first part of dans patch Fri, 14 Apr 2006 08:08:43 -0400

2006-04-17 17:32:54 +00:00 · 2006-04-17 17:32:54 +00:00 · cdc86ee57f
commit cdc86ee57f
parent 2ba3de9690
26 changed files with 168 additions and 27 deletions
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@ -278,6 +278,13 @@ gen_tunable(run_ssh_inetd,false)
 ## </desc>
 gen_tunable(samba_enable_home_dirs,false)
 ## <desc>
 ## <p>
 ## Allow samba to export NFS volumes.
 ## </p>
 ## </desc>
 gen_tunable(samba_share_nfs,false)
 ## <desc>
 ## <p>
 ## Allow spamassassin to do DNS lookups
--- a/refpolicy/policy/mcs
+++ b/refpolicy/policy/mcs
@ -134,14 +134,18 @@ level s0:c0.c255;
 # the high range of the file.  We use the high range of the process so
 # that processes can always simply run at s0.
 #
-# Only files are constrained by MCS at this stage.
+# Note that getattr on files is always permitted.
 #
 mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
 	( h1 dom h2 );
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 # At this time we do not restrict "ps" type operations via MCS.  This
 # will probably change in future.
 mlsconstrain file { read }
 	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@ -1,5 +1,5 @@
-policy_module(amanda,1.3.0)
+policy_module(amanda,1.3.1)
 #######################################
 #
@ -8,7 +8,7 @@ policy_module(amanda,1.3.0)
 type amanda_t;
 type amanda_inetd_exec_t;
-inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
+inetd_service_domain(amanda_t,amanda_inetd_exec_t)
 role system_r types amanda_t;
 type amanda_exec_t;
@ -189,7 +189,7 @@ optional_policy(`
 #
 # Amanda recover local policy
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
 allow amanda_recover_t self:process { sigkill sigstop signal };
 allow amanda_recover_t self:fifo_file { getattr ioctl read write };
 allow amanda_recover_t self:unix_stream_socket { connect create read write };
@ -229,6 +229,7 @@ corenet_udp_sendrecv_all_ports(amanda_recover_t)
 corenet_non_ipsec_sendrecv(amanda_recover_t)
 corenet_tcp_bind_all_nodes(amanda_recover_t)
 corenet_udp_bind_all_nodes(amanda_recover_t)
 corenet_tcp_bind_reserved_port(amanda_recover_t)
 corenet_tcp_connect_amanda_port(amanda_recover_t)
 corecmd_exec_shell(amanda_recover_t)
@ -261,3 +262,7 @@ optional_policy(`
 optional_policy(`
 	nis_use_ypbind(amanda_recover_t)
 ')
 optional_policy(`
 	nscd_socket_use(amanda_recover_t)
 ')
--- a/refpolicy/policy/modules/admin/bootloader.te
+++ b/refpolicy/policy/modules/admin/bootloader.te
@ -1,5 +1,5 @@
-policy_module(bootloader,1.2.1)
+policy_module(bootloader,1.2.2)
 ########################################
 #
@ -88,6 +88,8 @@ dev_read_raw_memory(bootloader_t)
 fs_getattr_xattr_fs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
 mls_file_read_up(bootloader_t)
 term_getattr_all_user_ttys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@ -1,5 +1,5 @@
-policy_module(usermanage,1.3.2)
+policy_module(usermanage,1.3.3)
 ########################################
 #
@ -514,6 +514,7 @@ userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
 # Add/remove user home directories
 userdom_home_filetrans_generic_user_home_dir(useradd_t)
 userdom_manage_generic_user_home_content_dirs(useradd_t)
 userdom_manage_staff_home_dirs(useradd_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
 mta_manage_spool(useradd_t)
--- a/refpolicy/policy/modules/apps/java.te
+++ b/refpolicy/policy/modules/apps/java.te
@ -1,5 +1,5 @@
-policy_module(java,1.1.1)
+policy_module(java,1.1.2)
 ########################################
 #
@ -7,10 +7,8 @@ policy_module(java,1.1.1)
 #
 type java_t;
 domain_type(java_t)
 type java_exec_t;
-files_type(java_exec_t)
+init_system_domain(java_t,java_exec_t)
 ########################################
 #
--- a/refpolicy/policy/modules/apps/mono.te
+++ b/refpolicy/policy/modules/apps/mono.te
@ -1,5 +1,5 @@
-policy_module(mono,1.1.1)
+policy_module(mono,1.1.2)
 ########################################
 #
@ -22,6 +22,8 @@ ifdef(`targeted_policy',`
 	unconfined_domain_noaudit(mono_t)
 	role system_r types mono_t;
 	init_dbus_chat_script(mono_t)
 	optional_policy(`
 		avahi_dbus_chat(mono_t)
