From c6d4c8f186a9f000fc90b78edcc27935110c19e6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 15 Nov 2005 18:47:20 +0000 Subject: [PATCH] clean up some hacks --- refpolicy/policy/modules/services/apache.if | 17 +++++++++++++ refpolicy/policy/modules/services/apache.te | 2 +- refpolicy/policy/modules/services/xdm.te | 6 ++++- .../policy/modules/system/corecommands.if | 24 +++++++++++++++---- .../policy/modules/system/corecommands.te | 2 +- refpolicy/policy/modules/system/init.te | 1 - refpolicy/policy/modules/system/libraries.te | 10 ++++---- refpolicy/policy/modules/system/locallogin.te | 5 ---- .../policy/modules/system/selinuxutil.te | 2 +- refpolicy/policy/modules/system/unconfined.if | 15 ++++++++---- refpolicy/policy/modules/system/unconfined.te | 6 +---- refpolicy/policy/modules/system/userdomain.te | 7 +++++- refpolicy/policy/support/misc_macros.spt | 10 ++++++++ 13 files changed, 76 insertions(+), 31 deletions(-) diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if index b836c9ca..601edbf8 100644 --- a/refpolicy/policy/modules/services/apache.if +++ b/refpolicy/policy/modules/services/apache.if @@ -529,6 +529,23 @@ interface(`apache_dontaudit_append_log',` dontaudit $1 httpd_log_t:file { getattr append }; ') +######################################## +## +## Do not audit attempts to search Apache +## module directories. +## +## +## Domain to not audit. +## +# +interface(`apache_dontaudit_search_modules',` + gen_require(` + type httpd_modules_t; + ') + + allow $1 httpd_modules_t:dir r_dir_perms; +') + ######################################## ## ## Allow the specified domain to list diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index 9cc54893..84b8befe 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.0) +policy_module(apache,1.0.1) # # NOTES: 
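Review bot: The new `apache_dontaudit_search_modules` interface is named and documented as a dontaudit, but its body is `allow $1 httpd_modules_t:dir r_dir_perms;`, which grants the caller read/search/getattr on the Apache module directories instead of merely suppressing the denial message; libraries.te in this same patch replaces `dontaudit ldconfig_t httpd_modules_t:dir search;` with a call to it, so ldconfig_t quietly gains real access it did not have before. The body should be `dontaudit $1 httpd_modules_t:dir search;`, matching both the interface name and the single permission in the rule it replaces rather than the wider r_dir_perms set. If granting read access is actually the intent, the interface needs a different name and description so policy authors do not reach for it expecting a no-op audit suppression.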
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te index ef633987..d369ae87 100644 --- a/refpolicy/policy/modules/services/xdm.te +++ b/refpolicy/policy/modules/services/xdm.te @@ -1,5 +1,5 @@ -policy_module(xdm,1.0) +policy_module(xdm,1.0.1) ######################################## # @@ -100,6 +100,10 @@ ifdef(`targeted_policy',` files_create_var_lib(xdm_t,xdm_var_lib_t) ') +optional_policy(`locallogin.te',` + locallogin_signull(xdm_t) +') + ifdef(`TODO',` # cjp: TODO: integrate strict policy: daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain') diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index 9301bf28..087902e3 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if @@ -10,17 +10,31 @@ ######################################## ## -## Create a aliased type to bin_t. +## Create a aliased type to generic bin files. ## +## +##
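Review bot: The `locallogin_signull(xdm_t)` call is promoted from the locallogin.te TODO block into live policy, but the `# FIXME: what is this for?` that accompanied it there is dropped rather than answered, so xdm_t is now granted signull on the local login domain with no recorded rationale. A one-line comment above the new optional_policy block, such as `# xdm null-signals local login processes (presumably a liveness check); reason unverified`, would keep the open question visible instead of burying it. The block also appears to sit after the closing `')` of the targeted_policy ifdef, so it applies to strict builds too, which the strict-policy TODO section that follows does not yet account for.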

+## Create a aliased type to generic bin files. +##

+##

+## This is added to support targeted policy. Its +## use should be limited. It has no effect +## on the strict policy. +##

+##
## ## Alias type for bin_t. ## interface(`corecmd_bin_alias',` - gen_require(` - type bin_t; - ') + ifdef(`targeted_policy',` + gen_require(` + type bin_t; + ') - typealias bin_t alias $1; + typealias bin_t alias $1; + ',` + errprint(`Warning: $0($1) has no effect in strict policy.'__endline__) + ') ') ######################################## diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te index 9aaca9f7..83ee7984 100644 --- a/refpolicy/policy/modules/system/corecommands.te +++ b/refpolicy/policy/modules/system/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.0) +policy_module(corecommands,1.0.1) ######################################## # diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 57579001..cb78de2f 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -499,7 +499,6 @@ optional_policy(`dbus.te',` dbus_send_system_bus_msg(initrc_t) # FIXME - allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc }; allow initrc_t system_dbusd_t:unix_stream_socket connectto; allow initrc_t system_dbusd_var_run_t:sock_file write; diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index b0ab6c10..a05b81ff 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.0) +policy_module(libraries,1.0.1) ######################################## # @@ -24,6 +24,9 @@ files_type(ld_so_t) type lib_t; files_type(lib_t) +kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t) +kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t }) + # # shlib_t is the type of shared objects in the system lib # directories. 
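Review bot: In the strict-policy branch `corecmd_bin_alias` only calls `errprint`, which writes to stderr and does not stop m4 expansion or fail the build, so a caller that is not itself inside `ifdef(`targeted_policy',...)` builds on without the alias and the problem surfaces later as an unrelated-looking undeclared-type error from checkpolicy for `$1`, far from the cause. If the alias is genuinely unusable in strict policy, consider making that branch fatal (for example `m4exit(1)` right after the message) or at least stating in the interface description that callers must wrap the call in a targeted_policy conditional themselves. The same warn-only pattern is introduced for `unconfined_alias_domain` in this patch, so whichever behaviour is chosen should be applied to both for consistency.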
@@ -46,9 +49,6 @@ ifdef(`targeted_policy',` files_type(texrel_shlib_t) ') -kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t) -kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t }) - ######################################## # # ldconfig local policy @@ -100,5 +100,5 @@ ifdef(`targeted_policy',` optional_policy(`apache.te',` # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway - dontaudit ldconfig_t httpd_modules_t:dir search; + apache_dontaudit_search_modules(ldconfig_t) ') diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 075a8240..2349d05e 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -216,11 +216,6 @@ optional_policy(`usermanage.te',` ') ifdef(`TODO',` -# this goes to xdm: -optional_policy(`locallogin.te',` - # FIXME: what is this for? - locallogin_signull(xdm_t) -') # Login can polyinstantiate polyinstantiater(local_login_t) diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 1b3e9c37..a0769368 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -195,7 +195,7 @@ ifdef(`targeted_policy', ` # cjp: temporary hack to cover # up stray file descriptors. dontaudit load_policy_t selinux_config_t:file write; -dontaudit load_policy_t unconfined_t:fifo_file read; +unconfined_dontaudit_read_pipe(load_policy_t) ######################################## # diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 6e12ad12..19f21b03 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -256,7 +256,8 @@ interface(`unconfined_dontaudit_rw_tcp_socket',` ##
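Review bot: The context comment `# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway` is left in place above the new `apache_dontaudit_search_modules(ldconfig_t)` call, yet as defined in apache.if in this same patch that interface expands to `allow $1 httpd_modules_t:dir r_dir_perms;`, so the comment no longer describes the rule and ldconfig_t is now granted directory read/search rather than having the denial silenced. Either the interface body should become `dontaudit $1 httpd_modules_t:dir search;` so this call is a faithful replacement for the removed line, or the comment here should be rewritten to say that read access is granted and why. The ldconfig local-policy section this hunk belongs to begins outside the hunk.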

##

## This is added to support targeted policy. Its -## use should be very limited. +## use should be limited. It has no effect +## on the strict policy. ##

## ## @@ -264,9 +265,13 @@ interface(`unconfined_dontaudit_rw_tcp_socket',` ## # interface(`unconfined_alias_domain',` - gen_require(` - type unconfined_t; - ') + ifdef(`targeted_policy',` + gen_require(` + type unconfined_t; + ') - typealias unconfined_t alias $1; + typealias unconfined_t alias $1; + ',` + errprint(`Warning: $0($1) has no effect in strict policy.'__endline__) + ') ') diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 4a2fdc0c..4b660ffe 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.0) +policy_module(unconfined,1.0.1) ######################################## # @@ -28,10 +28,6 @@ ifdef(`targeted_policy',` allow unconfined_t self:system syslog_read; dontaudit unconfined_t self:capability sys_module; - # Define some type aliases to help with compatibility with - # macros and domains from the "strict" policy. - typealias unconfined_t alias { secadm_t sysadm_t }; - files_create_boot_flag(unconfined_t) init_domtrans_script(unconfined_t) diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index d56c6495..fbdc5e6b 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.0) +policy_module(userdomain,1.0.1) ######################################## # @@ -53,6 +53,11 @@ define(`role_change',` ') ifdef(`targeted_policy',` + # Define some type aliases to help with compatibility with + # macros and domains from the "strict" policy. + unconfined_alias_domain(secadm_t) + unconfined_alias_domain(sysadm_t) + # User home directory type. type user_home_t alias { staff_home_t sysadm_home_t }, home_type; files_type(user_home_t) diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt index 25ca305f..f854137c 100644 
--- a/refpolicy/policy/support/misc_macros.spt +++ b/refpolicy/policy/support/misc_macros.spt @@ -11,6 +11,16 @@ # define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') +# +# __endline__ +# +# dummy macro to insert a newline. used for +# errprint, so the close parentheses can be +# indented correctly. +# +define(`__endline__',` +') + ######################################## # # gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])