_logind_t)
|
||||
+init_rw_stream_sockets(systemd_logind_t)
|
||||
|
||||
logging_send_syslog_msg(systemd_logind_t)
|
||||
|
||||
@@ -198,6 +199,8 @@ kernel_read_network_state(systemd_tmpfil
|
||||
files_delete_kernel_modules(systemd_tmpfiles_t)
|
||||
|
||||
dev_write_kmsg(systemd_tmpfiles_t)
|
||||
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
|
||||
+dev_read_cpu_online(systemd_tmpfiles_t)
|
||||
|
||||
domain_obj_id_change_exemption(systemd_tmpfiles_t)
|
||||
|
||||
@@ -322,6 +325,8 @@ fs_getattr_cgroup_files(systemd_notify_t
|
||||
|
||||
auth_use_nsswitch(systemd_notify_t)
|
||||
|
||||
+init_rw_stream_sockets(systemd_notify_t)
|
||||
+
|
||||
miscfiles_read_localization(systemd_notify_t)
|
||||
|
||||
optional_policy(`
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.systemd serefpolicy-3.10.0/policy/modules/system/udev.te
|
||||
--- serefpolicy-3.10.0/policy/modules/system/udev.te.systemd 2012-01-13 12:21:08.670668850 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/udev.te 2012-01-13 12:21:11.124743834 -0500
|
||||
@@ -333,6 +333,7 @@ optional_policy(`
|
||||
kernel_read_xen_state(udev_t)
|
||||
xen_manage_log(udev_t)
|
||||
xen_read_image_files(udev_t)
|
||||
+ xen_stream_connect_xenstore(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/xen.fc.systemd serefpolicy-3.10.0/policy/modules/system/xen.fc
|
||||
--- serefpolicy-3.10.0/policy/modules/system/xen.fc.systemd 2012-01-13 12:21:08.673668943 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/xen.fc 2012-01-13 12:21:11.125743864 -0500
|
||||
@@ -4,7 +4,7 @@
|
||||
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
|
||||
/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
|
||||
|
||||
-/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
|
||||
+#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
||||
diff -up serefpolicy-3.10.0/policy/modules/system/xen.te.systemd serefpolicy-3.10.0/policy/modules/system/xen.te
|
||||
--- serefpolicy-3.10.0/policy/modules/system/xen.te.systemd 2012-01-13 12:21:08.673668943 -0500
|
||||
+++ serefpolicy-3.10.0/policy/modules/system/xen.te 2012-01-13 12:21:11.125743864 -0500
|
||||
@@ -167,6 +167,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_v
|
||||
#
|
||||
# qemu-dm local policy
|
||||
#
|
||||
+
|
||||
+# TODO: This part of policy should be removed
|
||||
+# qemu-dm should run in xend_t domain
|
||||
+
|
||||
# Do we need to allow execution of qemu-dm?
|
||||
tunable_policy(`xend_run_qemu',`
|
||||
allow qemu_dm_t self:capability sys_resource;
|
||||
@@ -207,6 +211,11 @@ tunable_policy(`xend_run_qemu',`
|
||||
|
||||
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
|
||||
allow xend_t self:process { signal sigkill };
|
||||
+
|
||||
+# needed by qemu_dm
|
||||
+allow xend_t self:capability sys_resource;
|
||||
+allow xend_t self:process setrlimit;
|
||||
+
|
||||
dontaudit xend_t self:process ptrace;
|
||||
# internal communication is often done using fifo and unix sockets.
|
||||
allow xend_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -319,7 +328,6 @@ logging_send_syslog_msg(xend_t)
|
||||
miscfiles_read_localization(xend_t)
|
||||
miscfiles_read_hwdata(xend_t)
|
||||
|
||||
-
|
||||
sysnet_domtrans_dhcpc(xend_t)
|
||||
sysnet_signal_dhcpc(xend_t)
|
||||
sysnet_domtrans_ifconfig(xend_t)
|
91
qemu.patch
@ -1,91 +0,0 @@
|
||||
diff -up serefpolicy-3.10.0/policy/modules/apps/qemu.te.qemu serefpolicy-3.10.0/policy/modules/apps/qemu.te
|
||||
--- serefpolicy-3.10.0/policy/modules/apps/qemu.te.qemu 2011-11-04 13:28:26.200380523 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/apps/qemu.te 2011-11-04 13:28:27.042380389 -0400
|
||||
@@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true)
|
||||
## </desc>
|
||||
gen_tunable(qemu_use_usb, true)
|
||||
|
||||
-type qemu_exec_t;
|
||||
virt_domain_template(qemu)
|
||||
-application_domain(qemu_t, qemu_exec_t)
|
||||
role system_r types qemu_t;
|
||||
|
||||
########################################
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.qemu serefpolicy-3.10.0/policy/modules/services/virt.if
|
||||
--- serefpolicy-3.10.0/policy/modules/services/virt.if.qemu 2011-11-04 13:28:27.013380393 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/virt.if 2011-11-04 13:28:27.044380389 -0400
|
||||
@@ -16,10 +16,11 @@ template(`virt_domain_template',`
|
||||
attribute virt_image_type, virt_domain;
|
||||
attribute virt_tmpfs_type;
|
||||
attribute virt_ptynode;
|
||||
+ type qemu_exec_t;
|
||||
')
|
||||
|
||||
type $1_t, virt_domain;
|
||||
- domain_type($1_t)
|
||||
+ application_domain($1_t, qemu_exec_t)
|
||||
domain_user_exemption_target($1_t)
|
||||
mls_rangetrans_target($1_t)
|
||||
mcs_untrusted_proc($1_t)
|
||||
@@ -848,3 +849,21 @@ template(`virt_lxc_domain_template',`
|
||||
role system_r types $1_t;
|
||||
')
|
||||
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a qemu_exec_t in the callers domain
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`virt_exec_qemu',`
|
||||
+ gen_require(`
|
||||
+ type qemu_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ can_exec($1, qemu_exec_t)
|
||||
+')
|
||||
+
|
||||
diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.qemu serefpolicy-3.10.0/policy/modules/services/virt.te
|
||||
--- serefpolicy-3.10.0/policy/modules/services/virt.te.qemu 2011-11-04 13:28:27.015380393 -0400
|
||||
+++ serefpolicy-3.10.0/policy/modules/services/virt.te 2011-11-04 13:30:30.832359916 -0400
|
||||
@@ -73,11 +73,14 @@ gen_tunable(virt_use_usb, true)
|
||||
|
||||
virt_domain_template(svirt)
|
||||
role system_r types svirt_t;
|
||||
+typealias svirt_t alias qemu_t;
|
||||
|
||||
attribute virt_domain;
|
||||
attribute virt_image_type;
|
||||
attribute virt_tmpfs_type;
|
||||
|
||||
+type qemu_exec_t;
|
||||
+
|
||||
type virt_cache_t alias svirt_cache_t;
|
||||
files_type(virt_cache_t)
|
||||
|
||||
@@ -275,6 +278,9 @@ allow virtd_t virt_domain:process { geta
|
||||
allow virt_domain virtd_t:fd use;
|
||||
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
|
||||
|
||||
+can_exec(virtd_t, qemu_exec_t)
|
||||
+can_exec(virt_domain, qemu_exec_t)
|
||||
+
|
||||
allow virtd_t qemu_var_run_t:file relabel_file_perms;
|
||||
manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
|
||||
manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
|
||||
@@ -643,11 +649,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- qemu_entry_type(virt_domain)
|
||||
- qemu_exec(virt_domain)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
virt_read_config(virt_domain)
|
||||
virt_read_lib_files(virt_domain)
|
||||
virt_read_content(virt_domain)
|
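--- a/thumb.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.thumb serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
---- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.thumb 2011-12-13 16:04:19.597732170 -0500
-+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-12-13 16:04:42.718741218 -0500
-@@ -160,6 +160,11 @@ optional_policy(`
-rtkit_scheduled(unconfined_t)
-')
-
-+ # Might remove later if this proves to be problematic, but would like to gather AVCs
-+ optional_policy(`
-+ thumb_role(unconfined_r, unconfined_t)
-+ ')
-+
-optional_policy(`
-setroubleshoot_dbus_chat(unconfined_t)
-setroubleshoot_dbus_chat_fixit(unconfined_t)
-diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 26c13f2..2354089 100644
---- a/policy/modules/kernel/devices.fc
-+++ b/policy/modules/kernel/devices.fc
-@@ -205,6 +205,7 @@ ifdef(`distro_redhat',`
-# /sys
-#
-/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
-+/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
-
-/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
-/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
-diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 112bebb..8f727be 100644
---- a/policy/modules/kernel/devices.te
-+++ b/policy/modules/kernel/devices.te
-@@ -226,8 +226,8 @@ fs_type(sysfs_t)
-genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
-
-type cpu_online_t;
--allow cpu_online_t sysfs_t:filesystem associate;
--genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
-+files_type(cpu_online_t)
-+dev_associate_sysfs(cpu_online_t)
-
-#
-# Type for /dev/tpm
-diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
-index 7be4ddf..f7021a0 100644
---- a/policy/modules/kernel/kernel.fc
-+++ b/policy/modules/kernel/kernel.fc
-@@ -1 +1,2 @@
--# This module currently does not have any file contexts.
-+
-+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)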
@ -1,14 +0,0 @@
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 683497a..6717658 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -136,7 +136,8 @@ interface(`unconfined_domain',`
attribute unconfined_services;
')
- unconfined_domain_noaudit($1)
+permissive $1;
+# unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
auditallow $1 self:process execheap;