 	')
@ -29,4 +31,8 @@ ifdef(`targeted_policy',`
 	optional_policy(`
 		hal_dbus_chat(mono_t)
 	')
 	optional_policy(`
 		networkmanager_dbus_chat(mono_t)
 	')
 ')
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@ -2701,7 +2701,7 @@ interface(`dev_rw_xen',`
 	')
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file r_file_perms;
+	allow $1 xen_device_t:chr_file rw_file_perms;
 ')
 ########################################
@ -2720,7 +2720,7 @@ interface(`dev_manage_xen',`
 	')
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file r_file_perms;
+	allow $1 xen_device_t:chr_file manage_file_perms;
 ')
 ########################################
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@ -1,5 +1,5 @@
-policy_module(devices,1.1.10)
+policy_module(devices,1.1.11)
 ########################################
 #
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@ -946,6 +946,24 @@ interface(`files_mounton_all_mountpoints',`
 	allow $1 mountpoint:file { getattr mounton };
 ')
 ########################################
 ## <summary>
 ##	Get the attributes of all mount points.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_getattr_all_mountpoints',`
 	gen_require(`
 		attribute mountpoint;
 	')
 	allow $1 mountpoint:dir getattr;
 ')
 ########################################
 #
 # files_list_root(domain)
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@ -1,5 +1,5 @@
-policy_module(files,1.2.6)
+policy_module(files,1.2.7)
 ########################################
 #
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -1150,6 +1150,9 @@ interface(`kernel_rw_vm_sysctls',`
 	allow $1 sysctl_t:dir r_dir_perms;
 	allow $1 sysctl_vm_t:dir list_dir_perms;
 	allow $1 sysctl_vm_t:file rw_file_perms;
 	# hal needs this
 	allow $1 sysctl_vm_t:dir write;
 ')
 ########################################
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@ -1,5 +1,5 @@
-policy_module(kernel,1.3.4)
+policy_module(kernel,1.3.5)
 ########################################
 #
--- a/refpolicy/policy/modules/kernel/mcs.te
+++ b/refpolicy/policy/modules/kernel/mcs.te
@ -32,6 +32,10 @@ type unconfined_t;
 type xdm_exec_t;
 ifdef(`enable_mcs',`
 # The eventual plan is to have a range_transition to s0 for the daemon by
 # default and have the daemons which need to run with all categories be
 # exceptions.  But while range_transitions have to be in the base module
 # this is not possible.
 range_transition getty_t login_exec_t s0 - s0:c0.c255;
 range_transition init_t xdm_exec_t s0 - s0:c0.c255;
 range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@ -1,5 +1,5 @@
-policy_module(avahi,1.2.0)
+policy_module(avahi,1.2.1)
 ########################################
 #
@ -92,6 +92,7 @@ optional_policy(`
 	dbus_system_bus_client_template(avahi,avahi_t)
 	dbus_connect_system_bus(avahi_t)
 	dbus_send_system_bus(avahi_t)
 	init_dbus_chat_script(avahi_t)
 ')
 optional_policy(`
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@ -1,5 +1,5 @@
-policy_module(hal,1.3.4)
+policy_module(hal,1.3.5)
 ########################################
 #
@ -103,6 +103,7 @@ files_getattr_default_dirs(hald_t)
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
 fs_list_auto_mountpoints(hald_t)
 files_getattr_all_mountpoints(hald_t)
 mls_file_read_up(hald_t)
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@ -198,6 +198,45 @@ interface(`mailman_search_data',`
 	allow $1 mailman_data_t:dir search_dir_perms;
 ')
 #######################################
 ## <summary>
 ##	Allow domain to to read mailman data files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`mailman_read_data_files',`
 	gen_require(`
 		type mailman_data_t;
 	')
 	allow $1 mailman_data_t:dir search_dir_perms;
 	allow $1 mailman_data_t:file read_file_perms;
 ')
 #######################################
 ## <summary>
 ##	Allow domain to to create mailman data files
 ##	and write the directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`mailman_manage_data_files',`
 	gen_require(`
 		type mailman_data_t;
 	')
 	allow $1 mailman_data_t:dir rw_dir_perms;
 	allow $1 mailman_data_t:file manage_file_perms;
 ')
