From 9e8f65c83ed6b59764ef8bc609fd0efd2e3ab06b Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 26 Mar 2007 20:47:29 +0000
Subject: [PATCH] six trivial patches from dan for iptables, netutils, ipsec, devices, filesystem and cpuspeed

---
 policy/modules/admin/netutils.te | 4 +-
 policy/modules/kernel/devices.if | 19 ++++++++
 policy/modules/kernel/devices.te | 2 +-
 policy/modules/kernel/filesystem.if | 18 +++++++
 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/kernel/storage.fc | 3 +-
 policy/modules/kernel/storage.te | 2 +-
 policy/modules/services/cpucontrol.te | 3 +-
 policy/modules/system/ipsec.if | 67 +++++++++++++++++++++++++++
 policy/modules/system/ipsec.te | 2 +-
 policy/modules/system/iptables.te | 7 +--
 policy/modules/system/userdomain.if | 4 ++
 policy/modules/system/userdomain.te | 2 +-
 13 files changed, 124 insertions(+), 11 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index b34146e8e..c566b7f9e 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
 
-policy_module(netutils,1.3.1)
+policy_module(netutils,1.3.2)
 
 ########################################
 #
@@ -65,6 +65,8 @@ corenet_tcp_connect_all_ports(netutils_t)
 corenet_sendrecv_all_client_packets(netutils_t)
 corenet_udp_bind_generic_node(netutils_t)
 
+dev_read_sysfs(netutils_t)
+
 fs_getattr_xattr_fs(netutils_t)
 
 domain_use_interactive_fds(netutils_t)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index fc2e6c88b..cbbd523c3 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2501,6 +2501,25 @@ interface(`dev_list_sysfs',`
 list_dirs_pattern($1,sysfs_t,sysfs_t)
 ')
 
+########################################
+##
+## Write in a sysfs directories.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+# cjp: added for cpuspeed
+interface(`dev_write_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir write;
+')
+
 ########################################
 ##
 ## Allow caller to read hardware state information.
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index ff6b4ce6c..1e04a53b5 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.3.1)
+policy_module(devices,1.3.2)
 
 ########################################
 #
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 285776912..172ce142f 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1094,6 +1094,24 @@ interface(`fs_relabelfrom_dos_fs',`
 allow $1 dosfs_t:filesystem relabelfrom;
 ')
 
+########################################
+##
+## Read files on a DOS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_dos_files',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ read_files_pattern($1,dosfs_t,dosfs_t)
+')
+
 ########################################
 ##
 ## Create, read, write, and delete files
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 33f344702..be1b0e6b2 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.5.1)
+policy_module(filesystem,1.5.2)
 
 ########################################
 #
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 5f1d353c0..ff4e26976 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
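Review bot: In `dev_write_sysfs_dirs` the rule `allow $1 sysfs_t:dir write;` grants directory write on every sysfs_t directory, and the only stated reason is the `# cjp: added for cpuspeed` remark. Nothing visible in this patch shows cpuspeed creating or removing sysfs entries, so if the access is only a denial logged when it opens a directory, a `dontaudit $1 sysfs_t:dir write;` interface would be the tighter choice; this should be confirmed against the actual AVC. The summary "Write in a sysfs directories." would read better as `Write to sysfs directories.`. The single caller is the `dev_write_sysfs_dirs(cpuspeed_t)` line added in cpucontrol.te.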
@@ -42,7 +42,8 @@ ifdef(`distro_redhat', `
 /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
-/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
+/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
 /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 71aff40ee..983ed5479 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
 
-policy_module(storage,1.2.0)
+policy_module(storage,1.2.1)
 
 ########################################
 #
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
index bedc36f10..81c14b911 100644
--- a/policy/modules/services/cpucontrol.te
+++ b/policy/modules/services/cpucontrol.te
@@ -1,5 +1,5 @@
 
-policy_module(cpucontrol,1.1.0)
+policy_module(cpucontrol,1.1.1)
 
 ########################################
 #
@@ -91,6 +91,7 @@ files_pid_filetrans(cpuspeed_t,cpuspeed_var_run_t,file)
 kernel_read_system_state(cpuspeed_t)
 kernel_read_kernel_sysctls(cpuspeed_t)
 
+dev_write_sysfs_dirs(cpuspeed_t)
 dev_rw_sysfs(cpuspeed_t)
 
 domain_use_interactive_fds(cpuspeed_t)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 5a7d7bc36..dbb2b6e4e 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
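Review bot: The new pattern `/dev/ub[a-z][^/]+` requires at least one character after the drive letter, so a whole-disk node such as `/dev/uba`, which the removed `/dev/ub[a-z]` line matched, no longer gets `removable_device_t` from this entry and would fall back to whatever broader /dev rule applies. If the intent was to cover partitions while keeping the disk itself, `/dev/ub[a-z][^/]*` does both and matches the `[^/]*` style of the `ubd` and `xvd` lines below; the same question applies to `/dev/tw[a-z][^/]+`. Names like `/dev/ubd0` now match both the `ub[a-z][^/]+` entry and the `ubd[^/]*` entry with different types, so the resulting label depends on file-context match ordering and is worth checking with `matchpathcon`.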
@@ -111,3 +111,70 @@ interface(`ipsec_manage_pid',`
 files_search_pids($1)
 manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
 ')
+
+########################################
+##
+## Execute racoon in the racoon domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ipsec_domtrans_racoon',`
+ gen_require(`
+ type racoon_t, racoon_exec_t;
+ ')
+
+ domtrans_pattern($1,racoon_exec_t,racoon_t)
+')
+
+########################################
+##
+## Execute setkey in the setkey domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ipsec_domtrans_setkey',`
+ gen_require(`
+ type setkey_t, setkey_exec_t;
+ ')
+
+ domtrans_pattern($1,setkey_exec_t,setkey_t)
+')
+
+########################################
+##
+## Execute setkey and allow the specified role the domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the racoon and setkey domains.
+##
+##
+##
+##
+## The type of the terminal allow the racoon and setkey domains to use.
+##
+##
+##
+#
+interface(`ipsec_run_setkey',`
+ gen_require(`
+ type setkey_t;
+ ')
+
+ ipsec_domtrans_setkey($1)
+ role $2 types setkey_t;
+ allow setkey_t $3:chr_file rw_term_perms;
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 2b7ec2269..794838b05 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
 
-policy_module(ipsec,1.2.1)
+policy_module(ipsec,1.2.2)
 
 ########################################
 #
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index cc40dcb08..d968d18e3 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
 
-policy_module(iptables,1.2.1)
+policy_module(iptables,1.2.2)
 
 ########################################
 #
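Review bot: The documentation of `ipsec_run_setkey` does not match what the interface grants: the role and terminal parameters are described as applying to "the racoon and setkey domains", but the body contains only `role $2 types setkey_t;` and `allow setkey_t $3:chr_file rw_term_perms;`. Someone reading the parameter text could conclude the role is also authorised for racoon_t, so either drop racoon from the text (`The role to be allowed the setkey domain.` and `The type of the terminal the setkey domain is allowed to use.`) or add the racoon rules if they were intended. The summary "allow the specified role the domains" should likewise name the setkey domain. `ipsec_domtrans_racoon` has no caller in the hunks shown here.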
@@ -77,9 +77,10 @@ sysnet_dns_name_resolve(iptables_t)
 userdom_use_all_users_fds(iptables_t)
 
 ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(iptables_t)
- term_dontaudit_use_generic_ptys(iptables_t)
+ term_use_unallocated_ttys(iptables_t)
+ term_use_generic_ptys(iptables_t)
 files_dontaudit_read_root_files(iptables_t)
+ unconfined_rw_pipes(iptables_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 46425d76f..b4c73bfaf 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1337,6 +1337,10 @@ template(`userdom_security_admin_template',`
 dmesg_exec($1)
 ')
 
+ optional_policy(`
+ ipsec_run_setkey($1,$2,$3)
+ ')
+
 optional_policy(`
 netlabel_run_mgmt($1,$2, $3)
 ')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index ec35724ec..a4c05ff05 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,2.1.3)
+policy_module(userdomain,2.1.4)
 
 gen_require(`
 role sysadm_r, staff_r, user_r;
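Review bot: Inside the `targeted_policy` block the two `term_dontaudit_use_*` calls are replaced by `term_use_unallocated_ttys(iptables_t)` and `term_use_generic_ptys(iptables_t)`, which turns a silenced denial into real terminal access, and `unconfined_rw_pipes(iptables_t)` is added alongside them with no explanation. A short comment above these lines stating the reason, for instance `# iptables is started from unconfined shells/scripts and writes to their tty or pipe`, would let a later reviewer judge whether the grant is still needed; that wording is a guess at the intent and should be confirmed by the author. The iptables_t rules before and after this block lie outside the hunk.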