trunk: 6 patches from dan.

2009-06-11 15:00:48 +00:00 · 2009-06-11 15:00:48 +00:00 · a65fd90a50
parent 731008ad85
commit a65fd90a50
14 changed files with 221 additions and 16 deletions
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@ -1,5 +1,5 @@

-policy_module(netutils, 1.8.3)
+policy_module(netutils, 1.8.4)

 ########################################
 #
@ -50,7 +50,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })

 kernel_search_proc(netutils_t)
-kernel_read_sysctl(netutils_t)
+kernel_read_all_sysctls(netutils_t)

 corenet_all_recvfrom_unlabeled(netutils_t)
 corenet_all_recvfrom_netlabel(netutils_t)
@ -140,6 +140,10 @@ userdom_use_user_terminals(ping_t)

 ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
+
+	optional_policy(`
+		nagios_dontaudit_rw_pipes(ping_t)
+	')
 ')

 tunable_policy(`user_ping',`
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@ -7,6 +7,7 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
@ -32,6 +33,8 @@ ifdef(`distro_redhat',`
 #
 # /etc
 #
+/etc/acpi/actions(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
 /etc/apcupsd/apccontrol		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/apcupsd/changeme		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/apcupsd/commfailure	--	gen_context(system_u:object_r:bin_t,s0)
@ -67,6 +70,8 @@ ifdef(`distro_redhat',`
 /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)

+/etc/racoon/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)

 /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
@ -140,6 +145,7 @@ ifdef(`distro_gentoo',`
 /usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)

 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@ -209,7 +215,14 @@ ifdef(`distro_gentoo',`
 /usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/Modules/init(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath	--      gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)?	        gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-shell(/.*)?        gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)?        gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)

 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@ -1,5 +1,5 @@

-policy_module(corecommands, 1.11.1)
+policy_module(corecommands, 1.11.2)

 ########################################
 #
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@ -1610,6 +1610,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
 	allow $1 reserved_port_type:tcp_socket name_connect;
 ')

+########################################
+## <summary>
+##	Connect TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_unreserved_ports',`
+	gen_require(`
+		attribute port_type, reserved_port_type;
+	')
+
+	allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to connect TCP sockets
@ -1685,6 +1703,24 @@ interface(`corenet_rw_tun_tap_dev',`
 	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
 ')

+########################################
+## <summary>
+##	Getattr the point-to-point device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_getattr_ppp_dev',`
+	gen_require(`
+		type ppp_device_t;
+	')
+
+	allow $1 ppp_device_t:chr_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the point-to-point device.
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@

-policy_module(corenetwork, 1.11.7)
+policy_module(corenetwork, 1.11.8)

 ########################################
 #
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@ -525,7 +525,7 @@ interface(`domain_search_all_domains_state',`
 	')

 	kernel_search_proc($1)
-	allow $1 domain:dir search;
+	allow $1 domain:dir search_dir_perms;
 ')

 ########################################
@ -629,6 +629,7 @@ interface(`domain_read_confined_domains_state',`

 	dontaudit $1 unconfined_domain_type:dir search_dir_perms;
 	dontaudit $1 unconfined_domain_type:file read_file_perms;
+	dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms;
 ')

 ########################################
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@ -1,5 +1,5 @@

-policy_module(domain, 1.6.0)
+policy_module(domain, 1.6.1)

 ########################################
 #
@ -145,7 +145,7 @@ allow unconfined_domain_type domain:msg { send receive };

 # For /proc/pid
 allow unconfined_domain_type domain:dir list_dir_perms;
-allow unconfined_domain_type domain:file read_file_perms;
+allow unconfined_domain_type domain:file rw_file_perms;
 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };

 # act on all domains keys
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@ -5,6 +5,7 @@
 /.*				gen_context(system_u:object_r:default_t,s0)
 /			-d	gen_context(system_u:object_r:root_t,s0)
 /\.journal			<<none>>
+/afs			-d	gen_context(system_u:object_r:mnt_t,s0)
 /initrd\.img.*		-l	gen_context(system_u:object_r:boot_t,s0)
 /vmlinuz.*		-l	gen_context(system_u:object_r:boot_t,s0)

--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -928,6 +928,8 @@ interface(`files_relabel_all_files',`
 	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+	# this is only relabelfrom since there should be no
+	# device nodes with file types.
 	relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })

@ -1094,6 +1096,24 @@ interface(`files_relabelto_all_file_type_fs',`
 	allow $1 file_type:filesystem relabelto;
 ')

+########################################
+## <summary>
+##	Relabel a filesystem to the type of a file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_file_type_fs',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:filesystem { relabelfrom relabelto };
+')
+
 ########################################
 ## <summary>
 ##	Mount all filesystems with the type of a file.
@ -2305,6 +2325,25 @@ interface(`files_rw_isid_type_dirs',`
 	allow $1 file_t:dir rw_dir_perms;
 ')

+########################################
+## <summary>
+##	Delete directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_isid_type_dirs',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_dirs_pattern($1, file_t, file_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories
@ -2362,6 +2401,25 @@ interface(`files_read_isid_type_files',`
 	allow $1 file_t:file read_file_perms;
 ')

+########################################
+## <summary>
+##	Delete files on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_isid_type_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_files_pattern($1, file_t, file_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
@ -2820,6 +2878,7 @@ interface(`files_search_kernel_modules',`
 	')

 	allow $1 modules_object_t:dir search_dir_perms;
+	read_lnk_files_pattern($1, modules_object_t, modules_object_t)
 ')

