From ce6bf7cc233822df5dff9f22f0cd23aa5a2da707 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 28 Aug 2006 02:46:20 +0000
Subject: [PATCH] more testing fixes
---
 policy/modules/kernel/terminal.if | 39 +++++++++++++++++++++++++++
 policy/modules/kernel/terminal.te | 2 +-
 policy/modules/system/authlogin.te | 1 +
 policy/modules/system/clock.if | 43 +++++++++++++++++++++---------
 policy/modules/system/clock.te | 2 +-
 policy/modules/system/init.te | 3 +++
 policy/modules/system/logging.te | 9 ++++++-
 7 files changed, 83 insertions(+), 16 deletions(-)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 44faeed01..774450ef4 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -90,6 +90,7 @@ interface(`term_tty',`
 typeattribute $2 ttynode, serial_device;
 type_change $1 tty_device_t:chr_file $2;
+ fs_associate($1)
 files_associate_tmp($1)
 # Debian login is from shadow utils and does not allow resetting the perms.
@@ -713,6 +714,25 @@ interface(`term_setattr_unallocated_ttys',`
 allow $1 tty_device_t:chr_file setattr;
 ')
+########################################
+##
+## Do not audit attempts to set the attributes
+## of unallocated tty device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_dontaudit_setattr_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dontaudit $1 tty_device_t:chr_file setattr;
+')
+
 ########################################
 ##
 ## Do not audit attempts to ioctl
@@ -774,6 +794,25 @@ interface(`term_reset_tty_labels',`
 allow $1 tty_device_t:chr_file relabelto;
 ')
+########################################
+##
+## Append to unallocated ttys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_append_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file { getattr append };
+')
+
 ########################################
 ##
 ## Write to unallocated ttys.
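Review bot: `fs_associate($1)` on the added line of the term_tty hunk targets the first parameter, which the neighbouring `type_change $1 tty_device_t:chr_file $2` line treats as the process domain, while `typeattribute $2 ttynode, serial_device` shows that the tty type is `$2`. The filesystem `associate` permission is checked with the type of the file being placed on the filesystem as the source, so granting it to a domain type has no effect; if the intent is to let the new tty type live on device filesystems this should presumably read `fs_associate($2)`. The pre-existing `files_associate_tmp($1)` on the next line looks like it has the same problem, so both are worth checking against the interface's parameter documentation, which is outside the hunk. The term_tty body begins and ends outside the hunk.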
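Review bot: The summary of the new `term_append_unallocated_ttys` interface says only "Append", but the rule grants `{ getattr append }` on `tty_device_t` and the preceding `dev_list_all_dev_nodes($1)` adds directory listing of the device node tree, so a caller gets noticeably more than the name suggests. Because every unallocated tty carries `tty_device_t`, the grant also cannot be narrowed to a single console. Suggest the summary read `## Append to and get the attributes of unallocated ttys; also lists device node directories.` so an author choosing this interface for a single-console log sink sees the real scope.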
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 497652a80..c2f363950 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.1.4)
+policy_module(terminal,1.1.5)
 ########################################
 #
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 1006dc420..1b0376dad 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -265,6 +265,7 @@ term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
 term_dontaudit_use_generic_ptys(system_chkpwd_t)
 userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
+userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
 ########################################
 #
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index d5c66e357..542db15ad 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -55,14 +55,14 @@ interface(`clock_run',`
 ')
 ########################################
-##
-## Execute hwclock in the caller domain.
-##
-##
+##
+## Execute hwclock in the caller domain.
+##
+##
 ##
-## The type of the process performing this action.
+## The type of the process performing this action.
 ##
-##
+##
 #
 interface(`clock_exec',`
 gen_require(`
@@ -73,14 +73,32 @@ interface(`clock_exec',`
 ')
 ########################################
-##
-## Allow executing domain to modify clock drift
-##
-##
+##
+## Do not audit attempts to write clock drift adjustments.
+##
+##
 ##
-## The type of the process performing this action.
+## Domain to not audit.
 ##
-##
+##
+#
+interface(`clock_dontaudit_write_adjtime',`
+ gen_require(`
+ type adjtime_t;
+ ')
+
+ dontaudit $1 adjtime_t:file write;
+')
+
+########################################
+##
+## Read and write clock drift adjustments.
+##
+##
+##
+## Domain allowed access.
+##
+##
 #
 interface(`clock_rw_adjtime',`
 gen_require(`
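Review bot: The new `clock_dontaudit_write_adjtime` interface silences only `write` on `adjtime_t`, yet the init.te hunk that calls it is commented "init scripts touch this"; if that is a literal `touch`, the utimes call that follows the open also requires `setattr`, and that denial would still reach the audit log. If the observed AVC was the `{ write setattr }` pair, the rule should presumably be `dontaudit $1 adjtime_t:file { write setattr };`; if only write was seen, a short comment above the rule such as `# write is the only access init scripts trip; setattr stays audited` would record the decision. Since dontaudit suppresses logging without granting anything, the narrower rule is safe either way, but it only serves its purpose if it matches the actual denial.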
@@ -90,4 +108,3 @@ interface(`clock_rw_adjtime',`
 allow $1 adjtime_t:file rw_file_perms;
 files_list_etc($1)
 ')
-
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 03d988588..8b7cef369 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -1,5 +1,5 @@
-policy_module(clock,1.0.1)
+policy_module(clock,1.0.2)
 ########################################
 #
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ab9d4b3f9..2cb9b8cde 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -416,6 +416,9 @@ ifdef(`distro_gentoo',`
 # mounting tmpfs on /dev
 fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
+ # init scripts touch this
+ clock_dontaudit_write_adjtime(initrc_t)
+
 optional_policy(`
 arpwatch_manage_data_files(initrc_t)
 ')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0c1b3ed0b..195a1a121 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.9)
+policy_module(logging,1.3.10)
 ########################################
 #
@@ -349,6 +349,13 @@ miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
+ifdef(`distro_gentoo',`
+ # default gentoo syslog-ng config appends kernel
+ # and high priority messages to /dev/tty12
+ term_append_unallocated_ttys(syslogd_t)
+ term_dontaudit_setattr_unallocated_ttys(syslogd_t)
+')
+
 ifdef(`distro_suse',`
 # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
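Review bot: The comment in the new `ifdef(`distro_gentoo'` block of logging.te names a single target, /dev/tty12, but `term_append_unallocated_ttys(syslogd_t)` grants append on every unallocated tty (all of them carry `tty_device_t`) and `term_dontaudit_setattr_unallocated_ttys(syslogd_t)` hides setattr denials on that same set, so the effective grant is wider than the comment implies and attribute changes on those consoles would not show up in the audit log. The type granularity gives no way to confine this to one console, which is fine, but the comment should say so, e.g. `# note: tty_device_t covers every unallocated tty, not just tty12`, so the broader grant reads as a deliberate decision rather than an accident.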