patch from dan Mon, 25 Sep 2006 15:46:40 -0400

Changelog

@@ -71,6 +71,7 @@
 	Tue, 05 Sep 2006
 	Wed, 20 Sep 2006
 	Fri, 22 Sep 2006
+	Mon, 25 Sep 2006
 - Added modules:
 	afs
 	amavis (Erich Schubert)
@@ -107,6 +108,7 @@
 	ntop
 	nx
 	oav
+	oddjob (Dan Walsh)
 	openca
 	openvpn (Petre Rodan)
 	perdition

policy/modules/admin/prelink.if

@@ -78,6 +78,7 @@ interface(`prelink_delete_cache',`
 	')
 
 	allow $1 prelink_cache_t:file unlink;
+	files_rw_etc_dirs($1)
 ')
 
 ########################################

policy/modules/admin/prelink.te

@@ -1,5 +1,5 @@
 
-policy_module(prelink,1.1.6)
+policy_module(prelink,1.1.7)
 
 ########################################
 #

policy/modules/admin/readahead.te

@@ -1,5 +1,5 @@
 
-policy_module(readahead,1.2.2)
+policy_module(readahead,1.2.3)
 
 ########################################
 #
@@ -36,6 +36,8 @@ dev_getattr_all_chr_files(readahead_t)
 dev_getattr_all_blk_files(readahead_t)
 dev_dontaudit_read_all_blk_files(readahead_t)
 dev_dontaudit_getattr_memory_dev(readahead_t)
+dev_dontaudit_getattr_nvram(readahead_t)
+storage_dontaudit_getattr_fixed_disk_dev(readahead_t)
 
 domain_use_interactive_fds(readahead_t)
 

policy/modules/apps/slocate.te

@@ -1,5 +1,5 @@
 
-policy_module(slocate,1.1.0)
+policy_module(slocate,1.1.1)
 
 #################################
 #
@@ -45,6 +45,7 @@ files_read_etc_files(locate_t)
 files_dontaudit_getattr_all_dirs(locate_t)
 
 fs_getattr_xattr_fs(locate_t)
+fs_getattr_rpc_pipefs(locate_t)
 
 libs_use_shared_libs(locate_t)
 libs_use_ld_so(locate_t)

policy/modules/kernel/devices.if

@@ -3211,3 +3211,23 @@ interface(`dev_unconfined',`
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	dontaudit getattr generic files in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_generic_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir search;
+	dontaudit $1 device_t:file getattr;
+')
+

policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.23)
+policy_module(devices,1.1.24)
 
 ########################################
 #

policy/modules/kernel/files.if

@@ -1763,6 +1763,24 @@ interface(`files_list_etc',`
 	allow $1 etc_t:dir r_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Add and remove entries from /etc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read generic files in /etc.

policy/modules/kernel/files.te

@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.19)
+policy_module(files,1.2.20)
 
 ########################################
 #

policy/modules/services/cron.te

@@ -1,5 +1,5 @@
 
-policy_module(cron,1.3.14)
+policy_module(cron,1.3.15)
 
 gen_require(`
 	class passwd rootok;
@@ -17,6 +17,14 @@ corecmd_executable_file(anacron_exec_t)
 type cron_spool_t;
 files_type(cron_spool_t)
 
+# var/lib files
+type cron_var_lib_t;
+files_type(cron_var_lib_t)
+
+# var/log files
+type cron_log_t;
+logging_log_file(cron_log_t)
+
 type crond_t;
 # real declaration moved to mls until
 # range_transition works in loadable modules
@@ -228,6 +236,16 @@ optional_policy(`
 # System cron process domain
 #
 