 ########################################
@ -3546,7 +3605,7 @@ interface(`files_delete_usr_dirs',`
 		type usr_t;
 	')

-	allow $1 usr_t:file delete_dir_perms;
+	delete_dirs_pattern($1, usr_t, usr_t)
 ')

 ########################################
@ -4411,6 +4470,28 @@ interface(`files_read_all_locks',`
 	read_lnk_files_pattern($1, lockfile, lockfile)
 ')

+########################################
+## <summary>
+##	manage all lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_all_locks',`
+	gen_require(`
+		attribute lockfile;
+		type var_t, var_lock_t;
+	')
+
+	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+	manage_dirs_pattern($1, lockfile, lockfile)
+	manage_files_pattern($1, lockfile, lockfile)
+	manage_lnk_files_pattern($1, lockfile, lockfile)
+')
+
 ########################################
 ## <summary>
 ##	Create an object in the locks directory, with a private
@ -4532,7 +4613,8 @@ interface(`files_read_generic_pids',`
 		type var_t, var_run_t;
 	')

-	read_files_pattern($1, { var_t var_run_t }, var_run_t)
+	list_dirs_pattern($1, var_t, var_run_t)
+	read_files_pattern($1, var_run_t, var_run_t)
 ')

 ########################################
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@ -1,5 +1,5 @@

-policy_module(files, 1.11.0)
+policy_module(files, 1.11.1)

 ########################################
 #
@ -199,7 +199,7 @@ fs_associate_ramfs(file_type)
 # Rules for all tmp file types
 #

-allow tmpfile tmp_t:filesystem associate;
+allow file_type tmp_t:filesystem associate;

 fs_associate_tmpfs(tmpfile)

--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@ -157,7 +157,7 @@ interface(`kernel_signal',`
 		type kernel_t;
 	')

-	allow kernel_t $1:process signal;
+	allow $1 kernel_t:process signal;
 ')

 ########################################
@ -817,7 +817,7 @@ interface(`kernel_dontaudit_read_system_state',`
 		type proc_t;
 	')

-	dontaudit $1 proc_t:file { getattr read };
+	dontaudit $1 proc_t:file read_file_perms;
 ')

 ########################################
@ -1181,6 +1181,25 @@ interface(`kernel_write_xen_state',`
 	write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
 ')

+########################################
+## <summary>
+##	Allow attempts to list all proc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_list_all_proc',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	allow $1 proc_type:dir list_dir_perms;
+	allow $1 proc_type:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to list all proc directories.
@ -1197,6 +1216,7 @@ interface(`kernel_dontaudit_list_all_proc',`
 	')

 	dontaudit $1 proc_type:dir list_dir_perms;
+	dontaudit $1 proc_type:file getattr;
 ')

 ########################################
@ -1232,10 +1252,11 @@ interface(`kernel_dontaudit_search_sysctl',`
 #
 interface(`kernel_read_sysctl',`
 	gen_require(`
-		type sysctl_t;
+		type sysctl_t, proc_t;
 	')

 	list_dirs_pattern($1, proc_t, sysctl_t)
+	read_files_pattern($1, sysctl_t, sysctl_t)
 ')

 ########################################
@ -1566,6 +1587,25 @@ interface(`kernel_dontaudit_search_kernel_sysctl',`
 	dontaudit $1 sysctl_kernel_t:dir search;
 ')

+########################################
+## <summary>
+##	Read generic crypto sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_crypto_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_crypto_t;
+	')
+
+	read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
+	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
+')
+
 ########################################
 ## <summary>
 ##	Read generic kernel sysctls.
@ -1767,6 +1807,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 	')

 	dontaudit $1 sysctl_type:dir list_dir_perms;
+	dontaudit $1 sysctl_type:file getattr;
 ')

 ########################################
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@ -1,5 +1,5 @@

-policy_module(kernel, 1.10.3)
+policy_module(kernel, 1.10.4)

 ########################################
 #
@ -100,6 +100,7 @@ type proc_net_t, proc_type;
 genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)

 type proc_xen_t, proc_type;
+files_mountpoint(proc_xen_t)
 genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)

 #
@ -120,6 +121,10 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
 type sysctl_rpc_t, sysctl_type;
 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)

+# /proc/sys/crypto directory and files
+type sysctl_crypto_t, sysctl_type;
+genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
+
 # /proc/sys/fs directory and files
 type sysctl_fs_t, sysctl_type;
 files_mountpoint(sysctl_fs_t)
@ -198,6 +203,8 @@ allow kernel_t self:fifo_file rw_fifo_file_perms;
 allow kernel_t self:sock_file read_sock_file_perms;
 allow kernel_t self:fd use;

+allow kernel_t debugfs_t:dir search_dir_perms;
+
 allow kernel_t proc_t:dir list_dir_perms;
 allow kernel_t proc_t:file read_file_perms;
 allow kernel_t proc_t:lnk_file read_lnk_file_perms;
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@ -1,5 +1,25 @@
 ## <summary>Net Saint / NAGIOS - network monitoring server</summary>

+########################################
+## <summary>
+##	Do not audit attempts to read or write nagios
+##	unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_dontaudit_rw_pipes',`
+	gen_require(`
+		type nagios_t;
+	')
+
+	dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to read
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@ -1,5 +1,5 @@

-policy_module(nagios, 1.7.1)
+policy_module(nagios, 1.7.2)

 ########################################
 #