On Mon, Oct 04, 2010 at 08:22:06PM +0200, Dominick Grift wrote:
Please ignore this message. (this was still sitting in my tmp)
>
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 2b12a37... aa9f935... M policy/modules/admin/consoletype.te
> :100644 100644 39e901a... 0bfab9b... M policy/modules/services/dbus.if
> :100644 100644 b354128... 052f0a6... M policy/modules/services/dbus.te
> :100644 100644 b3ace16... 58a4736... M policy/modules/services/modemmanager.te
> :100644 100644 0619395... 2f9a857... M policy/modules/services/networkmanager.te
> :100644 100644 c61adc8... b4a1419... M policy/modules/services/ntp.te
> :100644 100644 2dad3c8... a20543a... M policy/modules/services/ssh.te
> :100644 100644 54d122b... 25bfbd4... M policy/modules/system/authlogin.te
> :100644 100644 fca6947... 5f5f331... M policy/modules/system/mount.te
> :100644 100644 dfbe736... eac173f... M policy/modules/system/sysnetwork.te
> :100644 100644 f976344... fbf02ec... M policy/modules/system/unconfined.te
> :100644 100644 2aa8928... 5cb411a... M policy/modules/system/userdomain.if
> policy/modules/admin/consoletype.te | 4 ++++
> policy/modules/services/dbus.if | 18 ++++++++++++++++++
> policy/modules/services/dbus.te | 9 +++++----
> policy/modules/services/modemmanager.te | 2 +-
> policy/modules/services/networkmanager.te | 1 +
> policy/modules/services/ntp.te | 1 +
> policy/modules/services/ssh.te | 4 ++++
> policy/modules/system/authlogin.te | 1 +
> policy/modules/system/mount.te | 11 ++++++++++-
> policy/modules/system/sysnetwork.te | 4 ++++
> policy/modules/system/unconfined.te | 7 +++++++
> policy/modules/system/userdomain.if | 18 ++++++++++++++++++
> 12 files changed, 74 insertions(+), 6 deletions(-)
>
> diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
> index 2b12a37..aa9f935 100644
> --- a/policy/modules/admin/consoletype.te
> +++ b/policy/modules/admin/consoletype.te
> @@ -75,6 +75,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dbus_use_fd(consoletype_t)
> +')
> +
> +optional_policy(`
> files_read_etc_files(consoletype_t)
> firstboot_use_fds(consoletype_t)
> firstboot_rw_pipes(consoletype_t)
> diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
> index 39e901a..0bfab9b 100644
> --- a/policy/modules/services/dbus.if
> +++ b/policy/modules/services/dbus.if
> @@ -479,3 +479,21 @@ interface(`dbus_unconfined',`
>
> typeattribute $1 dbusd_unconfined;
> ')
> +
> +########################################
> +## <summary>
> +## Use and inherit system DBUS file descriptors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dbus_use_fd',`
> + gen_require(`
> + type system_dbusd_t;
> + ')
> +
> + allow $1 system_dbusd_t:fd use;
> +')
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index b354128..052f0a6 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -108,10 +108,6 @@ term_dontaudit_use_console(system_dbusd_t)
> auth_use_nsswitch(system_dbusd_t)
> auth_read_pam_console_data(system_dbusd_t)
>
> -corecmd_list_bin(system_dbusd_t)
> -corecmd_read_bin_pipes(system_dbusd_t)
> -corecmd_read_bin_sockets(system_dbusd_t)
> -
> domain_use_interactive_fds(system_dbusd_t)
> domain_read_all_domains_state(system_dbusd_t)
>
> @@ -141,6 +137,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # should this be dbus_system_domain instead?
> + networkmanager_initrc_domtrans(system_dbusd_t)
> +')
> +
> +optional_policy(`
> policykit_dbus_chat(system_dbusd_t)
> policykit_domtrans_auth(system_dbusd_t)
> policykit_search_lib(system_dbusd_t)
> diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
> index b3ace16..58a4736 100644
> --- a/policy/modules/services/modemmanager.te
> +++ b/policy/modules/services/modemmanager.te
> @@ -16,7 +16,7 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
> # ModemManager local policy
> #
>
> -allow modemmanager_t self:process signal;
> +allow modemmanager_t self:process { getsched setsched signal };
> allow modemmanager_t self:fifo_file rw_file_perms;
> allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
> allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
> diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
> index 0619395..2f9a857 100644
> --- a/policy/modules/services/networkmanager.te
> +++ b/policy/modules/services/networkmanager.te
> @@ -141,6 +141,7 @@ sysnet_domtrans_ifconfig(NetworkManager_t)
> sysnet_domtrans_dhcpc(NetworkManager_t)
> sysnet_signal_dhcpc(NetworkManager_t)
> sysnet_read_dhcpc_pid(NetworkManager_t)
> +sysnet_read_dhcpc_state(NetworkManager_t)
> sysnet_delete_dhcpc_pid(NetworkManager_t)
> sysnet_search_dhcp_state(NetworkManager_t)
> # in /etc created by NetworkManager will be labelled net_conf_t.
> diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
> index c61adc8..b4a1419 100644
> --- a/policy/modules/services/ntp.te
> +++ b/policy/modules/services/ntp.te
> @@ -74,6 +74,7 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
> files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
>
> kernel_read_kernel_sysctls(ntpd_t)
> +kernel_read_crypto_sysctls(ntpd_t)
> kernel_read_system_state(ntpd_t)
> kernel_read_network_state(ntpd_t)
> kernel_request_load_module(ntpd_t)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 2dad3c8..a20543a 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>
> +kernel_read_crypto_sysctls(sshd_t)
> +kernel_request_load_module(sshd_t)
> kernel_search_key(sshd_t)
> kernel_link_key(sshd_t)
>
> @@ -249,6 +251,8 @@ term_relabelto_all_ptys(sshd_t)
> corenet_tcp_bind_xserver_port(sshd_t)
> corenet_sendrecv_xserver_server_packets(sshd_t)
>
> +userdom_write_all_users_keys(sshd_t)
> +
> tunable_policy(`ssh_sysadm_login',`
> # Relabel and access ptys created by sshd
> # ioctl is necessary for logout() processing for utmp entry and for w to
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 54d122b..25bfbd4 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -90,6 +90,7 @@ files_list_etc(chkpwd_t)
>
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
> +kernel_read_crypto_sysctls(chkpwd_t)
>
> domain_dontaudit_use_interactive_fds(chkpwd_t)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index fca6947..5f5f331 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -36,6 +36,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
>
> # setuid/setgid needed to mount cifs
> allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
> +allow mount_t self:fifo_file rw_fifo_file_perms;
>
> allow mount_t mount_loopback_t:file read_file_perms;
>
> @@ -48,13 +49,16 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>
> kernel_read_system_state(mount_t)
> kernel_read_kernel_sysctls(mount_t)
> +kernel_setsched(mount_t)
> kernel_dontaudit_getattr_core_if(mount_t)
>
> # required for mount.smbfs
> corecmd_exec_bin(mount_t)
> +corecmd_exec_shell(mount_t)
>
> dev_getattr_all_blk_files(mount_t)
> dev_list_all_dev_nodes(mount_t)
> +dev_read_sysfs(mount_t)
> dev_rw_lvm_control(mount_t)
> dev_dontaudit_getattr_all_chr_files(mount_t)
> dev_dontaudit_getattr_memory_dev(mount_t)
> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
> fs_unmount_all_fs(mount_t)
> fs_remount_all_fs(mount_t)
> fs_relabelfrom_all_fs(mount_t)
> -fs_list_auto_mountpoints(mount_t)
> +# wants to list usbfs_t
> +fs_list_all(mount_t)
> fs_rw_tmpfs_chr_files(mount_t)
> fs_read_tmpfs_symlinks(mount_t)
>
> @@ -180,6 +185,10 @@ optional_policy(`
> ')
> ')
>
> +optional_policy(`
> + dbus_use_fd(mount_t)
> +')
> +
> # for kernel package installation
> optional_policy(`
> rpm_rw_pipes(mount_t)
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index dfbe736..eac173f 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
> ')
>
> optional_policy(`
> + dbus_use_fd(ifconfig_t)
> +')
> +
> +optional_policy(`
> hal_dontaudit_rw_pipes(ifconfig_t)
> hal_dontaudit_rw_dgram_sockets(ifconfig_t)
> ')
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index f976344..fbf02ec 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
> mcs_killall(unconfined_t)
> mcs_ptrace_all(unconfined_t)
>
> +ubac_process_exempt(unconfined_t)
> +ubac_file_exempt(unconfined_t)
> +ubac_fd_exempt(unconfined_t)
> +
> init_run_daemon(unconfined_t, unconfined_r)
>
> libs_run_ldconfig(unconfined_t, unconfined_r)
> @@ -42,6 +46,7 @@ logging_run_auditctl(unconfined_t, unconfined_r)
>
> mount_run_unconfined(unconfined_t, unconfined_r)
>
> +seutil_run_runinit(unconfined_t, unconfined_r)
> seutil_run_setfiles(unconfined_t, unconfined_r)
> seutil_run_semanage(unconfined_t, unconfined_r)
>
> @@ -192,6 +197,8 @@ optional_policy(`
>
> optional_policy(`
> usermanage_run_admin_passwd(unconfined_t, unconfined_r)
> + usermanage_run_groupadd(unconfined_t, unconfined_r)
> + usermanage_run_useradd(unconfined_t, unconfined_r)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 2aa8928..5cb411a 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -3112,6 +3112,24 @@ interface(`userdom_create_all_users_keys',`
>
> ########################################
> ## <summary>
> +## Write and link keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_write_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key { search write link };
> +')
> +
> +########################################
> +## <summary>
> ## Send a dbus message to all user domains.
> ## </summary>
> ## <param name="domain">
> --
> 1.7.2.3
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101004/27150995/attachment-0001.bin