+# This is to handle creation of files in /var/log directory.
+#  Used currently by rpm script log files
+allow system_crond_t cron_log_t:file manage_file_perms;
+logging_log_filetrans(system_crond_t,cron_log_t,file)
+
+# This is to handle /var/lib/misc directory.  Used currently
+# by prelink var/lib files for cron 
+allow system_crond_t cron_var_lib_t:file manage_file_perms;
+files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
+
 optional_policy(`
 	# cjp: why?
 	squid_domtrans(system_crond_t)

policy/modules/services/lpd.fc

@@ -6,13 +6,18 @@
 #
 # /usr
 #
-/usr/sbin/checkpc	--	gen_context(system_u:object_r:checkpc_exec_t,s0)
-/usr/sbin/lpd		--	gen_context(system_u:object_r:lpd_exec_t,s0)
-/usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
 /usr/bin/lp(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/bin/lpr(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/bin/lpq(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/bin/lprm(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpstat(\.cups)? --	gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/sbin/checkpc	--	gen_context(system_u:object_r:checkpc_exec_t,s0)
+/usr/sbin/lpd		--	gen_context(system_u:object_r:lpd_exec_t,s0)
+/usr/sbin/lpadmin	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpc(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
 
 #
 # /var

policy/modules/services/lpd.te

@@ -1,5 +1,5 @@
 
-policy_module(lpd,1.2.7)
+policy_module(lpd,1.2.8)
 
 ########################################
 #

policy/modules/services/oddjob.fc

@@ -0,0 +1,5 @@
+/usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
+/usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
+
+/var/run/oddjobd.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)

policy/modules/services/oddjob.if

@@ -0,0 +1,96 @@
+## <summary>
+##	Oddjob provides a mechanism by which unprivileged applications can
+##	request that specified privileged operations be performed on their
+##	behalf.
+## </summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_domtrans',`
+	gen_require(`
+		type oddjob_t, oddjob_exec_t;
+	')
+
+	domain_auto_trans($1,oddjob_exec_t,oddjob_t)
+	allow oddjob_t $1:fd use;
+	allow oddjob_t $1:fifo_file rw_file_perms;
+	allow oddjob_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Make the specified program domain accessable
+##	from the oddjob.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to transition to.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type of the file used as an entrypoint to this domain.
+##	</summary>
+## </param>
+#
+interface(`oddjob_system_entry',`
+	gen_require(`
+		type oddjob_t;
+	')
+
+	domain_auto_trans(oddjob_t, $2, $1)
+	allow $1 oddjob_t:fd use;
+	allow $1 oddjob_t:fifo_file rw_file_perms;
+	allow $1 oddjob_t:process sigchld;
+')
+
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	oddjob over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`oddjob_dbus_chat',`
+	gen_require(`
+		type oddjob_t;
+		class dbus send_msg;
+	')
+
+	allow $1 oddjob_t:dbus send_msg;
+	allow oddjob_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run oddjob_mkhomedir.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_domtrans_mkhomedir',`
+	gen_require(`
+		type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
+	')
+
+	domain_auto_trans($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
+	allow oddjob_mkhomedir_t $1:fd use;
+	allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
+	allow oddjob_mkhomedir_t $1:process sigchld;
+')

policy/modules/services/oddjob.te

@@ -0,0 +1,85 @@
+
+policy_module(oddjob,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type oddjob_t;
+type oddjob_exec_t;
+domain_type(oddjob_t)
+init_daemon_domain(oddjob_t, oddjob_exec_t)
+
+type oddjob_mkhomedir_t;
+type oddjob_mkhomedir_exec_t;
+domain_type(oddjob_mkhomedir_t)
+init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+
+# pid files
+type oddjob_var_run_t;
+files_pid_file(oddjob_var_run_t)
+
+########################################
+#
+# oddjob local policy
+#
+
+allow oddjob_t self:capability { audit_write setgid } ;
+allow oddjob_t self:process setexec;
+allow oddjob_t self:fifo_file { read write };
+allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
+
+allow oddjob_t oddjob_var_run_t:file manage_file_perms;
+allow oddjob_t oddjob_var_run_t:sock_file manage_file_perms;
+allow oddjob_t oddjob_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
+
+kernel_read_system_state(oddjob_t)
+
+corecmd_search_sbin(oddjob_t)
+corecmd_exec_shell(oddjob_t)
+
+selinux_compute_create_context(oddjob_t)
+
+files_read_etc_files(oddjob_t)
+
+libs_use_ld_so(oddjob_t)
+libs_use_shared_libs(oddjob_t)
+
+miscfiles_read_localization(oddjob_t)
+
+init_dontaudit_use_fds(oddjob_t)
+
+locallogin_dontaudit_use_fds(oddjob_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(oddjob_t)
+	term_dontaudit_use_unallocated_ttys(oddjob_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client_template(oddjob,oddjob_t)
+	dbus_send_system_bus(oddjob_t)
+	dbus_connect_system_bus(oddjob_t)
+')
+
+optional_policy(`
+	unconfined_domtrans(oddjob_t)
+')
+
+########################################
+#
+# oddjob_mkhomedir local policy
+#
+
+allow oddjob_mkhomedir_t self:fifo_file { read write };
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(oddjob_mkhomedir_t)
+
+libs_use_ld_so(oddjob_mkhomedir_t)
+libs_use_shared_libs(oddjob_mkhomedir_t)
+
+miscfiles_read_localization(oddjob_mkhomedir_t)

