2010-10-04 18:23:11

by domg472

Subject: [refpolicy] [ patch 01/44] acct: unused.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 e66c296... 86e1a14... M policy/modules/admin/acct.if
policy/modules/admin/acct.if | 19 -------------------
1 files changed, 0 insertions(+), 19 deletions(-)

diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if
index e66c296..86e1a14 100644
--- a/policy/modules/admin/acct.if
+++ b/policy/modules/admin/acct.if
@@ -21,25 +21,6 @@ interface(`acct_domtrans',`

########################################
## <summary>
-## Execute accounting management tools in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`acct_exec',`
- gen_require(`
- type acct_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, acct_exec_t)
-')
-
-########################################
-## <summary>
## Execute accounting management data in the caller domain.
## </summary>
## <param name="domain">
--
1.7.2.3


2010-10-04 18:23:12

by domg472

Subject: [refpolicy] [PATCH 1/1] Initial hadoop policy.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 2ecdde8... 7a1b5de... M policy/modules/kernel/corenetwork.te.in
:000000 100644 0000000... d88b5ff... A policy/modules/services/hadoop.fc
:000000 100644 0000000... 5c66ae4... A policy/modules/services/hadoop.if
:000000 100644 0000000... e947a6b... A policy/modules/services/hadoop.te
policy/modules/kernel/corenetwork.te.in | 4 +
policy/modules/services/hadoop.fc | 40 ++++
policy/modules/services/hadoop.if | 241 +++++++++++++++++++++
policy/modules/services/hadoop.te | 347 +++++++++++++++++++++++++++++++
4 files changed, 632 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 2ecdde8..7a1b5de 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -105,6 +105,7 @@ network_port(giftd, tcp,1213,s0)
network_port(git, tcp,9418,s0, udp,9418,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
+network_port(hadoop_namenode, tcp, 8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
@@ -211,6 +212,9 @@ network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
network_port(xserver, tcp,6000-6020,s0)
+network_port(zookeeper_client, tcp, 2181,s0)
+network_port(zookeeper_election, tcp, 3888,s0)
+network_port(zookeeper_leader, tcp, 2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
network_port(zope, tcp,8021,s0)
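Review bot: The three `zookeeper_*` declarations are inserted ahead of `zebra`, although the surrounding list is kept in alphabetical order; they belong between `zebra` and `zope`. The new lines also write `tcp, 2181` with a space after the comma where the neighbouring entries use `tcp,2181`, and the `hadoop_namenode` line in the first hunk has the same `tcp, 8020` spacing. Both are cosmetic, but the file is machine-edited often enough that keeping the ordering and spacing uniform matters.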

diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
new file mode 100644
index 0000000..d88b5ff
--- /dev/null
+++ b/policy/modules/services/hadoop.fc
@@ -0,0 +1,40 @@
+/etc/hadoop.*(/.*)? gen_context(system_u:object_r:hadoop_etc_t,s0)
+
+/etc/rc\.d/init\.d/hadoop-(.*)?-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*)?-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*)?-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*)?-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*)?-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
+
+/etc/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
+/etc/zookeeper\.dist(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
+
+/usr/lib/hadoop(.*)?/bin/hadoop -- gen_context(system_u:object_r:hadoop_exec_t,s0)
+
+/usr/bin/zookeeper-client -- gen_context(system_u:object_r:zookeeper_exec_t,s0)
+/usr/bin/zookeeper-server -- gen_context(system_u:object_r:zookeeper_server_exec_t,s0)
+
+/var/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
+
+/var/lib/hadoop(.*)? gen_context(system_u:object_r:hadoop_var_lib_t,s0)
+/var/lib/hadoop(.*)?/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop(.*)?/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop(.*)?/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
+/var/lib/hadoop(.*)?/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop(.*)?/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_t,s0)
+
+/var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_lock_t,s0)
+/var/lock/subsys/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_lock_t,s0)
+
+/var/log/hadoop(.*)? gen_context(system_u:object_r:hadoop_log_t,s0)
+/var/log/hadoop(.*)?/hadoop-hadoop-datanode-(.*)? gen_context(system_u:object_r:hadoop_datanode_log_t,s0)
+/var/log/hadoop(.*)?/hadoop-hadoop-jobtracker-(.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0)
+/var/log/hadoop(.*)?/hadoop-hadoop-namenode-(.*)? gen_context(system_u:object_r:hadoop_namenode_log_t,s0)
+/var/log/hadoop(.*)?/hadoop-hadoop-secondarynamenode-(.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_log_t,s0)
+/var/log/hadoop(.*)?/hadoop-hadoop-tasktracker-(.*)? gen_context(system_u:object_r:hadoop_tasktracker_log_t,s0)
+/var/log/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_log_t,s0)
+
+/var/run/hadoop -d gen_context(system_u:object_r:hadoop_var_run_t,s0)
+/var/run/hadoop/hadoop-hadoop-datanode.pid -- gen_context(system_u:object_r:hadoop_datanode_var_run_t,s0)
+/var/run/hadoop/hadoop-hadoop-namenode.pid -- gen_context(system_u:object_r:hadoop_namenode_var_run_t,s0)
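Review bot: The taskTracker entry `/var/lib/hadoop(.*)?/cache/hadoop/mapred/local/taskTracker(/.*)?` labels files with `hadoop_tasktracker_t`, which is the tasktracker process domain rather than a file type; every sibling entry uses `hadoop_<daemon>_var_lib_t`, and the template declares `hadoop_$1_var_lib_t` for exactly this. It should read `gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)`; as written, relabeling would put a domain type on disk. Separately, lock and pid entries exist only for datanode and namenode, while the template creates `hadoop_$1_initrc_lock_t` and `hadoop_$1_var_run_t` for all five daemons, so the jobtracker, secondarynamenode and tasktracker lock and pid files are still unlabeled.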
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
new file mode 100644
index 0000000..5c66ae4
--- /dev/null
+++ b/policy/modules/services/hadoop.if
@@ -0,0 +1,241 @@
+## <summary>Software for reliable, scalable, distributed computing.</summary>
+
+#######################################
+## <summary>
+## The template to define a hadoop domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`hadoop_domain_template',`
+ gen_require(`
+ attribute hadoop_domain;
+ type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
+ type hadoop_exec_t;
+ ')
+
+ ########################################
+ #
+ # Shared declarations.
+ #
+
+ type hadoop_$1_t, hadoop_domain;
+ domain_type(hadoop_$1_t)
+ domain_entry_file(hadoop_$1_t, hadoop_exec_t)
+
+ type hadoop_$1_initrc_t;
+ type hadoop_$1_initrc_exec_t;
+ init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
+
+ role system_r types { hadoop_$1_initrc_t hadoop_$1_t };
+
+ # This will need a file context specification.
+ type hadoop_$1_initrc_lock_t;
+ files_lock_file(hadoop_$1_initrc_lock_t)
+
+ type hadoop_$1_log_t;
+ logging_log_file(hadoop_$1_log_t)
+
+ type hadoop_$1_var_lib_t;
+ files_type(hadoop_$1_var_lib_t)
+
+ # This will need a file context specification.
+ type hadoop_$1_var_run_t;
+ files_pid_file(hadoop_$1_var_run_t)
+
+ type hadoop_$1_tmp_t;
+ files_tmp_file(hadoop_$1_tmp_t)
+
+ # permissive hadoop_$1_t;
+ # permissive hadoop_$1_initrc_t;
+
+ ####################################
+ #
+ # Shared hadoop_$1 initrc policy.
+ #
+
+ allow hadoop_$1_initrc_t self:capability { setuid setgid };
+ dontaudit hadoop_$1_initrc_t self:capability sys_tty_config;
+
+ allow hadoop_$1_initrc_t hadoop_$1_initrc_lock_t:file manage_file_perms;
+ files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_initrc_lock_t, file)
+
+ allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };
+
+ domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)
+
+ kernel_read_sysctl(hadoop_$1_initrc_t)
+
+ init_rw_utmp(hadoop_$1_initrc_t)
+
+ # This can be removed on anything post-el5
+ libs_use_ld_so(hadoop_$1_initrc_t)
+ libs_use_shared_libs(hadoop_$1_initrc_t)
+
+ ####################################
+ #
+ # Shared hadoop_$1 policy.
+ #
+
+ allow hadoop_$1_t hadoop_domain:process signull;
+
+ append_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ create_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ read_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ setattr_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, file)
+ logging_search_logs(hadoop_$1_t)
+
+ allow hadoop_$1_t hadoop_$1_var_run_t:file manage_file_perms;
+ filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_var_run_t, file)
+ files_search_pids(hadoop_$1_t)
+
+ # This can be removed on anything post-el5
+ libs_use_ld_so(hadoop_$1_t)
+ libs_use_shared_libs(hadoop_$1_t)
+')
+
+########################################
+## <summary>
+## Execute hadoop in the
+## hadoop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_domtrans',`
+ gen_require(`
+ type hadoop_t, hadoop_exec_t;
+ ')
+
+ files_search_usr($1)
+ libs_search_lib($1)
+ domtrans_pattern($1, hadoop_exec_t, hadoop_t)
+')
+
+########################################
+## <summary>
+## Execute hadoop in the hadoop domain,
+## and allow the specified role the
+## hadoop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hadoop_run',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ hadoop_domtrans($1)
+ role $2 types hadoop_t;
+
+ allow $1 hadoop_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hadoop_t)
+')
+
+########################################
+## <summary>
+## Execute zookeeper client in the
+## zookeeper client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zookeeper_domtrans_client',`
+ gen_require(`
+ type zookeeper_t, zookeeper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ files_search_usr($1)
+ domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
+')
+
+########################################
+## <summary>
+## Execute zookeeper server in the
+## zookeeper server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zookeeper_domtrans_server',`
+ gen_require(`
+ type zookeeper_server_t, zookeeper_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ files_search_usr($1)
+ domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
+')
+
+########################################
+## <summary>
+## Execute zookeeper server in the
+## zookeeper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zookeeper_initrc_domtrans_server',`
+ gen_require(`
+ type zookeeper_server_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute zookeeper client in the
+## zookeeper client domain, and allow the
+## specified role the zookeeper client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zookeeper_run_client',`
+ gen_require(`
+ type zookeeper_t;
+ ')
+
+ zookeeper_domtrans_client($1)
+ role $2 types zookeeper_t;
+
+ allow $1 zookeeper_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zookeeper_t)
+')
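Review bot: `hadoop_domain_template` declares `hadoop_$1_var_lib_t` and `hadoop_$1_tmp_t` but grants `hadoop_$1_t` no access to either, and the per-daemon sections of hadoop.te are empty, so a daemon started through this template cannot touch the directories the fc file labels for it. Either add the rules in the template, e.g. `manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)` and `manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)`, or drop the unused declarations until the rules exist. The initrc domain also gets no rule on `hadoop_$1_var_run_t`; if the init scripts read the pid file to stop the daemon (not visible here), `read_files_pattern(hadoop_$1_initrc_t, hadoop_$1_var_run_t, hadoop_$1_var_run_t)` would be needed as well.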
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
new file mode 100644
index 0000000..e947a6b
--- /dev/null
+++ b/policy/modules/services/hadoop.te
@@ -0,0 +1,347 @@
+policy_module(hadoop, 1.0.0)
+
+########################################
+#
+# Hadoop declarations.
+#
+
+attribute hadoop_domain;
+
+type hadoop_t;
+type hadoop_exec_t;
+application_domain(hadoop_t, hadoop_exec_t)
+ubac_constrained(hadoop_t)
+
+type hadoop_etc_t;
+files_config_file(hadoop_etc_t)
+
+type hadoop_var_lib_t;
+files_type(hadoop_var_lib_t)
+
+type hadoop_log_t;
+logging_log_file(hadoop_log_t)
+
+type hadoop_var_run_t;
+files_pid_file(hadoop_var_run_t)
+
+type hadoop_tmp_t;
+files_tmp_file(hadoop_tmp_t)
+ubac_constrained(hadoop_tmp_t)
+
+# permissive hadoop_t;
+
+hadoop_domain_template(datanode)
+hadoop_domain_template(jobtracker)
+hadoop_domain_template(namenode)
+hadoop_domain_template(secondarynamenode)
+hadoop_domain_template(tasktracker)
+
+########################################
+#
+# Hadoop zookeeper client declarations.
+#
+
+type zookeeper_t;
+type zookeeper_exec_t;
+application_domain(zookeeper_t, zookeeper_exec_t)
+ubac_constrained(zookeeper_t)
+
+type zookeeper_etc_t;
+files_config_file(zookeeper_etc_t)
+
+type zookeeper_log_t;
+logging_log_file(zookeeper_log_t)
+
+type zookeeper_tmp_t;
+files_tmp_file(zookeeper_tmp_t)
+ubac_constrained(zookeeper_tmp_t)
+
+# permissive zookeeper_t;
+
+########################################
+#
+# Hadoop zookeeper server declarations.
+#
+
+type zookeeper_server_t;
+type zookeeper_server_exec_t;
+init_daemon_domain(zookeeper_server_t, zookeeper_server_exec_t)
+
+type zookeeper_server_initrc_exec_t;
+init_script_file(zookeeper_server_initrc_exec_t)
+
+type zookeeper_server_var_t;
+files_type(zookeeper_server_var_t)
+
+# This will need a file context specification.
+type zookeeper_server_var_run_t;
+files_pid_file(zookeeper_server_var_run_t)
+
+type zookeeper_server_tmp_t;
+files_tmp_file(zookeeper_server_tmp_t)
+
+# permissive zookeeper_server_t;
+
+########################################
+#
+# Hadoop policy.
+#
+
+allow hadoop_t self:capability sys_resource;
+allow hadoop_t self:process { getsched setsched signal signull setrlimit };
+allow hadoop_t self:fifo_file rw_fifo_file_perms;
+allow hadoop_t self:key write;
+# This probably needs to be allowed.
+dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
+allow hadoop_t self:tcp_socket create_stream_socket_perms;
+allow hadoop_t self:udp_socket create_socket_perms;
+
+read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
+read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
+can_exec(hadoop_t, hadoop_etc_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
+manage_files_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_log_t, hadoop_log_t)
+
+# Who or what creates /var/run/hadoop?
+getattr_dirs_pattern(hadoop_t, hadoop_var_run_t, hadoop_var_run_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t)
+manage_files_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t)
+files_tmp_filetrans(hadoop_t, hadoop_tmp_t, { dir file })
+
+allow hadoop_t hadoop_domain:process signull;
+
+kernel_read_network_state(hadoop_t)
+kernel_read_system_state(hadoop_t)
+
+corecmd_exec_bin(hadoop_t)
+corecmd_exec_shell(hadoop_t)
+
+corenet_all_recvfrom_unlabeled(hadoop_t)
+corenet_all_recvfrom_netlabel(hadoop_t)
+corenet_sendrecv_hadoop_namenode_client_packets(hadoop_t)
+corenet_sendrecv_portmap_client_packets(hadoop_t)
+corenet_sendrecv_zope_client_packets(hadoop_t)
+corenet_tcp_bind_all_nodes(hadoop_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_t)
+corenet_tcp_connect_portmap_port(hadoop_t)
+corenet_tcp_connect_zope_port(hadoop_t)
+corenet_tcp_sendrecv_all_nodes(hadoop_t)
+corenet_tcp_sendrecv_all_ports(hadoop_t)
+corenet_tcp_sendrecv_generic_if(hadoop_t)
+corenet_udp_bind_all_nodes(hadoop_t)
+corenet_udp_sendrecv_all_nodes(hadoop_t)
+corenet_udp_sendrecv_all_ports(hadoop_t)
+corenet_udp_sendrecv_generic_if(hadoop_t)
+
+dev_read_rand(hadoop_t)
+dev_read_sysfs(hadoop_t)
+dev_read_urand(hadoop_t)
+
+files_dontaudit_search_spool(hadoop_t)
+files_read_usr_files(hadoop_t)
+files_read_all_files(hadoop_t)
+
+fs_getattr_xattr_fs(hadoop_t)
+
+# This can be removed on anything post-el5
+libs_use_ld_so(hadoop_t)
+libs_use_shared_libs(hadoop_t)
+
+miscfiles_read_localization(hadoop_t)
+
+userdom_dontaudit_search_user_home_dirs(hadoop_t)
+
+optional_policy(`
+ # Java might not be optional
+ java_exec(hadoop_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(hadoop_t)
+')
+
+optional_policy(`
+ nscd_socket_use(hadoop_t)
+')
+
+########################################
+#
+# Hadoop datanode policy.
+#
+
+########################################
+#
+# Hadoop jobtracker policy.
+#
+
+########################################
+#
+# Hadoop namenode policy.
+#
+
+########################################
+#
+# Hadoop secondary namenode policy.
+#
+
+########################################
+#
+# Hadoop tasktracker policy.
+#
+
+########################################
+#
+# Hadoop zookeeper client policy.
+#
+
+allow zookeeper_t self:process { getsched sigkill signal signull };
+allow zookeeper_t self:fifo_file rw_fifo_file_perms;
+allow zookeeper_t self:tcp_socket create_stream_socket_perms;
+allow zookeeper_t self:udp_socket create_socket_perms;
+
+read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
+read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
+
+setattr_dirs_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t)
+append_files_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t)
+create_files_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t)
+read_files_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t)
+setattr_files_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t)
+logging_log_filetrans(zookeeper_t, zookeeper_log_t, file)
+
+manage_files_pattern(zookeeper_t, zookeeper_tmp_t, zookeeper_tmp_t)
+files_tmp_filetrans(zookeeper_t, zookeeper_tmp_t, file)
+
+allow zookeeper_t zookeeper_server_t:process signull;
+
+can_exec(zookeeper_t, zookeeper_exec_t)
+
+kernel_read_network_state(zookeeper_t)
+kernel_read_system_state(zookeeper_t)
+
+corecmd_exec_bin(zookeeper_t)
+corecmd_exec_shell(zookeeper_t)
+
+corenet_all_recvfrom_unlabeled(zookeeper_t)
+corenet_all_recvfrom_netlabel(zookeeper_t)
+corenet_sendrecv_zookeeper_client_client_packets(zookeeper_t)
+corenet_tcp_bind_all_nodes(zookeeper_t)
+corenet_tcp_connect_zookeeper_client_port(zookeeper_t)
+corenet_tcp_sendrecv_all_nodes(zookeeper_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_t)
+corenet_tcp_sendrecv_generic_if(zookeeper_t)
+corenet_udp_bind_all_nodes(zookeeper_t)
+corenet_udp_sendrecv_all_nodes(zookeeper_t)
+corenet_udp_sendrecv_all_ports(zookeeper_t)
+corenet_udp_sendrecv_generic_if(zookeeper_t)
+
+dev_read_rand(zookeeper_t)
+dev_read_sysfs(zookeeper_t)
+dev_read_urand(zookeeper_t)
+
+files_read_etc_files(zookeeper_t)
+files_read_usr_files(zookeeper_t)
+
+# This can be removed on anything post-el5
+libs_use_ld_so(zookeeper_t)
+libs_use_shared_libs(zookeeper_t)
+
+miscfiles_read_localization(zookeeper_t)
+
+sysnet_read_config(zookeeper_t)
+
+userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+userdom_use_user_terminals(zookeeper_t)
+
+optional_policy(`
+ # Java might not be optional
+ java_exec(zookeeper_t)
+')
+
+optional_policy(`
+ nscd_socket_use(zookeeper_t)
+')
+
+########################################
+#
+# Hadoop zookeeper server policy.
+#
+
+allow zookeeper_server_t self:capability kill;
+allow zookeeper_server_t self:process { execmem getsched sigkill signal signull };
+allow zookeeper_server_t self:fifo_file rw_fifo_file_perms;
+allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t)
+read_lnk_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t)
+
+manage_dirs_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t)
+manage_files_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t)
+files_var_lib_filetrans(zookeeper_server_t, zookeeper_server_var_t, { dir file })
+
+setattr_dirs_pattern(zookeeper_server_t, zookeeper_log_t, zookeeper_log_t)
+append_files_pattern(zookeeper_server_t, zookeeper_log_t, zookeeper_log_t)
+create_files_pattern(zookeeper_server_t, zookeeper_log_t, zookeeper_log_t)
+read_files_pattern(zookeeper_server_t, zookeeper_log_t, zookeeper_log_t)
+setattr_files_pattern(zookeeper_server_t, zookeeper_log_t, zookeeper_log_t)
+logging_log_filetrans(zookeeper_server_t, zookeeper_log_t, file)
+
+manage_files_pattern(zookeeper_server_t, zookeeper_server_var_run_t, zookeeper_server_var_run_t)
+files_pid_filetrans(zookeeper_server_t, zookeeper_server_var_run_t, file)
+
+manage_files_pattern(zookeeper_server_t, zookeeper_server_tmp_t, zookeeper_server_tmp_t)
+files_tmp_filetrans(zookeeper_server_t, zookeeper_server_tmp_t, file)
+
+can_exec(zookeeper_server_t, zookeeper_server_exec_t)
+
+kernel_read_network_state(zookeeper_server_t)
+kernel_read_system_state(zookeeper_server_t)
+
+corecmd_exec_bin(zookeeper_server_t)
+corecmd_exec_shell(zookeeper_server_t)
+
+corenet_all_recvfrom_unlabeled(zookeeper_server_t)
+corenet_all_recvfrom_netlabel(zookeeper_server_t)
+corenet_sendrecv_zookeeper_election_client_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_leader_client_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_client_server_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_election_server_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_leader_server_packets(zookeeper_server_t)
+corenet_tcp_bind_all_nodes(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_client_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_leader_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_leader_port(zookeeper_server_t)
+corenet_tcp_sendrecv_generic_if(zookeeper_server_t)
+corenet_tcp_sendrecv_generic_node(zookeeper_server_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_server_t)
+
+dev_read_rand(zookeeper_server_t)
+dev_read_sysfs(zookeeper_server_t)
+dev_read_urand(zookeeper_server_t)
+
+files_read_etc_files(zookeeper_server_t)
+files_read_usr_files(zookeeper_server_t)
+
+fs_getattr_xattr_fs(zookeeper_server_t)
+
+# This can be removed on anything post-el5
+libs_use_ld_so(zookeeper_server_t)
+libs_use_shared_libs(zookeeper_server_t)
+
+logging_send_syslog_msg(zookeeper_server_t)
+
+miscfiles_read_localization(zookeeper_server_t)
+
+sysnet_read_config(zookeeper_server_t)
+
+optional_policy(`
+ # Java might not be optional
+ java_exec(zookeeper_server_t)
+')
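Review bot: `files_read_all_files(hadoop_t)` grants a user-runnable application domain (`hadoop_run` hands it to arbitrary roles) read access to every `file_type`, which in this policy tree includes security-sensitive types such as `shadow_t`; that defeats the point of confining the client. It should be replaced with the specific read interfaces the client actually needs (`hadoop_etc_t`, `hadoop_var_lib_t`, and `files_read_usr_files` is already present), and if a genuinely broad read turns out to be required it should be recorded as such with a comment. The `dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;` line ships with the author's own remark that it "probably needs to be allowed"; if the JVM enumerates interfaces through a routing socket (a guess, confirm in the AVC log), the dontaudit hides a real denial and should be resolved rather than committed as a placeholder.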
--
1.7.2.3

2010-10-04 18:23:13

by domg472

Subject: [refpolicy] [patch 1/1] Trying to make it work on fedora minimal install.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 2b12a37... aa9f935... M policy/modules/admin/consoletype.te
:100644 100644 39e901a... 0bfab9b... M policy/modules/services/dbus.if
:100644 100644 b354128... 052f0a6... M policy/modules/services/dbus.te
:100644 100644 b3ace16... 58a4736... M policy/modules/services/modemmanager.te
:100644 100644 0619395... 2f9a857... M policy/modules/services/networkmanager.te
:100644 100644 c61adc8... b4a1419... M policy/modules/services/ntp.te
:100644 100644 2dad3c8... a20543a... M policy/modules/services/ssh.te
:100644 100644 54d122b... 25bfbd4... M policy/modules/system/authlogin.te
:100644 100644 fca6947... 5f5f331... M policy/modules/system/mount.te
:100644 100644 dfbe736... eac173f... M policy/modules/system/sysnetwork.te
:100644 100644 f976344... fbf02ec... M policy/modules/system/unconfined.te
:100644 100644 2aa8928... 5cb411a... M policy/modules/system/userdomain.if
policy/modules/admin/consoletype.te | 4 ++++
policy/modules/services/dbus.if | 18 ++++++++++++++++++
policy/modules/services/dbus.te | 9 +++++----
policy/modules/services/modemmanager.te | 2 +-
policy/modules/services/networkmanager.te | 1 +
policy/modules/services/ntp.te | 1 +
policy/modules/services/ssh.te | 4 ++++
policy/modules/system/authlogin.te | 1 +
policy/modules/system/mount.te | 11 ++++++++++-
policy/modules/system/sysnetwork.te | 4 ++++
policy/modules/system/unconfined.te | 7 +++++++
policy/modules/system/userdomain.if | 18 ++++++++++++++++++
12 files changed, 74 insertions(+), 6 deletions(-)

diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 2b12a37..aa9f935 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -75,6 +75,10 @@ optional_policy(`
')

optional_policy(`
+ dbus_use_fd(consoletype_t)
+')
+
+optional_policy(`
files_read_etc_files(consoletype_t)
firstboot_use_fds(consoletype_t)
firstboot_rw_pipes(consoletype_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 39e901a..0bfab9b 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -479,3 +479,21 @@ interface(`dbus_unconfined',`

typeattribute $1 dbusd_unconfined;
')
+
+########################################
+## <summary>
+## Use and inherit system DBUS file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_use_fd',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:fd use;
+')
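Review bot: The new interface is named `dbus_use_fd`, while the rest of the tree uses the plural `_use_fds` for this permission (`firstboot_use_fds` is visible in the consoletype hunk of this very patch), so callers will guess the wrong name; renaming it `dbus_use_fds` keeps the convention. The summary could also name the source of the descriptors, e.g. `## Use and inherit file descriptors from the system DBUS daemon (system_dbusd_t).`, since the interface covers only the system bus and not session buses.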
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index b354128..052f0a6 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -108,10 +108,6 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)

-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)

@@ -141,6 +137,11 @@ optional_policy(`
')

optional_policy(`
+ # should this be dbus_system_domain instead?
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
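Review bot: The added block ships the author's open question (`# should this be dbus_system_domain instead?`) as a comment, which tells the next reader nothing about why `system_dbusd_t` must be able to run the NetworkManager init script. Decide it before merging: if the bus is meant to activate NetworkManager as a service, `dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)` in networkmanager.te is the established pattern (not visible here, so confirm it is already present) and the initrc transition from the bus daemon is unnecessary; if the init-script route is really what the activation file on Fedora invokes, replace the question with a comment stating that, e.g. `# NetworkManager's dbus activation runs the init script on Fedora`.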
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index b3ace16..58a4736 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -16,7 +16,7 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
# ModemManager local policy
#

-allow modemmanager_t self:process signal;
+allow modemmanager_t self:process { getsched setsched signal };
allow modemmanager_t self:fifo_file rw_file_perms;
allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 0619395..2f9a857 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -141,6 +141,7 @@ sysnet_domtrans_ifconfig(NetworkManager_t)
sysnet_domtrans_dhcpc(NetworkManager_t)
sysnet_signal_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_pid(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
# in /etc created by NetworkManager will be labelled net_conf_t.
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index c61adc8..b4a1419 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -74,6 +74,7 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)

kernel_read_kernel_sysctls(ntpd_t)
+kernel_read_crypto_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..a20543a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })

+kernel_read_crypto_sysctls(sshd_t)
+kernel_request_load_module(sshd_t)
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
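Review bot: `kernel_request_load_module(sshd_t)` lets the sshd domain trigger kernel module autoloading, a privilege well beyond what a login daemon normally needs, and it arrives with no note on which denial prompted it. Record the trigger next to the rule, e.g. `# module autoload requested by <helper> on Fedora minimal (see AVC)`, so the rule can be revisited or narrowed later. `kernel_read_crypto_sysctls` also recurs for ntpd and chkpwd in this patch; if all three stem from the crypto library checking `fips_enabled` (a guess, verify against the denials), a one-line comment saying so on each would spare the next reader the same investigation.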

@@ -249,6 +251,8 @@ term_relabelto_all_ptys(sshd_t)
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)

+userdom_write_all_users_keys(sshd_t)
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
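Review bot: `userdom_write_all_users_keys(sshd_t)` gives sshd search, write and link on the keyrings of every user domain at once, not just the session it is setting up. A comment explaining which operation needs it (pam_keyinit is plausible but not shown here) would justify that scope, and if only `link` is exercised at login a narrower interface should be preferred over `write`, which lets sshd modify key payloads in user keyrings.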
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 54d122b..25bfbd4 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -90,6 +90,7 @@ files_list_etc(chkpwd_t)

# is_selinux_enabled
kernel_read_system_state(chkpwd_t)
+kernel_read_crypto_sysctls(chkpwd_t)

domain_dontaudit_use_interactive_fds(chkpwd_t)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fca6947..5f5f331 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -36,6 +36,7 @@ application_domain(unconfined_mount_t, mount_exec_t)

# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:fifo_file rw_fifo_file_perms;

allow mount_t mount_loopback_t:file read_file_perms;

@@ -48,13 +49,16 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })

kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
+kernel_setsched(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)

# required for mount.smbfs
corecmd_exec_bin(mount_t)
+corecmd_exec_shell(mount_t)

dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
+dev_read_sysfs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
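Review bot: `corecmd_exec_shell(mount_t)`, `kernel_setsched(mount_t)` and `dev_read_sysfs(mount_t)` are added without a why, while the adjacent `corecmd_exec_bin` carries `# required for mount.smbfs`. Letting mount_t run a shell widens what a mount helper can do, so the helper that needs it should be named, e.g. `# mount helpers on Fedora minimal are shell scripts (confirm which)`; the same one-line justification belongs on the sysfs and setsched rules, which otherwise read as permissive-mode noise.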
@@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
-fs_list_auto_mountpoints(mount_t)
+# wants to list usbfs_t
+fs_list_all(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)
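Review bot: `fs_list_all(mount_t)` replaces `fs_list_auto_mountpoints` to satisfy the single need recorded in the comment (listing usbfs_t), but it grants directory listing on every filesystem type, including those the old interface deliberately excluded. Keep `fs_list_auto_mountpoints(mount_t)` and add a usbfs-specific list interface (adding one to filesystem.if if none exists yet) so the grant matches the stated requirement; the comment should then say `# mount lists usbfs_t on Fedora minimal` rather than "wants to".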

@@ -180,6 +185,10 @@ optional_policy(`
')
')

+optional_policy(`
+ dbus_use_fd(mount_t)
+')
+
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index dfbe736..eac173f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
')

optional_policy(`
+ dbus_use_fd(ifconfig_t)
+')
+
+optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index f976344..fbf02ec 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)

+ubac_process_exempt(unconfined_t)
+ubac_file_exempt(unconfined_t)
+ubac_fd_exempt(unconfined_t)
+
init_run_daemon(unconfined_t, unconfined_r)

libs_run_ldconfig(unconfined_t, unconfined_r)
@@ -42,6 +46,7 @@ logging_run_auditctl(unconfined_t, unconfined_r)

mount_run_unconfined(unconfined_t, unconfined_r)

+seutil_run_runinit(unconfined_t, unconfined_r)
seutil_run_setfiles(unconfined_t, unconfined_r)
seutil_run_semanage(unconfined_t, unconfined_r)

@@ -192,6 +197,8 @@ optional_policy(`

optional_policy(`
usermanage_run_admin_passwd(unconfined_t, unconfined_r)
+ usermanage_run_groupadd(unconfined_t, unconfined_r)
+ usermanage_run_useradd(unconfined_t, unconfined_r)
')

optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2aa8928..5cb411a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3112,6 +3112,24 @@ interface(`userdom_create_all_users_keys',`

########################################
## <summary>
+## Write and link keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key { search write link };
+')
+
+########################################
+## <summary>
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
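Review bot: The summary says "Write and link keys" but the rule grants `{ search write link }`, and the interface hands the caller write access to the keyrings of every user domain; nothing in the visible part of this patch calls it, so its intended consumer is unknown. Expand the summary to list all three permissions and to say that the caller can alter keys owned by any user, for example `## Search, write and link keys of all user domains. This lets the caller modify any user's keys; grant it only to trusted system domains.`, and only add `<rolecap/>` if a user role is actually meant to obtain it.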
--
1.7.2.3

2010-10-04 18:23:14

by domg472

Subject: [refpolicy] [ patch 02/44] bootloader: unused.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 ebe8570... 2242ecd... M policy/modules/admin/bootloader.if
policy/modules/admin/bootloader.if | 38 ------------------------------------
1 files changed, 0 insertions(+), 38 deletions(-)

diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index ebe8570..2242ecd 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -52,44 +52,6 @@ interface(`bootloader_run',`

########################################
## <summary>
-## Read the bootloader configuration file.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`bootloader_read_config',`
- gen_require(`
- type bootloader_etc_t;
- ')
-
- allow $1 bootloader_etc_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-## Read and write the bootloader
-## configuration file.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`bootloader_rw_config',`
- gen_require(`
- type bootloader_etc_t;
- ')
-
- allow $1 bootloader_etc_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
## Read and write the bootloader
## temporary data in /tmp.
## </summary>
--
1.7.2.3

2010-10-04 18:23:17

by domg472

Subject: [refpolicy] [ patch 05/44] bootloader: permission set.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 fee70d9... 8ae18db... M policy/modules/admin/bootloader.te
policy/modules/admin/bootloader.te | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index fee70d9..8ae18db 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -39,7 +39,7 @@ dev_node(bootloader_tmp_t)
#

allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
-allow bootloader_t self:process { sigkill sigstop signull signal execmem };
+allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;

allow bootloader_t bootloader_etc_t:file read_file_perms;
@@ -153,7 +153,7 @@ ifdef(`distro_redhat',`
allow bootloader_t self:capability ipc_lock;

# new file system defaults to file_t, granting file_t access is still bad.
- allow bootloader_t boot_runtime_t:file { read_file_perms unlink };
+ allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };

# new file system defaults to file_t, granting file_t access is still bad.
files_manage_isid_type_dirs(bootloader_t)
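Review bot: The comment directly above the changed rule, "new file system defaults to file_t, granting file_t access is still bad.", is a duplicate of the one two lines below and does not describe the boot_runtime_t rule it now sits over; `delete_file_perms` also adds getattr on top of the former bare `unlink`, which read_file_perms already covers, so the rule itself is fine. Drop the misplaced copy or replace it with one that says why bootloader_t deletes boot_runtime_t files, and keep the file_t remark only over `files_manage_isid_type_dirs`.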
--
1.7.2.3

2010-10-04 18:23:16

by domg472

Subject: [refpolicy] [ patch 04/44] bootloader: unused.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 a9bc854... fee70d9... M policy/modules/admin/bootloader.te
policy/modules/admin/bootloader.te | 7 -------
1 files changed, 0 insertions(+), 7 deletions(-)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index a9bc854..fee70d9 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -33,13 +33,6 @@ type bootloader_tmp_t;
files_tmp_file(bootloader_tmp_t)
dev_node(bootloader_tmp_t)

-#
-# /var/log/ksyms
-# cjp: this probably can be removed, I do not
-# think it is used on 2.6 kernels
-type var_log_ksyms_t;
-logging_log_file(var_log_ksyms_t)
-
########################################
#
# bootloader local policy
--
1.7.2.3

2010-10-04 18:23:18

by domg472

Subject: [refpolicy] [ patch 06/44] brctl: search parent.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 5b43db5... 2c2cdb6... M policy/modules/admin/brctl.if
policy/modules/admin/brctl.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
index 5b43db5..2c2cdb6 100644
--- a/policy/modules/admin/brctl.if
+++ b/policy/modules/admin/brctl.if
@@ -15,5 +15,6 @@ interface(`brctl_domtrans',`
type brctl_t, brctl_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, brctl_exec_t, brctl_t)
')
--
1.7.2.3

2010-10-04 18:23:19

by domg472

Subject: [refpolicy] [ patch 07/44] brctl: redundant.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 0ff3679... e67adc4... M policy/modules/admin/brctl.te
policy/modules/admin/brctl.te | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 0ff3679..e67adc4 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -7,7 +7,6 @@ policy_module(brctl, 1.5.0)

type brctl_t;
type brctl_exec_t;
-domain_type(brctl_t)
init_system_domain(brctl_t, brctl_exec_t)

########################################
--
1.7.2.3

2010-10-04 18:23:20

by domg472

Subject: [refpolicy] [ patch 08/44] brctl: permission sets.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 e67adc4... 9612763... M policy/modules/admin/brctl.te
policy/modules/admin/brctl.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index e67adc4..9612763 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -15,7 +15,7 @@ init_system_domain(brctl_t, brctl_exec_t)
#

allow brctl_t self:capability net_admin;
-allow brctl_t self:fifo_file rw_file_perms;
+allow brctl_t self:fifo_file rw_fifo_file_perms;
allow brctl_t self:unix_stream_socket create_stream_socket_perms;
allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
--
1.7.2.3

2010-10-04 18:23:21

by domg472

Subject: [refpolicy] [ patch 09/44] consoletype: redundant.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 2b12a37... 38987f3... M policy/modules/admin/consoletype.te
policy/modules/admin/consoletype.te | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 2b12a37..38987f3 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -10,7 +10,6 @@ type consoletype_exec_t;
application_executable_file(consoletype_exec_t)
init_domain(consoletype_t, consoletype_exec_t)
init_system_domain(consoletype_t, consoletype_exec_t)
-role system_r types consoletype_t;

########################################
#
--
1.7.2.3

2010-10-04 18:23:22

by domg472

Subject: [refpolicy] [ patch 10/44] consoletype: in fedora13 /dev/console is not labeled properly early in the boot process.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 38987f3... f0ad9f4... M policy/modules/admin/consoletype.te
policy/modules/admin/consoletype.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 38987f3..f0ad9f4 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -48,6 +48,8 @@ init_use_script_ptys(consoletype_t)
init_use_script_fds(consoletype_t)
init_rw_script_pipes(consoletype_t)

+dev_dontaudit_rw_generic_chr_files(consoletype_t)
+
domain_use_interactive_fds(consoletype_t)

files_dontaudit_read_root_files(consoletype_t)
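Review bot: `dev_dontaudit_rw_generic_chr_files(consoletype_t)` silences read/write denials on every generic device node, not just /dev/console, and carries no comment; the reason (Fedora 13 labels /dev/console late in boot, per the title) lives only in the commit subject. Add `# Fedora 13: /dev/console is not yet labeled early in boot` above the rule so the dontaudit can be removed once the labeling is fixed, and consider whether the labeling should be fixed at the source instead of hiding the denial, since a dontaudit this wide will also mask unrelated problems.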
--
1.7.2.3

2010-10-04 18:23:23

by domg472

Subject: [refpolicy] [ patch 11/44] consoletype: needs to use system dbus file descriptors.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 f0ad9f4... 2a3da08... M policy/modules/admin/consoletype.te
:100644 100644 39e901a... 8a405e0... M policy/modules/services/dbus.if
policy/modules/admin/consoletype.te | 4 ++++
policy/modules/services/dbus.if | 18 ++++++++++++++++++
2 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index f0ad9f4..2a3da08 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -76,6 +76,10 @@ optional_policy(`
')

optional_policy(`
+ dbus_use_fds(consoletype_t)
+')
+
+optional_policy(`
files_read_etc_files(consoletype_t)
firstboot_use_fds(consoletype_t)
firstboot_rw_pipes(consoletype_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 39e901a..8a405e0 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -445,6 +445,24 @@ interface(`dbus_system_domain',`

########################################
## <summary>
+## Use and inherit system DBUS file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_use_fds',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
## Dontaudit Read, and write system dbus TCP sockets.
## </summary>
## <param name="domain">
--
1.7.2.3

2010-10-04 18:23:24

by domg472

Subject: [refpolicy] [ patch 12/44] logrotate: search parent.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 6672183... 9cd6b0b... M policy/modules/admin/logrotate.if
policy/modules/admin/logrotate.if | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if
index 6672183..9cd6b0b 100644
--- a/policy/modules/admin/logrotate.if
+++ b/policy/modules/admin/logrotate.if
@@ -15,6 +15,7 @@ interface(`logrotate_domtrans',`
type logrotate_t, logrotate_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, logrotate_exec_t, logrotate_t)
')

@@ -59,6 +60,7 @@ interface(`logrotate_exec',`
type logrotate_exec_t;
')

+ corecmd_search_bin($1)
can_exec($1, logrotate_exec_t)
')

--
1.7.2.3

2010-10-04 18:23:25

by domg472

Subject: [refpolicy] [ patch 13/44] netutils: search parent.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 a005782... c6ca761... M policy/modules/admin/netutils.if
policy/modules/admin/netutils.if | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index a005782..c6ca761 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -15,6 +15,7 @@ interface(`netutils_domtrans',`
type netutils_t, netutils_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, netutils_exec_t, netutils_t)
')

@@ -59,6 +60,7 @@ interface(`netutils_exec',`
type netutils_exec_t;
')

+ corecmd_search_bin($1)
can_exec($1, netutils_exec_t)
')

@@ -95,6 +97,7 @@ interface(`netutils_domtrans_ping',`
type ping_t, ping_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, ping_exec_t, ping_t)
')

@@ -205,6 +208,7 @@ interface(`netutils_exec_ping',`
type ping_exec_t;
')

+ corecmd_search_bin($1)
can_exec($1, ping_exec_t)
')

@@ -223,6 +227,7 @@ interface(`netutils_domtrans_traceroute',`
type traceroute_t, traceroute_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, traceroute_exec_t, traceroute_t)
')

@@ -297,5 +302,6 @@ interface(`netutils_exec_traceroute',`
type traceroute_exec_t;
')

+ corecmd_search_bin($1)
can_exec($1, traceroute_exec_t)
')
--
1.7.2.3

2010-10-04 18:23:15

by domg472

Subject: [refpolicy] [ patch 03/44] bootloader: search parent.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 2242ecd... a4a47af... M policy/modules/admin/bootloader.if
policy/modules/admin/bootloader.if | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 2242ecd..a4a47af 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -15,6 +15,7 @@ interface(`bootloader_domtrans',`
type bootloader_t, bootloader_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, bootloader_exec_t, bootloader_t)
')

@@ -67,6 +68,7 @@ interface(`bootloader_rw_tmp_files',`
')

# FIXME: read tmp_t dir
+ files_search_tmp($1)
allow $1 bootloader_tmp_t:file rw_file_perms;
')
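Review bot: The `# FIXME: read tmp_t dir` comment now sits directly above the `files_search_tmp($1)` call that addresses it, so it is either stale and should be removed or should be reworded to say what is still missing. If callers also need to list bootloader_tmp_t directories themselves, that permission is still absent from this interface; otherwise replace the line with `# callers only need to search the parent tmp directory`.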

--
1.7.2.3

2010-10-04 18:23:26

by domg472

Subject: [refpolicy] [ patch 14/44] netutils: redundant.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 b687b5d... aea8626... M policy/modules/admin/netutils.te
policy/modules/admin/netutils.te | 3 ---
1 files changed, 0 insertions(+), 3 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index b687b5d..aea8626 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -15,7 +15,6 @@ gen_tunable(user_ping, false)
type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t, netutils_exec_t)
-role system_r types netutils_t;

type netutils_tmp_t;
files_tmp_file(netutils_tmp_t)
@@ -23,12 +22,10 @@ files_tmp_file(netutils_tmp_t)
type ping_t;
type ping_exec_t;
init_system_domain(ping_t, ping_exec_t)
-role system_r types ping_t;

type traceroute_t;
type traceroute_exec_t;
init_system_domain(traceroute_t, traceroute_exec_t)
-role system_r types traceroute_t;

########################################
#
--
1.7.2.3

2010-10-04 18:23:27

by domg472

Subject: [refpolicy] [ patch 15/44] netutils: permission sets.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 aea8626... de06947... M policy/modules/admin/netutils.te
policy/modules/admin/netutils.te | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index aea8626..de06947 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -35,8 +35,8 @@ init_system_domain(traceroute_t, traceroute_exec_t)
# Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
dontaudit netutils_t self:capability sys_tty_config;
-allow netutils_t self:process { sigkill sigstop signull signal };
-allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow netutils_t self:process signal_perms;
+allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
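Review bot: `create_netlink_socket_perms` is not a one-to-one replacement for the removed `{ bind create getattr nlmsg_read nlmsg_write read write }`; as defined in refpolicy's permission sets it builds on `create_socket_perms`, which also carries setattr, connect, getopt, setopt, shutdown, ioctl and append. The title presents this as a permission-set cleanup, but it widens netutils_t's netlink_route access; either keep the explicit set or say in the commit message that the wider set is intended and why.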
--
1.7.2.3

2010-10-04 18:23:28

by domg472

Subject: [refpolicy] [ patch 16/44] netutils: nmap is optional.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 de06947... a4323c6... M policy/modules/admin/netutils.te
policy/modules/admin/netutils.te | 10 ++++++----
1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index de06947..a4323c6 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -206,7 +206,9 @@ miscfiles_read_localization(traceroute_t)

userdom_use_user_terminals(traceroute_t)

-#rules needed for nmap
-dev_read_rand(traceroute_t)
-dev_read_urand(traceroute_t)
-files_read_usr_files(traceroute_t)
+optional_policy(`
+ #rules needed for nmap
+ dev_read_rand(traceroute_t)
+ dev_read_urand(traceroute_t)
+ files_read_usr_files(traceroute_t)
+')
--
1.7.2.3

2010-10-04 18:23:29

by domg472

Subject: [refpolicy] [ patch 17/44] quota: search parent.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 6382d3c... 6ae583d... M policy/modules/admin/quota.if
policy/modules/admin/quota.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
index 6382d3c..6ae583d 100644
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
@@ -15,6 +15,7 @@ interface(`quota_domtrans',`
type quota_t, quota_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, quota_exec_t, quota_t)
')

--
1.7.2.3

2010-10-04 18:23:30

by domg472

Subject: [refpolicy] [ patch 18/44] quota: permission sets.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 6ae583d... bf75d99... M policy/modules/admin/quota.if
policy/modules/admin/quota.if | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
index 6ae583d..bf75d99 100644
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
@@ -61,7 +61,7 @@ interface(`quota_dontaudit_getattr_db',`
type quota_db_t;
')

- dontaudit $1 quota_db_t:file getattr;
+ dontaudit $1 quota_db_t:file getattr_file_perms;
')

########################################
--
1.7.2.3

2010-10-04 18:23:31

by domg472

Subject: [refpolicy] [ patch 19/44] rpm: redundant.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 86463e3... 9ffe1b2... M policy/modules/admin/rpm.if
policy/modules/admin/rpm.if | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index 86463e3..9ffe1b2 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -15,7 +15,6 @@ interface(`rpm_domtrans',`
type rpm_t, rpm_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
')
@@ -36,7 +35,6 @@ interface(`rpm_debuginfo_domtrans',`
type debuginfo_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, debuginfo_exec_t, rpm_t)
')
--
1.7.2.3

2010-10-04 18:23:32

by domg472

Subject: [refpolicy] [ patch 20/44] rpm: (brace) expansion.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 9ffe1b2... 56397a4... M policy/modules/admin/rpm.if
policy/modules/admin/rpm.if | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index 9ffe1b2..56397a4 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -31,8 +31,7 @@ interface(`rpm_domtrans',`
#
interface(`rpm_debuginfo_domtrans',`
gen_require(`
- type rpm_t;
- type debuginfo_exec_t;
+ type rpm_t, debuginfo_exec_t;
')

corecmd_search_bin($1)
@@ -83,8 +82,7 @@ interface(`rpm_run',`
')

rpm_domtrans($1)
- role $2 types rpm_t;
- role $2 types rpm_script_t;
+ role $2 types { rpm_t rpm_script_t };
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
--
1.7.2.3

2010-10-04 18:23:33

by domg472

Subject: [refpolicy] [ patch 21/44] rpm: search parent.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 56397a4... d33daa8... M policy/modules/admin/rpm.if
policy/modules/admin/rpm.if | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index 56397a4..d33daa8 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -257,6 +257,7 @@ interface(`rpm_search_log',`
type rpm_log_t;
')

+ logging_search_logs($1)
allow $1 rpm_log_t:dir search_dir_perms;
')

@@ -392,6 +393,7 @@ interface(`rpm_read_script_tmp_files',`
type rpm_script_tmp_t;
')

+ files_search_tmp($1)
read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
@@ -474,6 +476,7 @@ interface(`rpm_delete_db',`
type rpm_var_lib_t;
')

+ files_search_var_lib($1)
delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')

--
1.7.2.3

2010-10-04 18:23:34

by domg472

Subject: [refpolicy] [ patch 22/44] rpm: redundant.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 95dbcf3... efc0c37... M policy/modules/admin/rpm.te
policy/modules/admin/rpm.te | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 95dbcf3..efc0c37 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -15,7 +15,6 @@ domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
domain_interactive_fd(rpm_t)
-role system_r types rpm_t;

type rpm_file_t;
files_type(rpm_file_t)
--
1.7.2.3

2010-10-04 18:23:35

by domg472

Subject: [refpolicy] [ patch 23/44] rpm: various changes both from fedora and myself. rpm: ntp post install script wants to restart ntpd.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 efc0c37... 2b6fd87... M policy/modules/admin/rpm.te
policy/modules/admin/rpm.te | 16 ++++++++++++++--
1 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index efc0c37..2b6fd87 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -43,6 +43,7 @@ type rpm_script_exec_t;
domain_obj_id_change_exemption(rpm_script_t)
domain_system_change_exemption(rpm_script_t)
corecmd_shell_entry_type(rpm_script_t)
+corecmd_bin_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
@@ -59,8 +60,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
# rpm Local policy
#

-allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
-
+allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
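Review bot: `setfcap` is added to rpm_t's capability set inside a commit whose title is about ntp post-install scripts, with no comment; it lets rpm_t set file capabilities on the binaries it installs, which is a meaningful privilege and should be explained where it is granted, e.g. `# setfcap: apply file capabilities carried in package headers` (the exact consumer is presumed, please confirm). The collapsing of the blank line is fine, but the capability addition deserves its own patch or at least a sentence in the commit message.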
@@ -83,6 +83,7 @@ logging_log_filetrans(rpm_t, rpm_log_t, file)
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
+can_exec(rpm_t, rpm_tmp_t)

manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
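Review bot: `can_exec(rpm_t, rpm_tmp_t)` combined with the manage rules above it makes rpm_tmp_t both writable and executable by rpm_t, a pattern that policy normally tries to remove rather than add, and nothing in the hunk or commit text says which rpm behaviour needs it. Add a comment naming the trigger, e.g. `# rpm runs helper scripts it unpacks into its tmp directory` (confirm against the actual denial), or drop the rule if it was carried over from Fedora without a known consumer.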
@@ -90,6 +91,7 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_t, rpm_tmpfs_t)

manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
@@ -102,6 +104,7 @@ files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
files_pid_filetrans(rpm_t, rpm_var_run_t, file)

+kernel_read_crypto_sysctls(rpm_t)
kernel_read_network_state(rpm_t)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctls(rpm_t)
@@ -241,7 +244,10 @@ allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
+can_exec(rpm_script_t, rpm_script_tmp_t)

manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
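Review bot: `manage_blk_files_pattern` and `manage_chr_files_pattern` on rpm_script_tmp_t let package scripts create device nodes under /tmp (assuming rpm_script_t holds mknod elsewhere, which is outside this hunk), and `can_exec` makes the same directory executable; none of this is explained and none of it relates to the ntp restart the title describes. Please move these into their own patch with a comment such as `# some %post scripts create device nodes and run helpers from /tmp`, naming the package that needs it, or drop them if there is no known consumer.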
@@ -249,7 +255,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_script_t, rpm_script_tmpfs_t)

+kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
kernel_read_network_state(rpm_script_t)
@@ -356,6 +364,10 @@ optional_policy(`
')

optional_policy(`
+ ntp_domtrans(rpm_script_t)
+')
+
+optional_policy(`
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
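Review bot: `ntp_domtrans(rpm_script_t)` is the only change the commit title describes, yet it is the smallest part of the diff; the title should cover the capability, exec-from-tmp, device-node and crypto-sysctl additions, or those should become separate patches as the rest of this series does. Also note that a direct transition only helps if ntp's %post executes the ntpd binary itself; if it goes through the init script, an init-script transition is the usual route, and I cannot tell from here which path the scriptlet takes.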
--
1.7.2.3

2010-10-04 18:23:36

by domg472

Subject: [refpolicy] [ patch 24/44] shutdown: Fedora change.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 9174268... 97671a3... M policy/modules/admin/shutdown.fc
policy/modules/admin/shutdown.fc | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
index 9174268..97671a3 100644
--- a/policy/modules/admin/shutdown.fc
+++ b/policy/modules/admin/shutdown.fc
@@ -1,5 +1,7 @@
/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)

+/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)

-/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
+/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
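Review bot: The removed and re-added `/var/run/shutdown\.pid` line is identical apart from whitespace in this view, which is unrelated churn in a commit whose purpose is the new `/lib/upstart/shutdown` context; either drop that part of the hunk or mention the whitespace fix in the title so the next reader does not hunt for a semantic change.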
--
1.7.2.3

2010-10-04 18:23:37

by domg472

Subject: [refpolicy] [ patch 25/44] shutdown: search parent.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 d2c068d... 300d741... M policy/modules/admin/shutdown.if
policy/modules/admin/shutdown.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
index d2c068d..300d741 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
@@ -15,6 +15,7 @@ interface(`shutdown_domtrans',`
type shutdown_t, shutdown_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, shutdown_exec_t, shutdown_t)

ifdef(`hide_broken_symptoms', `
--
1.7.2.3

2010-10-04 18:23:38

by domg472

Subject: [refpolicy] [ patch 26/44] shutdown: permission sets.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 300d741... b301c61... M policy/modules/admin/shutdown.if
policy/modules/admin/shutdown.if | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
index 300d741..b301c61 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
@@ -64,5 +64,5 @@ interface(`shutdown_getattr_exec_files',`
type shutdown_exec_t;
')

- allow $1 shutdown_exec_t:file getattr;
+ allow $1 shutdown_exec_t:file getattr_file_perms;
')
--
1.7.2.3

2010-10-04 18:23:39

by domg472

Subject: [refpolicy] [ patch 27/44] shutdown: search parent.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 b301c61... d0604cf... M policy/modules/admin/shutdown.if
policy/modules/admin/shutdown.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
index b301c61..d0604cf 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
@@ -64,5 +64,6 @@ interface(`shutdown_getattr_exec_files',`
type shutdown_exec_t;
')

+ corecmd_search_bin($1)
allow $1 shutdown_exec_t:file getattr_file_perms;
')
--
1.7.2.3

2010-10-04 18:23:40

by domg472

Subject: [refpolicy] [ patch 28/44] shutdown: for sudo.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 51f7c3a... 7824539... M policy/modules/admin/shutdown.te
policy/modules/admin/shutdown.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
index 51f7c3a..7824539 100644
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
@@ -33,6 +33,8 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)

+domain_use_interactive_fds(shutdown_t)
+
files_read_etc_files(shutdown_t)
files_read_generic_pids(shutdown_t)

--
1.7.2.3

2010-10-04 18:23:41

by domg472

Subject: [refpolicy] [ patch 29/44] shutdown: needs to connect to init with a unix stream socket.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 7824539... cf81d13... M policy/modules/admin/shutdown.te
:100644 100644 f6aafe7... 8419a01... M policy/modules/system/init.if
policy/modules/admin/shutdown.te | 1 +
policy/modules/system/init.if | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
index 7824539..cf81d13 100644
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
@@ -45,6 +45,7 @@ auth_write_login_records(shutdown_t)

init_dontaudit_write_utmp(shutdown_t)
init_read_utmp(shutdown_t)
+init_stream_connect(shutdown_t)
init_telinit(shutdown_t)

logging_send_audit_msgs(shutdown_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f6aafe7..8419a01 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -508,6 +508,24 @@ interface(`init_sigchld',`

########################################
## <summary>
+## Connect to init with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_stream_connect',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
## Inherit and use file descriptors from init.
## </summary>
## <desc>
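Review bot: The summary "Connect to init with a unix socket" under-describes the new rule; it grants `connectto` on init_t's unix_stream_socket only, and if init listens on a filesystem socket the caller also needs write access to that sock_file (presumably under init's run directory), which this interface does not give. Either extend the interface to cover the socket file or state in the summary that callers must obtain it separately, and make the summary precise: `## Connect to init with a unix stream socket.`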
--
1.7.2.3

2010-10-04 18:23:42

by domg472

Subject: [refpolicy] [ patch 30/44] shutdown: search generic log directories.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 cf81d13... 97e6b23... M policy/modules/admin/shutdown.te
policy/modules/admin/shutdown.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
index cf81d13..97e6b23 100644
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
@@ -48,6 +48,7 @@ init_read_utmp(shutdown_t)
init_stream_connect(shutdown_t)
init_telinit(shutdown_t)

+logging_search_logs(shutdown_t)
logging_send_audit_msgs(shutdown_t)

miscfiles_read_localization(shutdown_t)
--
1.7.2.3

2010-10-04 18:23:43

by domg472

Subject: [refpolicy] [ patch 31/44] su: do not audit attempts to search /root.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 a0aa8c5... 9337ed7... M policy/modules/admin/su.if
policy/modules/admin/su.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a0aa8c5..9337ed7 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -223,6 +223,7 @@ template(`su_role_template',`
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
files_dontaudit_getattr_tmp_dirs($1_su_t)
+ files_dontaudit_list_default($1_su_t)

init_dontaudit_use_fds($1_su_t)
# Write to utmp.
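Review bot: `files_dontaudit_list_default($1_su_t)` suppresses denials on default_t-labelled directories, but default_t is refpolicy's fallback label for unmatched paths, not the label of /root that the subject line refers to; if /root was observed as default_t the real problem is labelling, and the dontaudit hides it. A comment above the call naming the directory and label the denial was actually seen on, e.g. `# dontaudit listing of default_t dirs (denial seen on /root; see <AVC reference>)`, would make the intent reviewable. The same question applies to `files_dontaudit_list_default($1_sudo_t)` in patch 37/44. su_role_template continues outside the hunk.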
--
1.7.2.3

2010-10-04 18:23:44

by domg472

Subject: [refpolicy] [ patch 32/44] su: wants to read inits keyring.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 9337ed7... dd9c7bf... M policy/modules/admin/su.if
:100644 100644 8419a01... b80886e... M policy/modules/system/init.if
policy/modules/admin/su.if | 1 +
policy/modules/system/init.if | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 9337ed7..dd9c7bf 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -228,6 +228,7 @@ template(`su_role_template',`
init_dontaudit_use_fds($1_su_t)
# Write to utmp.
init_rw_utmp($1_su_t)
+ init_search_key_script($1_su_t)

mls_file_write_all_levels($1_su_t)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 8419a01..b80886e 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1176,6 +1176,24 @@ interface(`init_dontaudit_use_script_fds',`

########################################
## <summary>
+## Search init script keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_search_key_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:key search;
+')
+
+########################################
+## <summary>
## Get the process group ID of init scripts.
## </summary>
## <param name="domain">
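Review bot: The interface name `init_search_key_script` inverts the verb-object order the rest of the tree uses (compare `userdom_create_all_users_keys` later in this series and `init_dontaudit_use_script_fds` in this hunk's header); `init_search_script_keys` would be the consistent name, and it is easier to change now than after callers appear. The rule `allow $1 initrc_t:key search;` and the summary `Search init script keys.` agree with each other, but the subject line says "read inits keyring": the access granted is search, and the target is the init-script domain initrc_t, not init_t. The su.if call site lies inside su_role_template, which continues outside its hunk.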
--
1.7.2.3

2010-10-04 18:23:45

by domg472

Subject: [refpolicy] [ patch 33/44] su: wants to search callers keyring.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 dd9c7bf... 2a4e0db... M policy/modules/admin/su.if
policy/modules/admin/su.if | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index dd9c7bf..2a4e0db 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -186,6 +186,8 @@ template(`su_role_template',`
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow $1_su_t self:key { search write };

+ allow $1_su_t $3:key search;
+
# Transition from the user domain to this domain.
domtrans_pattern($3, su_exec_t, $1_su_t)

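Review bot: `allow $1_su_t $3:key search;` is the only uncommented rule in this stretch of su_role_template (the rule after it carries `# Transition from the user domain to this domain.`), and `$3` being the calling user domain is not obvious without reading the template header. Add `# Search the calling user's keyring.` above it. su_role_template continues on both sides of the hunk.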
--
1.7.2.3

2010-10-04 18:23:46

by domg472

Subject: [refpolicy] [ patch 34/44] su: permission sets.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 2a4e0db... 800852f... M policy/modules/admin/su.if
policy/modules/admin/su.if | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 2a4e0db..800852f 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -138,7 +138,7 @@ template(`su_restricted_domain_template', `

ifdef(`TODO',`
# Caused by su - init scripts
- dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+ dontaudit $1_su_t initrc_devpts_t:chr_file { getattr_chr_file_perms ioctl };
') dnl end TODO
')

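Review bot: The rewritten line `dontaudit $1_su_t initrc_devpts_t:chr_file { getattr_chr_file_perms ioctl };` sits inside `ifdef(`TODO',` … `') dnl end TODO`, which is never expanded in a build, so the permission-set change is untested dead text. Either drop the TODO block (the template's gen_require and body continue outside the hunk, so check nothing else depends on it) or leave it untouched; reworking dead policy text gives a misleading impression of coverage.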
--
1.7.2.3

2010-10-04 18:23:47

by domg472

Subject: [refpolicy] [ patch 35/44] su: search parent.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 800852f... e108d2a... M policy/modules/admin/su.if
policy/modules/admin/su.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 800852f..e108d2a 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -338,5 +338,6 @@ interface(`su_exec',`
type su_exec_t;
')

+ corecmd_search_bin($1)
can_exec($1, su_exec_t)
')
--
1.7.2.3

2010-10-04 18:23:48

by domg472

Subject: [refpolicy] [ patch 36/44] sudo: wants to get attributes of device_t filesystems.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 5f44f1b... ca36b15... M policy/modules/admin/sudo.if
:100644 100644 8b09281... f1f6809... M policy/modules/kernel/devices.if
policy/modules/admin/sudo.if | 1 +
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 5f44f1b..ca36b15 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -87,6 +87,7 @@ template(`sudo_role_template',`
corecmd_read_bin_symlinks($1_sudo_t)
corecmd_exec_all_executables($1_sudo_t)

+ dev_getattr_device_fs($1_sudo_t)
dev_read_urand($1_sudo_t)
dev_rw_generic_usb_dev($1_sudo_t)
dev_read_sysfs($1_sudo_t)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 8b09281..f1f6809 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -92,6 +92,24 @@ interface(`dev_associate',`

########################################
## <summary>
+## Get attributes of device filesystems.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_device_fs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Mount a filesystem on /dev
## </summary>
## <param name="domain">
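Review bot: `dev_getattr_device_fs` documents its argument as `## <param name="file_type">` while the rule is `allow $1 device_t:filesystem getattr;` and the parameter summary reads `Domain allowed access.`, so the name is wrong for what `$1` is. Use `## <param name="domain">`, as the other interfaces added in this series do; this XML is what the refpolicy documentation build renders, so the mismatch is visible to every consumer. The sudo.if call site is inside sudo_role_template, which continues outside its hunk.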
--
1.7.2.3

2010-10-04 18:23:49

by domg472

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 ca36b15... da2afce... M policy/modules/admin/sudo.if
policy/modules/admin/sudo.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index ca36b15..da2afce 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -101,6 +101,7 @@ template(`sudo_role_template',`
files_read_usr_symlinks($1_sudo_t)
files_getattr_usr_files($1_sudo_t)
# for some PAM modules and for cwd
+ files_dontaudit_list_default($1_sudo_t)
files_dontaudit_search_home($1_sudo_t)
files_list_tmp($1_sudo_t)

--
1.7.2.3

2010-10-04 18:23:50

by domg472

Subject: [refpolicy] [ patch 38/44] sudo: wants to get attributes of generic pts filesystems.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 da2afce... b194b6d... M policy/modules/admin/sudo.if
policy/modules/admin/sudo.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index da2afce..b194b6d 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -111,6 +111,7 @@ template(`sudo_role_template',`
selinux_validate_context($1_sudo_t)
selinux_compute_relabel_context($1_sudo_t)

+ term_getattr_pty_fs($1_sudo_t)
term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t)

--
1.7.2.3

2010-10-04 18:23:51

by domg472

Subject: [refpolicy] [ patch 39/44] sudo: wants to manage keys of users besides caller.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 b194b6d... 1a9e25b... M policy/modules/admin/sudo.if
:100644 100644 35f1476... 595c6f3... M policy/modules/system/userdomain.if
policy/modules/admin/sudo.if | 2 ++
policy/modules/system/userdomain.if | 18 ++++++++++++++++++
2 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index b194b6d..1a9e25b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -121,6 +121,7 @@ template(`sudo_role_template',`
auth_use_nsswitch($1_sudo_t)

init_rw_utmp($1_sudo_t)
+ init_search_key_script($1_sudo_t)

logging_send_audit_msgs($1_sudo_t)
logging_send_syslog_msg($1_sudo_t)
@@ -131,6 +132,7 @@ template(`sudo_role_template',`
seutil_libselinux_linked($1_sudo_t)

userdom_spec_domtrans_all_users($1_sudo_t)
+ userdom_manage_all_users_keys($1_sudo_t)
userdom_manage_user_home_content_files($1_sudo_t)
userdom_manage_user_home_content_symlinks($1_sudo_t)
userdom_manage_user_tmp_files($1_sudo_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 35f1476..595c6f3 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3119,6 +3119,24 @@ interface(`userdom_create_all_users_keys',`

########################################
## <summary>
+## Manage keys of all users.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key manage_key_perms;
+')
+
+########################################
+## <summary>
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
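Review bot: `allow $1 userdomain:key manage_key_perms;` gives the caller manage-level access (by refpolicy's permission-set naming, write and attribute changes, not just search) to the keyrings of every domain carrying the `userdomain` attribute, which is far broader than the `search` the other key rules in this series add and than "manage keys of users besides caller" in the subject justifies on its own. If the denial only needed search or write on another user's keyring, a narrower interface such as `userdom_search_all_users_keys` or `userdom_write_all_users_keys` would limit what a compromised sudo domain could do to other users' keys; if manage really is required, a comment at the sudo.if call site should say which operation needs it. Both sudo.if hunks sit inside sudo_role_template, which continues outside the hunks.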
--
1.7.2.3

2010-10-04 18:23:52

by domg472

Subject: [refpolicy] [ patch 40/44] tzdata: search parent.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 7747b16... 01c6c86... M policy/modules/admin/tzdata.if
policy/modules/admin/tzdata.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if
index 7747b16..01c6c86 100644
--- a/policy/modules/admin/tzdata.if
+++ b/policy/modules/admin/tzdata.if
@@ -15,6 +15,7 @@ interface(`tzdata_domtrans',`
type tzdata_t, tzdata_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, tzdata_exec_t, tzdata_t)
')

--
1.7.2.3

2010-10-04 18:23:53

by domg472

Subject: [refpolicy] [ patch 41/44] usermanage: redundant.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 aecbf1c... 55e19f4... M policy/modules/admin/usermanage.if
policy/modules/admin/usermanage.if | 5 -----
1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index aecbf1c..55e19f4 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -15,7 +15,6 @@ interface(`usermanage_domtrans_chfn',`
type chfn_t, chfn_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, chfn_exec_t, chfn_t)

@@ -64,7 +63,6 @@ interface(`usermanage_domtrans_groupadd',`
type groupadd_t, groupadd_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, groupadd_exec_t, groupadd_t)

@@ -118,7 +116,6 @@ interface(`usermanage_domtrans_passwd',`
type passwd_t, passwd_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, passwd_exec_t, passwd_t)

@@ -187,7 +184,6 @@ interface(`usermanage_domtrans_admin_passwd',`
type sysadm_passwd_t, admin_passwd_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, admin_passwd_exec_t, sysadm_passwd_t)
')
@@ -256,7 +252,6 @@ interface(`usermanage_domtrans_useradd',`
type useradd_t, useradd_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, useradd_exec_t, useradd_t)

--
1.7.2.3

2010-10-04 18:23:54

by domg472

Subject: [refpolicy] [ patch 42/44] usermanage: search parent.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 55e19f4... 81fb26f... M policy/modules/admin/usermanage.if
policy/modules/admin/usermanage.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 55e19f4..81fb26f 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -307,5 +307,6 @@ interface(`usermanage_read_crack_db',`
type crack_db_t;
')

+ files_search_var($1)
read_files_pattern($1, crack_db_t, crack_db_t)
')
--
1.7.2.3

2010-10-04 18:23:55

by domg472

Subject: [refpolicy] [ patch 43/44] usermanage: redundant.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 c35d801... 5c61351... M policy/modules/admin/usermanage.te
policy/modules/admin/usermanage.te | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index c35d801..5c61351 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -29,7 +29,6 @@ type groupadd_t;
type groupadd_exec_t;
domain_obj_id_change_exemption(groupadd_t)
init_system_domain(groupadd_t, groupadd_exec_t)
-role system_r types groupadd_t;

type passwd_t;
type passwd_exec_t;
@@ -49,7 +48,6 @@ type useradd_t;
type useradd_exec_t;
domain_obj_id_change_exemption(useradd_t)
init_system_domain(useradd_t, useradd_exec_t)
-role system_r types useradd_t;

########################################
#
--
1.7.2.3

2010-10-04 18:23:56

by domg472

Subject: [refpolicy] [ patch 44/44] usermanage: permission sets.


Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 5c61351... 381a5e4... M policy/modules/admin/usermanage.te
policy/modules/admin/usermanage.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 5c61351..381a5e4 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -123,7 +123,7 @@ userdom_dontaudit_search_user_home_content(chfn_t)
# Crack local policy
#

-allow crack_t self:process { sigkill sigstop signull signal };
+allow crack_t self:process signal_perms;
allow crack_t self:fifo_file rw_fifo_file_perms;

manage_files_pattern(crack_t, crack_db_t, crack_db_t)
--
1.7.2.3

2010-10-05 17:41:34

by cpebenito

Subject: [refpolicy] [ patch 02/44] bootloader: unused.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 ebe8570... 2242ecd... M policy/modules/admin/bootloader.if
> policy/modules/admin/bootloader.if | 38 ------------------------------------
> 1 files changed, 0 insertions(+), 38 deletions(-)

I'll make a blanket statement on all of the patches that are like this.
We're not removing unused interfaces. It's good to have interfaces
available for third parties to use, so they don't have to resort to using
raw allow rules and require blocks.


> diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
> index ebe8570..2242ecd 100644
> --- a/policy/modules/admin/bootloader.if
> +++ b/policy/modules/admin/bootloader.if
> @@ -52,44 +52,6 @@ interface(`bootloader_run',`
>
> ########################################
> ##<summary>
> -## Read the bootloader configuration file.
> -##</summary>
> -##<param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -##</param>
> -#
> -interface(`bootloader_read_config',`
> - gen_require(`
> - type bootloader_etc_t;
> - ')
> -
> - allow $1 bootloader_etc_t:file read_file_perms;
> -')
> -
> -########################################
> -##<summary>
> -## Read and write the bootloader
> -## configuration file.
> -##</summary>
> -##<param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -##</param>
> -##<rolecap/>
> -#
> -interface(`bootloader_rw_config',`
> - gen_require(`
> - type bootloader_etc_t;
> - ')
> -
> - allow $1 bootloader_etc_t:file rw_file_perms;
> -')
> -
> -########################################
> -##<summary>
> ## Read and write the bootloader
> ## temporary data in /tmp.
> ##</summary>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 17:57:22

by cpebenito

Subject: [refpolicy] [ patch 03/44] bootloader: search parent.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> ---
> :100644 100644 2242ecd... a4a47af... M policy/modules/admin/bootloader.if
> policy/modules/admin/bootloader.if | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
> index 2242ecd..a4a47af 100644
> --- a/policy/modules/admin/bootloader.if
> +++ b/policy/modules/admin/bootloader.if
> @@ -15,6 +15,7 @@ interface(`bootloader_domtrans',`
> type bootloader_t, bootloader_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, bootloader_exec_t, bootloader_t)
> ')
>
> @@ -67,6 +68,7 @@ interface(`bootloader_rw_tmp_files',`
> ')
>
> # FIXME: read tmp_t dir
> + files_search_tmp($1)
> allow $1 bootloader_tmp_t:file rw_file_perms;
> ')
>
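Review bot: The `# FIXME: read tmp_t dir` comment immediately above the new `files_search_tmp($1)` now reads as stale, since the added call appears to be what the FIXME was asking for (search on the /tmp directory so bootloader_tmp_t files can be reached). Either remove the FIXME or reword it to `# Search /tmp to reach bootloader_tmp_t files.` so the comment describes the rule rather than a missing one. bootloader_rw_tmp_files starts outside the hunk.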


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 17:57:55

by cpebenito

Subject: [refpolicy] [ patch 04/44] bootloader: unused.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> ---
> :100644 100644 a9bc854... fee70d9... M policy/modules/admin/bootloader.te
> policy/modules/admin/bootloader.te | 7 -------
> 1 files changed, 0 insertions(+), 7 deletions(-)
>
> diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
> index a9bc854..fee70d9 100644
> --- a/policy/modules/admin/bootloader.te
> +++ b/policy/modules/admin/bootloader.te
> @@ -33,13 +33,6 @@ type bootloader_tmp_t;
> files_tmp_file(bootloader_tmp_t)
> dev_node(bootloader_tmp_t)
>
> -#
> -# /var/log/ksyms
> -# cjp: this probably can be removed, I do not
> -# think it is used on 2.6 kernels
> -type var_log_ksyms_t;
> -logging_log_file(var_log_ksyms_t)
> -
> ########################################
> #
> # bootloader local policy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 17:59:13

by cpebenito

Subject: [refpolicy] [ patch 05/44] bootloader: permission set.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 fee70d9... 8ae18db... M policy/modules/admin/bootloader.te
> policy/modules/admin/bootloader.te | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
> index fee70d9..8ae18db 100644
> --- a/policy/modules/admin/bootloader.te
> +++ b/policy/modules/admin/bootloader.te
> @@ -39,7 +39,7 @@ dev_node(bootloader_tmp_t)
> #
>
> allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
> -allow bootloader_t self:process { sigkill sigstop signull signal execmem };
> +allow bootloader_t self:process { signal_perms execmem };
> allow bootloader_t self:fifo_file rw_fifo_file_perms;
>
> allow bootloader_t bootloader_etc_t:file read_file_perms;
> @@ -153,7 +153,7 @@ ifdef(`distro_redhat',`
> allow bootloader_t self:capability ipc_lock;
>
> # new file system defaults to file_t, granting file_t access is still bad.
> - allow bootloader_t boot_runtime_t:file { read_file_perms unlink };
> + allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };
>
> # new file system defaults to file_t, granting file_t access is still bad.
> files_manage_isid_type_dirs(bootloader_t)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:05:50

by cpebenito

Subject: [refpolicy] [ patch 08/44] brctl: permission sets.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 e67adc4... 9612763... M policy/modules/admin/brctl.te
> policy/modules/admin/brctl.te | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
> index e67adc4..9612763 100644
> --- a/policy/modules/admin/brctl.te
> +++ b/policy/modules/admin/brctl.te
> @@ -15,7 +15,7 @@ init_system_domain(brctl_t, brctl_exec_t)
> #
>
> allow brctl_t self:capability net_admin;
> -allow brctl_t self:fifo_file rw_file_perms;
> +allow brctl_t self:fifo_file rw_fifo_file_perms;
> allow brctl_t self:unix_stream_socket create_stream_socket_perms;
> allow brctl_t self:unix_dgram_socket create_socket_perms;
> allow brctl_t self:tcp_socket create_socket_perms;


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:05:59

by cpebenito

Subject: [refpolicy] [ patch 07/44] brctl: redundant.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 0ff3679... e67adc4... M policy/modules/admin/brctl.te
> policy/modules/admin/brctl.te | 1 -
> 1 files changed, 0 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
> index 0ff3679..e67adc4 100644
> --- a/policy/modules/admin/brctl.te
> +++ b/policy/modules/admin/brctl.te
> @@ -7,7 +7,6 @@ policy_module(brctl, 1.5.0)
>
> type brctl_t;
> type brctl_exec_t;
> -domain_type(brctl_t)
> init_system_domain(brctl_t, brctl_exec_t)
>
> ########################################


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:06:10

by cpebenito

Subject: [refpolicy] [ patch 06/44] brctl: search parent.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 5b43db5... 2c2cdb6... M policy/modules/admin/brctl.if
> policy/modules/admin/brctl.if | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
> index 5b43db5..2c2cdb6 100644
> --- a/policy/modules/admin/brctl.if
> +++ b/policy/modules/admin/brctl.if
> @@ -15,5 +15,6 @@ interface(`brctl_domtrans',`
> type brctl_t, brctl_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, brctl_exec_t, brctl_t)
> ')


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:09:02

by cpebenito

Subject: [refpolicy] [ patch 12/44] logrotate: search parent.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 6672183... 9cd6b0b... M policy/modules/admin/logrotate.if
> policy/modules/admin/logrotate.if | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if
> index 6672183..9cd6b0b 100644
> --- a/policy/modules/admin/logrotate.if
> +++ b/policy/modules/admin/logrotate.if
> @@ -15,6 +15,7 @@ interface(`logrotate_domtrans',`
> type logrotate_t, logrotate_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, logrotate_exec_t, logrotate_t)
> ')
>
> @@ -59,6 +60,7 @@ interface(`logrotate_exec',`
> type logrotate_exec_t;
> ')
>
> + corecmd_search_bin($1)
> can_exec($1, logrotate_exec_t)
> ')
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:10:24

by cpebenito

Subject: [refpolicy] [ patch 16/44] netutils: nmap is optional.

On 10/04/10 14:23, Dominick Grift wrote:
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index de06947..a4323c6 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -206,7 +206,9 @@ miscfiles_read_localization(traceroute_t)
>
> userdom_use_user_terminals(traceroute_t)
>
> -#rules needed for nmap
> -dev_read_rand(traceroute_t)
> -dev_read_urand(traceroute_t)
> -files_read_usr_files(traceroute_t)
> +optional_policy(`
> + #rules needed for nmap
> + dev_read_rand(traceroute_t)
> + dev_read_urand(traceroute_t)
> + files_read_usr_files(traceroute_t)
> +')

This doesn't accomplish anything since devices and files are in all
policies.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:11:35

by cpebenito

Subject: [refpolicy] [ patch 15/44] netutils: permission sets.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 aea8626... de06947... M policy/modules/admin/netutils.te
> policy/modules/admin/netutils.te | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index aea8626..de06947 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -35,8 +35,8 @@ init_system_domain(traceroute_t, traceroute_exec_t)
> # Perform network administration operations and have raw access to the network.
> allow netutils_t self:capability { net_admin net_raw setuid setgid };
> dontaudit netutils_t self:capability sys_tty_config;
> -allow netutils_t self:process { sigkill sigstop signull signal };
> -allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
> +allow netutils_t self:process signal_perms;
> +allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
> allow netutils_t self:packet_socket create_socket_perms;
> allow netutils_t self:udp_socket create_socket_perms;
> allow netutils_t self:tcp_socket create_stream_socket_perms;


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:11:42

by cpebenito

Subject: [refpolicy] [ patch 14/44] netutils: redundant.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 b687b5d... aea8626... M policy/modules/admin/netutils.te
> policy/modules/admin/netutils.te | 3 ---
> 1 files changed, 0 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index b687b5d..aea8626 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -15,7 +15,6 @@ gen_tunable(user_ping, false)
> type netutils_t;
> type netutils_exec_t;
> init_system_domain(netutils_t, netutils_exec_t)
> -role system_r types netutils_t;
>
> type netutils_tmp_t;
> files_tmp_file(netutils_tmp_t)
> @@ -23,12 +22,10 @@ files_tmp_file(netutils_tmp_t)
> type ping_t;
> type ping_exec_t;
> init_system_domain(ping_t, ping_exec_t)
> -role system_r types ping_t;
>
> type traceroute_t;
> type traceroute_exec_t;
> init_system_domain(traceroute_t, traceroute_exec_t)
> -role system_r types traceroute_t;
>
> ########################################
> #


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:11:52

by cpebenito

Subject: [refpolicy] [ patch 13/44] netutils: search parent.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 a005782... c6ca761... M policy/modules/admin/netutils.if
> policy/modules/admin/netutils.if | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
> index a005782..c6ca761 100644
> --- a/policy/modules/admin/netutils.if
> +++ b/policy/modules/admin/netutils.if
> @@ -15,6 +15,7 @@ interface(`netutils_domtrans',`
> type netutils_t, netutils_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, netutils_exec_t, netutils_t)
> ')
>
> @@ -59,6 +60,7 @@ interface(`netutils_exec',`
> type netutils_exec_t;
> ')
>
> + corecmd_search_bin($1)
> can_exec($1, netutils_exec_t)
> ')
>
> @@ -95,6 +97,7 @@ interface(`netutils_domtrans_ping',`
> type ping_t, ping_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, ping_exec_t, ping_t)
> ')
>
> @@ -205,6 +208,7 @@ interface(`netutils_exec_ping',`
> type ping_exec_t;
> ')
>
> + corecmd_search_bin($1)
> can_exec($1, ping_exec_t)
> ')
>
> @@ -223,6 +227,7 @@ interface(`netutils_domtrans_traceroute',`
> type traceroute_t, traceroute_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, traceroute_exec_t, traceroute_t)
> ')
>
> @@ -297,5 +302,6 @@ interface(`netutils_exec_traceroute',`
> type traceroute_exec_t;
> ')
>
> + corecmd_search_bin($1)
> can_exec($1, traceroute_exec_t)
> ')


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:22:02

by cpebenito

Subject: [refpolicy] [ patch 40/44] tzdata: search parent.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 7747b16... 01c6c86... M policy/modules/admin/tzdata.if
> policy/modules/admin/tzdata.if | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if
> index 7747b16..01c6c86 100644
> --- a/policy/modules/admin/tzdata.if
> +++ b/policy/modules/admin/tzdata.if
> @@ -15,6 +15,7 @@ interface(`tzdata_domtrans',`
> type tzdata_t, tzdata_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, tzdata_exec_t, tzdata_t)
> ')
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:27:21

by cpebenito

Subject: [refpolicy] [ patch 44/44] usermanage: permission sets.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 5c61351... 381a5e4... M policy/modules/admin/usermanage.te
> policy/modules/admin/usermanage.te | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 5c61351..381a5e4 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -123,7 +123,7 @@ userdom_dontaudit_search_user_home_content(chfn_t)
> # Crack local policy
> #
>
> -allow crack_t self:process { sigkill sigstop signull signal };
> +allow crack_t self:process signal_perms;
> allow crack_t self:fifo_file rw_fifo_file_perms;
>
> manage_files_pattern(crack_t, crack_db_t, crack_db_t)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:27:29

by cpebenito

Subject: [refpolicy] [ patch 43/44] usermanage: redundant.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 c35d801... 5c61351... M policy/modules/admin/usermanage.te
> policy/modules/admin/usermanage.te | 2 --
> 1 files changed, 0 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index c35d801..5c61351 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -29,7 +29,6 @@ type groupadd_t;
> type groupadd_exec_t;
> domain_obj_id_change_exemption(groupadd_t)
> init_system_domain(groupadd_t, groupadd_exec_t)
> -role system_r types groupadd_t;
>
> type passwd_t;
> type passwd_exec_t;
> @@ -49,7 +48,6 @@ type useradd_t;
> type useradd_exec_t;
> domain_obj_id_change_exemption(useradd_t)
> init_system_domain(useradd_t, useradd_exec_t)
> -role system_r types useradd_t;
>
> ########################################
> #


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:27:37

by cpebenito

Subject: [refpolicy] [ patch 42/44] usermanage: search parent.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 55e19f4... 81fb26f... M policy/modules/admin/usermanage.if
> policy/modules/admin/usermanage.if | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
> index 55e19f4..81fb26f 100644
> --- a/policy/modules/admin/usermanage.if
> +++ b/policy/modules/admin/usermanage.if
> @@ -307,5 +307,6 @@ interface(`usermanage_read_crack_db',`
> type crack_db_t;
> ')
>
> + files_search_var($1)
> read_files_pattern($1, crack_db_t, crack_db_t)
> ')


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-05 19:27:45

by cpebenito

Subject: [refpolicy] [ patch 41/44] usermanage: redundant.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 aecbf1c... 55e19f4... M policy/modules/admin/usermanage.if
> policy/modules/admin/usermanage.if | 5 -----
> 1 files changed, 0 insertions(+), 5 deletions(-)
>
> diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
> index aecbf1c..55e19f4 100644
> --- a/policy/modules/admin/usermanage.if
> +++ b/policy/modules/admin/usermanage.if
> @@ -15,7 +15,6 @@ interface(`usermanage_domtrans_chfn',`
> type chfn_t, chfn_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, chfn_exec_t, chfn_t)
>
> @@ -64,7 +63,6 @@ interface(`usermanage_domtrans_groupadd',`
> type groupadd_t, groupadd_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, groupadd_exec_t, groupadd_t)
>
> @@ -118,7 +116,6 @@ interface(`usermanage_domtrans_passwd',`
> type passwd_t, passwd_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, passwd_exec_t, passwd_t)
>
> @@ -187,7 +184,6 @@ interface(`usermanage_domtrans_admin_passwd',`
> type sysadm_passwd_t, admin_passwd_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, admin_passwd_exec_t, sysadm_passwd_t)
> ')
> @@ -256,7 +252,6 @@ interface(`usermanage_domtrans_useradd',`
> type useradd_t, useradd_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, useradd_exec_t, useradd_t)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-06 12:34:42

by cpebenito

Subject: [refpolicy] [ patch 18/44] quota: permission sets.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 6ae583d... bf75d99... M policy/modules/admin/quota.if
> policy/modules/admin/quota.if | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
> index 6ae583d..bf75d99 100644
> --- a/policy/modules/admin/quota.if
> +++ b/policy/modules/admin/quota.if
> @@ -61,7 +61,7 @@ interface(`quota_dontaudit_getattr_db',`
> type quota_db_t;
> ')
>
> - dontaudit $1 quota_db_t:file getattr;
> + dontaudit $1 quota_db_t:file getattr_file_perms;
> ')
>
> ########################################


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-06 12:34:52

by cpebenito

Subject: [refpolicy] [ patch 17/44] quota: search parent.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 6382d3c... 6ae583d... M policy/modules/admin/quota.if
> policy/modules/admin/quota.if | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
> index 6382d3c..6ae583d 100644
> --- a/policy/modules/admin/quota.if
> +++ b/policy/modules/admin/quota.if
> @@ -15,6 +15,7 @@ interface(`quota_domtrans',`
> type quota_t, quota_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, quota_exec_t, quota_t)
> ')
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-06 12:38:02

by cpebenito

Subject: [refpolicy] [ patch 11/44] consoletype: needs to use system dbus file descriptors.

On 10/04/10 14:23, Dominick Grift wrote:
> diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
> index 39e901a..8a405e0 100644
> --- a/policy/modules/services/dbus.if
> +++ b/policy/modules/services/dbus.if
> @@ -445,6 +445,24 @@ interface(`dbus_system_domain',`
>
> ########################################
> ##<summary>
> +## Use and inherit system DBUS file descriptors.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`dbus_use_fds',`

dbus_use_system_bus_fds()

> + gen_require(`
> + type system_dbusd_t;
> + ')
> +
> + allow $1 system_dbusd_t:fd use;
> +')
> +
> +########################################
> +##<summary>
> ## Dontaudit Read, and write system dbus TCP sockets.
> ##</summary>
> ##<param name="domain">


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-06 12:42:38

by cpebenito

Subject: [refpolicy] [ patch 10/44] consoletype: in fedora13 /dev/console is not labeled properly early in the boot process.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 38987f3... f0ad9f4... M policy/modules/admin/consoletype.te
> policy/modules/admin/consoletype.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
> index 38987f3..f0ad9f4 100644
> --- a/policy/modules/admin/consoletype.te
> +++ b/policy/modules/admin/consoletype.te
> @@ -48,6 +48,8 @@ init_use_script_ptys(consoletype_t)
> init_use_script_fds(consoletype_t)
> init_rw_script_pipes(consoletype_t)
>
> +dev_dontaudit_rw_generic_chr_files(consoletype_t)
> +
> domain_use_interactive_fds(consoletype_t)
>
> files_dontaudit_read_root_files(consoletype_t)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-06 12:42:45

by cpebenito

Subject: [refpolicy] [ patch 09/44] consoletype: redundant.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 2b12a37... 38987f3... M policy/modules/admin/consoletype.te
> policy/modules/admin/consoletype.te | 1 -
> 1 files changed, 0 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
> index 2b12a37..38987f3 100644
> --- a/policy/modules/admin/consoletype.te
> +++ b/policy/modules/admin/consoletype.te
> @@ -10,7 +10,6 @@ type consoletype_exec_t;
> application_executable_file(consoletype_exec_t)
> init_domain(consoletype_t, consoletype_exec_t)
> init_system_domain(consoletype_t, consoletype_exec_t)
> -role system_r types consoletype_t;
>
> ########################################
> #


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-06 12:59:21

by cpebenito

Subject: [refpolicy] [ patch 22/44] rpm: redundant.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 95dbcf3... efc0c37... M policy/modules/admin/rpm.te
> policy/modules/admin/rpm.te | 1 -
> 1 files changed, 0 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index 95dbcf3..efc0c37 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -15,7 +15,6 @@ domain_obj_id_change_exemption(rpm_t)
> domain_role_change_exemption(rpm_t)
> domain_system_change_exemption(rpm_t)
> domain_interactive_fd(rpm_t)
> -role system_r types rpm_t;
>
> type rpm_file_t;
> files_type(rpm_file_t)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-06 12:59:28

by cpebenito

Subject: [refpolicy] [ patch 21/44] rpm: search parent.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 56397a4... d33daa8... M policy/modules/admin/rpm.if
> policy/modules/admin/rpm.if | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
> index 56397a4..d33daa8 100644
> --- a/policy/modules/admin/rpm.if
> +++ b/policy/modules/admin/rpm.if
> @@ -257,6 +257,7 @@ interface(`rpm_search_log',`
> type rpm_log_t;
> ')
>
> + logging_search_logs($1)
> allow $1 rpm_log_t:dir search_dir_perms;
> ')
>
> @@ -392,6 +393,7 @@ interface(`rpm_read_script_tmp_files',`
> type rpm_script_tmp_t;
> ')
>
> + files_search_tmp($1)
> read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
> read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
> ')
> @@ -474,6 +476,7 @@ interface(`rpm_delete_db',`
> type rpm_var_lib_t;
> ')
>
> + files_search_var_lib($1)
> delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
> ')
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-06 12:59:33

by cpebenito

Subject: [refpolicy] [ patch 20/44] rpm: (brace) expansion.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 9ffe1b2... 56397a4... M policy/modules/admin/rpm.if
> policy/modules/admin/rpm.if | 6 ++----
> 1 files changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
> index 9ffe1b2..56397a4 100644
> --- a/policy/modules/admin/rpm.if
> +++ b/policy/modules/admin/rpm.if
> @@ -31,8 +31,7 @@ interface(`rpm_domtrans',`
> #
> interface(`rpm_debuginfo_domtrans',`
> gen_require(`
> - type rpm_t;
> - type debuginfo_exec_t;
> + type rpm_t, debuginfo_exec_t;
> ')
>
> corecmd_search_bin($1)
> @@ -83,8 +82,7 @@ interface(`rpm_run',`
> ')
>
> rpm_domtrans($1)
> - role $2 types rpm_t;
> - role $2 types rpm_script_t;
> + role $2 types { rpm_t rpm_script_t };
> seutil_run_loadpolicy(rpm_script_t, $2)
> seutil_run_semanage(rpm_script_t, $2)
> seutil_run_setfiles(rpm_script_t, $2)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-06 12:59:39

by cpebenito

Subject: [refpolicy] [ patch 19/44] rpm: redundant.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 86463e3... 9ffe1b2... M policy/modules/admin/rpm.if
> policy/modules/admin/rpm.if | 2 --
> 1 files changed, 0 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
> index 86463e3..9ffe1b2 100644
> --- a/policy/modules/admin/rpm.if
> +++ b/policy/modules/admin/rpm.if
> @@ -15,7 +15,6 @@ interface(`rpm_domtrans',`
> type rpm_t, rpm_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, rpm_exec_t, rpm_t)
> ')
> @@ -36,7 +35,6 @@ interface(`rpm_debuginfo_domtrans',`
> type debuginfo_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, debuginfo_exec_t, rpm_t)
> ')


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-06 13:04:04

by cpebenito

Subject: [refpolicy] [ patch 23/44] rpm: various changes both from fedora and myself. rpm: ntp post install scrript want to restart ntpd.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 efc0c37... 2b6fd87... M policy/modules/admin/rpm.te
> policy/modules/admin/rpm.te | 16 ++++++++++++++--
> 1 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index efc0c37..2b6fd87 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -43,6 +43,7 @@ type rpm_script_exec_t;
> domain_obj_id_change_exemption(rpm_script_t)
> domain_system_change_exemption(rpm_script_t)
> corecmd_shell_entry_type(rpm_script_t)
> +corecmd_bin_entry_type(rpm_script_t)
> domain_type(rpm_script_t)
> domain_entry_file(rpm_t, rpm_script_exec_t)
> domain_interactive_fd(rpm_script_t)
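Review bot: None of the grants this series adds to rpm.te carries a comment saying which package or scriptlet needs it, and several widen the domains noticeably: `corecmd_bin_entry_type(rpm_script_t)` here, `setfcap` in the capability line of the next hunk, `can_exec(rpm_t, rpm_tmp_t)` / `can_exec(rpm_t, rpm_tmpfs_t)` and `can_exec(rpm_script_t, rpm_script_tmp_t)` / `can_exec(rpm_script_t, rpm_script_tmpfs_t)` in the hunks that follow, and `manage_blk_files_pattern` / `manage_chr_files_pattern` for rpm_script_t on its own tmp type. Letting a domain execute what it can itself write, and letting it create device nodes under tmp, are rules a later reader will want to trace back to a concrete need, and the commit message's "various changes both from fedora and myself" does not give them that. A one-line why-comment above each such rule, e.g. `# <package> scriptlet creates device nodes in its tmp dir` with the real package filled in, keeps the rationale next to the rule. The surrounding rpm_t and rpm_script_t policy blocks continue outside these hunks.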
> @@ -59,8 +60,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
> # rpm Local policy
> #
>
> -allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
> -
> +allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
> allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
> allow rpm_t self:process { getattr setexec setfscreate setrlimit };
> allow rpm_t self:fd use;
> @@ -83,6 +83,7 @@ logging_log_filetrans(rpm_t, rpm_log_t, file)
> manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
> manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
> files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
> +can_exec(rpm_t, rpm_tmp_t)
>
> manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
> manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
> @@ -90,6 +91,7 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
> manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
> manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
> fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
> +can_exec(rpm_t, rpm_tmpfs_t)
>
> manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
> manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
> @@ -102,6 +104,7 @@ files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
> manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
> files_pid_filetrans(rpm_t, rpm_var_run_t, file)
>
> +kernel_read_crypto_sysctls(rpm_t)
> kernel_read_network_state(rpm_t)
> kernel_read_system_state(rpm_t)
> kernel_read_kernel_sysctls(rpm_t)
> @@ -241,7 +244,10 @@ allow rpm_script_t rpm_tmp_t:file read_file_perms;
> allow rpm_script_t rpm_script_tmp_t:dir mounton;
> manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
> manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
> +manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
> +manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
> files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
> +can_exec(rpm_script_t, rpm_script_tmp_t)
>
> manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
> manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
> @@ -249,7 +255,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
> manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
> manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
> fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
> +can_exec(rpm_script_t, rpm_script_tmpfs_t)
>
> +kernel_read_crypto_sysctls(rpm_script_t)
> kernel_read_kernel_sysctls(rpm_script_t)
> kernel_read_system_state(rpm_script_t)
> kernel_read_network_state(rpm_script_t)
> @@ -356,6 +364,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ntp_domtrans(rpm_script_t)
> +')
> +
> +optional_policy(`
> tzdata_domtrans(rpm_t)
> tzdata_domtrans(rpm_script_t)
> ')


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-07 17:07:22

by cpebenito

Subject: [refpolicy] [ patch 30/44] shutdown: search generic log directories.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 cf81d13... 97e6b23... M policy/modules/admin/shutdown.te
> policy/modules/admin/shutdown.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
> index cf81d13..97e6b23 100644
> --- a/policy/modules/admin/shutdown.te
> +++ b/policy/modules/admin/shutdown.te
> @@ -48,6 +48,7 @@ init_read_utmp(shutdown_t)
> init_stream_connect(shutdown_t)
> init_telinit(shutdown_t)
>
> +logging_search_logs(shutdown_t)
> logging_send_audit_msgs(shutdown_t)
>
> miscfiles_read_localization(shutdown_t)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-07 17:08:18

by cpebenito

Subject: [refpolicy] [ patch 29/44] shutdown: needs to connect to init with a unix stream socket.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 7824539... cf81d13... M policy/modules/admin/shutdown.te
> :100644 100644 f6aafe7... 8419a01... M policy/modules/system/init.if
> policy/modules/admin/shutdown.te | 1 +
> policy/modules/system/init.if | 18 ++++++++++++++++++
> 2 files changed, 19 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
> index 7824539..cf81d13 100644
> --- a/policy/modules/admin/shutdown.te
> +++ b/policy/modules/admin/shutdown.te
> @@ -45,6 +45,7 @@ auth_write_login_records(shutdown_t)
>
> init_dontaudit_write_utmp(shutdown_t)
> init_read_utmp(shutdown_t)
> +init_stream_connect(shutdown_t)
> init_telinit(shutdown_t)
>
> logging_send_audit_msgs(shutdown_t)
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index f6aafe7..8419a01 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -508,6 +508,24 @@ interface(`init_sigchld',`
>
> ########################################
> ##<summary>
> +## Connect to init with a unix socket.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`init_stream_connect',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:unix_stream_socket connectto;
> +')
> +
> +########################################
> +##<summary>
> ## Inherit and use file descriptors from init.
> ##</summary>
> ##<desc>
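Review bot: The summary `## Connect to init with a unix socket.` is looser than the rule it documents: the interface grants `connectto` on `unix_stream_socket` only, so datagram sockets remain denied. `## Connect to init with a unix stream socket.` matches both the allow rule and the patch subject, and saves the next reader from checking the body to learn the scope. The remainder of init.if is outside the hunk.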


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-07 17:08:28

by cpebenito

Subject: [refpolicy] [ patch 28/44] shutdown: for sudo.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 51f7c3a... 7824539... M policy/modules/admin/shutdown.te
> policy/modules/admin/shutdown.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
> index 51f7c3a..7824539 100644
> --- a/policy/modules/admin/shutdown.te
> +++ b/policy/modules/admin/shutdown.te
> @@ -33,6 +33,8 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
> manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
> files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
>
> +domain_use_interactive_fds(shutdown_t)
> +
> files_read_etc_files(shutdown_t)
> files_read_generic_pids(shutdown_t)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-07 17:08:36

by cpebenito

Subject: [refpolicy] [ patch 27/44] shutdown: search parent.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 b301c61... d0604cf... M policy/modules/admin/shutdown.if
> policy/modules/admin/shutdown.if | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
> index b301c61..d0604cf 100644
> --- a/policy/modules/admin/shutdown.if
> +++ b/policy/modules/admin/shutdown.if
> @@ -64,5 +64,6 @@ interface(`shutdown_getattr_exec_files',`
> type shutdown_exec_t;
> ')
>
> + corecmd_search_bin($1)
> allow $1 shutdown_exec_t:file getattr_file_perms;
> ')


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-07 17:08:42

by cpebenito

Subject: [refpolicy] [ patch 26/44] shutdown: permission sets.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 300d741... b301c61... M policy/modules/admin/shutdown.if
> policy/modules/admin/shutdown.if | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
> index 300d741..b301c61 100644
> --- a/policy/modules/admin/shutdown.if
> +++ b/policy/modules/admin/shutdown.if
> @@ -64,5 +64,5 @@ interface(`shutdown_getattr_exec_files',`
> type shutdown_exec_t;
> ')
>
> - allow $1 shutdown_exec_t:file getattr;
> + allow $1 shutdown_exec_t:file getattr_file_perms;
> ')


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-07 17:09:41

by cpebenito

Subject: [refpolicy] [ patch 25/44] shutdown: search parent.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 d2c068d... 300d741... M policy/modules/admin/shutdown.if
> policy/modules/admin/shutdown.if | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
> index d2c068d..300d741 100644
> --- a/policy/modules/admin/shutdown.if
> +++ b/policy/modules/admin/shutdown.if
> @@ -15,6 +15,7 @@ interface(`shutdown_domtrans',`
> type shutdown_t, shutdown_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, shutdown_exec_t, shutdown_t)
>
> ifdef(`hide_broken_symptoms', `


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-07 17:09:49

by cpebenito

Subject: [refpolicy] [ patch 24/44] shutdown: Fedora change.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 9174268... 97671a3... M policy/modules/admin/shutdown.fc
> policy/modules/admin/shutdown.fc | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
> index 9174268..97671a3 100644
> --- a/policy/modules/admin/shutdown.fc
> +++ b/policy/modules/admin/shutdown.fc
> @@ -1,5 +1,7 @@
> /etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
>
> +/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
> +
> /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
>
> -/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
> +/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 12:45:30

by cpebenito

Subject: [refpolicy] [ patch 32/44] su: wants to read inits keyring.

On 10/04/10 14:23, Dominick Grift wrote:
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 8419a01..b80886e 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -1176,6 +1176,24 @@ interface(`init_dontaudit_use_script_fds',`
>
> ########################################
> ##<summary>
> +## Search init script keys.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`init_search_key_script',`

What you said in the IRC channel is right, init_search_script_key() is a
better interface name.

> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:key search;
> +')
> +
> +########################################
> +##<summary>
> ## Get the process group ID of init scripts.
> ##</summary>
> ##<param name="domain">


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 12:46:27

by cpebenito

Subject: [refpolicy] [ patch 34/44] su: permission sets.

On 10/04/10 14:23, Dominick Grift wrote:
> diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
> index 2a4e0db..800852f 100644
> --- a/policy/modules/admin/su.if
> +++ b/policy/modules/admin/su.if
> @@ -138,7 +138,7 @@ template(`su_restricted_domain_template', `
>
> ifdef(`TODO',`
> # Caused by su - init scripts
> - dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
> + dontaudit $1_su_t initrc_devpts_t:chr_file { getattr_chr_file_perms ioctl };
> ') dnl end TODO
> ')

It would be best to create an interface so the TODO can be removed.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 12:51:20

by cpebenito

Subject: [refpolicy] [ patch 35/44] su: search parent.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 800852f... e108d2a... M policy/modules/admin/su.if
> policy/modules/admin/su.if | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
> index 800852f..e108d2a 100644
> --- a/policy/modules/admin/su.if
> +++ b/policy/modules/admin/su.if
> @@ -338,5 +338,6 @@ interface(`su_exec',`
> type su_exec_t;
> ')
>
> + corecmd_search_bin($1)
> can_exec($1, su_exec_t)
> ')


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 12:51:27

by cpebenito

Subject: [refpolicy] [ patch 33/44] su: wants to search callers keyring.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 dd9c7bf... 2a4e0db... M policy/modules/admin/su.if
> policy/modules/admin/su.if | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
> index dd9c7bf..2a4e0db 100644
> --- a/policy/modules/admin/su.if
> +++ b/policy/modules/admin/su.if
> @@ -186,6 +186,8 @@ template(`su_role_template',`
> allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
> allow $1_su_t self:key { search write };
>
> + allow $1_su_t $3:key search;
> +
> # Transition from the user domain to this domain.
> domtrans_pattern($3, su_exec_t, $1_su_t)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 12:51:33

by cpebenito

Subject: [refpolicy] [ patch 31/44] su: do not audit attempts to search /root.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> :100644 100644 a0aa8c5... 9337ed7... M policy/modules/admin/su.if
> policy/modules/admin/su.if | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
> index a0aa8c5..9337ed7 100644
> --- a/policy/modules/admin/su.if
> +++ b/policy/modules/admin/su.if
> @@ -223,6 +223,7 @@ template(`su_role_template',`
> files_read_etc_runtime_files($1_su_t)
> files_search_var_lib($1_su_t)
> files_dontaudit_getattr_tmp_dirs($1_su_t)
> + files_dontaudit_list_default($1_su_t)
>
> init_dontaudit_use_fds($1_su_t)
> # Write to utmp.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 12:59:53

by cpebenito

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

On 10/04/10 14:23, Dominick Grift wrote:
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index ca36b15..da2afce 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -101,6 +101,7 @@ template(`sudo_role_template',`
> files_read_usr_symlinks($1_sudo_t)
> files_getattr_usr_files($1_sudo_t)
> # for some PAM modules and for cwd
> + files_dontaudit_list_default($1_sudo_t)
> files_dontaudit_search_home($1_sudo_t)
> files_list_tmp($1_sudo_t)

I'm confused, /root shouldn't be default_t.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 13:01:05

by domg472

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito wrote:
> On 10/04/10 14:23, Dominick Grift wrote:
> >diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> >index ca36b15..da2afce 100644
> >--- a/policy/modules/admin/sudo.if
> >+++ b/policy/modules/admin/sudo.if
> >@@ -101,6 +101,7 @@ template(`sudo_role_template',`
> > files_read_usr_symlinks($1_sudo_t)
> > files_getattr_usr_files($1_sudo_t)
> > # for some PAM modules and for cwd
> >+ files_dontaudit_list_default($1_sudo_t)
> > files_dontaudit_search_home($1_sudo_t)
> > files_list_tmp($1_sudo_t)
>
> I'm confused, /root shouldn't be default_t.

Why not, what do you think it should be?
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

2010-10-08 13:01:36

by cpebenito

Subject: [refpolicy] [ patch 39/44] sudo: wants to manage keys of users besides caller.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>

Were you hitting this because of a role change? I can't think of any
other reason why it might modify other users' keys.

> :100644 100644 b194b6d... 1a9e25b... M policy/modules/admin/sudo.if
> :100644 100644 35f1476... 595c6f3... M policy/modules/system/userdomain.if
> policy/modules/admin/sudo.if | 2 ++
> policy/modules/system/userdomain.if | 18 ++++++++++++++++++
> 2 files changed, 20 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index b194b6d..1a9e25b 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -121,6 +121,7 @@ template(`sudo_role_template',`
> auth_use_nsswitch($1_sudo_t)
>
> init_rw_utmp($1_sudo_t)
> + init_search_key_script($1_sudo_t)
>
> logging_send_audit_msgs($1_sudo_t)
> logging_send_syslog_msg($1_sudo_t)
> @@ -131,6 +132,7 @@ template(`sudo_role_template',`
> seutil_libselinux_linked($1_sudo_t)
>
> userdom_spec_domtrans_all_users($1_sudo_t)
> + userdom_manage_all_users_keys($1_sudo_t)
> userdom_manage_user_home_content_files($1_sudo_t)
> userdom_manage_user_home_content_symlinks($1_sudo_t)
> userdom_manage_user_tmp_files($1_sudo_t)
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 35f1476..595c6f3 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -3119,6 +3119,24 @@ interface(`userdom_create_all_users_keys',`
>
> ########################################
> ##<summary>
> +## Manage keys of all users.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`userdom_manage_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key manage_key_perms;
> +')
> +
> +########################################
> +##<summary>
> ## Send a dbus message to all user domains.
> ##</summary>
> ##<param name="domain">
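Review bot: The summary `## Manage keys of all users.` does not convey the breadth of `allow $1 userdomain:key manage_key_perms;`: `userdomain` is an attribute, so one call covers every user domain at once, and `manage_key_perms` is considerably wider than the `search` that the sibling `init_search_key_script` in this series grants. A caller should be able to see that from the interface documentation alone, so suggest `## Manage keys of all user domains (full manage_key_perms, not just search).` as the summary, plus a `<desc>` block stating that this is meant for privilege-changing tools such as sudo rather than for general domains. The remainder of userdomain.if is outside the hunk.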


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 13:03:07

by cpebenito

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

On 10/08/10 09:01, Dominick Grift wrote:
> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito wrote:
>> On 10/04/10 14:23, Dominick Grift wrote:
>>> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
>>> index ca36b15..da2afce 100644
>>> --- a/policy/modules/admin/sudo.if
>>> +++ b/policy/modules/admin/sudo.if
>>> @@ -101,6 +101,7 @@ template(`sudo_role_template',`
>>> files_read_usr_symlinks($1_sudo_t)
>>> files_getattr_usr_files($1_sudo_t)
>>> # for some PAM modules and for cwd
>>> + files_dontaudit_list_default($1_sudo_t)
>>> files_dontaudit_search_home($1_sudo_t)
>>> files_list_tmp($1_sudo_t)
>>
>> I'm confused, /root shouldn't be default_t.
>
> Why not, what do you think it should be?

There shouldn't be any default_t files if it can be helped. I would
expect user_home_dir_t or admin_home_dir_t if you're on Fedora.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 13:07:46

by domg472

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
> On 10/08/10 09:01, Dominick Grift wrote:
> >On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito wrote:
> >>On 10/04/10 14:23, Dominick Grift wrote:
> >>>diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> >>>index ca36b15..da2afce 100644
> >>>--- a/policy/modules/admin/sudo.if
> >>>+++ b/policy/modules/admin/sudo.if
> >>>@@ -101,6 +101,7 @@ template(`sudo_role_template',`
> >>> files_read_usr_symlinks($1_sudo_t)
> >>> files_getattr_usr_files($1_sudo_t)
> >>> # for some PAM modules and for cwd
> >>>+ files_dontaudit_list_default($1_sudo_t)
> >>> files_dontaudit_search_home($1_sudo_t)
> >>> files_list_tmp($1_sudo_t)
> >>
> >>I'm confused, /root shouldn't be default_t.
> >
> >Why not, what do you think it should be?
>
> There shouldn't be any default_t files if it can be helped. I would
> expect user_home_dir_t or admin_home_dir_t if you're on Fedora.

This patch set is to make "refpolicy" work on minimal Fedora installations. It's not so much about trying to merge every Fedora change into refpolicy.

However if you are interested in implementing Fedora's admin_home_t i guess i could try that instead. That would mean that for now you can disregard all " default" patches.

I just was of the opinion that refpolicy is not interested in implementing fedoras admin_home_t solution, and rather stick to default_t for /root

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

2010-10-08 13:11:23

by cpebenito

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

On 10/08/10 09:07, Dominick Grift wrote:
> On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
>> On 10/08/10 09:01, Dominick Grift wrote:
>>> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito wrote:
>>>> On 10/04/10 14:23, Dominick Grift wrote:
>>>>> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
>>>>> index ca36b15..da2afce 100644
>>>>> --- a/policy/modules/admin/sudo.if
>>>>> +++ b/policy/modules/admin/sudo.if
>>>>> @@ -101,6 +101,7 @@ template(`sudo_role_template',`
>>>>> files_read_usr_symlinks($1_sudo_t)
>>>>> files_getattr_usr_files($1_sudo_t)
>>>>> # for some PAM modules and for cwd
>>>>> + files_dontaudit_list_default($1_sudo_t)
>>>>> files_dontaudit_search_home($1_sudo_t)
>>>>> files_list_tmp($1_sudo_t)
>>>>
>>>> I'm confused, /root shouldn't be default_t.
>>>
>>> Why not, what do you think it should be?
>>
>> There shouldn't be any default_t files if it can be helped. I would
>> expect user_home_dir_t or admin_home_dir_t if you're on Fedora.
>
> This patch set is to make "refpolicy" work on minimal fedora installations. Its not so much about trying to merge every fedora change to refpolicy.
>
> However if you are interested in implementing Fedora's admin_home_t i guess i could try that instead. That would mean that for now you can disregard all " default" patches.
>
> I just was of the opinion that refpolicy is not interested in implementing fedoras admin_home_t solution, and rather stick to default_t for /root

No, /root should definitely not be default_t. If that's what you're
getting out of refpolicy head, we need to figure out why.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 13:13:57

by cpebenito

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

On 10/08/10 09:11, Christopher J. PeBenito wrote:
> On 10/08/10 09:07, Dominick Grift wrote:
>> On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
>>> On 10/08/10 09:01, Dominick Grift wrote:
>>>> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito
>>>> wrote:
>>>>> On 10/04/10 14:23, Dominick Grift wrote:
>>>>>> diff --git a/policy/modules/admin/sudo.if
>>>>>> b/policy/modules/admin/sudo.if
>>>>>> index ca36b15..da2afce 100644
>>>>>> --- a/policy/modules/admin/sudo.if
>>>>>> +++ b/policy/modules/admin/sudo.if
>>>>>> @@ -101,6 +101,7 @@ template(`sudo_role_template',`
>>>>>> files_read_usr_symlinks($1_sudo_t)
>>>>>> files_getattr_usr_files($1_sudo_t)
>>>>>> # for some PAM modules and for cwd
>>>>>> + files_dontaudit_list_default($1_sudo_t)
>>>>>> files_dontaudit_search_home($1_sudo_t)
>>>>>> files_list_tmp($1_sudo_t)
>>>>>
>>>>> I'm confused, /root shouldn't be default_t.
>>>>
>>>> Why not, what do you think it should be?
>>>
>>> There shouldn't be any default_t files if it can be helped. I would
>>> expect user_home_dir_t or admin_home_dir_t if you're on Fedora.
>>
>> This patch set is to make "refpolicy" work on minimal fedora
>> installations. Its not so much about trying to merge every fedora
>> change to refpolicy.
>>
>> However if you are interested in implementing Fedora's admin_home_t i
>> guess i could try that instead. That would mean that for now you can
>> disregard all " default" patches.
>>
>> I just was of the opinion that refpolicy is not interested in
>> implementing fedoras admin_home_t solution, and rather stick to
>> default_t for /root
>
> No, /root should definitely not be default_t. If thats what you're
> getting out of refpolicy head, we need to figure out why.

To clarify, I would expect it to be user_home_dir_t in refpolicy.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 13:19:04

by Daniel Walsh

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/08/2010 09:13 AM, Christopher J. PeBenito wrote:
> On 10/08/10 09:11, Christopher J. PeBenito wrote:
>> On 10/08/10 09:07, Dominick Grift wrote:
>>> On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
>>>> On 10/08/10 09:01, Dominick Grift wrote:
>>>>> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito
>>>>> wrote:
>>>>>> On 10/04/10 14:23, Dominick Grift wrote:
>>>>>>> diff --git a/policy/modules/admin/sudo.if
>>>>>>> b/policy/modules/admin/sudo.if
>>>>>>> index ca36b15..da2afce 100644
>>>>>>> --- a/policy/modules/admin/sudo.if
>>>>>>> +++ b/policy/modules/admin/sudo.if
>>>>>>> @@ -101,6 +101,7 @@ template(`sudo_role_template',`
>>>>>>> files_read_usr_symlinks($1_sudo_t)
>>>>>>> files_getattr_usr_files($1_sudo_t)
>>>>>>> # for some PAM modules and for cwd
>>>>>>> + files_dontaudit_list_default($1_sudo_t)
>>>>>>> files_dontaudit_search_home($1_sudo_t)
>>>>>>> files_list_tmp($1_sudo_t)
>>>>>>
>>>>>> I'm confused, /root shouldn't be default_t.
>>>>>
>>>>> Why not, what do you think it should be?
>>>>
>>>> There shouldn't be any default_t files if it can be helped. I would
>>>> expect user_home_dir_t or admin_home_dir_t if you're on Fedora.
>>>
>>> This patch set is to make "refpolicy" work on minimal fedora
>>> installations. Its not so much about trying to merge every fedora
>>> change to refpolicy.
>>>
>>> However if you are interested in implementing Fedora's admin_home_t i
>>> guess i could try that instead. That would mean that for now you can
>>> disregard all " default" patches.
>>>
>>> I just was of the opinion that refpolicy is not interested in
>>> implementing fedoras admin_home_t solution, and rather stick to
>>> default_t for /root
>>
>> No, /root should definitely not be default_t. If thats what you're
>> getting out of refpolicy head, we need to figure out why.
>
> To clarify, I would expect it to be user_home_dir_t in refpolicy.
>
>
If you are using the latest Fedora libsemanage, it is running
genhomedircon, so this might leave /root without a label.

Edit /etc/selinux/semanage.conf

And change
# semanage fcontext -a -e /home /althome
usepasswd=FALSE




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyvGkgACgkQrlYvE4MpobOzHACfahQzaVd58ejJXbLR5087c7kF
6+gAn3WEnHukjC/7nDeUGi4dBPX+6ncS
=GgzZ
-----END PGP SIGNATURE-----

2010-10-08 13:21:53

by domg472

Subject: [refpolicy] [ patch 31/44] su: do not audit attempts to search /root.

On Fri, Oct 08, 2010 at 08:51:33AM -0400, Christopher J. PeBenito wrote:
> On 10/04/10 14:23, Dominick Grift wrote:
> >
> >Signed-off-by: Dominick Grift<[email protected]>
>
> Merged.
Please undo this patch and ignore any of the "do not audit attempts to search /root" patches.

>
> >:100644 100644 a0aa8c5... 9337ed7... M policy/modules/admin/su.if
> > policy/modules/admin/su.if | 1 +
> > 1 files changed, 1 insertions(+), 0 deletions(-)
> >
> >diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
> >index a0aa8c5..9337ed7 100644
> >--- a/policy/modules/admin/su.if
> >+++ b/policy/modules/admin/su.if
> >@@ -223,6 +223,7 @@ template(`su_role_template',`
> > files_read_etc_runtime_files($1_su_t)
> > files_search_var_lib($1_su_t)
> > files_dontaudit_getattr_tmp_dirs($1_su_t)
> >+ files_dontaudit_list_default($1_su_t)
> >
> > init_dontaudit_use_fds($1_su_t)
> > # Write to utmp.
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

2010-10-08 13:31:42

by domg472

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

On Fri, Oct 08, 2010 at 09:13:57AM -0400, Christopher J. PeBenito wrote:
> On 10/08/10 09:11, Christopher J. PeBenito wrote:
> >On 10/08/10 09:07, Dominick Grift wrote:
> >>On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
> >>>On 10/08/10 09:01, Dominick Grift wrote:
> >>>>On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito
> >>>>wrote:
> >>>>>On 10/04/10 14:23, Dominick Grift wrote:
> >>>>>>diff --git a/policy/modules/admin/sudo.if
> >>>>>>b/policy/modules/admin/sudo.if
> >>>>>>index ca36b15..da2afce 100644
> >>>>>>--- a/policy/modules/admin/sudo.if
> >>>>>>+++ b/policy/modules/admin/sudo.if
> >>>>>>@@ -101,6 +101,7 @@ template(`sudo_role_template',`
> >>>>>>files_read_usr_symlinks($1_sudo_t)
> >>>>>>files_getattr_usr_files($1_sudo_t)
> >>>>>># for some PAM modules and for cwd
> >>>>>>+ files_dontaudit_list_default($1_sudo_t)
> >>>>>>files_dontaudit_search_home($1_sudo_t)
> >>>>>>files_list_tmp($1_sudo_t)
> >>>>>
> >>>>>I'm confused, /root shouldn't be default_t.
> >>>>
> >>>>Why not, what do you think it should be?
> >>>
> >>>There shouldn't be any default_t files if it can be helped. I would
> >>>expect user_home_dir_t or admin_home_dir_t if you're on Fedora.
> >>
> >>This patch set is to make "refpolicy" work on minimal fedora
> >>installations. Its not so much about trying to merge every fedora
> >>change to refpolicy.
> >>
> >>However if you are interested in implementing Fedora's admin_home_t i
> >>guess i could try that instead. That would mean that for now you can
> >>disregard all " default" patches.
> >>
> >>I just was of the opinion that refpolicy is not interested in
> >>implementing fedoras admin_home_t solution, and rather stick to
> >>default_t for /root
> >
> >No, /root should definitely not be default_t. If thats what you're
> >getting out of refpolicy head, we need to figure out why.
>
> To clarify, I would expect it to be user_home_dir_t in refpolicy.

Any particular reason to not implement Fedoras admin_home_t solution instead?
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

2010-10-08 13:41:30

by Daniel Walsh

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/08/2010 09:31 AM, Dominick Grift wrote:
> On Fri, Oct 08, 2010 at 09:13:57AM -0400, Christopher J. PeBenito wrote:
>> On 10/08/10 09:11, Christopher J. PeBenito wrote:
>>> On 10/08/10 09:07, Dominick Grift wrote:
>>>> On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
>>>>> On 10/08/10 09:01, Dominick Grift wrote:
>>>>>> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito
>>>>>> wrote:
>>>>>>> On 10/04/10 14:23, Dominick Grift wrote:
>>>>>>>> diff --git a/policy/modules/admin/sudo.if
>>>>>>>> b/policy/modules/admin/sudo.if
>>>>>>>> index ca36b15..da2afce 100644
>>>>>>>> --- a/policy/modules/admin/sudo.if
>>>>>>>> +++ b/policy/modules/admin/sudo.if
>>>>>>>> @@ -101,6 +101,7 @@ template(`sudo_role_template',`
>>>>>>>> files_read_usr_symlinks($1_sudo_t)
>>>>>>>> files_getattr_usr_files($1_sudo_t)
>>>>>>>> # for some PAM modules and for cwd
>>>>>>>> + files_dontaudit_list_default($1_sudo_t)
>>>>>>>> files_dontaudit_search_home($1_sudo_t)
>>>>>>>> files_list_tmp($1_sudo_t)
>>>>>>>
>>>>>>> I'm confused, /root shouldn't be default_t.
>>>>>>
>>>>>> Why not, what do you think it should be?
>>>>>
>>>>> There shouldn't be any default_t files if it can be helped. I would
>>>>> expect user_home_dir_t or admin_home_dir_t if you're on Fedora.
>>>>
>>>> This patch set is to make "refpolicy" work on minimal fedora
>>>> installations. Its not so much about trying to merge every fedora
>>>> change to refpolicy.
>>>>
>>>> However if you are interested in implementing Fedora's admin_home_t i
>>>> guess i could try that instead. That would mean that for now you can
>>>> disregard all " default" patches.
>>>>
>>>> I just was of the opinion that refpolicy is not interested in
>>>> implementing fedoras admin_home_t solution, and rather stick to
>>>> default_t for /root
>>>
>>> No, /root should definitely not be default_t. If thats what you're
>>> getting out of refpolicy head, we need to figure out why.
>>
>> To clarify, I would expect it to be user_home_dir_t in refpolicy.
>
> Any particular reason to not implement Fedoras admin_home_t solution instead?
>>
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> http://www.tresys.com | oss.tresys.com
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy

Top reasons I like labelling /root differently than /home/dwalsh

1. Admins enter the /root directory every time they run su - or sudo.
And execute .bash type scripts.
2. If said admins execute /etc/init.d/BLAH script I get avc saying BLAH
tried to read user_home_dir_t, I can add rule saying dontaudit daemon
admin_home_t:dir search_dir_perms;
3. When someone tries to login via Xwindows as Root, they get denied,
by SELinux. We do not want X Window sessions running as root and
unconfined_t.
4. Over 70 domains in Fedora 15 need to write to user_home_dir_t
depending on boolean settings, I do not want them writing to /root
5. I can turn off genhomedircon, since I have a label for /root as
admin_home_t.
6. I want to have confined administrators tread the directories
differently.
7. Confined apps started in /root need to be treated differently.
8. Setroubleshoot plugins can treat access differently.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyvH4oACgkQrlYvE4MpobP03QCgkqc9QhO8dd++6+wA45pqGMw/
3lYAnjKASWpaZyC3afxMLiWnDhdpwnkJ
=0O7C
-----END PGP SIGNATURE-----

2010-10-08 13:43:39

by domg472

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

On Fri, Oct 08, 2010 at 09:41:30AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/08/2010 09:31 AM, Dominick Grift wrote:
> > On Fri, Oct 08, 2010 at 09:13:57AM -0400, Christopher J. PeBenito wrote:
> >> On 10/08/10 09:11, Christopher J. PeBenito wrote:
> >>> On 10/08/10 09:07, Dominick Grift wrote:
> >>>> On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
> >>>>> On 10/08/10 09:01, Dominick Grift wrote:
> >>>>>> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito
> >>>>>> wrote:
> >>>>>>> On 10/04/10 14:23, Dominick Grift wrote:
> >>>>>>>> diff --git a/policy/modules/admin/sudo.if
> >>>>>>>> b/policy/modules/admin/sudo.if
> >>>>>>>> index ca36b15..da2afce 100644
> >>>>>>>> --- a/policy/modules/admin/sudo.if
> >>>>>>>> +++ b/policy/modules/admin/sudo.if
> >>>>>>>> @@ -101,6 +101,7 @@ template(`sudo_role_template',`
> >>>>>>>> files_read_usr_symlinks($1_sudo_t)
> >>>>>>>> files_getattr_usr_files($1_sudo_t)
> >>>>>>>> # for some PAM modules and for cwd
> >>>>>>>> + files_dontaudit_list_default($1_sudo_t)
> >>>>>>>> files_dontaudit_search_home($1_sudo_t)
> >>>>>>>> files_list_tmp($1_sudo_t)
> >>>>>>>
> >>>>>>> I'm confused, /root shouldn't be default_t.
> >>>>>>
> >>>>>> Why not, what do you think it should be?
> >>>>>
> >>>>> There shouldn't be any default_t files if it can be helped. I would
> >>>>> expect user_home_dir_t or admin_home_dir_t if you're on Fedora.
> >>>>
> >>>> This patch set is to make "refpolicy" work on minimal fedora
> >>>> installations. Its not so much about trying to merge every fedora
> >>>> change to refpolicy.
> >>>>
> >>>> However if you are interested in implementing Fedora's admin_home_t i
> >>>> guess i could try that instead. That would mean that for now you can
> >>>> disregard all " default" patches.
> >>>>
> >>>> I just was of the opinion that refpolicy is not interested in
> >>>> implementing fedoras admin_home_t solution, and rather stick to
> >>>> default_t for /root
> >>>
> >>> No, /root should definitely not be default_t. If thats what you're
> >>> getting out of refpolicy head, we need to figure out why.
> >>
> >> To clarify, I would expect it to be user_home_dir_t in refpolicy.
> >
> > Any particular reason to not implement Fedoras admin_home_t solution instead?
> >>
> >>
> >> --
> >> Chris PeBenito
> >> Tresys Technology, LLC
> >> http://www.tresys.com | oss.tresys.com
> >>
> >>
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
>
> Top Reasons I like labelling /root differently then /home/dwalsh
>
> 1. Admins enter the /root directory every time they run su - or sudo.
> And execute .bash type scripts.
> 2. If said admins execute /etc/init.d/BLAH script I get avc saying BLAH
> tried to read user_home_dir_t, I can add rule saying dontaudit daemon
> admin_home_t:dir search_dir_perms;
> 3. When someone tries to login via Xwindows as Root, they get denied,
> by SELinux. We do not want X Window sessions running as root and
> unconfined_t.
> 4. Over 70 domains in Fedora 15 need to write to user_home_dir_t
> depending on boolean settings, I do not want them writing to /root
> 5. I can turn off genhomedircon, since I have a label for /root as
> admin_home_t.
> 6. I want to have confined administrators tread the directories
> differently.
> 7. Confined apps started in /root need to be treated differently.
> 8. Setroubleshoot plugins can treat access differently.

dwalsh, will it not cause any file context specification conflicts on Fedora systems/policy if I set usepasswd=false with admin_home_t vs. user_home_dir_t?

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkyvH4oACgkQrlYvE4MpobP03QCgkqc9QhO8dd++6+wA45pqGMw/
> 3lYAnjKASWpaZyC3afxMLiWnDhdpwnkJ
> =0O7C
> -----END PGP SIGNATURE-----

2010-10-08 13:51:37

by Daniel Walsh

Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/08/2010 09:43 AM, Dominick Grift wrote:
> On Fri, Oct 08, 2010 at 09:41:30AM -0400, Daniel J Walsh wrote:
> On 10/08/2010 09:31 AM, Dominick Grift wrote:
>>>> On Fri, Oct 08, 2010 at 09:13:57AM -0400, Christopher J. PeBenito wrote:
>>>>> On 10/08/10 09:11, Christopher J. PeBenito wrote:
>>>>>> On 10/08/10 09:07, Dominick Grift wrote:
>>>>>>> On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
>>>>>>>> On 10/08/10 09:01, Dominick Grift wrote:
>>>>>>>>> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito
>>>>>>>>> wrote:
>>>>>>>>>> On 10/04/10 14:23, Dominick Grift wrote:
>>>>>>>>>>> diff --git a/policy/modules/admin/sudo.if
>>>>>>>>>>> b/policy/modules/admin/sudo.if
>>>>>>>>>>> index ca36b15..da2afce 100644
>>>>>>>>>>> --- a/policy/modules/admin/sudo.if
>>>>>>>>>>> +++ b/policy/modules/admin/sudo.if
>>>>>>>>>>> @@ -101,6 +101,7 @@ template(`sudo_role_template',`
>>>>>>>>>>> files_read_usr_symlinks($1_sudo_t)
>>>>>>>>>>> files_getattr_usr_files($1_sudo_t)
>>>>>>>>>>> # for some PAM modules and for cwd
>>>>>>>>>>> + files_dontaudit_list_default($1_sudo_t)
>>>>>>>>>>> files_dontaudit_search_home($1_sudo_t)
>>>>>>>>>>> files_list_tmp($1_sudo_t)
>>>>>>>>>>
>>>>>>>>>> I'm confused, /root shouldn't be default_t.
>>>>>>>>>
>>>>>>>>> Why not, what do you think it should be?
>>>>>>>>
>>>>>>>> There shouldn't be any default_t files if it can be helped. I would
>>>>>>>> expect user_home_dir_t or admin_home_dir_t if you're on Fedora.
>>>>>>>
>>>>>>> This patch set is to make "refpolicy" work on minimal fedora
>>>>>>> installations. Its not so much about trying to merge every fedora
>>>>>>> change to refpolicy.
>>>>>>>
>>>>>>> However if you are interested in implementing Fedora's admin_home_t i
>>>>>>> guess i could try that instead. That would mean that for now you can
>>>>>>> disregard all " default" patches.
>>>>>>>
>>>>>>> I just was of the opinion that refpolicy is not interested in
>>>>>>> implementing fedoras admin_home_t solution, and rather stick to
>>>>>>> default_t for /root
>>>>>>
>>>>>> No, /root should definitely not be default_t. If thats what you're
>>>>>> getting out of refpolicy head, we need to figure out why.
>>>>>
>>>>> To clarify, I would expect it to be user_home_dir_t in refpolicy.
>>>>
>>>> Any particular reason to not implement Fedoras admin_home_t solution instead?
>>>>>
>>>>>
>>>>> --
>>>>> Chris PeBenito
>>>>> Tresys Technology, LLC
>>>>> http://www.tresys.com | oss.tresys.com
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> refpolicy mailing list
>>>>> refpolicy at oss.tresys.com
>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
> Top Reasons I like labelling /root differently then /home/dwalsh
>
> 1. Admins enter the /root directory every time they run su - or sudo.
> And execute .bash type scripts.
> 2. If said admins execute /etc/init.d/BLAH script I get avc saying BLAH
> tried to read user_home_dir_t, I can add rule saying dontaudit daemon
> admin_home_t:dir search_dir_perms;
> 3. When someone tries to login via Xwindows as Root, they get denied,
> by SELinux. We do not want X Window sessions running as root and
> unconfined_t.
> 4. Over 70 domains in Fedora 15 need to write to user_home_dir_t
> depending on boolean settings, I do not want them writing to /root
> 5. I can turn off genhomedircon, since I have a label for /root as
> admin_home_t.
> 6. I want to have confined administrators tread the directories
> differently.
> 7. Confined apps started in /root need to be treated differently.
> 8. Setroubleshoot plugins can treat access differently.
>
>> dwalsh will it not cause any file context specification conflicts on fedora systems/policy if i set usepasswd=false with admin_home_t vs. user_home_dir_t?
>
>>
>>

Yes it could be a problem, because I believe the fedora genhomedircon is
ignoring /root in /etc/passwd. So removing this with the Fedora
libsemanage will not help you. (Or I guess you could try.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyvIekACgkQrlYvE4MpobN7HACfQbZFomfJbwTM5l8vqlEBDRMo
LGQAoNDuMOX+z74Db/Hwf+dSOGTkuRL/
=er/k
-----END PGP SIGNATURE-----

2010-10-08 18:33:46

by cpebenito

Subject: [refpolicy] [ patch 38/44] sudo: wants to get attributes of generic pts filesystems.

On 10/04/10 14:23, Dominick Grift wrote:
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index da2afce..b194b6d 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -111,6 +111,7 @@ template(`sudo_role_template',`
> selinux_validate_context($1_sudo_t)
> selinux_compute_relabel_context($1_sudo_t)
>
> + term_getattr_pty_fs($1_sudo_t)
> term_relabel_all_ttys($1_sudo_t)
> term_relabel_all_ptys($1_sudo_t)

Merged.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-08 18:33:47

by cpebenito

Subject: [refpolicy] [ patch 36/44] sudo: wants to get attributes of device_t filesystems.

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 5f44f1b... ca36b15... M policy/modules/admin/sudo.if
> :100644 100644 8b09281... f1f6809... M policy/modules/kernel/devices.if
> policy/modules/admin/sudo.if | 1 +
> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
> 2 files changed, 19 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 5f44f1b..ca36b15 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -87,6 +87,7 @@ template(`sudo_role_template',`
> corecmd_read_bin_symlinks($1_sudo_t)
> corecmd_exec_all_executables($1_sudo_t)
>
> + dev_getattr_device_fs($1_sudo_t)
> dev_read_urand($1_sudo_t)
> dev_rw_generic_usb_dev($1_sudo_t)
> dev_read_sysfs($1_sudo_t)
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 8b09281..f1f6809 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -92,6 +92,24 @@ interface(`dev_associate',`
>
> ########################################
> ##<summary>
> +## Get attributes of device filesystems.
> +##</summary>
> +##<param name="file_type">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`dev_getattr_device_fs',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:filesystem getattr;
> +')
> +
> +########################################
> +##<summary>
> ## Mount a filesystem on /dev
> ##</summary>
> ##<param name="domain">
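Review bot: The parameter block of the new `dev_getattr_device_fs` interface is mislabelled: `##<param name="file_type">` describes a value whose summary is "Domain allowed access." and which the body uses as the subject of `allow $1 device_t:filesystem getattr;`, so the name should be `##<param name="domain">`, matching the neighbouring `dev_mount` documentation directly below and the refpolicy convention. Since the maintainer says the interface was renamed on merge, the param name is worth checking in the merged version as well.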

Merged, though I renamed the interface.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com