diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 30cfa497a..3517db213 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -48,11 +48,13 @@ ifdef(`distro_suse',`
 /etc/.*	gen_context(system_u:object_r:etc_t,s0)
 /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/blkid(/.*)?	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/cmtab	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/HOSTNAME	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/issue	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/issue\.net	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/killpower	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/localtime	-l	gen_context(system_u:object_r:etc_t,s0)
 /etc/mtab	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -205,19 +207,21 @@ HOME_ROOT/lost\+found/.*	<>
 /usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/local/lost\+found/.*	<>
-/usr/local/src(/.*)?	gen_context(system_u:object_r:src_t,s0)
-
 /usr/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/lost\+found/.*	<>
 /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
-/usr/src(/.*)?	gen_context(system_u:object_r:src_t,s0)
-/usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
-
 /usr/tmp	-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /usr/tmp/.*	<>
+ifndef(`distro_redhat',`
+/usr/local/src(/.*)?	gen_context(system_u:object_r:src_t,s0)
+
+/usr/src(/.*)?	gen_context(system_u:object_r:src_t,s0)
+/usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+')
+
 #
 # /var
 #
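Review bot: The new `ifndef(`distro_redhat',` block silently stops labeling /usr/src and /usr/local/src as src_t on Red Hat builds, and nothing in the file says why or what those paths end up labeled instead (presumably they fall through to the generic /usr rule, which is outside this hunk). A one-line comment above the block would keep a later reader from "fixing" it back, e.g. `# distro_redhat: /usr/src is deliberately not labeled src_t; see <rationale/commit>`. Any module that grants a domain src_t access keeps a rule that is dead on Red Hat, which is harmless but worth stating alongside the change.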
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 9adeea441..425d176ac 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -174,7 +174,7 @@ interface(`files_security_mountpoint',`
 ##

 ## Make the specified type usable for runtime process ID files,
 ## typically found in /var/run.
-## This will also make the type usable for files, making
+## This will also make the type usable for files, making
 ## calls to files_type() redundant. Failure to use this interface
 ## for a PID file type may result in problems with starting
 ## or stopping services.
@@ -221,7 +221,7 @@ interface(`files_pid_file',`
 ##
 ##

 ## Make the specified type usable for configuration files.
-## This will also make the type usable for files, making
+## This will also make the type usable for files, making
 ## calls to files_type() redundant. Failure to use this interface
 ## for a temporary file may result in problems with
 ## configuration management tools.
@@ -349,7 +349,7 @@ interface(`files_poly_member_tmp',`
 ##
 ##

 ## Make the specified type usable for temporary files.
-## This will also make the type usable for files, making
+## This will also make the type usable for files, making
 ## calls to files_type() redundant. Failure to use this interface
 ## for a temporary file may result in problems with
 ## purging temporary files.
@@ -1426,6 +1426,24 @@ interface(`files_search_all_mountpoints',`
 	allow $1 mountpoint:dir search_dir_perms;
 ')
+########################################
+##

+## Do not audit searching of all mount points.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_search_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	dontaudit $1 mountpoint:dir search_dir_perms;
+')
+
 ########################################
 ##
 ## List the contents of the root directory.
@@ -1550,6 +1568,24 @@ interface(`files_dontaudit_rw_root_chr_files',`
 	dontaudit $1 root_t:chr_file { read write };
 ')
+########################################
+##
+## Delete files in the root directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_root_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
 ########################################
 ##
 ## Remove entries from the root directory.
@@ -1695,6 +1731,25 @@ interface(`files_create_boot_dirs',`
 	allow $1 boot_t:dir { create rw_dir_perms };
 ')
+########################################
+##
+## Create, read, write, and delete
+## directories in /boot.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_boot_dirs',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir manage_dir_perms;
+')
+
 ########################################
 ##
 ## Create a private type object in boot
@@ -1740,7 +1795,7 @@ interface(`files_read_boot_files',`
 		type boot_t;
 	')
-	manage_files_pattern($1, boot_t, boot_t)
+	read_files_pattern($1, boot_t, boot_t)
 ')
 ########################################
@@ -2191,6 +2246,24 @@ interface(`files_list_etc',`
 	allow $1 etc_t:dir list_dir_perms;
 ')
+########################################
+##
+## Do not audit attempts to write to /etc dirs.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_write_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+
+	dontaudit $1 etc_t:dir write;
+')
+
 ########################################
 ##
 ## Add and remove entries from /etc directories.
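Review bot: `files_delete_root_files` grants only `root_t:file unlink`, which is narrower than `delete_file_perms` and, unlike the `delete_files_pattern($1, usr_t, usr_t)` this same commit puts into `files_delete_usr_files`, gives no search/remove_name on the root_t directory, so a caller cannot actually remove a file without also calling the "Remove entries from the root directory" interface that follows. For consistency with the rest of the commit the body would be `delete_files_pattern($1, root_t, root_t)`; if the unlink-only grant is deliberate, the summary should say that callers must pair it with the directory-entry interface.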
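Review bot: Replacing `manage_files_pattern` with `read_files_pattern` in `files_read_boot_files` is a privilege reduction rather than a rename: any domain that, through this interface, was writing or creating files in /boot now loses that access, while the module version in files.te only moves to 1.13.1. The hunk itself is right (the interface name promised read access), but the change deserves a sentence in the commit description noting that such callers must switch to the manage interface for boot files so the resulting denials are not read as regressions.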
@@ -2787,6 +2860,120 @@ interface(`files_delete_isid_type_files',`
 	delete_files_pattern($1, file_t, file_t)
 ')
+########################################
+##
+## Delete symbolic links on new filesystems
+## that have not yet been labeled.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_isid_type_symlinks',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_lnk_files_pattern($1, file_t, file_t)
+')
+
+########################################
+##
+## Delete named pipes on new filesystems
+## that have not yet been labeled.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_isid_type_fifo_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_fifo_files_pattern($1, file_t, file_t)
+')
+
+########################################
+##
+## Delete named sockets on new filesystems
+## that have not yet been labeled.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_isid_type_sock_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_sock_files_pattern($1, file_t, file_t)
+')
+
+########################################
+##
+## Delete block files on new filesystems
+## that have not yet been labeled.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_isid_type_blk_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_blk_files_pattern($1, file_t, file_t)
+')
+
+########################################
+##
+## Do not audit attempts to write to character
+## files that have not yet been labeled.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_write_isid_chr_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	dontaudit $1 file_t:chr_file write;
+')
+
+########################################
+##
+## Delete chr files on new filesystems
+## that have not yet been labeled.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_isid_type_chr_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_chr_files_pattern($1, file_t, file_t)
+')
+
 ########################################
 ##
 ## Create, read, write, and delete files
@@ -2937,6 +3124,7 @@ interface(`files_search_home',`
 	')
 	allow $1 home_root_t:dir search_dir_perms;
+	allow $1 home_root_t:lnk_file read_lnk_file_perms;
 ')
 ########################################
@@ -2956,6 +3144,7 @@ interface(`files_dontaudit_search_home',`
 	')
 	dontaudit $1 home_root_t:dir search_dir_perms;
+	dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
 ')
 ########################################
@@ -2975,6 +3164,7 @@ interface(`files_dontaudit_list_home',`
 	')
 	dontaudit $1 home_root_t:dir list_dir_perms;
+	dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
 ')
 ########################################
@@ -2993,6 +3183,7 @@ interface(`files_list_home',`
 	')
 	allow $1 home_root_t:dir list_dir_perms;
+	allow $1 home_root_t:lnk_file read_lnk_file_perms;
 ')
 ########################################
@@ -3920,6 +4111,24 @@ interface(`files_purge_tmp',`
 	delete_sock_files_pattern($1, tmpfile, tmpfile)
 ')
+########################################
+##
+## Set the attributes of the /usr directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_setattr_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir setattr;
+')
+
 ########################################
 ##
 ## Search the content of /etc.
@@ -3957,6 +4166,24 @@ interface(`files_list_usr',`
 	allow $1 usr_t:dir list_dir_perms;
 ')
+########################################
+##
+## Do not audit write of /usr dirs
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_write_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	dontaudit $1 usr_t:dir write;
+')
+
 ########################################
 ##
 ## Add and remove entries from /usr directories.
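Review bot: In `files_dontaudit_write_isid_chr_files` the parameter description reads `## Domain allowed access.`, but the interface is a dontaudit, and the other dontaudit interfaces added by this commit (`files_dontaudit_search_all_mountpoints`, `files_dontaudit_write_etc_dirs`, `files_dontaudit_write_usr_dirs`) use `## Domain to not audit.`; the description should match. Likewise the summary of `files_delete_isid_type_chr_files` says `Delete chr files`, while its siblings in the same hunk spell out the object class (symbolic links, named pipes, named sockets, block files); `## Delete character files on new filesystems` keeps the set uniform.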
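Review bot: `files_search_home` now also grants `home_root_t:lnk_file read_lnk_file_perms`, but the `<summary>` of the interface (outside the hunk) still describes only directory search, and the same applies to the three home_root_t hunks that follow. The commit does not say which case needs the symlink read; a why-comment above the new line naming it (presumably a home root that is itself a symlink — to be confirmed), e.g. `# <reason the home root may be a symlink>`, would document the grant where the next reader will look for it.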
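Review bot: The summary of `files_dontaudit_write_usr_dirs`, `## Do not audit write of /usr dirs`, is terser than the parallel `files_dontaudit_write_etc_dirs` added in the same commit and lacks the closing period; `## Do not audit attempts to write to /usr dirs.` would match. The same wording check applies to `files_write_generic_pid_pipes` (`## Write named generic process ID pipes`) in a later hunk, which also ends without a period.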
@@ -3977,7 +4204,8 @@ interface(`files_rw_usr_dirs',`
 ########################################
 ##
-## dontaudit Add and remove entries from /usr directories.
+## Do not audit attempts to add and remove
+## entries from /usr directories.
 ##
 ##
 ##
@@ -4026,7 +4254,7 @@ interface(`files_delete_usr_files',`
 		type usr_t;
 	')
-	allow $1 usr_t:file delete_file_perms;
+	delete_files_pattern($1, usr_t, usr_t)
 ')
 ########################################
@@ -5033,6 +5261,24 @@ interface(`files_dontaudit_getattr_pid_dirs',`
 	dontaudit $1 var_run_t:dir getattr;
 ')
+########################################
+##
+## Set the attributes of the /var/run directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_setattr_pid_dirs',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	allow $1 var_run_t:dir setattr;
+')
+
 ########################################
 ##
 ## Search the contents of runtime process
@@ -5109,6 +5355,24 @@ interface(`files_read_generic_pids',`
 	read_files_pattern($1, var_run_t, var_run_t)
 ')
+########################################
+##
+## Write named generic process ID pipes
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_write_generic_pid_pipes',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	allow $1 var_run_t:fifo_file write;
+')
+
 ########################################
 ##
 ## Create an object in the process ID directory, with a private type.
@@ -5514,12 +5778,15 @@ interface(`files_polyinstantiate_all',`
 	allow $1 poly_t:dir { create mounton };
 	fs_unmount_xattr_fs($1)
+	fs_mount_tmpfs($1)
+	fs_unmount_tmpfs($1)
+
 	ifdef(`distro_redhat',`
 		# namespace.init
+		files_search_tmp($1)
 		files_search_home($1)
 		corecmd_exec_bin($1)
 		seutil_domtrans_setfiles($1)
-		mount_domtrans($1)
 	')
 ')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 313493df2..fbc22fbe2 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
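Review bot: `fs_mount_tmpfs($1)` and `fs_unmount_tmpfs($1)` are added outside the `ifdef(`distro_redhat',` block, so every caller of `files_polyinstantiate_all` on every distribution now receives direct tmpfs mount/unmount rights, whereas the `mount_domtrans($1)` they appear to replace was Red Hat-only and delegated the mount to the mount domain. If that broadening is intended (presumably to drop the dependency of this kernel-layer module on the mount module), a short comment above the two calls saying so would stop the next reader from moving them back inside the ifdef; if not, they belong inside the `distro_redhat` block next to `files_search_tmp($1)`.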
@@ -1,5 +1,5 @@
-policy_module(files, 1.13.0)
+policy_module(files, 1.13.1)
 ########################################
 #
@@ -194,6 +194,7 @@ fs_associate(file_type)
 fs_associate_noxattr(file_type)
 fs_associate_tmpfs(file_type)
 fs_associate_ramfs(file_type)
+fs_associate_hugetlbfs(file_type)
 ########################################
 #