policy/modules/services/sendmail.te

@@ -1,5 +1,5 @@
 
-policy_module(sendmail,1.2.3)
+policy_module(sendmail,1.2.4)
 
 ########################################
 #
@@ -32,6 +32,7 @@ allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
 allow sendmail_t self:tcp_socket create_stream_socket_perms;
 allow sendmail_t self:udp_socket create_socket_perms;
+allow sendmail_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow sendmail_t sendmail_log_t:file create_file_perms;
 allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };

policy/modules/services/smartmon.te

@@ -1,5 +1,5 @@
 
-policy_module(smartmon,1.0.2)
+policy_module(smartmon,1.0.3)
 
 ########################################
 #
@@ -60,8 +60,11 @@ files_read_etc_files(fsdaemon_t)
 fs_getattr_all_fs(fsdaemon_t)
 fs_search_auto_mountpoints(fsdaemon_t)
 
+mls_file_read_up(fsdaemon_t)
+
 storage_raw_read_fixed_disk(fsdaemon_t)
 storage_raw_write_fixed_disk(fsdaemon_t)
+storage_raw_read_removable_device(fsdaemon_t)
 
 term_dontaudit_use_console(fsdaemon_t)
 term_dontaudit_search_ptys(fsdaemon_t)

policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.26)
+policy_module(init,1.3.27)
 
 gen_require(`
 	class passwd rootok;
@@ -580,6 +580,8 @@ optional_policy(`
 
 	cups_read_log(initrc_t)
 	cups_read_rw_config(initrc_t)
+#cups init script clears error log
+	cups_write_log(initrc_t)
 ')
 
 optional_policy(`

policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.3.12)
+policy_module(logging,1.3.13)
 
 ########################################
 #
@@ -18,6 +18,7 @@ files_security_file(auditd_etc_t)
 
 type auditd_log_t;
 files_security_file(auditd_log_t)
+files_mountpoint(auditd_log_t)
 
 type auditd_t;
 # real declaration moved to mls until

policy/modules/system/raid.te

@@ -1,5 +1,5 @@
 
-policy_module(raid,1.0.0)
+policy_module(raid,1.0.1)
 
 ########################################
 #
@@ -29,11 +29,13 @@ files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
 kernel_read_system_state(mdadm_t)
 kernel_read_kernel_sysctls(mdadm_t)
 kernel_rw_software_raid_state(mdadm_t)
+kernel_getattr_core_if(mdadm_t)
 
 dev_read_sysfs(mdadm_t)
 # Ignore attempts to read every device file
 dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_getattr_generic_files(mdadm_t)
 
 fs_search_auto_mountpoints(mdadm_t)
 fs_dontaudit_list_tmpfs(mdadm_t)

policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.3.14)
+policy_module(unconfined,1.3.15)
 
 ########################################
 #
@@ -129,6 +129,10 @@ ifdef(`targeted_policy',`
 		mono_domtrans(unconfined_t)
 	')
 
+	optional_policy(`
+		oddjob_domtrans_mkhomedir(unconfined_t)
+	')
+
 	optional_policy(`
 		prelink_domtrans(unconfined_t)
 	')