 #######################################
 ## <summary>
 ##	List the contents of mailman data directories.
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@ -1,5 +1,5 @@
-policy_module(mailman,1.1.1)
+policy_module(mailman,1.1.2)
 ########################################
 #
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@ -1,5 +1,5 @@
-policy_module(postfix,1.2.1)
+policy_module(postfix,1.2.2)
 ########################################
 #
@ -174,6 +174,11 @@ sysnet_read_config(postfix_master_t)
 mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
 optional_policy(`
 #	for postalias
 	mailman_manage_data_files(postfix_master_t)
 ')
 optional_policy(`
 	mount_send_nfs_client_request(postfix_master_t)
 ')
@ -280,6 +285,11 @@ mta_delete_spool(postfix_local_t)
 # For reading spamassasin
 mta_read_config(postfix_local_t)
 optional_policy(`
 #	for postalias
 	mailman_read_data_files(postfix_local_t)
 ')
 optional_policy(`
 	procmail_domtrans(postfix_local_t)
 ')
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@ -1,5 +1,5 @@
-policy_module(rpc,1.2.1)
+policy_module(rpc,1.2.2)
 ########################################
 #
@ -110,13 +110,13 @@ portmap_tcp_connect(nfsd_t)
 portmap_udp_chat(nfsd_t)
 tunable_policy(`nfs_export_all_rw',`
 	auth_read_all_dirs_except_shadow(nfsd_t) 
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
 ')
 tunable_policy(`nfs_export_all_ro',`
 	auth_read_all_dirs_except_shadow(nfsd_t) 
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_read_all_files_except_shadow(nfsd_t)
 ')
 ########################################
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@ -33,6 +33,7 @@ template(`samba_per_userdomain_template',`
 	')
 	tunable_policy(`samba_enable_home_dirs',`
 		userdom_manage_user_home_content_dirs($1,smbd_t)
 		userdom_manage_user_home_content_files($1,smbd_t)
 		userdom_manage_user_home_content_symlinks($1,smbd_t)
 		userdom_manage_user_home_content_sockets($1,smbd_t)
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@ -1,5 +1,5 @@
-policy_module(samba,1.2.3)
+policy_module(samba,1.2.4)
 #################################
 #
@ -296,6 +296,12 @@ tunable_policy(`allow_smbd_anon_write',`
 	miscfiles_manage_public_files(smbd_t)
 ') 
 # Support Samba sharing of NFS mount points
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
 ')
 optional_policy(`
 	cups_read_rw_config(smbd_t)
 ')
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.5)
+policy_module(unconfined,1.3.6)
 ########################################
 #
@ -62,6 +62,8 @@ ifdef(`targeted_policy',`
 	')
 	optional_policy(`
 		init_dbus_chat_script(unconfined_t)
 		dbus_stub(unconfined_t)
 		optional_policy(`
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -3400,6 +3400,35 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
 	dontaudit $1 staff_home_dir_t:dir search;
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete staff
 ##	home directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`userdom_manage_staff_home_dirs',`
 	ifdef(`targeted_policy',`
 		gen_require(`
 			type user_home_dir_t;
 		')
 		files_search_home($1)
 		allow $1 user_home_dir_t:dir manage_dir_perms;
 	',`
 		gen_require(`
 			type staff_home_dir_t;
 		')
 		files_search_home($1)
 		allow $1 staff_home_dir_t:dir manage_dir_perms;
 	')
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to append to the staff
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.14)
+policy_module(userdomain,1.3.15)
 gen_require(`
 	role sysadm_r, staff_r, user_r;
--- a/refpolicy/policy/modules/system/xen.te
+++ b/refpolicy/policy/modules/system/xen.te
@ -1,5 +1,5 @@
-policy_module(xen,1.0.0)
+policy_module(xen,1.0.1)
 ########################################
 #
@ -19,6 +19,8 @@ init_daemon_domain(xend_t, xend_exec_t)
 # var/lib files
 type xend_var_lib_t;
 files_type(xend_var_lib_t)
 # for mounting an NFS store
 files_mountpoint(xend_var_lib_t)
 # log files
 type xend_var_log_t;
@ -122,6 +124,7 @@ domain_read_all_domains_state(xend_t)
 domain_dontaudit_read_all_domains_state(xend_t)
 files_read_etc_files(xend_t)
 files_read_kernel_symbol_table(xend_t)
 storage_raw_read_fixed_disk(xend_t)
@ -208,6 +211,7 @@ kernel_read_xen_state(xenstored_t)
 dev_create_generic_dirs(xenstored_t)
 dev_manage_xen(xenconsoled_t)
 dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 term_dontaudit_use_generic_ptys(xenstored_t)