trunk: 6 patches from dan.

Changelog

@@ -11,6 +11,9 @@
 - Add support for labeled Booleans.
 - Remove node definitions and change node usage to generic nodes.
 - Add kernel_service access vectors, from Stephen Smalley.
+- Added modules:
+	logadm (Dan Walsh)
+	zosremote (Dan Walsh)
 
 * Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
 - Fix consistency of audioentropy and iscsi module naming.

policy/modules/admin/logwatch.te

@@ -1,5 +1,5 @@
 
-policy_module(logwatch, 1.9.0)
+policy_module(logwatch, 1.9.1)
 
 #################################
 #
@@ -43,6 +43,8 @@ files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
 kernel_read_fs_sysctls(logwatch_t)
 kernel_read_kernel_sysctls(logwatch_t)
 kernel_read_system_state(logwatch_t)
+kernel_read_net_sysctls(logwatch_t)
+kernel_read_network_state(logwatch_t)
 
 corecmd_exec_bin(logwatch_t)
 corecmd_exec_shell(logwatch_t)
@@ -54,6 +56,7 @@ dev_read_sysfs(logwatch_t)
 domain_read_all_domains_state(logwatch_t)
 
 files_list_var(logwatch_t)
+files_read_var_symlinks(logwatch_t)
 files_read_etc_files(logwatch_t)
 files_read_etc_runtime_files(logwatch_t)
 files_read_usr_files(logwatch_t)
@@ -66,10 +69,12 @@ files_dontaudit_search_all_dirs(logwatch_t)
 
 fs_getattr_all_fs(logwatch_t)
 fs_dontaudit_list_auto_mountpoints(logwatch_t)
+fs_list_inotifyfs(logwatch_t)
 
 term_dontaudit_getattr_pty_dirs(logwatch_t)
 term_dontaudit_list_ptys(logwatch_t)
 
+auth_use_nsswitch(logwatch_t)
 auth_dontaudit_read_shadow(logwatch_t)
 
 init_read_utmp(logwatch_t)
@@ -85,6 +90,7 @@ miscfiles_read_localization(logwatch_t)
 selinux_dontaudit_getattr_dir(logwatch_t)
 
 sysnet_dns_name_resolve(logwatch_t)
+sysnet_exec_ifconfig(logwatch_t)
 
 userdom_dontaudit_search_user_home_dirs(logwatch_t)
 
@@ -94,10 +100,6 @@ optional_policy(`
 	apache_read_log(logwatch_t)
 ')
 
-optional_policy(`
-	auth_use_nsswitch(logwatch_t)
-')
-
 optional_policy(`
 	avahi_dontaudit_search_pid(logwatch_t)
 ')

policy/modules/admin/usermanage.if

@@ -115,6 +115,24 @@ interface(`usermanage_domtrans_passwd',`
 	domtrans_pattern($1, passwd_exec_t, passwd_t)
 ')
 
+########################################
+## <summary>
+##	Send sigkills to passwd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_kill_passwd',`
+	gen_require(`
+		type passwd_t;
+	')
+
+	allow $1 passwd_t:process sigkill;
+')
+
 ########################################
 ## <summary>
 ##	Execute passwd in the passwd domain, and
@@ -138,6 +156,7 @@ interface(`usermanage_run_passwd',`
 
 	usermanage_domtrans_passwd($1)
 	role $2 types passwd_t;
+	auth_run_chk_passwd(passwd_t, $2)
 ')
 
 ########################################

policy/modules/admin/usermanage.te

@@ -1,5 +1,5 @@
 
-policy_module(usermanage, 1.12.0)
+policy_module(usermanage, 1.12.1)
 
 ########################################
 #
@@ -288,6 +288,7 @@ selinux_compute_user_contexts(passwd_t)
 term_use_all_user_ttys(passwd_t)
 term_use_all_user_ptys(passwd_t)
 
+auth_domtrans_chk_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
@@ -307,6 +308,7 @@ files_relabel_etc_files(passwd_t)
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(passwd_t)
+init_use_fds(passwd_t)
 
 logging_send_audit_msgs(passwd_t)
 logging_send_syslog_msg(passwd_t)
@@ -320,6 +322,7 @@ userdom_use_unpriv_users_fds(passwd_t)
 # make sure that getcon succeeds
 userdom_getattr_all_users(passwd_t)
 userdom_read_all_users_state(passwd_t)
+userdom_read_user_tmp_files(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
@@ -492,6 +495,12 @@ userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_se
 
 mta_manage_spool(useradd_t)
 
