fixes from gentoo strict testing:
- Allow semanage to read from /root on strict non-MLS for local policy modules. - Gentoo init script fixes for udev. - Allow udev to read kernel modules.inputmap. - Dnsmasq fixes from testing. - Allow kernel NFS server to getattr filesystems so df can work on clients.
This commit is contained in:
parent
0f9a2be65d
commit
ed38ca9f3d
@ -1,3 +1,10 @@
|
|||
- Allow semanage to read from /root on strict non-MLS for
|
||||
local policy modules.
|
||||
- Gentoo init script fixes for udev.
|
||||
- Allow udev to read kernel modules.inputmap.
|
||||
- Dnsmasq fixes from testing.
|
||||
- Allow kernel NFS server to getattr filesystems so df can work
|
||||
on clients.
|
||||
- Patch from Matt Anderson for a MLS constraint exemption on a
|
||||
file that can be written to from a subject whose range is
|
||||
within the object's range.
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(logrotate,1.3.0)
|
||||
policy_module(logrotate,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -118,6 +118,7 @@ seutil_dontaudit_read_config(logrotate_t)
|
|||
|
||||
sysnet_read_config(logrotate_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
|
||||
userdom_use_unpriv_users_fds(logrotate_t)
|
||||
|
||||
cron_system_entry(logrotate_t, logrotate_exec_t)
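Review bot: The single added line this hunk's counts permit appears to be `userdom_use_unpriv_users_fds(logrotate_t)`, and it carries no comment; the changelog hunk at the top of this commit does not mention logrotate either. Letting logrotate use descriptors inherited from unprivileged user domains is a real grant, so a why-comment naming the path by which logrotate inherits those descriptors would keep the intent reviewable, and a changelog line should record it. If the access only surfaces as noise in the audit log, the matching dontaudit interface would be the narrower choice. The logrotate_t rule run continues on both sides of this hunk.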
|
||||
|
|
|
@ -325,6 +325,8 @@ interface(`portage_main_domain',`
|
|||
|
||||
# run setfiles -r
|
||||
seutil_domtrans_setfiles($1)
|
||||
# run semodule
|
||||
seutil_domtrans_semanage($1)
|
||||
|
||||
portage_domtrans_gcc_config($1)
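Review bot: `seutil_domtrans_semanage($1)` gives every domain built with `portage_main_domain` a transition into the policy-management domain, which is the privilege boundary that lets a package build install SELinux modules; the one-word comment `# run semodule` does not say that semodule is expected to run under the semanage entrypoint. A comment such as `# run semodule (expected to carry the semanage entrypoint label) to install policy modules` would make the grant self-explaining; the label assignment is not in this hunk, so confirm it against the selinuxutil file contexts. `portage_main_domain` starts before this hunk and continues after it.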
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(portage,1.1.0)
|
||||
policy_module(portage,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -629,6 +629,26 @@ interface(`fs_read_cifs_files',`
|
|||
allow $1 cifs_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of filesystems that
|
||||
## do not have extended attribute support.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_getattr_noxattr_fs',`
|
||||
gen_require(`
|
||||
attribute noxattrfs;
|
||||
')
|
||||
|
||||
allow $1 noxattrfs:filesystem getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all noxattrfs directories.
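Review bot: The summary of `fs_getattr_noxattr_fs`, "Get the attributes of filesystems that do not have extended attribute support", can be read as file attributes, whereas the rule is `noxattrfs:filesystem getattr`, the filesystem-level statfs that df relies on. Wording it as `## Get the attributes (statfs) of filesystems that` / `## do not have extended attribute support.` would separate it from `fs_read_noxattr_fs_files` and the other per-file noxattrfs interfaces. The interface header that follows this one continues past the hunk.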
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(filesystem,1.4.1)
|
||||
policy_module(filesystem,1.4.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(kernel,1.4.0)
|
||||
policy_module(kernel,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -287,6 +287,8 @@ optional_policy(`
|
|||
corenet_sendrecv_portmap_client_packets(kernel_t)
|
||||
corenet_sendrecv_generic_server_packets(kernel_t)
|
||||
|
||||
fs_getattr_xattr_fs(kernel_t)
|
||||
|
||||
auth_dontaudit_getattr_shadow(kernel_t)
|
||||
|
||||
sysnet_read_config(kernel_t)
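Review bot: `fs_getattr_xattr_fs(kernel_t)` is added here unconditionally, while the matching `fs_getattr_noxattr_fs(kernel_t)` in the two following hunks is placed inside the `nfs_export_all_ro` and `nfs_export_all_rw` tunables, and nothing in the hunk says why the xattr case needs no gating. If the intent is the changelog's "so df can work on clients", a comment above the line, `# NFS server: statfs on exported filesystems so df works on clients`, would record that, and the asymmetry between the gated and ungated grants should be stated or removed. The enclosing optional_policy block starts before this hunk.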
|
||||
|
@ -296,6 +298,7 @@ optional_policy(`
|
|||
rpc_udp_rw_nfs_sockets(kernel_t)
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
fs_getattr_noxattr_fs(kernel_t)
|
||||
fs_list_noxattr_fs(kernel_t)
|
||||
fs_read_noxattr_fs_files(kernel_t)
|
||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||
|
@ -306,6 +309,7 @@ optional_policy(`
|
|||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_rw',`
|
||||
fs_getattr_noxattr_fs(kernel_t)
|
||||
fs_list_noxattr_fs(kernel_t)
|
||||
fs_read_noxattr_fs_files(kernel_t)
|
||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(dnsmasq,1.1.0)
|
||||
policy_module(dnsmasq,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -21,9 +21,11 @@ files_pid_file(dnsmasq_var_run_t)
|
|||
# Local policy
|
||||
#
|
||||
|
||||
allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
|
||||
allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
|
||||
dontaudit dnsmasq_t self:capability sys_tty_config;
|
||||
allow dnsmasq_t self:process signal_perms;
|
||||
allow dnsmasq_t self:process { setcap signal_perms };
|
||||
allow dnsmasq_t self:fifo_file { read write };
|
||||
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
|
||||
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
|
||||
allow dnsmasq_t self:udp_socket create_socket_perms;
|
||||
allow dnsmasq_t self:packet_socket create_socket_perms;
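Review bot: The rewritten capability line grants `net_admin`, the broadest of the new permissions, with no comment on what dnsmasq uses it for; the same applies to the new `setcap` on `self:process` and the `netlink_route_socket` rule. The `setcap` grant suggests dnsmasq reduces its own capability set after start-up (inferred, confirm against the daemon), so a comment like `# net_admin/setcap: needed for dnsmasq's capability handling; route socket is read-only (nlmsg_read)` would let a later reviewer check whether the grant is still required. The netlink rule itself is appropriately narrow, allowing `nlmsg_read` but not `nlmsg_write`.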
|
||||
|
|
|
@ -160,3 +160,21 @@ interface(`hotplug_read_config',`
|
|||
allow $1 hotplug_etc_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the hotplug PIDs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`hotplug_search_pids',`
|
||||
gen_require(`
|
||||
type hotplug_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 hotplug_var_run_t:dir search_dir_perms;
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(hotplug,1.3.0)
|
||||
policy_module(hotplug,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -1072,6 +1072,26 @@ interface(`init_read_script_files',`
|
|||
allow $1 initrc_exec_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of init script
|
||||
## status files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_getattr_script_status_files',`
|
||||
gen_require(`
|
||||
type initrc_state_t;
|
||||
')
|
||||
|
||||
allow $1 initrc_state_t:dir search_dir_perms;
|
||||
allow $1 initrc_state_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read init script
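Review bot: `init_getattr_script_status_files` grants `search_dir_perms` on `initrc_state_t` directories but never searches the parent directory, whereas `hotplug_search_pids`, added in the same commit, pairs its dir search with `files_search_pids($1)`. If `initrc_state_t` is applied under /var/lib (the file contexts are not in this hunk, so this is inferred), callers will still need `files_search_var_lib($1)` or similar; either add it here or state in the interface header that the caller is expected to reach the directory itself. The interface following this one continues past the hunk.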
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(init,1.4.2)
|
||||
policy_module(init,1.4.3)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(selinuxutil,1.3.3)
|
||||
policy_module(selinuxutil,1.3.4)
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
gen_require(`
|
||||
|
@ -617,10 +617,13 @@ seutil_manage_default_contexts(semanage_t)
|
|||
|
||||
userdom_search_sysadm_home_dirs(semanage_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# cjp: need a more general way to handle this:
|
||||
ifdef(`enable_mls',`
|
||||
# read secadm tmp files
|
||||
',`
|
||||
# Handle pp files created in homedir and /tmp
|
||||
files_read_generic_tmp_files(semanage_t)
|
||||
userdom_read_generic_user_home_content_files(semanage_t)
|
||||
userdom_read_sysadm_home_content_files(semanage_t)
|
||||
userdom_read_sysadm_tmp_files(semanage_t)
|
||||
')
|
||||
|
||||
########################################
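Review bot: The `ifdef(`enable_mls',`` branch of the rewritten block contains only the comment `# read secadm tmp files` and no rule, so under MLS semanage_t gains nothing, while the else branch (now covering targeted and strict non-MLS alike) reads generic tmp files and both generic-user and sysadm home content. If the empty branch is deliberate, say so, e.g. `# read secadm tmp files: not granted yet, see note above`; otherwise the MLS case silently keeps failing. Note also that `userdom_read_generic_user_home_content_files(semanage_t)` extends the read access to every file under the generic user home type, which is broader than the /root case named in the changelog and deserves a line of justification.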
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(udev,1.4.0)
|
||||
policy_module(udev,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -136,6 +136,8 @@ logging_send_syslog_msg(udev_t)
|
|||
miscfiles_read_localization(udev_t)
|
||||
|
||||
modutils_domtrans_insmod(udev_t)
|
||||
# read modules.inputmap:
|
||||
modutils_read_module_deps(udev_t)
|
||||
|
||||
seutil_read_config(udev_t)
|
||||
seutil_read_default_contexts(udev_t)
|
||||
|
@ -148,6 +150,12 @@ sysnet_domtrans_dhcpc(udev_t)
|
|||
userdom_use_sysadm_ttys(udev_t)
|
||||
userdom_dontaudit_search_all_users_home_content(udev_t)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
# during boot, init scripts use /dev/.rcsysinit
|
||||
# existance to determine if we are in early booting
|
||||
init_getattr_script_status_files(udev_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
fs_manage_tmpfs_dirs(udev_t)
|
||||
fs_manage_tmpfs_files(udev_t)
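Review bot: The comment in the new `ifdef(`distro_gentoo',`` block misspells "existence" as "existance" and would read more clearly as `# during boot, init scripts use the existence of /dev/.rcsysinit to detect early boot`. The first udev hunk's `# read modules.inputmap:` comment could likewise name the type that modules.inputmap carries, so the `modutils_read_module_deps(udev_t)` call can be checked against the file contexts. Both are documentation-only points; the rules themselves look appropriately scoped.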
|
||||
|
@ -183,6 +191,8 @@ optional_policy(`
|
|||
|
||||
optional_policy(`
|
||||
hotplug_read_config(udev_t)
|
||||
# usb.agent searches /var/run/usb
|
||||
hotplug_search_pids(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
@ -4486,13 +4486,41 @@ interface(`userdom_search_sysadm_home_content_dirs',`
|
|||
## </param>
|
||||
#
|
||||
interface(`userdom_read_sysadm_home_content_files',`
|
||||
gen_require(`
|
||||
type sysadm_home_dir_t, sysadm_home_t;
|
||||
')
|
||||
ifdef(`strict_policy',`
|
||||
gen_require(`
|
||||
type sysadm_home_dir_t, sysadm_home_t;
|
||||
')
|
||||
|
||||
files_search_home($1)
|
||||
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
|
||||
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
|
||||
files_search_home($1)
|
||||
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
|
||||
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
|
||||
',`
|
||||
userdom_read_generic_user_home_content_files($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in the sysadm users home directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_read_sysadm_tmp_files',`
|
||||
ifdef(`strict_policy',`
|
||||
gen_require(`
|
||||
type sysadm_tmp_t;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
allow $1 sysadm_tmp_t:dir list_dir_perms;
|
||||
allow $1 sysadm_tmp_t:{ file lnk_file } r_file_perms;
|
||||
',`
|
||||
files_read_generic_tmp_files($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
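Review bot: The summary of the new `userdom_read_sysadm_tmp_files` interface reads `## Read files in the sysadm users home directory.`, a copy of the preceding interface's header, while the body reads `sysadm_tmp_t` under the tmp directory; it should read `## Read sysadm user temporary files.` Both interfaces now fall back to the generic-user variant outside `strict_policy`, which appears consistent with the non-strict build mapping sysadm content onto generic user types (inferred, not shown here); a one-line comment on each `',`` branch saying that would make the fallback self-explaining.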
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(userdomain,2.0.1)
|
||||
policy_module(userdomain,2.0.2)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r;
|
||||
|
|