diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 208e193..6e3cfa1 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -302,3 +302,17 @@ define(`terminal_ignore_use_general_pseudoterminal_depend',` type devpts_t; class chr_file { read write }; ') + +######################################## +# +# terminal_ignore_use_pseudoterminal_multiplexer(domain) +# +define(`terminal_ignore_use_pseudoterminal_multiplexer',` +requires_block_template(`$0'_depend) +dontaudit $1 ptmx_t:chr_file { getattr read write }; +') + +define(`terminal_ignore_use_pseudoterminal_multiplexer_depend',` +type ptmx_t; +class chr_file { getattr read write }; +') diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 8b09787..02d31b0 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -116,8 +116,7 @@ class process transition; # define(`authlogin_modify_login_records',` requires_block_template(`$0'_depend) -files_search_system_state_data_directory($1) -# FIXME: search var_log_t +logging_search_system_log_directory($1) allow $1 wtmp_t:file { getattr read write setattr }; ') 
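Review bot: The new `dontaudit $1 ptmx_t:chr_file { getattr read write };` is narrower than the `rw_file_perms` set on the utempter_t rule it replaces in authlogin.te (`dontaudit utempter_t ptmx_t:chr_file rw_file_perms;`), so if that macro also covers ioctl, lock and append, those denials on /dev/ptmx will start appearing in the audit log for utempter_t after this change. Either widen the set here or record that the narrowing is deliberate. The header block above the define carries only the interface name; a one-line description such as `# Do not audit attempts by the domain to use /dev/ptmx, the pty multiplexer.` would match what a caller needs to know.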
@@ -192,6 +191,38 @@ class file { getattr read write setattr }; ####################################### # +# authlogin_pam_transition(domain) +# +define(`authlogin_pam_transition',` +requires_block_template(`$0'_depend) +allow $1 pam_exec_t:file { getattr read execute }; +allow $1 pam_t:process transition; +type_transition $1 pam_exec_t:file pam_t; +dontaudit $1 pam_t:process { noatsecure siginh rlimitinh }; +') + +define(`authlogin_pam_transition_depend',` +type pam_t, pam_exec_t; +class file { getattr read execute }; +class process { transition noatsecure siginh rlimitinh }; +') + +####################################### +# +# authlogin_pam_execute(domain) +# +define(`authlogin_pam_execute',` +requires_block_template(`$0'_depend) +allow $1 pam_exec_t:file { getattr read execute execute_no_trans }; +') + +define(`authlogin_pam_execute_depend',` +type pam_exec_t; +class file { getattr read execute execute_no_trans }; +') + +####################################### +# # authlogin_pam_read_runtime_data(domain) # define(`authlogin_pam_read_runtime_data',` 
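Review bot: `execute_no_trans` in authlogin_pam_execute lets the caller run the pam_exec_t helpers inside its own domain, so every permission those helpers need has to be held by the caller rather than confined to pam_t, and nothing in the header distinguishes it from authlogin_pam_transition directly above. A one-line description would make the choice explicit at the call site: `# Execute PAM helpers in the caller's own domain (no transition); prefer authlogin_pam_transition unless the caller must keep its own context.` Giving authlogin_pam_transition the matching line (`# Execute PAM helpers with an automatic domain transition to pam_t.`) keeps the pair consistent.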
@@ -225,3 +256,59 @@ type pam_var_run_t; class dir { getattr search read write remove_name }; class file { getattr unlink }; ') + +####################################### +# +# authlogin_pam_console_transition(domain) +# +define(`authlogin_pam_console_transition',` +requires_block_template(`$0'_depend) +allow $1 pam_console_exec_t:file { getattr read execute }; +allow $1 pam_console_t:process transition; +type_transition $1 pam_console_exec_t:file pam_console_t; +dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh }; +') + +define(`authlogin_pam_console_transition_depend',` +type pam_console_t, pam_console_exec_t; +class file { getattr read execute }; +class process { transition noatsecure siginh rlimitinh }; +') + +####################################### +# +# authlogin_pam_console_read_runtime_data(domain) +# +define(`authlogin_pam_console_read_runtime_data',` +requires_block_template(`$0'_depend) +files_search_system_state_data_directory($1) +files_search_runtime_data_directory($1) +allow $1 pam_var_console_t:dir { getattr search read }; +allow $1 pam_var_console_t:file { getattr read }; +') + +define(`authlogin_pam_console_read_runtime_data_depend',` +type pam_var_console_t; +class dir { getattr search read }; +class file { getattr read }; +') + +####################################### +# +# authlogin_pam_console_manage_runtime_data(domain) +# +define(`authlogin_pam_console_manage_runtime_data',` +requires_block_template(`$0'_depend) +files_search_system_state_data_directory($1) +files_search_runtime_data_directory($1) +allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write }; +allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename }; +') + +define(`authlogin_pam_console_manage_runtime_data_depend',` +type pam_var_console_t; +class dir { read getattr lock search ioctl add_name 
remove_name write }; +class file { create ioctl read getattr lock write setattr append link unlink rename }; +class lnk_file { create read getattr setattr link unlink rename }; +') diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index ca11f84..d3cd88b 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -172,6 +172,11 @@ terminal_ignore_use_general_pseudoterminal(pam_console_t) files_ignore_read_rootfs_file(pam_console_t) ') +optional_policy(`hotplug.te', ` +hotplug_use_file_descriptors(pam_console_t) +hotplug_ignore_search_config_directory(pam_console_t) +') + optional_policy(`selinux.te',` selinux_newrole_sigchld(pam_console_t) ') @@ -210,11 +215,6 @@ ifdef(`gpm.te', ` allow pam_console_t gpmctl_t:sock_file { getattr setattr }; ') -optional_policy(`hotplug.te', ` -dontaudit pam_console_t hotplug_etc_t:dir search; -hotplug_use_file_descriptors(pam_console_t) -') - ifdef(`xdm.te', ` allow pam_console_t xdm_var_run_t:file { getattr read }; ') @@ -236,6 +236,7 @@ terminal_get_all_users_physical_terminal_attributes(utempter_t) terminal_get_all_users_pseudoterminal_attributes(utempter_t) terminal_ignore_use_all_users_physical_terminals(utempter_t) terminal_ignore_use_all_users_pseudoterminals(utempter_t) +terminal_ignore_use_pseudoterminal_multiplexer(utempter_t) init_script_modify_runtime_data(utempter_t) @@ -253,9 +254,6 @@ in_user_role(utempter_t) role sysadm_r types utempter_t; domain_auto_trans(userdomain, utempter_exec_t, utempter_t) -# dontaudit access to /dev/ptmx. -dontaudit utempter_t ptmx_t:chr_file rw_file_perms; - # Allow utemper to write to /tmp/.xses-* allow utempter_t user_tmpfile:file { getattr write append }; diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index 9299c20..d152359 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if 
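Review bot: authlogin_pam_console_manage_runtime_data grants `allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename };`, i.e. the caller may plant symlinks in the pam_console runtime directory, while the read-only counterpart above it and the `rw_dir_create_file(local_login_t, pam_var_console_t)` rule this replaces for local_login_t appear to cover only dirs and files. Since other domains consume that directory (udev_t gains read access to it elsewhere in this patch), symlink creation by the caller is a redirect risk that should be tied to a named need or dropped. If no caller creates symlinks there, remove the lnk_file line from both the interface and its _depend block; otherwise add a comment naming which caller does.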
@@ -45,3 +45,36 @@ define(`hotplug_use_file_descriptors_depend',` type hotplug_t; class fd use; ') + +######################################## +# +# hotplug_ignore_search_config_directory(domain) +# +define(`hotplug_ignore_search_config_directory',` +requires_block_template(`$0'_depend) +dontaudit $1 hotplug_etc_t:dir search; +') + +define(`hotplug_ignore_search_config_directory_depend',` +type hotplug_etc_t; +class dir search; +') + +######################################## +# +# hotplug_read_config(domain) +# +define(`hotplug_read_config',` +requires_block_template(`$0'_depend) +# FIXME: search etc_t +allow $1 hotplug_etc_t:file { read getattr lock ioctl }; +allow $1 hotplug_etc_t:dir { read getattr lock search ioctl }; +allow $1 hotplug_etc_t:lnk_file { getattr read }; +') + +define(`hotplug_read_config_depend',` +type hotplug_etc_t; +class file { read getattr lock ioctl }; +class dir { read getattr lock search ioctl }; +class lnk_file { getattr read }; +') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index d43bca7..372b087 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -289,6 +289,10 @@ modutils_depmod_transition(initrc_t) modutils_update_modules_transition(initrc_t) ') +optional_policy(`mount.te',` +mount_transition(initrc_t) +') + optional_policy(`sysnetwork.te',` sysnetwork_ifconfig_transition(initrc_t) ') diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index ace0030..fb587e1 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -10,6 +10,7 @@ policy_module(iptables, 1.0) type iptables_t; type iptables_exec_t; domain_make_daemon_domain(iptables_t,iptables_exec_t) +role system_r types iptables_t; type iptables_tmp_t; files_make_file(iptables_tmp_t) 
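Review bot: hotplug_read_config still carries `# FIXME: search etc_t`, meaning a caller can read hotplug_etc_t files but is not given search on the parent /etc directory by this interface; udev_t, the caller added later in this patch, presumably gets etc_t search from files_read_general_system_config, but any other caller would silently fail at path lookup. Either resolve the FIXME here by calling the files-module interface that grants search on etc_t, or turn it into a stated contract, e.g. `# callers must already hold search on etc_t (/etc)`. The `lock ioctl` permissions on the dir class are harmless but unusual for a read-only config interface and could be trimmed.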
@@ -23,9 +24,11 @@ files_make_file(iptables_t) # allow iptables_t self:capability { net_admin net_raw }; -allow iptables_t self:process { sigkill sigstop signull signal }; +dontaudit iptables_t self:capability sys_tty_config; +allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t iptables_var_run_t:dir { ioctl read getattr lock write append }; +files_create_daemon_runtime_data(iptables_t,iptables_var_run_t) allow iptables_t iptables_exec_t:file { getattr read execute execute_no_trans }; 
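Review bot: `files_create_daemon_runtime_data(iptables_t,iptables_var_run_t)` is called with two arguments, whereas the same interface in logging.te in this patch is called as `files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)` with an explicit object class; if the third argument has no default in the files module, this call presumably expands with an empty class and the /var/run labeling for iptables will not be generated. Pass the class explicitly, e.g. `files_create_daemon_runtime_data(iptables_t,iptables_var_run_t,file)` (or `{ file dir }` if iptables creates a directory there). The retained `iptables_var_run_t:dir { ioctl read getattr lock write append }` rule above it lacks add_name/remove_name, so creation inside that directory depends entirely on what the interface supplies — worth confirming.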
@@ -35,27 +38,68 @@ files_create_private_tmp_data(iptables_t, iptables_tmp_t, { file dir }) allow iptables_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; -kernel_read_modprobe_sysctl(iptables_t) -kernel_use_file_descriptors(iptables_t) kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) +kernel_read_hardware_state(iptables_t) +kernel_read_kernel_sysctl(iptables_t) +kernel_read_modprobe_sysctl(iptables_t) +kernel_use_file_descriptors(iptables_t) filesystem_get_persistent_filesystem_attributes(iptables_t) +devices_discard_data_stream(iptables_t) + +terminal_ignore_use_console(iptables_t) + +init_use_file_descriptors(iptables_t) +init_script_use_pseudoterminal(iptables_t) + +domain_use_widely_inheritable_file_descriptors(iptables_t) + files_read_general_system_config(iptables_t) +libraries_use_dynamic_loader(iptables_t) +libraries_read_shared_libraries(iptables_t) + logging_send_system_log_message(iptables_t) # system-config-network appends to /var/log #logging_append_system_logs(iptables_t) miscfiles_read_localization(iptables_t) +sysnetwork_ifconfig_transition(iptables_t) + optional_policy(`modutils.te', ` modutils_insmod_transition(iptables_t) ') +optional_policy(`selinux.te',` +selinux_newrole_sigchld(iptables_t) +') + +optional_policy(`udev.te', ` +udev_read_database(iptables_t) +') + +tunable_policy(`targeted_policy', ` +terminal_ignore_use_general_physical_terminal(iptables_t) +terminal_ignore_use_general_pseudoterminal(iptables_t) +files_ignore_read_rootfs_file(iptables_t) +') + ifdef(`TODO',` -daemon_base_domain(iptables, `, privmodule') + +optional_policy(`rhgb.te', ` +allow iptables_t rhgb_t:process sigchld; +allow iptables_t rhgb_t:fd use; +allow iptables_t rhgb_t:fifo_file { read write }; +') +allow iptables_t null_device_t:chr_file r_file_perms; +dontaudit iptables_t unpriv_userdomain:fd use; +allow iptables_t autofs_t:dir { search getattr }; 
+tunable_policy(`direct_sysadm_daemon', ` +dontaudit iptables_t admin_tty_type:chr_file rw_file_perms; +') domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t) role sysadm_r types iptables_t; @@ -63,11 +107,6 @@ role sysadm_r types iptables_t; # to allow rules to be saved on reboot allow iptables_t initrc_tmp_t:file rw_file_perms; -domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t) - -file_type_auto_trans(iptables_t, var_run_t, iptables_var_run_t, $2) -allow iptables_t var_t:dir search; - # for iptables -L can_resolve(iptables_t) can_ypbind(iptables_t) diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 3947470..68899ef 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -3,9 +3,10 @@ # Declarations # -type local_login_t; #, privuser, privrole, auth_chkpwd, privowner, privfd, nscd_client_domain; +type local_login_t; #, privuser, privrole, auth_chkpwd, privowner, nscd_client_domain; domain_make_domain(local_login_t) authlogin_make_login_program_entrypoint(local_login_t) +domain_make_file_descriptors_widely_inheritable(local_login_t) role system_r types local_login_t; type local_login_tmp_t; @@ -34,6 +35,10 @@ kernel_compute_reachable_user_contexts(local_login_t) # for SSP/ProPolice devices_get_pseudorandom_data(local_login_t) +terminal_use_all_users_physical_terminals(local_login_t) +terminal_use_general_physical_terminal(local_login_t) + +init_script_modify_runtime_data(local_login_t) init_ignore_use_file_descriptors(local_login_t) files_read_general_system_config(local_login_t) @@ -50,6 +55,8 @@ selinux_read_default_contexts(local_login_t) authlogin_ignore_read_shadow_passwords(local_login_t) authlogin_modify_login_records(local_login_t) authlogin_modify_last_login_log(local_login_t) +authlogin_pam_execute(local_login_t) +authlogin_pam_console_manage_runtime_data(local_login_t) miscfiles_read_localization(local_login_t) 
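Review bot: `sysnetwork_ifconfig_transition(iptables_t)` is called unguarded while every other cross-module call added in this hunk (modutils, selinux, udev) is wrapped in optional_policy, and the same bare form appears for udev_t later in the patch where the dhcpc transition from the same module is wrapped in `optional_policy(`sysnetwork.te'`. If sysnetwork is optional, the bare call breaks the build when that module is absent; if it is mandatory, the optional_policy around the dhcpc call elsewhere is misleading. Pick one convention and apply it here: `optional_policy(`sysnetwork.te',` / `sysnetwork_ifconfig_transition(iptables_t)` / `')`. The file continues past the hunk, and the old `domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)` it replaces is removed from the TODO block in the following hunk.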
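Review bot: `domain_make_file_descriptors_widely_inheritable(local_login_t)` in locallogin.te has no comment, yet together with the `domain_use_widely_inheritable_file_descriptors` calls added to checkpolicy_t, load_policy_t, newrole_t, restorecon_t and setfiles_t in this patch it is what stands in for the `privfd` attribute dropped from the trailing comment on the `type local_login_t;` line. A reader of locallogin.te alone cannot see that pairing; suggest `# descriptors opened by login are usable by any domain that calls domain_use_widely_inheritable_file_descriptors (replaces the old privfd attribute)`. The declarations block continues past the hunk.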
@@ -75,11 +82,6 @@ allow local_login_t exec_type:{ file lnk_file } r_file_perms; # Read /dev directories and any symbolic links. allow local_login_t device_t:lnk_file r_file_perms; -optional_policy(`authlogin.te',` -can_exec(local_login_t, pam_exec_t) -rw_dir_create_file(local_login_t, pam_var_console_t) -') - dontaudit local_login_t sysfs_t:dir search; allow local_login_t autofs_t:dir { search read getattr }; @@ -98,13 +100,6 @@ allow local_login_t crack_db_t:file r_file_perms; allow local_login_t home_root_t:dir search; allow local_login_t home_dir_type:dir search; -# Write to /var/run/utmp. -allow local_login_t var_run_t:dir search; -allow local_login_t initrc_var_run_t:file rw_file_perms; - -# Write to /var/log/wtmp. -allow local_login_t var_log_t:dir search; - # Write to /var/log/btmp allow local_login_t faillog_t:file { append read write }; @@ -143,12 +138,12 @@ allow local_login_t var_lock_t:dir rw_dir_perms; allow local_login_t var_lock_t:file create_file_perms; # Read and write ttys. -allow local_login_t tty_device_t:chr_file { setattr rw_file_perms }; -allow local_login_t ttyfile:chr_file { setattr rw_file_perms }; +allow local_login_t tty_device_t:chr_file setattr; +allow local_login_t ttyfile:chr_file setattr; # Relabel ttys. -allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto }; -allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto }; +allow local_login_t tty_device_t:chr_file { relabelfrom relabelto }; +allow local_login_t ttyfile:chr_file { relabelfrom relabelto }; optional_policy(`gpm.te',` allow local_login_t gpmctl_t:sock_file { getattr setattr }; diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 09f102a..9dade39 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te 
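Review bot: The `{ setattr rw_file_perms }` on `ttyfile:chr_file` is cut down to `setattr`, and the read/write side is now meant to come from the `terminal_use_all_users_physical_terminals` and `terminal_use_general_physical_terminal` calls added earlier in this patch. Those interface names cover physical terminals only; the removed setfiles rule elsewhere in this patch lists `ttyfile` alongside a separate `ptyfile`, which suggests ttyfile is tty-only and the replacement matches, but that is inferred rather than visible here and is worth verifying. A comment on the retained line, e.g. `# read/write on ttys comes from terminal_use_*_physical_terminal(s) above; only setattr/relabel stay here`, would make the split visible to the next reader.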
@@ -126,10 +126,6 @@ files_read_general_system_config(syslogd_t) files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file) files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file) files_create_private_tmp_data(syslogd_t,syslogd_tmp_t) -tunable_policy(`distro_suse', ` -# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel -file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) -') libraries_use_dynamic_loader(syslogd_t) libraries_read_shared_libraries(syslogd_t) @@ -170,6 +166,7 @@ files_ignore_read_rootfs_file(syslogd_t) ') ifdef(`TODO',` + allow syslogd_t proc_t:dir r_dir_perms; allow syslogd_t proc_t:lnk_file read; allow syslogd_t null_device_t:chr_file r_file_perms; @@ -185,6 +182,11 @@ tunable_policy(`direct_sysadm_daemon',` dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms; ') +tunable_policy(`distro_suse', ` +# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel +file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) +') + # can_network is for the UDP socket can_ypbind(syslogd_t) diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te index c019681..a20ac42 100644 --- a/refpolicy/policy/modules/system/miscfiles.te +++ b/refpolicy/policy/modules/system/miscfiles.te @@ -5,7 +5,7 @@ policy_module(miscfiles,1.0) # # catman_t is the type for /var/catman. # -type catman_t; # , file_type, sysadmfile, tmpfile; +type catman_t; # , tmpfile; files_make_file(catman_t) # @@ -42,5 +42,5 @@ files_make_file(test_file_t) # # for /var/{spool,lib}/texmf index files # -type tetex_data_t; # , file_type, sysadmfile, tmpfile; +type tetex_data_t; # , tmpfile; files_make_file(tetex_data_t) diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index e983a4c..1e017d3 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te 
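Review bot: Moving the `tunable_policy(`distro_suse', ...)` block with `file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)` from the live policy into the `ifdef(`TODO', ...)` section removes the SUSE /var/lib/stunnel /dev/log labeling from the built policy, a functional change the hunk does not explain. If it is parked there because file_type_auto_trans is not usable in the new module style, say so on the block: `# TODO: convert to a files_* transition interface; disabled until then`. If SUSE support is meant to keep working, the rule needs a live replacement rather than a move.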
@@ -69,8 +69,6 @@ ifdef(`TODO',` # nfsv4 has a filesystem to mount for its userspace daemons allow mount_t var_lib_nfs_t:dir mounton; -#domain_auto_trans(initrc_t, mount_exec_t, mount_t) - # for localization allow mount_t lib_t:file { getattr read }; @@ -125,15 +123,24 @@ allow mount_t autofs_t:dir read; optional_policy(`portmap.te', ` # for nfs -can_network(mount_t) can_ypbind(mount_t) +can_udp_send(mount_t, portmap_t) +can_udp_send(portmap_t, mount_t) +allow mount_t rpc_pipefs_t:dir search; +corenetwork_network_tcp_on_all_interfaces(mount_t) +corenetwork_network_raw_on_all_interfaces(mount_t) +corenetwork_network_udp_on_all_interfaces(mount_t) +corenetwork_network_tcp_on_all_nodes(mount_t) +corenetwork_network_raw_on_all_nodes(mount_t) +corenetwork_network_udp_on_all_nodes(mount_t) +corenetwork_network_tcp_on_all_ports(mount_t) +corenetwork_network_udp_on_all_ports(mount_t) +corenetwork_bind_tcp_on_all_nodes(mount_t) +corenetwork_bind_udp_on_all_nodes(mount_t) corenetwork_bind_tcp_on_general_port(mount_t) corenetwork_bind_udp_on_general_port(mount_t) corenetwork_bind_tcp_on_reserved_port(mount_t) corenetwork_bind_udp_on_reserved_port(mount_t) -can_udp_send(mount_t, portmap_t) -can_udp_send(portmap_t, mount_t) -allow mount_t rpc_pipefs_t:dir search; ') ') dnl endif TODO diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index 42f74c3..7d869e9 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te @@ -106,6 +106,8 @@ terminal_use_controlling_terminal(checkpolicy_t) init_use_file_descriptors(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t) +domain_use_widely_inheritable_file_descriptors(checkpolicy_t) + libraries_use_dynamic_loader(checkpolicy_t) libraries_read_shared_libraries(checkpolicy_t) 
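Review bot: The expansion of `can_network(mount_t)` adds `corenetwork_network_raw_on_all_interfaces(mount_t)` and `corenetwork_network_raw_on_all_nodes(mount_t)`; a raw-IP allowance is wider than mounting NFS over UDP/TCP to portmap appears to need, and this hunk is the point at which it becomes an explicit, reviewable choice rather than a macro side effect. Unless mount's RPC code is known to open raw sockets, drop the two raw lines; otherwise add a why-comment naming the consumer. The block is still inside `ifdef(`TODO'`, so none of this is live yet, which makes trimming now cheap.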
@@ -117,11 +119,9 @@ domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file) # directory search permissions for path to source and binary policy files -allow checkpolicy_t root_t:dir search; allow checkpolicy_t etc_t:dir search; # Read the devpts root directory. -allow checkpolicy_t devpts_t:dir r_dir_perms; ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') # Other access @@ -133,7 +133,8 @@ allow checkpolicy_t sysadm_tmp_t:file { getattr write } ; # so it can be used without privilege to write real binary policy file can_exec(unpriv_userdomain, checkpolicy_exec_t) -allow checkpolicy_t { userdomain privfd }:fd use; +allow checkpolicy_t userdomain:fd use; + ') dnl endif TODO ######################################## @@ -165,6 +166,8 @@ terminal_list_pseudoterminals(load_policy_t) init_script_use_file_descriptors(load_policy_t) init_script_use_pseudoterminal(load_policy_t) +domain_use_widely_inheritable_file_descriptors(load_policy_t) + libraries_use_dynamic_loader(load_policy_t) libraries_read_shared_libraries(load_policy_t) @@ -178,9 +181,9 @@ domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) allow load_policy_t etc_t:dir search; # Other access -allow load_policy_t { admin_tty_type }:chr_file { read write ioctl getattr }; +allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr }; -allow load_policy_t { userdomain privfd }:fd use; +allow load_policy_t userdomain:fd use; allow load_policy_t sysadm_tmp_t:file { getattr write } ; ') dnl endif TODO @@ -223,6 +226,11 @@ filesystem_get_persistent_filesystem_attributes(newrole_t) terminal_list_pseudoterminals(newrole_t) terminal_use_controlling_terminal(newrole_t) +# Write to utmp. +init_script_modify_runtime_data(newrole_t) + +domain_use_widely_inheritable_file_descriptors(newrole_t) + files_read_general_system_config(newrole_t) libraries_use_dynamic_loader(newrole_t) 
@@ -243,9 +251,6 @@ allow newrole_t autofs_t:dir { search getattr }; # for when the user types "exec newrole" at the command line allow newrole_t privfd:process sigchld; -# Inherit descriptors from the current session. -allow newrole_t privfd:fd use; - # Execute /sbin/pwdb_chkpwd to check the password. allow newrole_t sbin_t:dir r_dir_perms; @@ -283,9 +288,6 @@ dontaudit newrole_t { home_root_t home_type }:dir search; # for when the network connection is killed dontaudit unpriv_userdomain newrole_t:process signal; -# Write to utmp. -allow newrole_t var_run_t:dir r_dir_perms; -allow newrole_t initrc_var_run_t:file rw_file_perms; ') dnl ifdef TODO ######################################## @@ -310,9 +312,13 @@ kernel_compute_reachable_user_contexts(restorecon_t) filesystem_get_persistent_filesystem_attributes(restorecon_t) +terminal_use_general_physical_terminal(restorecon_t) + init_use_file_descriptors(restorecon_t) init_script_use_pseudoterminal(restorecon_t) +domain_use_widely_inheritable_file_descriptors(restorecon_t) + files_read_runtime_system_config(restorecon_t) files_read_general_system_config(restorecon_t) @@ -332,12 +338,12 @@ devices_manage_all_devices_labels(restorecon_t) files_manage_all_files_labels(restorecon_t) ifdef(`TODO',` -allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl }; +allow restorecon_t admin_tty_type:chr_file { read write ioctl }; domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t) domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t) role sysadm_r types restorecon_t; -allow restorecon_t { userdomain privfd }:fd use; +allow restorecon_t userdomain:fd use; # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that restorecon can not be run! 
@@ -375,11 +381,16 @@ kernel_compute_reachable_user_contexts(setfiles_t) filesystem_get_persistent_filesystem_attributes(setfiles_t) terminal_use_controlling_terminal(setfiles_t) +terminal_use_all_users_physical_terminals(setfiles_t) +terminal_use_all_users_pseudoterminals(setfiles_t) +terminal_use_general_physical_terminal(setfiles_t) init_use_file_descriptors(setfiles_t) init_script_use_file_descriptors(setfiles_t) init_script_use_pseudoterminal(setfiles_t) +domain_use_widely_inheritable_file_descriptors(setfiles_t) + libraries_use_dynamic_loader(setfiles_t) libraries_read_shared_libraries(setfiles_t) @@ -398,12 +409,10 @@ files_manage_all_files_labels(setfiles_t) ifdef(`TODO',` -allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl }; - domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) role sysadm_r types setfiles_t; -allow setfiles_t { userdomain privfd }:fd use; +allow setfiles_t userdomain:fd use; # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run! diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 42f74c3..7d869e9 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -106,6 +106,8 @@ terminal_use_controlling_terminal(checkpolicy_t) init_use_file_descriptors(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t) +domain_use_widely_inheritable_file_descriptors(checkpolicy_t) + libraries_use_dynamic_loader(checkpolicy_t) libraries_read_shared_libraries(checkpolicy_t) 
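Review bot: `terminal_use_all_users_pseudoterminals(setfiles_t)` and `terminal_use_all_users_physical_terminals(setfiles_t)` are added in the live part of the file, while the rule they stand in for (`allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl };`) sat inside `ifdef(`TODO'` and so was not in the built policy; this hunk is effectively the first time setfiles_t gets read/write on every user's terminal. setfiles already has `terminal_use_controlling_terminal`, which covers its own tty; if the wider grant exists only so setfiles can report when run from a user's pty via newrole or sudo, a comment such as `# setfiles is run from user ptys via newrole/sudo and writes its report there` would justify it, otherwise narrow it back to the controlling terminal. The same observation applies to the identical hunk in selinuxutil.te.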
@@ -117,11 +119,9 @@ domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file) # directory search permissions for path to source and binary policy files -allow checkpolicy_t root_t:dir search; allow checkpolicy_t etc_t:dir search; # Read the devpts root directory. -allow checkpolicy_t devpts_t:dir r_dir_perms; ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') # Other access @@ -133,7 +133,8 @@ allow checkpolicy_t sysadm_tmp_t:file { getattr write } ; # so it can be used without privilege to write real binary policy file can_exec(unpriv_userdomain, checkpolicy_exec_t) -allow checkpolicy_t { userdomain privfd }:fd use; +allow checkpolicy_t userdomain:fd use; + ') dnl endif TODO ######################################## @@ -165,6 +166,8 @@ terminal_list_pseudoterminals(load_policy_t) init_script_use_file_descriptors(load_policy_t) init_script_use_pseudoterminal(load_policy_t) +domain_use_widely_inheritable_file_descriptors(load_policy_t) + libraries_use_dynamic_loader(load_policy_t) libraries_read_shared_libraries(load_policy_t) @@ -178,9 +181,9 @@ domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) allow load_policy_t etc_t:dir search; # Other access -allow load_policy_t { admin_tty_type }:chr_file { read write ioctl getattr }; +allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr }; -allow load_policy_t { userdomain privfd }:fd use; +allow load_policy_t userdomain:fd use; allow load_policy_t sysadm_tmp_t:file { getattr write } ; ') dnl endif TODO @@ -223,6 +226,11 @@ filesystem_get_persistent_filesystem_attributes(newrole_t) terminal_list_pseudoterminals(newrole_t) terminal_use_controlling_terminal(newrole_t) +# Write to utmp. +init_script_modify_runtime_data(newrole_t) + +domain_use_widely_inheritable_file_descriptors(newrole_t) + files_read_general_system_config(newrole_t) libraries_use_dynamic_loader(newrole_t) 
@@ -243,9 +251,6 @@ allow newrole_t autofs_t:dir { search getattr }; # for when the user types "exec newrole" at the command line allow newrole_t privfd:process sigchld; -# Inherit descriptors from the current session. -allow newrole_t privfd:fd use; - # Execute /sbin/pwdb_chkpwd to check the password. allow newrole_t sbin_t:dir r_dir_perms; @@ -283,9 +288,6 @@ dontaudit newrole_t { home_root_t home_type }:dir search; # for when the network connection is killed dontaudit unpriv_userdomain newrole_t:process signal; -# Write to utmp. -allow newrole_t var_run_t:dir r_dir_perms; -allow newrole_t initrc_var_run_t:file rw_file_perms; ') dnl ifdef TODO ######################################## @@ -310,9 +312,13 @@ kernel_compute_reachable_user_contexts(restorecon_t) filesystem_get_persistent_filesystem_attributes(restorecon_t) +terminal_use_general_physical_terminal(restorecon_t) + init_use_file_descriptors(restorecon_t) init_script_use_pseudoterminal(restorecon_t) +domain_use_widely_inheritable_file_descriptors(restorecon_t) + files_read_runtime_system_config(restorecon_t) files_read_general_system_config(restorecon_t) @@ -332,12 +338,12 @@ devices_manage_all_devices_labels(restorecon_t) files_manage_all_files_labels(restorecon_t) ifdef(`TODO',` -allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl }; +allow restorecon_t admin_tty_type:chr_file { read write ioctl }; domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t) domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t) role sysadm_r types restorecon_t; -allow restorecon_t { userdomain privfd }:fd use; +allow restorecon_t userdomain:fd use; # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that restorecon can not be run! 
@@ -375,11 +381,16 @@ kernel_compute_reachable_user_contexts(setfiles_t) filesystem_get_persistent_filesystem_attributes(setfiles_t) terminal_use_controlling_terminal(setfiles_t) +terminal_use_all_users_physical_terminals(setfiles_t) +terminal_use_all_users_pseudoterminals(setfiles_t) +terminal_use_general_physical_terminal(setfiles_t) init_use_file_descriptors(setfiles_t) init_script_use_file_descriptors(setfiles_t) init_script_use_pseudoterminal(setfiles_t) +domain_use_widely_inheritable_file_descriptors(setfiles_t) + libraries_use_dynamic_loader(setfiles_t) libraries_read_shared_libraries(setfiles_t) @@ -398,12 +409,10 @@ files_manage_all_files_labels(setfiles_t) ifdef(`TODO',` -allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl }; - domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) role sysadm_r types setfiles_t; -allow setfiles_t { userdomain privfd }:fd use; +allow setfiles_t userdomain:fd use; # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run! diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index 8f04d2a..28a35e5 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if 
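Review bot: The selinuxutil.te section is the same set of hunks as selinux.te, down to the identical `index 42f74c3..7d869e9` line, which suggests one file is a rename or copy of the other caught mid-move rather than two independent modules. Carrying both means every future rule change has to be made twice and the two will drift silently; the commit should either drop one or record the rename so reviewers know which file is canonical. If keeping both is intentional, a header comment in each stating its relationship to the other would prevent the confusion.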
@@ -2,6 +2,24 @@ ######################################## # +# sysnetwork_dhcpc_transition(domain) +# +define(`sysnetwork_dhcpc_transition',` +requires_block_template(`$0'_depend) +allow $1 dhcpc_exec_t:file { getattr read execute }; +allow $1 dhcpc_t:process transition; +type_transition $1 dhcpc_exec_t:file dhcpc_t; +dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh }; +') + +define(`sysnetwork_dhcpc_transition_depend',` +type dhcpc_t, dhcpc_exec_t; +class file { getattr read execute }; +class process { transition noatsecure siginh rlimitinh }; +') + +######################################## +# # sysnetwork_ifconfig_transition(domain) # define(`sysnetwork_ifconfig_transition',` diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 554e424..652ceab 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -133,6 +133,10 @@ optional_policy(`hostname.te',` hostname_transition(dhcpc_t) ') +optional_policy(`nscd.te',` +nscd_transition(dhcpc_t) +') + optional_policy(`selinux.te',` selinux_newrole_sigchld(dhcpc_t) ') @@ -142,7 +146,7 @@ udev_read_database(dhcpc_t) ') # -# dhclient sometimes starts ypbind and ntdp +# dhclient sometimes starts ypbind and ntpd # init_script_execute(dhcpc_t) optional_policy(`ypbind.te',` @@ -156,6 +160,7 @@ ifdef(`TODO',` allow dhcpc_t null_device_t:chr_file r_file_perms; allow dhcpc_t autofs_t:dir { search getattr }; dontaudit dhcpc_t sysadm_home_dir_t:dir search; + optional_policy(`rhgb.te', ` allow dhcpc_t rhgb_t:process sigchld; allow dhcpc_t rhgb_t:fd use; 
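Review bot: sysnetwork_dhcpc_transition carries only its name in the header block, yet it is the interface that lets udev_t (later in this patch) automatically enter dhcpc_t, a domain this same file notes can start ypbind and ntpd through `init_script_execute(dhcpc_t)`. A one-line description makes that reach visible at the call site: `# Execute the DHCP client with an automatic transition to dhcpc_t; dhcpc_t can in turn run init scripts.` The `dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };` line follows the pattern of the other _transition interfaces in the patch and is fine.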
@@ -164,14 +169,9 @@ allow dhcpc_t rhgb_t:fifo_file { read write }; can_ypbind(dhcpc_t) -allow dhcpc_t devpts_t:dir search; - # for localization allow dhcpc_t lib_t:file { getattr read }; -ifdef(`nscd.te', ` -domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t) -') ifdef(`cardmgr.te', ` domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) allow cardmgr_t dhcpc_var_run_t:file { getattr read }; @@ -261,6 +261,9 @@ kernel_read_network_state(ifconfig_t) filesystem_get_persistent_filesystem_attributes(ifconfig_t) +terminal_ignore_use_all_users_physical_terminals(ifconfig_t) +terminal_ignore_use_all_users_pseudoterminals(ifconfig_t) + init_use_file_descriptors(ifconfig_t) init_script_use_pseudoterminal(ifconfig_t) init_run_init_use_file_descriptors(ifconfig_t) @@ -288,7 +291,6 @@ role sysadm_r types ifconfig_t; allow ifconfig_t userdomain:fd use; # Access terminals. -allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;') allow ifconfig_t tun_tap_device_t:chr_file { read write }; diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 9d795cd..a611d9a 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -97,16 +97,30 @@ modutils_insmod_transition(udev_t) logging_send_system_log_message(udev_t) +sysnetwork_ifconfig_transition(udev_t) + +optional_policy(`authlogin.te',` +authlogin_pam_console_read_runtime_data(udev_t) +authlogin_pam_console_transition(udev_t) +') + optional_policy(`consoletype.te',` consoletype_execute(udev_t) ') +optional_policy(`hotplug.te',` +hotplug_read_config(udev_t) +') + +optional_policy(`sysnetwork.te',` +sysnetwork_dhcpc_transition(udev_t) +') + ifdef(`TODO',` allow udev_t var_log_t:dir search; allow udev_t var_lock_t:dir search; allow udev_t var_lock_t:file getattr; -# Mount allow udev_t mnt_t:dir search; allow udev_t devpts_t:dir { getattr search }; 
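Review bot: Removing `allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;` while the earlier hunk adds `terminal_ignore_use_all_users_physical_terminals(ifconfig_t)` and `terminal_ignore_use_all_users_pseudoterminals(ifconfig_t)` turns a TODO-guarded (so probably never built) allow into a live dontaudit: ifconfig invoked from a user's terminal will now have its tty output denied silently. If that is the intent, a comment on the dontaudit lines, e.g. `# ifconfig output on user/admin ttys is deliberately denied and not audited`, would stop someone re-adding the allow when output goes missing; if admin sessions still need ifconfig output on their tty, keep an allow for admin_tty_type. The surrounding TODO block continues past the hunk.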
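Review bot: In udev.te, `sysnetwork_ifconfig_transition(udev_t)` is added bare while `sysnetwork_dhcpc_transition(udev_t)` a few lines below is wrapped in `optional_policy(`sysnetwork.te', ...)`; both come from the same module, so one of the two forms is wrong, and the bare call will fail the build if sysnetwork is ever absent. Move the ifconfig call into the existing block: `optional_policy(`sysnetwork.te',` / `sysnetwork_ifconfig_transition(udev_t)` / `sysnetwork_dhcpc_transition(udev_t)` / `')`. Note also that `authlogin_pam_console_transition(udev_t)`, `hotplug_read_config(udev_t)` and the dhcpc transition were previously only inside `ifdef(`TODO'` (removed in the last hunk) and become live policy for the first time here, which the commit message should call out.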
@@ -119,8 +133,6 @@ dontaudit udev_t file_t:dir search; dontaudit udev_t domain:dir r_dir_perms; dontaudit udev_t ttyfile:chr_file unlink; -domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t) - allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write }; dbusd_client(system, udev) @@ -134,7 +146,7 @@ allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_p allow udev_t tmpfs_t:dir search; # for arping used for static IP addresses on PCMCIA ethernet -domain_auto_trans(udev_t, netutils_exec_t, netutils_t) +netutils_transition(udev_t) ') dnl end ifdef distro_redhat tunable_policy(`hide_broken_symptoms',` @@ -146,17 +158,4 @@ optional_policy(`xdm.te',` allow udev_t xdm_var_run_t:file { getattr read }; ') -optional_policy(`hotplug.te',` -r_dir_file(udev_t, hotplug_etc_t) -') - -optional_policy(`authlogin.te',` -allow udev_t pam_var_console_t:dir search; -allow udev_t pam_var_console_t:file { getattr read }; -authlogin_pam_console_transition(udev_t) -') - -optional_policy(`sysnetwork.te',` -domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t) -') ') dnl endif TODO