+ifdef(`distro_redhat',`
+	optional_policy(`
+		unconfined_domain(useradd_t)
+	')
+')
+
 optional_policy(`
 	apache_manage_all_user_content(useradd_t)
 ')

policy/modules/roles/logadm.fc

@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon

policy/modules/roles/logadm.if

@@ -0,0 +1,50 @@
+## <summary>Log administrator role</summary>
+
+########################################
+## <summary>
+##	Change to the log administrator role.
+## </summary>
+## <param name="role">
+##	<summary>
+##     Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logadm_role_change',`
+	gen_require(`
+		role logadm_r;
+	')
+
+	allow $1 logadm_r;
+')
+
+########################################
+## <summary>
+##	Change from the log administrator role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the log administrator role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logadm_role_change_to',`
+	gen_require(`
+		role logadm_r;
+	')
+
+	allow logadm_r $1;
+')

policy/modules/roles/logadm.te

@@ -0,0 +1,20 @@
+
+policy_module(logadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role logadm_r;
+
+userdom_base_user_template(logadm)
+
+########################################
+#
+# logadmin local policy
+#
+
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+logging_admin(logadm_t, logadm_r)

policy/modules/services/rpc.fc

@@ -16,6 +16,7 @@
 /usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
 /usr/sbin/rpc\.mountd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
 /usr/sbin/rpc\.nfsd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.rquotad	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
 
 #

policy/modules/services/rpc.if

@@ -83,12 +83,13 @@ template(`rpc_domain_template', `
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_portmap_client_packets($1_t)
 	# do not log when it tries to bind to a port belonging to another domain
-	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-	corenet_dontaudit_udp_bind_all_reserved_ports($1_t)
+	corenet_dontaudit_tcp_bind_all_ports($1_t)
+	corenet_dontaudit_udp_bind_all_ports($1_t)
 	# bind to arbitary unused ports
 	corenet_tcp_bind_generic_port($1_t)
 	corenet_udp_bind_generic_port($1_t)
-	corenet_udp_bind_reserved_port($1_t)
+	corenet_tcp_bind_all_rpc_ports($1_t)
+	corenet_udp_bind_all_rpc_ports($1_t)
 	corenet_sendrecv_generic_server_packets($1_t)
 
 	fs_rw_rpc_named_pipes($1_t) 
@@ -203,6 +204,25 @@ interface(`rpc_domtrans_nfsd',`
 	domtrans_pattern($1, nfsd_exec_t, nfsd_t)
 ')
 
+########################################
+## <summary>
+##      Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+	gen_require(`
+		type rpcd_t, rpcd_exec_t;
+	')
+
+	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+	allow rpcd_t $1:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Read NFS exported content.
@@ -335,3 +355,22 @@ interface(`rpc_read_nfs_state_data',`
 	files_search_var_lib($1)
 	read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
 ')
+
+########################################
+## <summary>
+##	Manage NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_manage_nfs_state_data',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+')

policy/modules/services/rpc.te

@@ -1,5 +1,5 @@
 
-policy_module(rpc, 1.10.3)
+policy_module(rpc, 1.10.4)
 
 ########################################
 #
@@ -68,6 +68,7 @@ kernel_read_network_state(rpcd_t)
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)
 kernel_rw_fs_sysctls(rpcd_t)
+kernel_dontaudit_getattr_core_if(rpcd_t)
 
 corecmd_exec_bin(rpcd_t)
 
@@ -101,6 +102,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 # for /proc/fs/nfs/exports - should we have a new type?
 kernel_read_system_state(nfsd_t) 
 kernel_read_network_state(nfsd_t) 
+kernel_dontaudit_getattr_core_if(nfsd_t) 
 
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
@@ -133,12 +135,23 @@ tunable_policy(`allow_nfsd_anon_write',`
 ') 
 
 tunable_policy(`nfs_export_all_rw',`
+	dev_getattr_all_blk_files(nfsd_t)
+	dev_getattr_all_chr_files(nfsd_t)
+
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-	fs_read_noxattr_fs_files(nfsd_t) 
+	dev_getattr_all_blk_files(nfsd_t)
+	dev_getattr_all_chr_files(nfsd_t)
+
+	files_getattr_all_pipes(nfsd_t)
+	files_getattr_all_sockets(nfsd_t)
+
+	fs_read_noxattr_fs_files(nfsd_t)
+
+	auth_read_all_dirs_except_shadow(nfsd_t)
 	auth_read_all_files_except_shadow(nfsd_t)
 ')
 
