diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 0fd5c5f2e..3f81343a6 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.14.0)
+policy_module(bootloader, 1.14.1)
 
 ########################################
 #
@@ -155,15 +155,14 @@ ifdef(`distro_redhat',`
 # for memlock
 allow bootloader_t self:capability ipc_lock;
 
- # new file system defaults to file_t, granting file_t access is still bad.
 allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };
 
- # new file system defaults to file_t, granting file_t access is still bad.
- files_manage_isid_type_dirs(bootloader_t)
- files_manage_isid_type_files(bootloader_t)
- files_manage_isid_type_symlinks(bootloader_t)
- files_manage_isid_type_blk_files(bootloader_t)
- files_manage_isid_type_chr_files(bootloader_t)
+ # new file system defaults to unlabeled, granting unlabeled access is still bad.
+ kernel_manage_unlabeled_dirs(bootloader_t)
+ kernel_manage_unlabeled_files(bootloader_t)
+ kernel_manage_unlabeled_symlinks(bootloader_t)
+ kernel_manage_unlabeled_blk_files(bootloader_t)
+ kernel_manage_unlabeled_chr_files(bootloader_t)
 
 # for mke2fs
 mount_run(bootloader_t, bootloader_roles)
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 72bc6d815..d8e0731b0 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,4 +1,4 @@
-policy_module(dmesg, 1.3.0)
+policy_module(dmesg, 1.3.1)
 
 ########################################
 #
@@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
 kernel_change_ring_buffer_level(dmesg_t)
 kernel_list_proc(dmesg_t)
 kernel_read_proc_symlinks(dmesg_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(dmesg_t)
 
 dev_read_sysfs(dmesg_t)
 
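Review bot: The five `kernel_manage_unlabeled_*` rules in the second bootloader hunk give bootloader_t create, write and delete rights on every unlabeled directory, file, symlink, block and character node, and the only explanation is the carried-over `# new file system defaults to unlabeled, granting unlabeled access is still bad.` comment. If unlabeled_t is also what the kernel assigns to objects whose stored context the loaded policy does not recognise, and not only to a freshly made filesystem, the new rules reach further than the old isid_type ones did, and that should be recorded where the rules live, e.g. `# NOTE: unlabeled_t is not limited to new file systems; keep this block distro_redhat-only`. The removal of the duplicate `# new file system ...` comment above the boot_runtime_t rule looks fine. The enclosing `ifdef(`distro_redhat',`` block begins before this hunk and closes after it.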
@@ -35,8 +37,6 @@ term_dontaudit_use_console(dmesg_t)
 domain_use_interactive_fds(dmesg_t)
 
 files_list_etc(dmesg_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(dmesg_t)
 
 init_use_fds(dmesg_t)
 init_use_script_ptys(dmesg_t)
diff --git a/policy/modules/contrib b/policy/modules/contrib
index 1841db13d..fc714e2e8 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit 1841db13d655ca7a090d4b7c86add9c2869b9e01
+Subproject commit fc714e2e840188c55b5ebc8e9b1e09d342f2864e
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 1e0390f69..ed7f324f8 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.5.2)
+policy_module(authlogin, 2.5.3)
 
 ########################################
 #
@@ -220,6 +220,7 @@ dontaudit pam_console_t pam_var_console_t:file write;
 
 kernel_read_kernel_sysctls(pam_console_t)
 kernel_use_fds(pam_console_t)
+kernel_dontaudit_search_unlabeled(pam_console_t)
 
 # Read /proc/meminfo
 kernel_read_system_state(pam_console_t)
@@ -255,7 +256,6 @@ dev_read_urand(pam_console_t)
 files_read_etc_files(pam_console_t)
 files_search_pids(pam_console_t)
 files_list_mnt(pam_console_t)
-files_dontaudit_search_isid_type_dirs(pam_console_t)
 
 # read /etc/mtab
 files_read_etc_runtime_files(pam_console_t)
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index edece47dc..a3cc2efa2 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -1,4 +1,4 @@
-policy_module(clock, 1.7.0)
+policy_module(clock, 1.7.1)
 
 ########################################
 #
@@ -30,6 +30,8 @@ allow hwclock_t adjtime_t:file { rw_file_perms setattr };
 
 kernel_read_kernel_sysctls(hwclock_t)
 kernel_read_system_state(hwclock_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(hwclock_t)
 
 corecmd_exec_bin(hwclock_t)
 corecmd_exec_shell(hwclock_t)
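Review bot: `kernel_dontaudit_search_unlabeled(pam_console_t)` in the authlogin hunk is added without a comment, whereas the same rule in dmesg.te, clock.te and hostname.te carries `# for when /usr is not mounted:` and the removed `files_dontaudit_search_isid_type_dirs(pam_console_t)` line had none either. A dontaudit silences denials, so a one-line reason is what lets a later reader judge whether the rule can go; suggest `# TODO(review): state the boot-time case in which pam_console_t searches unlabeled dirs` until the trigger is known. The same uncommented dontaudit is added for init_t in init.te and for udev_t in udev.te.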
@@ -38,8 +40,6 @@ dev_read_sysfs(hwclock_t)
 dev_rw_realtime_clock(hwclock_t)
 
 files_read_etc_files(hwclock_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(hwclock_t)
 
 fs_getattr_xattr_fs(hwclock_t)
 fs_search_auto_mountpoints(hwclock_t)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 610fa406b..65f634a45 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.16.3)
+policy_module(fstools, 1.16.4)
 
 ########################################
 #
@@ -56,6 +56,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
 kernel_request_load_module(fsadm_t)
+kernel_manage_unlabeled_dirs(fsadm_t)
 # Allow console log change (updfstab)
 kernel_change_ring_buffer_level(fsadm_t)
 # mkreiserfs needs this
@@ -64,6 +65,7 @@ kernel_getattr_core_if(fsadm_t)
 # Access to /initrd devices
 kernel_rw_unlabeled_dirs(fsadm_t)
 kernel_rw_unlabeled_blk_files(fsadm_t)
+kernel_read_unlabeled_files(fsadm_t)
 
 corecmd_exec_bin(fsadm_t)
 #RedHat bug #201164
@@ -100,14 +102,9 @@ files_list_home(fsadm_t)
 files_read_usr_files(fsadm_t)
 files_read_etc_files(fsadm_t)
 files_manage_lost_found(fsadm_t)
-files_manage_isid_type_dirs(fsadm_t)
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t, file)
-# Access to /initrd devices
-files_rw_isid_type_dirs(fsadm_t)
-files_rw_isid_type_blk_files(fsadm_t)
-files_read_isid_type_files(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 6d9f4fe3f..07f83b5a8 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -1,4 +1,4 @@
-policy_module(hostname, 1.8.2)
+policy_module(hostname, 1.8.3)
 
 ########################################
 #
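Review bot: In the first fstools hunk `kernel_manage_unlabeled_dirs(fsadm_t)` is added while the following hunk keeps `kernel_rw_unlabeled_dirs(fsadm_t)`, which the manage interface already subsumes, so fsadm_t now carries the same grant twice at two strengths; keep one of them, and give the surviving manage rule the comment the old `files_manage_isid_type_dirs(fsadm_t)` never had, e.g. `# TODO(review): which fstool creates or removes directories on an unlabeled file system?`. In the second hunk `kernel_read_unlabeled_files(fsadm_t)` lands under the existing `# Access to /initrd devices` comment, which matches the block being removed in the third hunk. Manage over all unlabeled directories is a broad grant for a filesystem-tools domain, so the reason deserves to be on the line rather than only in the commit.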
@@ -23,6 +23,8 @@ dontaudit hostname_t self:capability sys_tty_config;
 
 kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(hostname_t)
 
 dev_read_sysfs(hostname_t)
 # Early devtmpfs, before udev relabel
@@ -32,8 +34,6 @@ domain_use_interactive_fds(hostname_t)
 
 files_read_etc_files(hostname_t)
 files_dontaudit_search_var(hostname_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(hostname_t)
 
 fs_getattr_xattr_fs(hostname_t)
 fs_search_auto_mountpoints(hostname_t)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index b2097e743..fb17059a8 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,4 +1,4 @@
-policy_module(hotplug, 1.16.0)
+policy_module(hotplug, 1.16.1)
 
 ########################################
 #
@@ -49,6 +49,8 @@ kernel_read_system_state(hotplug_t)
 kernel_read_network_state(hotplug_t)
 kernel_read_kernel_sysctls(hotplug_t)
 kernel_rw_net_sysctls(hotplug_t)
+# for when filesystems are not mounted early in the boot:
+kernel_dontaudit_search_unlabeled(hotplug_t)
 
 files_read_kernel_modules(hotplug_t)
 
@@ -86,8 +88,6 @@ files_read_etc_files(hotplug_t)
 files_manage_etc_runtime_files(hotplug_t)
 files_etc_filetrans_etc_runtime(hotplug_t, file)
 files_exec_etc_files(hotplug_t)
-# for when filesystems are not mounted early in the boot:
-files_dontaudit_search_isid_type_dirs(hotplug_t)
 
 init_read_script_state(hotplug_t)
 # Allow hotplug (including /sbin/ifup-local) to start/stop services and
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index df10b8cdd..25ac63c5d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.20.4)
+policy_module(init, 1.20.5)
 
 gen_require(`
 class passwd rootok;
@@ -125,6 +125,7 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
+kernel_dontaudit_search_unlabeled(init_t)
 
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
@@ -142,7 +143,6 @@ domain_sigchld_all_domains(init_t)
 
 files_read_etc_files(init_t)
 files_rw_generic_pids(init_t)
-files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
 files_etc_filetrans_etc_runtime(init_t, file)
 # Run /etc/X11/prefdm:
@@ -289,6 +289,9 @@ kernel_read_all_sysctls(initrc_t)
 kernel_rw_all_sysctls(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+kernel_list_unlabeled(initrc_t)
+kernel_mounton_unlabeled_dirs(initrc_t)
 
 files_create_lock_dirs(initrc_t)
 files_pid_filetrans_lock_dir(initrc_t, "lock")
@@ -367,8 +370,6 @@ files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
 # Mount and unmount file systems.
 # cjp: not sure why these are here; should use mount policy
-files_list_isid_type_dirs(initrc_t)
-files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
 
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 446fa9908..c083ccd7a 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,4 +1,4 @@
-policy_module(locallogin, 1.12.0)
+policy_module(locallogin, 1.12.1)
 
 ########################################
 #
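Review bot: The `# cjp: not sure why these are here; should use mount policy` comment now exists twice in init.te: the copy added above `kernel_list_unlabeled(initrc_t)` / `kernel_mounton_unlabeled_dirs(initrc_t)` in the third init hunk, and the original that the fourth hunk leaves standing above `files_list_default(initrc_t)` together with `# Mount and unmount file systems.`. Since the original questioned both the unlabeled and the default_t rules, either keep one copy or make each refer to what it covers, e.g. `# cjp: not sure why this is here; should use mount policy (same doubt as the default_t rules below)`. Allowing initrc_t to mount on any unlabeled directory is a standing grant that this move preserves without naming the boot-time case that needs it, so the open question is worth keeping visible next to the rule that matters most.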
@@ -216,13 +216,13 @@ allow sulogin_t self:msgq create_msgq_perms;
 allow sulogin_t self:msg { send receive };
 
 kernel_read_system_state(sulogin_t)
+# because file systems are not mounted:
+kernel_dontaudit_search_unlabeled(sulogin_t)
 
 fs_search_auto_mountpoints(sulogin_t)
 fs_rw_tmpfs_chr_files(sulogin_t)
 
 files_read_etc_files(sulogin_t)
-# because file systems are not mounted:
-files_dontaudit_search_isid_type_dirs(sulogin_t)
 
 auth_read_shadow(sulogin_t)
 
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index e3d4a68d3..68a2060c7 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.20.2)
+policy_module(logging, 1.20.3)
 
 ########################################
 #
@@ -406,6 +406,8 @@ kernel_read_messages(syslogd_t)
 kernel_read_vm_sysctls(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
+# /initrd is not umounted before minilog starts
+kernel_dontaudit_search_unlabeled(syslogd_t)
 
 corenet_all_recvfrom_unlabeled(syslogd_t)
 corenet_all_recvfrom_netlabel(syslogd_t)
@@ -443,7 +445,6 @@ files_read_usr_files(syslogd_t)
 files_read_var_files(syslogd_t)
 files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
-files_dontaudit_search_isid_type_dirs(syslogd_t)
 files_read_kernel_symbol_table(syslogd_t)
 files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 9914302fa..e63dfe2a9 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.15.3)
+policy_module(lvm, 1.15.4)
 
 ########################################
 #
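Review bot: In the second logging hunk, removing `files_dontaudit_search_isid_type_dirs(syslogd_t)` leaves its `# /initrd is not umounted before minilog starts` comment behind as a context line, where it now sits above `files_read_kernel_symbol_table(syslogd_t)` and describes nothing. The comment was already copied to the new `kernel_dontaudit_search_unlabeled(syslogd_t)` rule in the previous hunk, so this copy should be deleted with the rule it explained. Every other file in this commit removes the comment together with the rule; logging.te is the only one left with the stale line.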
@@ -217,6 +217,8 @@ kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctls(lvm_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
@@ -254,8 +256,6 @@ domain_read_all_domains_state(lvm_t)
 files_read_usr_files(lvm_t)
 files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(lvm_t)
 
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
@@ -306,7 +306,7 @@ userdom_use_user_terminals(lvm_t)
 
 ifdef(`distro_redhat',`
 # this is from the initrd:
- files_rw_isid_type_dirs(lvm_t)
+ kernel_rw_unlabeled_dirs(lvm_t)
 
 optional_policy(`
 unconfined_domain(lvm_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7a363b8b2..4d8d62ff6 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,4 +1,4 @@
-policy_module(modutils, 1.14.0)
+policy_module(modutils, 1.14.1)
 
 ########################################
 #
@@ -130,6 +130,8 @@ kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
 kernel_read_hotplug_sysctls(insmod_t)
 kernel_setsched(insmod_t)
+# for when /var is not mounted early in the boot:
+kernel_dontaudit_search_unlabeled(insmod_t)
 
 corecmd_exec_bin(insmod_t)
 corecmd_exec_shell(insmod_t)
@@ -153,8 +155,6 @@ files_read_usr_files(insmod_t)
 files_exec_etc_files(insmod_t)
 # for nscd:
 files_dontaudit_search_pids(insmod_t)
-# for when /var is not mounted early in the boot:
-files_dontaudit_search_isid_type_dirs(insmod_t)
 # for locking: (cjp: ????)
 files_write_kernel_modules(insmod_t)
 
@@ -299,9 +299,10 @@ userdom_use_user_terminals(update_modules_t)
 userdom_dontaudit_search_user_home_dirs(update_modules_t)
 
 ifdef(`distro_gentoo',`
+ kernel_list_unlabeled(update_modules_t) # /var
+ files_search_pids(update_modules_t)
 files_getattr_usr_src_files(update_modules_t)
- files_list_isid_type_dirs(update_modules_t) # /var
 
 # update-modules on Gentoo throws errors when run because it
 # sources /etc/init.d/functions.sh, which always scans
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index ef8b91425..d3e2d647c 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.16.3)
+policy_module(mount, 1.16.4)
 
 ########################################
 #
@@ -65,6 +65,9 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
+# for when /etc/mtab loses its type
+# cjp: this seems wrong, the type should probably be etc
+kernel_read_unlabeled_files(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
@@ -92,9 +95,6 @@ files_unmount_rootfs(mount_t)
 files_relabelto_all_file_type_fs(mount_t)
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
-files_read_isid_type_files(mount_t)
 # For reading cert files
 files_read_usr_files(mount_t)
 files_list_all_mountpoints(mount_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a47708965..24654b833 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.16.5)
+policy_module(udev, 1.16.6)
 
 ########################################
 #
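Review bot: `files_search_pids(update_modules_t)` in the modutils gentoo hunk is a new grant with no counterpart in the removed `files_list_isid_type_dirs(update_modules_t) # /var` line, so this hunk is not the pure interface rename the rest of the commit is. If it stands in for the part of the old /var access that the unlabeled rule no longer reaches, say so on the line, e.g. `files_search_pids(update_modules_t) # TODO(review): what under the pid dir does update-modules read?`; otherwise a reader will assume it was always there. The `ifdef(`distro_gentoo',`` block continues past the end of the hunk.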
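Review bot: The mount.te hunk moves `# cjp: this seems wrong, the type should probably be etc` to the new `kernel_read_unlabeled_files(mount_t)` rule unchanged, so mount_t keeps read access to every unlabeled file on the strength of an /etc/mtab problem the comment itself doubts. Since the rule is being rewritten anyway, this is the point to either record what was observed or narrow the grant as the comment suggests, rather than carry the doubt forward; at minimum make the note actionable, e.g. `# /etc/mtab has been seen unlabeled; read access to all unlabeled files remains until mtab labeling is fixed`. The same hunk pair (add above, remove below) is otherwise a clean move.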
@@ -95,6 +95,7 @@ kernel_search_debugfs(udev_t)
 kernel_rw_net_sysctls(udev_t)
 kernel_read_network_state(udev_t)
 kernel_read_software_raid_state(udev_t)
+kernel_dontaudit_search_unlabeled(udev_t)
 
 corecmd_exec_all_executables(udev_t)
 
@@ -116,7 +117,6 @@ files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
 files_exec_etc_files(udev_t)
-files_dontaudit_search_isid_type_dirs(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)