From fcee22ad0dc6540d781e69fc9c6369234688f973 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 19 Nov 2008 15:24:10 +0000 Subject: [PATCH] trunk: 5 patches from dan. --- policy/modules/services/audioentropy.fc | 2 + policy/modules/services/audioentropy.te | 6 +- policy/modules/services/avahi.fc | 4 ++ policy/modules/services/avahi.if | 90 +++++++++++++++++++++++++ policy/modules/services/avahi.te | 15 ++++- policy/modules/services/bluetooth.fc | 5 ++ policy/modules/services/bluetooth.if | 53 +++++++++++++++ policy/modules/services/bluetooth.te | 19 ++++-- policy/modules/services/dcc.if | 18 +++++ policy/modules/services/dcc.te | 58 +++++----------- policy/modules/services/hal.fc | 3 +- policy/modules/services/hal.if | 39 +++++++++++ policy/modules/services/hal.te | 23 +++++-- 13 files changed, 280 insertions(+), 55 deletions(-) diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc index bcf3e1c7..001235e9 100644 --- a/policy/modules/services/audioentropy.fc +++ b/policy/modules/services/audioentropy.fc @@ -2,3 +2,5 @@ # /usr # /usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0) + +/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te index 64a716a8..d56d600f 100644 --- a/policy/modules/services/audioentropy.te +++ b/policy/modules/services/audioentropy.te @@ -1,5 +1,5 @@ -policy_module(audio_entropy, 1.4.1) +policy_module(audio_entropy, 1.4.2) ######################################## # @@ -35,6 +35,10 @@ dev_write_urand(entropyd_t) dev_read_rand(entropyd_t) dev_write_rand(entropyd_t) dev_read_sound(entropyd_t) +# set sound card parameters such as +# sample format, number of channels +# and sample rate. +dev_write_sound(entropyd_t) fs_getattr_all_fs(entropyd_t) fs_search_auto_mountpoints(entropyd_t) 
diff --git a/policy/modules/services/avahi.fc b/policy/modules/services/avahi.fc index 49dcc5f3..01a01a7f 100644 --- a/policy/modules/services/avahi.fc +++ b/policy/modules/services/avahi.fc @@ -1,5 +1,9 @@ +/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0) /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0) /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) +/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) + +/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if index 607c1132..74823c8f 100644 --- a/policy/modules/services/avahi.if +++ b/policy/modules/services/avahi.if @@ -1,5 +1,60 @@ ## mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +######################################## +## +## Execute avahi server in the avahi domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`avahi_domtrans',` + gen_require(` + type avahi_exec_t, avahi_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, avahi_exec_t, avahi_t) +') + +######################################## +## +## Send avahi a signal +## +## +## +## The type of the process performing this action. +## +## +# +interface(`avahi_signal',` + gen_require(` + type avahi_t; + ') + + allow $1 avahi_t:process signal; +') + +######################################## +## +## Send avahi a kill signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`avahi_kill',` + gen_require(` + type avahi_t; + ') + + allow $1 avahi_t:process sigkill; +') + ######################################## ## ## Send and receive messages from 
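Review bot: The new `/usr/lib/avahi-autoipd(/.*)` entry at the end of the avahi.fc hunk uses `(/.*)` without the trailing `?`, so the directory itself is not covered by the entry; every other directory entry in this file is written `(/.*)?`. The path also sits under /usr/lib while the avahi.te change in this same commit pairs `avahi_var_lib_t` with `files_var_lib_filetrans`, which only applies to /var/lib — presumably `/var/lib/avahi-autoipd` was intended, but that should be confirmed against the package's actual state directory. Suggested line: `/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)`.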
@@ -57,3 +112,38 @@ interface(`avahi_dontaudit_search_pid',` dontaudit $1 avahi_var_run_t:dir search_dir_perms; ') + +######################################## +## +## All of the rules required to administrate +## an avahi environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the avahi domain. +## +## +## +# +interface(`avahi_admin',` + gen_require(` + type avahi_t, avahi_var_run_t; + type avahi_initrc_exec_t; + ') + + allow $1 avahi_t:process { ptrace signal_perms }; + ps_process_pattern($1, avahi_t) + + init_labeled_script_domtrans($1, avahi_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 avahi_initrc_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) + admin_pattern($1, avahi_var_run_t) +') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index 8120ad57..719990a8 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -1,5 +1,5 @@ -policy_module(avahi, 1.9.1) +policy_module(avahi, 1.9.2) ######################################## # @@ -10,6 +10,12 @@ type avahi_t; type avahi_exec_t; init_daemon_domain(avahi_t, avahi_exec_t) +type avahi_initrc_exec_t; +init_script_file(avahi_initrc_exec_t) + +type avahi_var_lib_t; +files_pid_file(avahi_var_lib_t) + type avahi_var_run_t; files_pid_file(avahi_var_run_t) 
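Review bot: `files_pid_file(avahi_var_lib_t)` in the avahi.te hunk declares the new /var/lib state type as a pid file; the sibling `avahi_var_run_t` two lines below is the pid-file type, and a persistent state type is normally declared with `files_type(avahi_var_lib_t)`. As written the type carries the pid-file attribute, so any rule written against all pid files would also reach avahi's persistent state, and the manage rules added later in the file would place a pid-labeled type under /var/lib. Change the line to `files_type(avahi_var_lib_t)`.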
@@ -20,13 +26,17 @@ files_pid_file(avahi_var_run_t) allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot }; dontaudit avahi_t self:capability sys_tty_config; -allow avahi_t self:process { setrlimit signal_perms setcap }; +allow avahi_t self:process { setrlimit signal_perms getcap setcap }; allow avahi_t self:fifo_file rw_fifo_file_perms; allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow avahi_t self:unix_dgram_socket create_socket_perms; allow avahi_t self:tcp_socket create_stream_socket_perms; allow avahi_t self:udp_socket create_socket_perms; +manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) +manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) +files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) + manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) allow avahi_t avahi_var_run_t:dir setattr; @@ -73,6 +83,7 @@ init_signull_script(avahi_t) logging_send_syslog_msg(avahi_t) miscfiles_read_localization(avahi_t) +miscfiles_read_certs(avahi_t) userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc index 3cb34d00..caa93384 100644 --- a/policy/modules/services/bluetooth.fc +++ b/policy/modules/services/bluetooth.fc @@ -3,6 +3,9 @@ # /etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) /etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0) +/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) +/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) # # /usr 
@@ -21,4 +24,6 @@ # /var # /var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) + +/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index edf2769c..f6028fde 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -152,3 +152,56 @@ interface(`bluetooth_dontaudit_read_helper_state',` dontaudit $1 bluetooth_helper_t:dir search; dontaudit $1 bluetooth_helper_t:file { read getattr }; ') + +######################################## +## +## All of the rules required to administrate +## an bluetooth environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the bluetooth domain. +## +## +## +# +interface(`bluetooth_admin',` + gen_require(` + type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; + type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t; + type bluetooth_conf_t, bluetooth_conf_rw_t; + type bluetooth_initrc_exec_t; + ') + + allow $1 bluetooth_t:process { ptrace signal_perms }; + ps_process_pattern($1, bluetooth_t) + + init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bluetooth_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, bluetooth_tmp_t) + + files_list_var($1) + admin_pattern($1, bluetooth_lock_t) + + files_list_etc($1) + admin_pattern($1, bluetooth_conf_t) + admin_pattern($1, bluetooth_conf_rw_t) + + files_list_spool($1) + admin_pattern($1, bluetooth_spool_t) + + files_list_var_lib($1) + admin_pattern($1, bluetooth_var_lib_t) + + files_list_pids($1) + admin_pattern($1, bluetooth_var_run_t) +') diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index 302dd11d..ad014bd6 100644 
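Review bot: The added `/var/run/bluetoothd_address` entry in the bluetooth.fc hunk has no file-type specifier, while the sibling `/var/run/sdp` entry is restricted with `-s` and the pid-file entries elsewhere in this patch use `--`. If bluetoothd_address is a regular file, `/var/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_var_run_t,s0)` keeps the label from being applied to a directory or socket of the same name; if it can be something else, a short comment above the entry saying what it is would explain the omission.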
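Review bot: The summary of the new `bluetooth_admin` interface reads "an bluetooth environment"; it should be "a bluetooth environment". The rest of the interface follows the same shape as `avahi_admin` in this patch (ptrace/signal, labeled init script transition, role transition, admin_pattern per file type), so only the wording needs the fix: `## an bluetooth environment` becomes `## a bluetooth environment`.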
--- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -1,5 +1,5 @@ -policy_module(bluetooth, 3.0.0) +policy_module(bluetooth, 3.0.1) ######################################## # @@ -34,6 +34,9 @@ typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t sec files_tmpfs_file(bluetooth_helper_tmpfs_t) ubac_constrained(bluetooth_helper_tmpfs_t) +type bluetooth_initrc_exec_t; +init_script_file(bluetooth_initrc_exec_t) + type bluetooth_lock_t; files_lock_file(bluetooth_lock_t) @@ -51,14 +54,14 @@ files_pid_file(bluetooth_var_run_t) # Bluetooth services local policy # -allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock }; +allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock }; dontaudit bluetooth_t self:capability sys_tty_config; allow bluetooth_t self:process { getsched signal_perms }; allow bluetooth_t self:fifo_file rw_fifo_file_perms; allow bluetooth_t self:shm create_shm_perms; allow bluetooth_t self:socket create_stream_socket_perms; allow bluetooth_t self:unix_dgram_socket create_socket_perms; -allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; +allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow bluetooth_t self:tcp_socket create_stream_socket_perms; allow bluetooth_t self:udp_socket create_socket_perms; @@ -106,6 +109,7 @@ dev_read_sysfs(bluetooth_t) dev_rw_usbfs(bluetooth_t) dev_rw_generic_usb_dev(bluetooth_t) dev_read_urand(bluetooth_t) +dev_rw_input_dev(bluetooth_t) fs_getattr_all_fs(bluetooth_t) fs_search_auto_mountpoints(bluetooth_t) 
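Review bot: The rewritten capability line in the bluetooth.te hunk adds `dac_override` to bluetooth_t with no comment recording which file access needs it; dac_override lets the daemon bypass owner and mode checks on anything the policy already permits, so it is usually a symptom of a file being created with the wrong owner and is better handled by fixing the ownership or by a `dontaudit` than by an allow. Please add a why-comment, e.g. `# dac_override: TODO(review) record the file access that requires it`, or move it to dontaudit if the access is only probed. The same rewritten line keeps `sys_tty_config` in the allow set while the next context line still dontaudits it, so one of the two is dead; that inconsistency predates this commit, but the line is being edited anyway.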
@@ -124,12 +128,13 @@ files_read_etc_files(bluetooth_t) files_read_etc_runtime_files(bluetooth_t) files_read_usr_files(bluetooth_t) +auth_use_nsswitch(bluetooth_t) + logging_send_syslog_msg(bluetooth_t) miscfiles_read_localization(bluetooth_t) miscfiles_read_fonts(bluetooth_t) - -sysnet_read_config(bluetooth_t) +miscfiles_read_hwdata(bluetooth_t) userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_user_terminals(bluetooth_t) @@ -138,6 +143,10 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t) optional_policy(` dbus_system_bus_client(bluetooth_t) dbus_connect_system_bus(bluetooth_t) + + optional_policy(` + cups_dbus_chat(bluetooth_t) + ') ') optional_policy(` diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if index 80102a7b..70733793 100644 --- a/policy/modules/services/dcc.if +++ b/policy/modules/services/dcc.if @@ -64,6 +64,24 @@ interface(`dcc_domtrans_client',` domtrans_pattern($1, dcc_client_exec_t, dcc_client_t) ') +######################################## +## +## Send a signal to the dcc_client. +## +## +## +## Domain allowed access. +## +## +# +interface(`dcc_signal_client',` + gen_require(` + type dcc_client_t; + ') + + allow $1 dcc_client_t:process signal; +') + ######################################## ## ## Execute dcc_client in the dcc_client domain, and diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te index baddef3d..d49af9af 100644 --- a/policy/modules/services/dcc.te +++ b/policy/modules/services/dcc.te @@ -1,5 +1,5 @@ -policy_module(dcc, 1.6.1) +policy_module(dcc, 1.6.2) ######################################## # 
@@ -105,25 +105,20 @@ corenet_udp_sendrecv_all_ports(cdcc_t) files_read_etc_files(cdcc_t) files_read_etc_runtime_files(cdcc_t) +auth_use_nsswitch(cdcc_t) + logging_send_syslog_msg(cdcc_t) miscfiles_read_localization(cdcc_t) -sysnet_read_config(cdcc_t) -sysnet_dns_name_resolve(cdcc_t) - userdom_use_user_terminals(cdcc_t) -optional_policy(` - nscd_socket_use(cdcc_t) -') - ######################################## # # dcc procmail interface local policy # -allow dcc_client_t self:capability setuid; +allow dcc_client_t self:capability { setuid setgid }; allow dcc_client_t self:unix_dgram_socket create_socket_perms; allow dcc_client_t self:udp_socket create_socket_perms; @@ -138,6 +133,8 @@ allow dcc_client_t dcc_var_t:dir list_dir_perms; read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) +kernel_read_system_state(dcc_client_t) + corenet_all_recvfrom_unlabeled(dcc_client_t) corenet_all_recvfrom_netlabel(dcc_client_t) corenet_udp_sendrecv_generic_if(dcc_client_t) @@ -147,17 +144,16 @@ corenet_udp_sendrecv_all_ports(dcc_client_t) files_read_etc_files(dcc_client_t) files_read_etc_runtime_files(dcc_client_t) +auth_use_nsswitch(dcc_client_t) + logging_send_syslog_msg(dcc_client_t) miscfiles_read_localization(dcc_client_t) -sysnet_read_config(dcc_client_t) -sysnet_dns_name_resolve(dcc_client_t) - userdom_use_user_terminals(dcc_client_t) optional_policy(` - nscd_socket_use(dcc_client_t) + spamassassin_read_spamd_tmp_files(dcc_client_t) ') ######################################## 
@@ -189,19 +185,14 @@ corenet_udp_sendrecv_all_ports(dcc_dbclean_t) files_read_etc_files(dcc_dbclean_t) files_read_etc_runtime_files(dcc_dbclean_t) +auth_use_nsswitch(dcc_dbclean_t) + logging_send_syslog_msg(dcc_dbclean_t) miscfiles_read_localization(dcc_dbclean_t) -sysnet_read_config(dcc_dbclean_t) -sysnet_dns_name_resolve(dcc_dbclean_t) - userdom_use_user_terminals(dcc_dbclean_t) -optional_policy(` - nscd_socket_use(dcc_dbclean_t) -') - ######################################## # # Server daemon local policy @@ -259,20 +250,15 @@ files_read_etc_runtime_files(dccd_t) fs_getattr_all_fs(dccd_t) fs_search_auto_mountpoints(dccd_t) +auth_use_nsswitch(dccd_t) + logging_send_syslog_msg(dccd_t) miscfiles_read_localization(dccd_t) -sysnet_read_config(dccd_t) -sysnet_dns_name_resolve(dccd_t) - userdom_dontaudit_use_unpriv_user_fds(dccd_t) userdom_dontaudit_search_user_home_dirs(dccd_t) -optional_policy(` - nscd_socket_use(dccd_t) -') - optional_policy(` seutil_sigchld_newrole(dccd_t) ') @@ -329,20 +315,15 @@ files_read_etc_runtime_files(dccifd_t) fs_getattr_all_fs(dccifd_t) fs_search_auto_mountpoints(dccifd_t) +auth_use_nsswitch(dccifd_t) + logging_send_syslog_msg(dccifd_t) miscfiles_read_localization(dccifd_t) -sysnet_read_config(dccifd_t) -sysnet_dns_name_resolve(dccifd_t) - userdom_dontaudit_use_unpriv_user_fds(dccifd_t) userdom_dontaudit_search_user_home_dirs(dccifd_t) -optional_policy(` - nscd_socket_use(dccifd_t) -') - optional_policy(` seutil_sigchld_newrole(dccifd_t) ') @@ -398,20 +379,15 @@ files_read_etc_runtime_files(dccm_t) fs_getattr_all_fs(dccm_t) fs_search_auto_mountpoints(dccm_t) +auth_use_nsswitch(dccm_t) + logging_send_syslog_msg(dccm_t) miscfiles_read_localization(dccm_t) -sysnet_read_config(dccm_t) -sysnet_dns_name_resolve(dccm_t) - userdom_dontaudit_use_unpriv_user_fds(dccm_t) userdom_dontaudit_search_user_home_dirs(dccm_t) -optional_policy(` - nscd_socket_use(dccm_t) -') - optional_policy(` seutil_sigchld_newrole(dccm_t) ') 
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc index 130c3179..cd17ac55 100644 --- a/policy/modules/services/hal.fc +++ b/policy/modules/services/hal.fc @@ -9,6 +9,7 @@ /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) /usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) +/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0) /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) @@ -17,7 +18,7 @@ /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) /var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) -/var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0) +/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0) /var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if index e95a24c8..43c653c0 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if @@ -18,6 +18,45 @@ interface(`hal_domtrans',` domtrans_pattern($1, hald_exec_t, hald_t) ') +######################################## +## +## Get the attributes of a hal process. +## +## +## +## Domain allowed access. +## +## +# +interface(`hal_getattr',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:process getattr; +') + +######################################## +## +## Read hal system state +## +## +## +## Domain to not audit. +## +## +# +interface(`hal_read_state',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:dir list_dir_perms; + read_files_pattern($1, hald_t, hald_t) + read_lnk_files_pattern($1, hald_t, hald_t) + dontaudit $1 hald_t:process ptrace; +') + ######################################## ## ## Allow ptrace of hal domain 
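Review bot: Labeling `/usr/sbin/radeontool` as `hald_mac_exec_t` in the first hal.fc hunk reuses the macbook-backlight helper type for a general-purpose tool, so executing it from hald runs it in hald_mac_t, which the hal.te context lines in this same patch show holding `dev_read_raw_memory` and `dev_write_raw_memory` (and this commit adds `setuid setgid` to it). If that is intended, a comment next to the entry naming why radeontool belongs to that domain would stop the next reader from widening the type further; otherwise a dedicated helper type would keep the raw-memory access confined to the backlight helpers.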
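Review bot: In `hal_read_state` the parameter is documented as "Domain to not audit." although the interface mostly grants access (the `allow`, `read_files_pattern` and `read_lnk_files_pattern` lines); only its last line is a dontaudit. The description should read `Domain allowed access.` as in `hal_getattr` just above it, and the summary should mention that ptrace on hald_t is silenced rather than granted, since a caller reading "Read hal system state" would not expect a dontaudit rule inside. The summary also lacks the terminating period the sibling summary has.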
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index 3e49a369..04ec5ae9 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal, 1.10.1) +policy_module(hal, 1.10.2) ######################################## # @@ -297,6 +297,10 @@ optional_policy(` vbetool_domtrans(hald_t) ') +optional_policy(` + virt_manage_images(hald_t) +') + ######################################## # # Hal acl local policy @@ -338,6 +342,8 @@ storage_setattr_removable_dev(hald_acl_t) auth_use_nsswitch(hald_acl_t) +logging_send_syslog_msg(hald_acl_t) + miscfiles_read_localization(hald_acl_t) ######################################## @@ -345,6 +351,8 @@ miscfiles_read_localization(hald_acl_t) # Local hald mac policy # +allow hald_mac_t self:capability { setgid setuid }; + domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; allow hald_mac_t hald_t:unix_stream_socket connectto; @@ -353,6 +361,8 @@ manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_mac_t) +write_files_pattern(hald_mac_t, hald_log_t, hald_log_t) + kernel_read_system_state(hald_mac_t) dev_read_raw_memory(hald_mac_t) @@ -360,6 +370,9 @@ dev_write_raw_memory(hald_mac_t) dev_read_sysfs(hald_mac_t) files_read_usr_files(hald_mac_t) +files_read_etc_files(hald_mac_t) + +auth_use_nsswitch(hald_mac_t) miscfiles_read_localization(hald_mac_t) @@ -379,6 +392,8 @@ manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_sonypic_t) +write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t) + files_read_usr_files(hald_sonypic_t) miscfiles_read_localization(hald_sonypic_t) 
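Review bot: `virt_manage_images(hald_t)` in the @@ -297 hal.te hunk grants the hardware daemon full manage rights over virtual machine image files with no comment on why. If hald only needs to probe or stat images, a read-only grant would be the narrower choice, and `manage` would let a compromised hald alter guest disks. Please record the denial that prompted it, e.g. `# TODO(review): note the hald operation that needs manage rather than read on virt images`, or narrow the interface.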
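Review bot: `allow hald_mac_t self:capability { setgid setuid };` in the @@ -345 hunk has no comment, and the hunk does not show what the helper does with the capabilities. Presumably it drops privileges; a one-line why-comment such as `# setuid/setgid: drop privileges -- TODO(review) confirm` would record that, and if the helper instead changes uid to gain privilege the grant deserves a second look.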
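Review bot: `write_files_pattern(hald_mac_t, hald_log_t, hald_log_t)` in the @@ -353 hunk, and the matching lines for hald_sonypic_t (@@ -379) and hald_keymap_t (the hal.te hunk that follows), give the helpers write rather than append access to the hal log type. Write includes truncating and rewriting existing logs — the pm-*.log files matched by the widened hal.fc pattern in this patch — so if the helpers only append, `append_files_pattern(hald_mac_t, hald_log_t, hald_log_t)` keeps the logs tamper-resistant against a compromised helper. If they do need to create or rewrite the file, a comment saying so would settle the question.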
@@ -396,12 +411,10 @@ manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_keymap_t) +write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) + dev_rw_input_dev(hald_keymap_t) files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) - -# This is caused by a bug in hald and PolicyKit. -# Should be removed when this is fixed -#cron_read_system_job_lib_files(hald_t)