@@ -180,8 +193,7 @@ tunable_policy(`allow_gssd_read_tmp',`
 ')
 
 optional_policy(`
-	kerberos_use(gssd_t)
-	kerberos_read_keytab(gssd_t) 
+	kerberos_keytab_template(gssd, gssd_t) 
 ')
 
 optional_policy(`

policy/modules/services/zosremote.fc

@@ -0,0 +1 @@
+/sbin/audispd-zos-remote	--	gen_context(system_u:object_r:zos_remote_exec_t,s0)

policy/modules/services/zosremote.if

@@ -0,0 +1,45 @@
+## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
+
+########################################
+## <summary>
+##      Execute a domain transition to run audispd-zos-remote.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zosremote_domtrans',`
+        gen_require(`
+                type zos_remote_t, type zos_remote_exec_t;
+        ')
+
+        domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
+')
+
+########################################
+## <summary>
+##	Allow specified type and role to transition and
+##	run in the zos_remote_t domain. Allow specified type
+##	to use zos_remote_t terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the zos_remote domain.
+##	</summary>
+## </param>
+#
+interface(`zosremote_run',`
+	gen_require(`
+		type zos_remote_t;
+	')
+
+	zosremote_domtrans($1)
+	role $2 types zos_remote_t;
+')

policy/modules/services/zosremote.te

@@ -0,0 +1,28 @@
+policy_module(zosremote,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type zos_remote_t;
+type zos_remote_exec_t;
+init_system_domain(zos_remote_t, zos_remote_exec_t)
+logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
+
+########################################
+#
+# zos_remote local policy
+#
+
+allow zos_remote_t self:process signal;
+allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(zos_remote_t)
+
+auth_use_nsswitch(zos_remote_t);
+
+miscfiles_read_localization(zos_remote_t)
+
+logging_send_syslog_msg(zos_remote_t)

policy/modules/system/udev.fc

@@ -17,3 +17,5 @@
 /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
 
 /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
+
+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)

policy/modules/system/udev.if

@@ -94,6 +94,24 @@ interface(`udev_dontaudit_rw_dgram_sockets',`
 	dontaudit $1 udev_t:unix_dgram_socket { read write };
 ')
 
+########################################
+## <summary>
+##	Do not audit search of udev database directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`udev_dontaudit_search_db',`
+	gen_require(`
+		type udev_tbl_t;
+	')
+
+	dontaudit $1 udev_tbl_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow process to read list of devices.
@@ -106,11 +124,13 @@ interface(`udev_dontaudit_rw_dgram_sockets',`
 #
 interface(`udev_read_db',`
 	gen_require(`
-		type udev_tdb_t;
+		type udev_tbl_t;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 udev_tdb_t:file read_file_perms;
+	allow $1 udev_tbl_t:dir list_dir_perms;
+	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
 ')
 
 ########################################
@@ -125,9 +145,9 @@ interface(`udev_read_db',`
 #
 interface(`udev_rw_db',`
 	gen_require(`
-		type udev_tdb_t;
+		type udev_tbl_t;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 udev_tdb_t:file rw_file_perms;
+	allow $1 udev_tbl_t:file rw_file_perms;
 ')

policy/modules/system/udev.te

@@ -1,5 +1,5 @@
 
-policy_module(udev, 1.10.1)
+policy_module(udev, 1.10.2)
 
 ########################################
 #
@@ -55,6 +55,7 @@ allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
 
 allow udev_t udev_helper_exec_t:dir list_dir_perms;
+can_exec(udev_t, udev_helper_exec_t)
 
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
@@ -78,10 +79,12 @@ kernel_rw_hotplug_sysctls(udev_t)
 kernel_rw_unix_dgram_sockets(udev_t)
 kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
+kernel_search_debugfs(udev_t)
 
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
 kernel_read_network_state(udev_t)
+kernel_read_software_raid_state(udev_t)
 
 corecmd_exec_all_executables(udev_t)
 
@@ -134,6 +137,7 @@ init_getattr_initctl(udev_t)
 
 logging_search_logs(udev_t)
 logging_send_syslog_msg(udev_t)
+logging_send_audit_msgs(udev_t)
 
 miscfiles_read_localization(udev_t)
 
@@ -181,6 +185,7 @@ ifdef(`distro_redhat',`
 
 optional_policy(`
 	alsa_domtrans(udev_t)
+	alsa_read_lib(udev_t)
 	alsa_read_rw_config(udev_t)
 ')
 
@@ -188,6 +193,10 @@ optional_policy(`
 	brctl_domtrans(udev_t)
 ')
 
+optional_policy(`
+	clock_domtrans(udev_t)
+')
+
 optional_policy(`
 	consoletype_exec(udev_t)
 ')
@@ -196,6 +205,10 @@ optional_policy(`
 	dbus_system_bus_client(udev_t)
 ')
 
+optional_policy(`
+	lvm_domtrans(udev_t)
+')
+
 optional_policy(`
 	fstools_domtrans(udev_t)
 ')