2011-01-19 00:40:30

by Guido Trentalancia

Subject: [refpolicy] RFC: patch to update git reference policy

Hello,

I have created a set of two patches to update the git reference policy
to run on a generic modern Linux system.

Most changes are relative to the dbus system (send_msg capability). Some
interfaces and a few file contexts have also been added for convenience.
In particular /sbin/upstart is now labelled correctly (many
distributions nowadays link /sbin/init to /sbin/upstart to leave some
choice, so it is necessary to label the latter appropriately).

Please send your comments and feel free to test intensively. Thanks.

Regards,

Guido

diff -pruN refpolicy-git-18012011/policy/modules/services/dbus.fc refpolicy-git-18012011-new/policy/modules/services/dbus.fc
--- refpolicy-git-18012011/policy/modules/services/dbus.fc 2011-01-08 19:07:21.238740722 +0100
+++ refpolicy-git-18012011-new/policy/modules/services/dbus.fc 2011-01-17 20:53:01.132703217 +0100
@@ -1,11 +1,24 @@
/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)

/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-cleanup-sockets -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-monitor -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-send -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-uuidgen -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-binding-tool -- gen_context(system_u:object_r:dbusd_exec_t,s0)

/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)

/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-cleanup-sockets -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-monitor -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-send -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-uuidgen -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-binding-tool -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)

/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
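Review bot: the six added client utilities (dbus-send, dbus-monitor, dbus-launch, dbus-uuidgen, dbus-binding-tool, dbus-cleanup-sockets) get dbusd_exec_t, the same type as /bin/dbus-daemon itself, in both the /bin and /usr/bin blocks. Any rule keyed on dbusd_exec_t as an entrypoint would then apply to these tools as well, so a caller running dbus-send could end up in the daemon's domain rather than its own. Unless that is intended, leave the clients at their default label or give them a separate type, and say in the patch description which of them actually needs the daemon type.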
diff -pruN refpolicy-git-18012011/policy/modules/system/init.fc refpolicy-git-18012011-new/policy/modules/system/init.fc
--- refpolicy-git-18012011/policy/modules/system/init.fc 2011-01-08 19:07:21.350758412 +0100
+++ refpolicy-git-18012011-new/policy/modules/system/init.fc 2011-01-17 20:35:02.785918606 +0100
@@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
# /sbin
#
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+# because nowadays, /sbin/init is often a symlink to /sbin/upstart
+/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)

ifdef(`distro_gentoo', `
/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff -pruN -x .git refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te
--- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
@@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)

auth_dontaudit_read_shadow(readahead_t)

+init_read_fifo_file(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/corecommands.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if
--- refpolicy-git-18012011/policy/modules/kernel/corecommands.if 2011-01-08 19:07:21.197734248 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if 2011-01-18 23:13:49.755846822 +0100
@@ -808,6 +808,27 @@ interface(`corecmd_check_exec_shell',`

########################################
## <summary>
+## Allow mmap_file_perms on a shell
+## executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_mmap_file_exec_shell',`
+ gen_require(`
+ type bin_t, shell_exec_t;
+ ')
+
+ list_dirs_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ allow $1 shell_exec_t:file mmap_file_perms;
+')
+
+########################################
+## <summary>
## Execute shells in the caller domain.
## </summary>
## <desc>
diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if
--- refpolicy-git-18012011/policy/modules/kernel/files.if 2011-01-08 19:07:21.203735196 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if 2011-01-18 23:13:49.759847386 +0100
@@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',`

########################################
## <summary>
+## Set the attributes of the /bin directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_bin_dirs',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Search the content of /bin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_bin',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of files in /bin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ getattr_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Read generic files in /bin.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read generic
+## files in /bin. These files are various program
+## files that do not have more specific SELinux types.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_read_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir list_dir_perms;
+ read_files_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Execute generic programs in /bin in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir list_dir_perms;
+ exec_files_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Read symbolic links in /bin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_bin_symlinks',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
## Set the attributes of the /usr directory.
## </summary>
## <param name="domain">
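Review bot: the new files_*_bin_* interfaces all do gen_require on bin_t from files.if, while elsewhere in this same patch bin_t is reached through corecmd_ interfaces (the new corecmd_mmap_file_exec_shell in corecommands.if, and the existing corecmd_exec_bin call in devicekit.te). That gives two parallel interface families for one type. files_exec_bin_files looks like a duplicate of corecmd_exec_bin. I would drop this block and use or extend the corecmd_ interfaces. If some of these are kept, files_search_bin should say why it uses a bare allow while files_getattr_bin_files uses a pattern macro.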
@@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',`

########################################
## <summary>
-## Search the content of /etc.
+## Search the content of /usr.
## </summary>
## <param name="domain">
## <summary>
@@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',`
')

########################################
+## <summary>
+## Get the attributes of the /var/log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_var_log_dirs',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ getattr_dirs_pattern($1, var_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Search the /var/log directory.
+## </summary>
+## <desc>
+## <p>
+## Search the /var/log directory. This is
+## necessary to access files or directories under
+## /var/log that have a private type. For example, a
+## domain accessing a private log file in the
+## /var/log directory:
+## </p>
+## <p>
+## allow mydomain_t mylogfile_t:file read_file_perms;
+## files_search_var_log(mydomain_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_search_var_log',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ search_dirs_pattern($1, var_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## contents of /var/log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_dontaudit_search_var_log',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ dontaudit $1 var_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of the /var/log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_var_log',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ list_dirs_pattern($1, var_t, var_log_t)
+')
+
+###########################################
+## <summary>
+## Read-write /var/log directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_var_log_dirs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ rw_dirs_pattern($1, var_log_t, var_log_t)
+')
+
+###########################################
+## <summary>
+## Append to files in the /var/log directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_var_log_append',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ append_files_pattern($1, var_log_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Create objects in the /var/log directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+#
+interface(`files_var_log_filetrans',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read generic files in /var/log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_var_log_files',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ allow $1 var_log_t:dir list_dir_perms;
+ read_files_pattern($1, { var_t var_log_t }, var_log_t)
+')
+
+########################################
+## <summary>
+## Read generic symbolic links in /var/log
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_var_log_symlinks',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t)
+')
+
+########################################
## <summary>
## Search the locks directory (/var/lock).
## </summary>
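Review bot: naming in this block is inconsistent. files_var_log_append and files_var_log_filetrans put the object before the verb, while the other new interfaces (files_search_var_log, files_list_var_log, files_read_var_log_files) put the verb first. Please pick one order. The separator lines above files_rw_var_log_dirs and files_var_log_append are also longer than the 40-character ones used everywhere else in the file. Separately, if var_log_t is declared by another module, these interfaces belong in that module's .if file rather than in files.if. files_read_var_log_files grants list_dir_perms on var_log_t in addition to read_files_pattern, which is more than the summary "Read generic files in /var/log" says.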
diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if
--- refpolicy-git-18012011/policy/modules/kernel/kernel.if 2011-01-17 19:36:10.808130722 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if 2011-01-18 23:13:49.763847950 +0100
@@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro

########################################
## <summary>
+## Allows to search the base
+## directory of sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_search_sysctl',`
+ gen_require(`
+ type sysctl_t;
+ ')
+
+ allow $1 sysctl_t:dir search;
+')
+
+########################################
+## <summary>
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
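Review bot: the documentation for kernel_search_sysctl was copied from the dontaudit interface below it and not updated. The param description still reads "Domain to not audit." although this is an allow interface, and there is a stray "##" line before the closing "#". The summary should read "Search the base directory of sysctls." Also, the rule uses a bare "search" permission where the new files_search_bin in this patch uses search_dir_perms. Please use the permission set here too.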
@@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',`
')

########################################
+## <summary>
+## Allow caller to search filesystem sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_search_fs_sysctl',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_fs_t;
+ ')
+
+ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
+')
+
+########################################
## <summary>
## Read filesystem sysctls.
## </summary>
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.if refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if
--- refpolicy-git-18012011/policy/modules/services/avahi.if 2011-01-08 19:07:21.224738512 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if 2011-01-18 23:38:58.297498219 +0100
@@ -75,6 +75,25 @@ interface(`avahi_signull',`

########################################
## <summary>
+## Send a dbus message to avahi.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_dbus_send',`
+ gen_require(`
+ type avahi_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 avahi_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## avahi over dbus.
## </summary>
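Review bot: avahi_dbus_send grants only "allow $1 avahi_t:dbus send_msg;" and sits directly above the existing send-and-receive interface, but nothing explains when a caller should prefer the one-way rule. The same one-way pattern is repeated in this patch for consolekit, devicekit, NetworkManager, ntp, setroubleshoot and xdm. Please state in the summary that only the caller-to-avahi direction is allowed, and give the denials that motivated these in the patch description, so it is clear that the existing chat interfaces were too broad rather than simply overlooked.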
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.te refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te
--- refpolicy-git-18012011/policy/modules/services/avahi.te 2011-01-08 19:07:21.224738512 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te 2011-01-19 01:20:50.132124585 +0100
@@ -104,9 +104,17 @@ optional_policy(`
')

optional_policy(`
+ ntp_dbus_send(avahi_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(avahi_t)
')

optional_policy(`
udev_read_db(avahi_t)
')
+
+optional_policy(`
+ xserver_xdm_dbus_send(avahi_t)
+')
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/consolekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if
--- refpolicy-git-18012011/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if 2011-01-18 23:13:49.767848514 +0100
@@ -20,6 +20,26 @@ interface(`consolekit_domtrans',`

########################################
## <summary>
+## Send a dbus message to
+## consolekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_dbus_send',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolekit_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## consolekit over dbus.
## </summary>
@@ -93,5 +113,6 @@ interface(`consolekit_read_pid_files',`
')

files_search_pids($1)
+ allow $1 consolekit_var_run_t:dir list_dir_perms;
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
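Review bot: adding "allow $1 consolekit_var_run_t:dir list_dir_perms;" inside consolekit_read_pid_files widens the interface for every existing caller, not just system_dbusd_t, and the interface name only promises reading pid files. If dbus really needs to list that directory, add a separate list interface and call it from dbus.te. Otherwise read_files_pattern on the next line should already cover the directory search needed to open a known file.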
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/dbus.te refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te
--- refpolicy-git-18012011/policy/modules/services/dbus.te 2011-01-08 19:07:21.238740722 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te 2011-01-18 23:13:49.790851763 +0100
@@ -52,7 +52,7 @@ ifdef(`enable_mls',`

# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
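Review bot: sys_ptrace is added to the system_dbusd_t capability set without a comment, although the two lines above it document why dac_override is there. This is a strong capability to hand to the system bus daemon, which already holds setuid, setgid and setpcap. Please include the AVC that prompted it. If the daemon keeps working with the denial in place, a dontaudit line next to the existing "dontaudit system_dbusd_t self:capability sys_tty_config;" would be the safer change.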
@@ -115,9 +115,14 @@ corecmd_read_bin_sockets(system_dbusd_t)
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)

+files_search_default(system_dbusd_t)
+files_read_default_files(system_dbusd_t)
files_read_etc_files(system_dbusd_t)
files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
+files_exec_bin_files(system_dbusd_t)
+files_exec_usr_files(system_dbusd_t)
+files_read_var_lib_files(system_dbusd_t)
+files_var_log_append(system_dbusd_t)

init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
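Review bot: files_read_usr_files(system_dbusd_t) is removed and replaced with files_exec_bin_files and files_exec_usr_files, which per the summary added in files.if execute programs "in the caller domain". Anything the bus daemon runs from /bin or /usr would therefore run as system_dbusd_t with the capabilities granted above. Please name the helper that is being executed and use a domain transition for it, and check whether read access to usr_t is still needed now that files_read_usr_files is gone. files_search_default and files_read_default_files usually point at a file that is missing a file context. Fixing the label is preferable to allowing the daemon to read default_t.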
@@ -141,6 +146,24 @@ optional_policy(`
')

optional_policy(`
+ consolekit_read_pid_files(system_dbusd_t)
+ consolekit_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
+ devicekit_dbus_send_disk(system_dbusd_t)
+ devicekit_dbus_send_power(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
+ ntp_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
@@ -154,6 +177,10 @@ optional_policy(`
udev_read_db(system_dbusd_t)
')

+optional_policy(`
+ xserver_xdm_dbus_chat(system_dbusd_t)
+')
+
########################################
#
# Unconfined access to this module
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if
--- refpolicy-git-18012011/policy/modules/services/devicekit.if 2011-01-08 19:07:21.240741038 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if 2011-01-18 23:13:49.791851900 +0100
@@ -39,6 +39,25 @@ interface(`devicekit_dgram_send',`

########################################
## <summary>
+## Send a dbus message to devicekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_send',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## devicekit over dbus.
## </summary>
@@ -60,6 +79,25 @@ interface(`devicekit_dbus_chat',`

########################################
## <summary>
+## Send a dbus message to devicekit disk.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_send_disk',`
+ gen_require(`
+ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_disk_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## devicekit disk over dbus.
## </summary>
@@ -99,6 +137,25 @@ interface(`devicekit_signal_power',`

########################################
## <summary>
+## Send a dbus message to devicekit power.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_send_power',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## devicekit power over dbus.
## </summary>
@@ -183,3 +240,22 @@ interface(`devicekit_admin',`
admin_pattern($1, devicekit_var_run_t)
files_search_pids($1)
')
+
+########################################
+## <summary>
+## DeviceKit power getattr on APM
+## bios character device node files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_getattr_apm_bios_files_power',`
+ gen_require(`
+ type apm_bios_t;
+ ')
+
+ getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t)
+')
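Review bot: devicekit_getattr_apm_bios_files_power lives in devicekit.if but grants access to apm_bios_t, a device node type, and its only caller in this patch is devicekit_power_t in devicekit.te. An interface should be named for the module that owns the target type, not for the domain that happens to call it. The devicekit.te hunks already use dev_ interfaces for device access (dev_read_sysfs, dev_rw_sysfs), so this should be a dev_ interface in the devices module, or a call to an existing one if there is one.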
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.te refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te
--- refpolicy-git-18012011/policy/modules/services/devicekit.te 2011-01-08 19:07:21.241741196 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te 2011-01-18 23:13:49.792852039 +0100
@@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t)
dev_read_urand(devicekit_t)

files_read_etc_files(devicekit_t)
+files_read_etc_runtime_files(devicekit_t)

miscfiles_read_localization(devicekit_t)

@@ -178,6 +179,10 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')

+optional_policy(`
+ xserver_xdm_dbus_send(devicekit_disk_t)
+')
+
########################################
#
# DeviceKit-Power local policy
@@ -193,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)

+kernel_search_fs_sysctl(devicekit_power_t)
+kernel_rw_vm_sysctls(devicekit_power_t)
kernel_read_network_state(devicekit_power_t)
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
kernel_search_debugfs(devicekit_power_t)
kernel_write_proc_files(devicekit_power_t)
+kernel_setsched(devicekit_power_t)

corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
@@ -215,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t)

files_read_kernel_img(devicekit_power_t)
files_read_etc_files(devicekit_power_t)
+files_rw_etc_runtime_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)

fs_list_inotifyfs(devicekit_power_t)
+fs_remount_xattr_fs(devicekit_power_t)

term_use_all_terms(devicekit_power_t)

@@ -230,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power

userdom_read_all_users_state(devicekit_power_t)

+devicekit_getattr_apm_bios_files_power(devicekit_power_t)
+
+mount_exec_getattr(devicekit_power_t)
+mount_exec(devicekit_power_t)
+
optional_policy(`
bootloader_domtrans(devicekit_power_t)
')
@@ -276,9 +291,17 @@ optional_policy(`
')

optional_policy(`
+ storage_raw_read_fixed_disk(devicekit_power_t)
+')
+
+optional_policy(`
udev_read_db(devicekit_power_t)
')

optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
+
+optional_policy(`
+ xserver_xdm_dbus_send(devicekit_power_t)
+')
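Review bot: storage_raw_read_fixed_disk(devicekit_power_t) gives the power daemon raw read access to fixed disks, which sidesteps per-file labelling on every filesystem on those disks, and it is added with no comment. Please say which operation needs it and include the denial. If this is only a getattr or an ioctl on the block device, a narrower interface is the right fix. The optional_policy wrapper also looks unnecessary unless the storage module can be absent from a build.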
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/hal.te refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te
--- refpolicy-git-18012011/policy/modules/services/hal.te 2011-01-08 19:07:21.252742934 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te 2011-01-18 23:13:49.794852319 +0100
@@ -338,6 +338,10 @@ optional_policy(`
virt_manage_images(hald_t)
')

+optional_policy(`
+ xserver_xdm_dbus_send(hald_t)
+')
+
########################################
#
# Hal acl local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.if refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if
--- refpolicy-git-18012011/policy/modules/services/networkmanager.if 2011-01-08 19:07:21.269745618 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if 2011-01-18 23:13:49.795852460 +0100
@@ -116,6 +116,25 @@ interface(`networkmanager_initrc_domtran

########################################
## <summary>
+## Send a dbus message to NetworkManager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dbus_send',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 NetworkManager_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## NetworkManager over dbus.
## </summary>
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.te refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te
--- refpolicy-git-18012011/policy/modules/services/networkmanager.te 2011-01-08 19:07:21.269745618 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te 2011-01-18 23:13:49.796852601 +0100
@@ -140,6 +140,7 @@ seutil_read_config(NetworkManager_t)
sysnet_domtrans_ifconfig(NetworkManager_t)
sysnet_domtrans_dhcpc(NetworkManager_t)
sysnet_signal_dhcpc(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_read_dhcpc_pid(NetworkManager_t)
sysnet_delete_dhcpc_pid(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@@ -265,6 +266,10 @@ optional_policy(`
vpn_signull(NetworkManager_t)
')

+optional_policy(`
+ xserver_xdm_dbus_send(NetworkManager_t)
+')
+
########################################
#
# wpa_cli local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.if refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if
--- refpolicy-git-18012011/policy/modules/services/ntp.if 2011-01-08 19:07:21.272746092 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if 2011-01-18 23:13:49.798852883 +0100
@@ -163,3 +163,62 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
')
+
+########################################
+## <summary>
+## Send a dbus message to ntpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_dbus_send',`
+ gen_require(`
+ type ntpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ntpd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## ntpd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_dbus_chat',`
+ gen_require(`
+ type ntpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ntpd_t:dbus send_msg;
+ allow ntpd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to dbus using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_dbus_stream_connect',`
+ gen_require(`
+ type system_dbusd_t, system_dbusd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+')
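Review bot: ntp_dbus_stream_connect is defined in ntp.if but requires only system_dbusd_t and system_dbusd_var_run_t, which are dbus module types, and it never references an ntp type. Its sole caller in this patch is ntpd_t itself, in ntp.te. A module should not export an interface for connecting to another module's socket. Call the dbus module's own connect interface from ntp.te inside the optional_policy block instead, and drop this one. ntp_dbus_send and ntp_dbus_chat above it are fine in this file.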
Binary files refpolicy-git-18012011/policy/modules/services/.ntp.if.swp and refpolicy-git-18012011-minimum-update/policy/modules/services/.ntp.if.swp differ
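Review bot: the diff picked up an editor swap file, .ntp.if.swp, from both trees. Please regenerate the patch from a clean checkout, or add an exclude for "*.swp" next to the existing "-x .git", so that the submission contains only policy sources.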
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.te refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te
--- refpolicy-git-18012011/policy/modules/services/ntp.te 2011-01-08 19:07:21.272746092 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te 2011-01-18 23:40:27.459838030 +0100
@@ -125,11 +125,19 @@ userdom_dontaudit_use_unpriv_user_fds(nt
userdom_list_user_home_dirs(ntpd_t)

optional_policy(`
+ avahi_dbus_send(ntpd_t)
+')
+
+optional_policy(`
# for cron jobs
cron_system_entry(ntpd_t, ntpdate_exec_t)
')

optional_policy(`
+ ntp_dbus_stream_connect(ntpd_t)
+')
+
+optional_policy(`
gpsd_rw_shm(ntpd_t)
')

diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/plymouthd.te refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te
--- refpolicy-git-18012011/policy/modules/services/plymouthd.te 2011-01-08 19:07:21.280747356 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te 2011-01-18 23:13:49.800853165 +0100
@@ -29,7 +29,7 @@ files_pid_file(plymouthd_var_run_t)

allow plymouthd_t self:capability { sys_admin sys_tty_config };
dontaudit plymouthd_t self:capability dac_override;
-allow plymouthd_t self:process signal;
+allow plymouthd_t self:process { signal getsched };
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;

diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.if refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if
--- refpolicy-git-18012011/policy/modules/services/setroubleshoot.if 2011-01-08 19:07:21.304751146 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if 2011-01-18 23:13:49.801853306 +0100
@@ -42,6 +42,26 @@ interface(`setroubleshoot_dontaudit_stre

########################################
## <summary>
+## Send a dbus message to
+## setroubleshoot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_send',`
+ gen_require(`
+ type setroubleshootd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshootd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## setroubleshoot over dbus.
## </summary>
@@ -84,8 +104,28 @@ interface(`setroubleshoot_dontaudit_dbus

########################################
## <summary>
+## Send a dbus message to
+## setroubleshoot fixit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_send_fixit',`
+ gen_require(`
+ type setroubleshoot_fixit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshoot_fixit_t:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
-## setroubleshoot over dbus.
+## setroubleshoot fixit over dbus.
## </summary>
## <param name="domain">
## <summary>
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.te refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te
--- refpolicy-git-18012011/policy/modules/services/setroubleshoot.te 2011-01-08 19:07:21.305751304 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te 2011-01-18 23:13:49.802853447 +0100
@@ -125,12 +125,24 @@ optional_policy(`
')

optional_policy(`
+ locate_read_lib_files(setroubleshootd_t)
+')
+
+optional_policy(`
+ logging_dbus_send_dispatcher(setroubleshootd_t)
+')
+
+optional_policy(`
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
')

+optional_policy(`
+ xserver_xdm_dbus_send(setroubleshootd_t)
+')
+
########################################
#
# setroubleshoot_fixit local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/smartmon.te refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te
--- refpolicy-git-18012011/policy/modules/services/smartmon.te 2011-01-08 19:07:21.326754622 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te 2011-01-18 23:13:49.803853588 +0100
@@ -73,6 +73,8 @@ files_read_etc_runtime_files(fsdaemon_t)
# for config
files_read_etc_files(fsdaemon_t)

+files_read_usr_files(fsdaemon_t)
+
fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)

diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.if refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if
--- refpolicy-git-18012011/policy/modules/services/xserver.if 2011-01-08 19:07:21.344757464 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if 2011-01-18 23:13:49.804853729 +0100
@@ -1250,3 +1250,43 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Send a dbus message to xdm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_dbus_send',`
+ gen_require(`
+ type xdm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 xdm_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## xdm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_dbus_chat',`
+ gen_require(`
+ type xdm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 xdm_t:dbus send_msg;
+ allow xdm_t $1:dbus send_msg;
+')
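
Review bot: xserver_xdm_dbus_send is a strict subset of xserver_xdm_dbus_chat, added right below it; the line "allow $1 xdm_t:dbus send_msg;" appears in both. The summaries should state when a caller wants the one-way form, since that rule does not cover messages going back from xdm to the caller. Without that guidance callers will choose between the two arbitrarily.
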
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.te refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te
--- refpolicy-git-18012011/policy/modules/services/xserver.te 2011-01-08 19:07:21.344757464 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te 2011-01-18 23:13:49.806854011 +0100
@@ -508,6 +508,10 @@ optional_policy(`
')

optional_policy(`
+ avahi_dbus_send(xdm_t)
+')
+
+optional_policy(`
consolekit_dbus_chat(xdm_t)
')

@@ -516,12 +520,21 @@ optional_policy(`
')

optional_policy(`
+ devicekit_dbus_send_disk(xdm_t)
+ devicekit_dbus_send_power(xdm_t)
+')
+
+optional_policy(`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
')

optional_policy(`
+ hal_dbus_send(xdm_t)
+')
+
+optional_policy(`
hostname_exec(xdm_t)
')

@@ -539,10 +552,18 @@ optional_policy(`
')

optional_policy(`
+ networkmanager_dbus_send(xdm_t)
+')
+
+optional_policy(`
resmgr_stream_connect(xdm_t)
')

optional_policy(`
+ setroubleshoot_dbus_send(xdm_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(xdm_t)
')

diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/authlogin.te refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te
--- refpolicy-git-18012011/policy/modules/system/authlogin.te 2011-01-08 19:07:21.347757938 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te 2011-01-18 23:13:49.808854293 +0100
@@ -91,6 +91,8 @@ files_list_etc(chkpwd_t)
# is_selinux_enabled
kernel_read_system_state(chkpwd_t)

+kernel_search_sysctl(chkpwd_t)
+
domain_dontaudit_use_interactive_fds(chkpwd_t)

dev_read_rand(chkpwd_t)
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-minimum-update/policy/modules/system/init.if
--- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/init.if 2011-01-18 23:13:49.809854434 +0100
@@ -947,6 +947,24 @@ interface(`init_read_state',`

########################################
## <summary>
+## Read init fifo file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_fifo_file',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ read_fifo_files_pattern($1, init_t, init_t)
+')
+
+########################################
+## <summary>
## Ptrace init
## </summary>
## <param name="domain">
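
Review bot: in init_read_fifo_file the gen_require block declares "attribute init_t;", but init_t is a type and is used as one in "read_fifo_files_pattern($1, init_t, init_t)"; the requirement should read "type init_t;". The summary ("Read init fifo file.") and the interface name are singular although the pattern grants read on every fifo labelled init_t, so the plural form would describe the access more accurately.
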
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if
--- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if 2011-01-18 23:13:49.812854857 +0100
@@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat

########################################
## <summary>
+## Send a dbus message to the audit
+## dispatcher.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_dbus_send_dispatcher',`
+ gen_require(`
+ type audisp_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 audisp_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## the audit dispatcher over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_dbus_chat_dispatcher',`
+ gen_require(`
+ type audisp_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 audisp_t:dbus send_msg;
+ allow audisp_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Manage the auditd configuration files.
## </summary>
## <param name="domain">
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te
--- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te 2011-01-18 23:13:49.813854998 +0100
@@ -223,6 +223,8 @@ allow audisp_t self:unix_dgram_socket cr

allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;

+allow audisp_t proc_t:file read_file_perms;
+
manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)

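Review bot: "allow audisp_t proc_t:file read_file_perms;" names proc_t directly from the logging module. proc_t is not a logging type, so this access should go through a kernel_* interface, as authlogin.te does for chkpwd_t with kernel_read_system_state, and it should carry a comment saying which /proc file the dispatcher reads.
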
@@ -246,6 +248,10 @@ optional_policy(`
dbus_system_bus_client(audisp_t)
')

+optional_policy(`
+ setroubleshoot_dbus_send(audisp_t)
+')
+
########################################
#
# Audit remote logger local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.if refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if
--- refpolicy-git-18012011/policy/modules/system/mount.if 2011-01-08 19:07:21.358759676 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if 2011-01-18 23:13:49.814855139 +0100
@@ -51,6 +51,25 @@ interface(`mount_run',`

########################################
## <summary>
+## Get the attributes of mount
+## executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_exec_getattr',`
+ gen_require(`
+ type mount_exec_t;
+ ')
+
+ allow $1 mount_exec_t:file getattr;
+')
+
+########################################
+## <summary>
## Execute mount in the caller domain.
## </summary>
## <param name="domain">
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.te refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te
--- refpolicy-git-18012011/policy/modules/system/mount.te 2011-01-17 19:36:10.814131755 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te 2011-01-19 01:01:20.531005215 +0100
@@ -51,12 +51,17 @@ kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
+kernel_setsched(mount_t)
# To load binfmt_misc kernel module
kernel_request_load_module(mount_t)

# required for mount.smbfs
corecmd_exec_bin(mount_t)

+# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
+# from initscripts
+corecmd_mmap_file_exec_shell(mount_t)
+
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_read_sysfs(mount_t)
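
Review bot: kernel_setsched(mount_t) is added with no comment, unlike the commented lines around it; please say what in mount needs to change scheduling parameters. The new comment above corecmd_mmap_file_exec_shell(mount_t) explains when the rule is hit (the initscripts mount invocation) but not why mount_t has to map a shell executable when corecmd_exec_bin(mount_t) is already present two lines up.
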
@@ -108,6 +113,8 @@ storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
+# needed for example by ntfs-3g
+storage_rw_fuse(mount_t)

term_use_all_terms(mount_t)

diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.if refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if
--- refpolicy-git-18012011/policy/modules/system/sysnetwork.if 2011-01-08 19:07:21.362760308 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if 2011-01-18 23:13:49.817855562 +0100
@@ -215,6 +215,24 @@ interface(`sysnet_rw_dhcp_config',`

########################################
## <summary>
+## Search dhcp client state directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_search_dhcpc_state',`
+ gen_require(`
+ type dhcpc_state_t;
+ ')
+
+ search_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
+')
+
+########################################
+## <summary>
## Read dhcp client state files.
## </summary>
## <param name="domain">
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.te refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te
--- refpolicy-git-18012011/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te 2011-01-18 23:13:49.818855703 +0100
@@ -325,6 +325,7 @@ ifdef(`hide_broken_symptoms',`
')

optional_policy(`
+ hal_read_pid_files(ifconfig_t)
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
')



2011-01-20 13:18:31

by cpebenito

Subject: [refpolicy] RFC: patch to update git reference policy

On 01/18/11 19:40, Guido Trentalancia wrote:
> Hello,
>
> I have created a set of two patches to update the git reference policy
> to run on a generic modern Linux system.
>
> Most changes are relative to the dbus system (send_msg capability). Some
> interfaces and a few file contexts have also been added for convenience.
> In particular /sbin/upstart is now labelled correctly (many
> distributions nowadays link /sbin/init to /sbin/upstart to leave some
> choice, so it is necessary to label the latter appropriately).
>
> Please send your comments and feel free to test intensively. Thanks.

There are too many changes in this patch and the other. Can you
resubmit, breaking each logically separate change into a different patch?

> diff -pruN refpolicy-git-18012011/policy/modules/services/dbus.fc refpolicy-git-18012011-new/policy/modules/services/dbus.fc
> --- refpolicy-git-18012011/policy/modules/services/dbus.fc 2011-01-08 19:07:21.238740722 +0100
> +++ refpolicy-git-18012011-new/policy/modules/services/dbus.fc 2011-01-17 20:53:01.132703217 +0100
> @@ -1,11 +1,24 @@
> /etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
>
> /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-cleanup-sockets -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-monitor -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-send -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-uuidgen -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-binding-tool -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>
> /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> /lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>
> /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-cleanup-sockets -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-monitor -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-send -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-uuidgen -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-binding-tool -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +
> /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>
> /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
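
Review bot: the added entries label client utilities (dbus-send, dbus-monitor, dbus-launch, dbus-uuidgen, dbus-cleanup-sockets, dbus-binding-tool) with dbusd_exec_t, the same type as /bin/dbus-daemon. That type is the daemon's entry point, so any domain that has a transition on dbusd_exec_t would enter the bus daemon's domain when it runs dbus-send or dbus-monitor. Unless each of these is meant to run as the daemon, they should keep the generic label for /bin and /usr/bin or get a type of their own.
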
> diff -pruN refpolicy-git-18012011/policy/modules/system/init.fc refpolicy-git-18012011-new/policy/modules/system/init.fc
> --- refpolicy-git-18012011/policy/modules/system/init.fc 2011-01-08 19:07:21.350758412 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/init.fc 2011-01-17 20:35:02.785918606 +0100
> @@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
> # /sbin
> #
> /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> +# because nowadays, /sbin/init is often a symlink to /sbin/upstart
> +/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
>
> ifdef(`distro_gentoo', `
> /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te
> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>
> auth_dontaudit_read_shadow(readahead_t)
>
> +init_read_fifo_file(readahead_t)
> init_use_fds(readahead_t)
> init_use_script_ptys(readahead_t)
> init_getattr_initctl(readahead_t)
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/corecommands.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if
> --- refpolicy-git-18012011/policy/modules/kernel/corecommands.if 2011-01-08 19:07:21.197734248 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if 2011-01-18 23:13:49.755846822 +0100
> @@ -808,6 +808,27 @@ interface(`corecmd_check_exec_shell',`
>
> ########################################
> ## <summary>
> +## Allow mmap_file_perms on a shell
> +## executable.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`corecmd_mmap_file_exec_shell',`
> + gen_require(`
> + type bin_t, shell_exec_t;
> + ')
> +
> + list_dirs_pattern($1, bin_t, bin_t)
> + read_lnk_files_pattern($1, bin_t, bin_t)
> + allow $1 shell_exec_t:file mmap_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Execute shells in the caller domain.
> ## </summary>
> ## <desc>
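
Review bot: the summary of corecmd_mmap_file_exec_shell ("Allow mmap_file_perms on a shell executable.") restates the permission set instead of the operation, and it does not mention that the interface also grants directory listing and symlink reads on bin_t. Please describe what the caller can do with it and how it differs from corecmd_check_exec_shell above and the "Execute shells in the caller domain" interface below, so callers can tell which of the three to use.
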
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if
> --- refpolicy-git-18012011/policy/modules/kernel/files.if 2011-01-08 19:07:21.203735196 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if 2011-01-18 23:13:49.759847386 +0100
> @@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',`
>
> ########################################
> ## <summary>
> +## Set the attributes of the /bin directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_setattr_bin_dirs',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir setattr;
> +')
> +
> +########################################
> +## <summary>
> +## Search the content of /bin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_search_bin',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of files in /bin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_bin_files',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + getattr_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read generic files in /bin.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to read generic
> +## files in /bin. These files are various program
> +## files that do not have more specific SELinux types.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`files_read_bin_files',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir list_dir_perms;
> + read_files_pattern($1, bin_t, bin_t)
> + read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute generic programs in /bin in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_exec_bin_files',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir list_dir_perms;
> + exec_files_pattern($1, bin_t, bin_t)
> + read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read symbolic links in /bin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_read_bin_symlinks',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> ## Set the attributes of the /usr directory.
> ## </summary>
> ## <param name="domain">
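
Review bot: every interface in this block requires bin_t from the files module, but bin_t is handled by corecommands (this patch's own corecmd_mmap_file_exec_shell requires it there), and other hunks already call corecmd_exec_bin. Interfaces on bin_t belong in corecommands.if, and files_exec_bin_files looks like a second spelling of corecmd_exec_bin. Of the six interfaces added here, only files_exec_bin_files is called in the hunks shown in this message; the unused ones should be dropped until something needs them.
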
> @@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',`
>
> ########################################
> ## <summary>
> -## Search the content of /etc.
> +## Search the content of /usr.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',`
> ')
>
> ########################################
> +## <summary>
> +## Get the attributes of the /var/log directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_var_log_dirs',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + getattr_dirs_pattern($1, var_t, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Search the /var/log directory.
> +## </summary>
> +## <desc>
> +## <p>
> +## Search the /var/log directory. This is
> +## necessary to access files or directories under
> +## /var/log that have a private type. For example, a
> +## domain accessing a private log file in the
> +## /var/log directory:
> +## </p>
> +## <p>
> +## allow mydomain_t mylogfile_t:file read_file_perms;
> +## files_search_var_log(mydomain_t)
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_search_var_log',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + search_dirs_pattern($1, var_t, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to search the
> +## contents of /var/log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_dontaudit_search_var_log',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + dontaudit $1 var_log_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## List the contents of the /var/log directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_list_var_log',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + list_dirs_pattern($1, var_t, var_log_t)
> +')
> +
> +###########################################
> +## <summary>
> +## Read-write /var/log directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_rw_var_log_dirs',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + rw_dirs_pattern($1, var_log_t, var_log_t)
> +')
> +
> +###########################################
> +## <summary>
> +## Append to files in the /var/log directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_var_log_append',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + append_files_pattern($1, var_log_t, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the /var/log directory
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="file_type">
> +## <summary>
> +## The type of the object to be created
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The object class.
> +## </summary>
> +## </param>
> +#
> +interface(`files_var_log_filetrans',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + allow $1 var_t:dir search_dir_perms;
> + filetrans_pattern($1, var_log_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +## Read generic files in /var/log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_read_var_log_files',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + allow $1 var_log_t:dir list_dir_perms;
> + read_files_pattern($1, { var_t var_log_t }, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read generic symbolic links in /var/log
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_read_var_log_symlinks',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t)
> +')
> +
> +########################################
> ## <summary>
> ## Search the locks directory (/var/lock).
> ## </summary>
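
Review bot: these interfaces place var_log_t rules in the files module, while var_log_t is declared by the logging module; they should live in logging.if or, where an equivalent already exists there, be replaced by it. Naming is also inconsistent inside the block: files_var_log_append and files_var_log_filetrans put the object first while the others put the verb first (files_read_var_log_files), and two of the banners use a longer row of "#" than the rest. Only files_var_log_append is called in the hunks shown in this message (from dbus.te).
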
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if
> --- refpolicy-git-18012011/policy/modules/kernel/kernel.if 2011-01-17 19:36:10.808130722 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if 2011-01-18 23:13:49.763847950 +0100
> @@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro
>
> ########################################
> ## <summary>
> +## Allows to search the base
> +## directory of sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +##
> +#
> +interface(`kernel_search_sysctl',`
> + gen_require(`
> + type sysctl_t;
> + ')
> +
> + allow $1 sysctl_t:dir search;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts by caller to search
> ## the base directory of sysctls.
> ## </summary>
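
Review bot: in kernel_search_sysctl the parameter summary says "Domain to not audit.", which was copied from a dontaudit interface; this one is an allow rule and should read "Domain allowed access." There is also a stray "##" line between </param> and the closing "#", and "allow $1 sysctl_t:dir search;" uses the bare permission where the other directory rules in this patch use search_dir_perms.
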
> @@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',`
> ')
>
> ########################################
> +## <summary>
> +## Allow caller to search filesystem sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_search_fs_sysctl',`
> + gen_require(`
> + type proc_t, sysctl_t, sysctl_fs_t;
> + ')
> +
> + search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
> +')
> +
> +########################################
> ## <summary>
> ## Read filesystem sysctls.
> ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.if refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if
> --- refpolicy-git-18012011/policy/modules/services/avahi.if 2011-01-08 19:07:21.224738512 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if 2011-01-18 23:38:58.297498219 +0100
> @@ -75,6 +75,25 @@ interface(`avahi_signull',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to avahi.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`avahi_dbus_send',`
> + gen_require(`
> + type avahi_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 avahi_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## avahi over dbus.
> ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.te refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te
> --- refpolicy-git-18012011/policy/modules/services/avahi.te 2011-01-08 19:07:21.224738512 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te 2011-01-19 01:20:50.132124585 +0100
> @@ -104,9 +104,17 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ntp_dbus_send(avahi_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(avahi_t)
> ')
>
> optional_policy(`
> udev_read_db(avahi_t)
> ')
> +
> +optional_policy(`
> + xserver_xdm_dbus_send(avahi_t)
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/consolekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if
> --- refpolicy-git-18012011/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if 2011-01-18 23:13:49.767848514 +0100
> @@ -20,6 +20,26 @@ interface(`consolekit_domtrans',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to
> +## consolekit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`consolekit_dbus_send',`
> + gen_require(`
> + type consolekit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 consolekit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## consolekit over dbus.
> ## </summary>
> @@ -93,5 +113,6 @@ interface(`consolekit_read_pid_files',`
> ')
>
> files_search_pids($1)
> + allow $1 consolekit_var_run_t:dir list_dir_perms;
> read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
> ')
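
Review bot: adding "allow $1 consolekit_var_run_t:dir list_dir_perms;" inside consolekit_read_pid_files widens the interface for every existing caller, not only for system_dbusd_t, which this patch adds as a caller in dbus.te. If only the bus daemon needs to list the directory, a separate list interface leaves the other callers unchanged; otherwise the description should say which denial showed that read_files_pattern alone was insufficient.
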
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/dbus.te refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te
> --- refpolicy-git-18012011/policy/modules/services/dbus.te 2011-01-08 19:07:21.238740722 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te 2011-01-18 23:13:49.790851763 +0100
> @@ -52,7 +52,7 @@ ifdef(`enable_mls',`
>
> # dac_override: /var/run/dbus is owned by messagebus on Debian
> # cjp: dac_override should probably go in a distro_debian
> -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
> +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
> dontaudit system_dbusd_t self:capability sys_tty_config;
> allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
> allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
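
Review bot: sys_ptrace is added to the capability set of system_dbusd_t with no comment, directly under two comments that justify dac_override. This is a powerful capability for a daemon that most system services talk to, so the patch should state which operation produced the denial. If the daemon works without it (such denials often come from reading another process's /proc entries), a dontaudit rule is the safer change.
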
> @@ -115,9 +115,14 @@ corecmd_read_bin_sockets(system_dbusd_t)
> domain_use_interactive_fds(system_dbusd_t)
> domain_read_all_domains_state(system_dbusd_t)
>
> +files_search_default(system_dbusd_t)
> +files_read_default_files(system_dbusd_t)
> files_read_etc_files(system_dbusd_t)
> files_list_home(system_dbusd_t)
> -files_read_usr_files(system_dbusd_t)
> +files_exec_bin_files(system_dbusd_t)
> +files_exec_usr_files(system_dbusd_t)
> +files_read_var_lib_files(system_dbusd_t)
> +files_var_log_append(system_dbusd_t)
>
> init_use_fds(system_dbusd_t)
> init_use_script_ptys(system_dbusd_t)
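
Review bot: files_exec_bin_files(system_dbusd_t) and files_exec_usr_files(system_dbusd_t) let the bus daemon execute generic programs from /bin and /usr in its own domain, so whatever it starts keeps the access of system_dbusd_t, including the sys_ptrace capability added in the previous hunk. Programs launched by the bus should get a domain transition to their own type instead. files_search_default and files_read_default_files grant access to default_t, which usually points to a file that needs relabelling rather than a rule; please say which path triggered them. The removal of files_read_usr_files(system_dbusd_t) is also not explained.
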
> @@ -141,6 +146,24 @@ optional_policy(`
> ')
>
> optional_policy(`
> + consolekit_read_pid_files(system_dbusd_t)
> + consolekit_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + devicekit_dbus_send_disk(system_dbusd_t)
> + devicekit_dbus_send_power(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + networkmanager_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + ntp_dbus_chat(system_dbusd_t)
> +')
> +
> +optional_policy(`
> policykit_dbus_chat(system_dbusd_t)
> policykit_domtrans_auth(system_dbusd_t)
> policykit_search_lib(system_dbusd_t)
> @@ -154,6 +177,10 @@ optional_policy(`
> udev_read_db(system_dbusd_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_chat(system_dbusd_t)
> +')
> +
> ########################################
> #
> # Unconfined access to this module
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if
> --- refpolicy-git-18012011/policy/modules/services/devicekit.if 2011-01-08 19:07:21.240741038 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if 2011-01-18 23:13:49.791851900 +0100
> @@ -39,6 +39,25 @@ interface(`devicekit_dgram_send',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to devicekit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send',`
> + gen_require(`
> + type devicekit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## devicekit over dbus.
> ## </summary>
> @@ -60,6 +79,25 @@ interface(`devicekit_dbus_chat',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to devicekit disk.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send_disk',`
> + gen_require(`
> + type devicekit_disk_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_disk_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## devicekit disk over dbus.
> ## </summary>
> @@ -99,6 +137,25 @@ interface(`devicekit_signal_power',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to devicekit power.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send_power',`
> + gen_require(`
> + type devicekit_power_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_power_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## devicekit power over dbus.
> ## </summary>
> @@ -183,3 +240,22 @@ interface(`devicekit_admin',`
> admin_pattern($1, devicekit_var_run_t)
> files_search_pids($1)
> ')
> +
> +########################################
> +## <summary>
> +## DeviceKit power getattr on APM
> +## bios character device node files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_getattr_apm_bios_files_power',`
> + gen_require(`
> + type apm_bios_t;
> + ')
> +
> + getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t)
> +')
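
Review bot: devicekit_getattr_apm_bios_files_power is defined in devicekit.if but requires apm_bios_t, a device node type that the devicekit module does not declare, and its only caller in the hunks shown here is devicekit_power_t itself. An interface should expose its own module's types to other modules; devicekit.te should instead call an interface from the module that declares apm_bios_t. The summary also names the caller ("DeviceKit power getattr on APM bios ...") rather than the access granted.
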
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.te refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te
> --- refpolicy-git-18012011/policy/modules/services/devicekit.te 2011-01-08 19:07:21.241741196 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te 2011-01-18 23:13:49.792852039 +0100
> @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t)
> dev_read_urand(devicekit_t)
>
> files_read_etc_files(devicekit_t)
> +files_read_etc_runtime_files(devicekit_t)
>
> miscfiles_read_localization(devicekit_t)
>
> @@ -178,6 +179,10 @@ optional_policy(`
> virt_manage_images(devicekit_disk_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(devicekit_disk_t)
> +')
> +
> ########################################
> #
> # DeviceKit-Power local policy
> @@ -193,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d
> manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
> files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
>
> +kernel_search_fs_sysctl(devicekit_power_t)
> +kernel_rw_vm_sysctls(devicekit_power_t)
> kernel_read_network_state(devicekit_power_t)
> kernel_read_system_state(devicekit_power_t)
> kernel_rw_hotplug_sysctls(devicekit_power_t)
> kernel_rw_kernel_sysctl(devicekit_power_t)
> kernel_search_debugfs(devicekit_power_t)
> kernel_write_proc_files(devicekit_power_t)
> +kernel_setsched(devicekit_power_t)
>
> corecmd_exec_bin(devicekit_power_t)
> corecmd_exec_shell(devicekit_power_t)
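
Review bot: kernel_rw_vm_sysctls(devicekit_power_t) and kernel_setsched(devicekit_power_t) are added without a comment, and the posting quotes no denial for either; both are modifying access, given to a domain that the context lines show can already execute shells and generic binaries. Please add a one-line comment per call naming the operation that needs it, and check whether read access to the vm sysctls would be enough.
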
> @@ -215,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t)
>
> files_read_kernel_img(devicekit_power_t)
> files_read_etc_files(devicekit_power_t)
> +files_rw_etc_runtime_files(devicekit_power_t)
> files_read_usr_files(devicekit_power_t)
>
> fs_list_inotifyfs(devicekit_power_t)
> +fs_remount_xattr_fs(devicekit_power_t)
>
> term_use_all_terms(devicekit_power_t)
>
> @@ -230,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power
>
> userdom_read_all_users_state(devicekit_power_t)
>
> +devicekit_getattr_apm_bios_files_power(devicekit_power_t)
> +
> +mount_exec_getattr(devicekit_power_t)
> +mount_exec(devicekit_power_t)
> +
> optional_policy(`
> bootloader_domtrans(devicekit_power_t)
> ')
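
Review bot: mount_exec(devicekit_power_t) runs mount inside devicekit_power_t instead of transitioning to the mount domain, so every permission mount needs has to be granted to devicekit_power_t itself; the fs_remount_xattr_fs and storage_raw_read_fixed_disk additions elsewhere in this file look like the start of that. Prefer a domain transition to mount_t, and then check whether the separate mount_exec_getattr line is still needed.
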
> @@ -276,9 +291,17 @@ optional_policy(`
> ')
>
> optional_policy(`
> + storage_raw_read_fixed_disk(devicekit_power_t)
> +')
> +
> +optional_policy(`
> udev_read_db(devicekit_power_t)
> ')
>
> optional_policy(`
> vbetool_domtrans(devicekit_power_t)
> ')
> +
> +optional_policy(`
> + xserver_xdm_dbus_send(devicekit_power_t)
> +')
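
Review bot: storage_raw_read_fixed_disk(devicekit_power_t), in the new optional_policy block ahead of the udev one, lets the power daemon read fixed disks at the block-device level, underneath whatever file labels exist on the file systems they hold. That is a lot to grant without a stated reason; please say which operation fails without it and whether getattr on the device nodes would do.
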
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/hal.te refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te
> --- refpolicy-git-18012011/policy/modules/services/hal.te 2011-01-08 19:07:21.252742934 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te 2011-01-18 23:13:49.794852319 +0100
> @@ -338,6 +338,10 @@ optional_policy(`
> virt_manage_images(hald_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(hald_t)
> +')
> +
> ########################################
> #
> # Hal acl local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.if refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if
> --- refpolicy-git-18012011/policy/modules/services/networkmanager.if 2011-01-08 19:07:21.269745618 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if 2011-01-18 23:13:49.795852460 +0100
> @@ -116,6 +116,25 @@ interface(`networkmanager_initrc_domtran
>
> ########################################
> ## <summary>
> +## Send a dbus message to NetworkManager.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`networkmanager_dbus_send',`
> + gen_require(`
> + type NetworkManager_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 NetworkManager_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## NetworkManager over dbus.
> ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.te refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te
> --- refpolicy-git-18012011/policy/modules/services/networkmanager.te 2011-01-08 19:07:21.269745618 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te 2011-01-18 23:13:49.796852601 +0100
> @@ -140,6 +140,7 @@ seutil_read_config(NetworkManager_t)
> sysnet_domtrans_ifconfig(NetworkManager_t)
> sysnet_domtrans_dhcpc(NetworkManager_t)
> sysnet_signal_dhcpc(NetworkManager_t)
> +sysnet_read_dhcpc_state(NetworkManager_t)
> sysnet_read_dhcpc_pid(NetworkManager_t)
> sysnet_delete_dhcpc_pid(NetworkManager_t)
> sysnet_search_dhcp_state(NetworkManager_t)
> @@ -265,6 +266,10 @@ optional_policy(`
> vpn_signull(NetworkManager_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(NetworkManager_t)
> +')
> +
> ########################################
> #
> # wpa_cli local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.if refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if
> --- refpolicy-git-18012011/policy/modules/services/ntp.if 2011-01-08 19:07:21.272746092 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if 2011-01-18 23:13:49.798852883 +0100
> @@ -163,3 +163,62 @@ interface(`ntp_admin',`
> files_list_pids($1)
> admin_pattern($1, ntpd_var_run_t)
> ')
> +
> +########################################
> +## <summary>
> +## Send a dbus message to ntpd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_send',`
> + gen_require(`
> + type ntpd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 ntpd_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## ntpd over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_chat',`
> + gen_require(`
> + type ntpd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 ntpd_t:dbus send_msg;
> + allow ntpd_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Connect to dbus using a unix domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_stream_connect',`
> + gen_require(`
> + type system_dbusd_t, system_dbusd_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
> +')
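
Review bot: ntp_dbus_stream_connect, the last interface added to ntp.if, requires `type system_dbusd_t, system_dbusd_var_run_t;` and grants a stream connect to the system bus, so it exposes dbus types from the ntp module and says nothing about ntpd. Its only caller shown is ntp_dbus_stream_connect(ntpd_t) in ntp.te, that is, the module calling its own interface. This access belongs to the dbus module; logging.te, in unchanged context of this patch, attaches audisp_t to the bus with dbus_system_bus_client(audisp_t), which is the kind of call ntp.te should make instead.
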
> Binary files refpolicy-git-18012011/policy/modules/services/.ntp.if.swp and refpolicy-git-18012011-minimum-update/policy/modules/services/.ntp.if.swp differ
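
Review bot: the "Binary files ... .ntp.if.swp ... differ" line shows the diff was taken while ntp.if was open in an editor, so the tree it was generated from was not clean. Please regenerate the patch after closing the editor, or exclude swap files the same way .git is excluded with -x.
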
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.te refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te
> --- refpolicy-git-18012011/policy/modules/services/ntp.te 2011-01-08 19:07:21.272746092 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te 2011-01-18 23:40:27.459838030 +0100
> @@ -125,11 +125,19 @@ userdom_dontaudit_use_unpriv_user_fds(nt
> userdom_list_user_home_dirs(ntpd_t)
>
> optional_policy(`
> + avahi_dbus_send(ntpd_t)
> +')
> +
> +optional_policy(`
> # for cron jobs
> cron_system_entry(ntpd_t, ntpdate_exec_t)
> ')
>
> optional_policy(`
> + ntp_dbus_stream_connect(ntpd_t)
> +')
> +
> +optional_policy(`
> gpsd_rw_shm(ntpd_t)
> ')
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/plymouthd.te refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te
> --- refpolicy-git-18012011/policy/modules/services/plymouthd.te 2011-01-08 19:07:21.280747356 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te 2011-01-18 23:13:49.800853165 +0100
> @@ -29,7 +29,7 @@ files_pid_file(plymouthd_var_run_t)
>
> allow plymouthd_t self:capability { sys_admin sys_tty_config };
> dontaudit plymouthd_t self:capability dac_override;
> -allow plymouthd_t self:process signal;
> +allow plymouthd_t self:process { signal getsched };
> allow plymouthd_t self:fifo_file rw_fifo_file_perms;
> allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.if refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if
> --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.if 2011-01-08 19:07:21.304751146 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if 2011-01-18 23:13:49.801853306 +0100
> @@ -42,6 +42,26 @@ interface(`setroubleshoot_dontaudit_stre
>
> ########################################
> ## <summary>
> +## Send a dbus message to
> +## setroubleshoot.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`setroubleshoot_dbus_send',`
> + gen_require(`
> + type setroubleshootd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 setroubleshootd_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## setroubleshoot over dbus.
> ## </summary>
> @@ -84,8 +104,28 @@ interface(`setroubleshoot_dontaudit_dbus
>
> ########################################
> ## <summary>
> +## Send a dbus message to
> +## setroubleshoot fixit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`setroubleshoot_dbus_send_fixit',`
> + gen_require(`
> + type setroubleshoot_fixit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 setroubleshoot_fixit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> -## setroubleshoot over dbus.
> +## setroubleshoot fixit over dbus.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.te refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te
> --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.te 2011-01-08 19:07:21.305751304 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te 2011-01-18 23:13:49.802853447 +0100
> @@ -125,12 +125,24 @@ optional_policy(`
> ')
>
> optional_policy(`
> + locate_read_lib_files(setroubleshootd_t)
> +')
> +
> +optional_policy(`
> + logging_dbus_send_dispatcher(setroubleshootd_t)
> +')
> +
> +optional_policy(`
> rpm_signull(setroubleshootd_t)
> rpm_read_db(setroubleshootd_t)
> rpm_dontaudit_manage_db(setroubleshootd_t)
> rpm_use_script_fds(setroubleshootd_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(setroubleshootd_t)
> +')
> +
> ########################################
> #
> # setroubleshoot_fixit local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/smartmon.te refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te
> --- refpolicy-git-18012011/policy/modules/services/smartmon.te 2011-01-08 19:07:21.326754622 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te 2011-01-18 23:13:49.803853588 +0100
> @@ -73,6 +73,8 @@ files_read_etc_runtime_files(fsdaemon_t)
> # for config
> files_read_etc_files(fsdaemon_t)
>
> +files_read_usr_files(fsdaemon_t)
> +
> fs_getattr_all_fs(fsdaemon_t)
> fs_search_auto_mountpoints(fsdaemon_t)
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.if refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if
> --- refpolicy-git-18012011/policy/modules/services/xserver.if 2011-01-08 19:07:21.344757464 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if 2011-01-18 23:13:49.804853729 +0100
> @@ -1250,3 +1250,43 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Send a dbus message to xdm.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_xdm_dbus_send',`
> + gen_require(`
> + type xdm_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 xdm_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## xdm over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_xdm_dbus_chat',`
> + gen_require(`
> + type xdm_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 xdm_t:dbus send_msg;
> + allow xdm_t $1:dbus send_msg;
> +')
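
Review bot: xserver_xdm_dbus_chat is added at the end of xserver.if, but every caller visible here uses xserver_xdm_dbus_send (devicekit.te, hal.te, networkmanager.te, setroubleshoot.te), while xserver.te gives xdm_t the opposite direction with devicekit_dbus_send_disk, devicekit_dbus_send_power, hal_dbus_send, networkmanager_dbus_send and setroubleshoot_dbus_send. Each pair adds up to what a single chat call grants, but split across two modules, so a reader of either .te file sees only half of the relationship. Call the chat interface from one side, and keep a one-way interface only where a caller really needs a single direction.
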
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.te refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te
> --- refpolicy-git-18012011/policy/modules/services/xserver.te 2011-01-08 19:07:21.344757464 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te 2011-01-18 23:13:49.806854011 +0100
> @@ -508,6 +508,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + avahi_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> consolekit_dbus_chat(xdm_t)
> ')
>
> @@ -516,12 +520,21 @@ optional_policy(`
> ')
>
> optional_policy(`
> + devicekit_dbus_send_disk(xdm_t)
> + devicekit_dbus_send_power(xdm_t)
> +')
> +
> +optional_policy(`
> # Talk to the console mouse server.
> gpm_stream_connect(xdm_t)
> gpm_setattr_gpmctl(xdm_t)
> ')
>
> optional_policy(`
> + hal_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> hostname_exec(xdm_t)
> ')
>
> @@ -539,10 +552,18 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> resmgr_stream_connect(xdm_t)
> ')
>
> optional_policy(`
> + setroubleshoot_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(xdm_t)
> ')
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/authlogin.te refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te
> --- refpolicy-git-18012011/policy/modules/system/authlogin.te 2011-01-08 19:07:21.347757938 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te 2011-01-18 23:13:49.808854293 +0100
> @@ -91,6 +91,8 @@ files_list_etc(chkpwd_t)
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
>
> +kernel_search_sysctl(chkpwd_t)
> +
> domain_dontaudit_use_interactive_fds(chkpwd_t)
>
> dev_read_rand(chkpwd_t)
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-minimum-update/policy/modules/system/init.if
> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/init.if 2011-01-18 23:13:49.809854434 +0100
> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>
> ########################################
> ## <summary>
> +## Read init fifo file.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_fifo_file',`
> + gen_require(`
> + attribute init_t;
> + ')
> +
> + read_fifo_files_pattern($1, init_t, init_t)
> +')
> +
> +########################################
> +## <summary>
> ## Ptrace init
> ## </summary>
> ## <param name="domain">
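
Review bot: in init_read_fifo_file the gen_require block declares `attribute init_t;`, but init_t is then used as a type in `read_fifo_files_pattern($1, init_t, init_t)`, and the _t suffix is the naming used for types everywhere else in this patch. This should be `type init_t;`. The summary should also say which fifo is meant.
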
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if
> --- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if 2011-01-18 23:13:49.812854857 +0100
> @@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
>
> ########################################
> ## <summary>
> +## Send a dbus message to the audit
> +## dispatcher.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_dbus_send_dispatcher',`
> + gen_require(`
> + type audisp_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 audisp_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## the audit dispatcher over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_dbus_chat_dispatcher',`
> + gen_require(`
> + type audisp_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 audisp_t:dbus send_msg;
> + allow audisp_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Manage the auditd configuration files.
> ## </summary>
> ## <param name="domain">
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te
> --- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te 2011-01-18 23:13:49.813854998 +0100
> @@ -223,6 +223,8 @@ allow audisp_t self:unix_dgram_socket cr
>
> allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
>
> +allow audisp_t proc_t:file read_file_perms;
> +
> manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
> files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
>
> @@ -246,6 +248,10 @@ optional_policy(`
> dbus_system_bus_client(audisp_t)
> ')
>
> +optional_policy(`
> + setroubleshoot_dbus_send(audisp_t)
> +')
> +
> ########################################
> #
> # Audit remote logger local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.if refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if
> --- refpolicy-git-18012011/policy/modules/system/mount.if 2011-01-08 19:07:21.358759676 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if 2011-01-18 23:13:49.814855139 +0100
> @@ -51,6 +51,25 @@ interface(`mount_run',`
>
> ########################################
> ## <summary>
> +## Get the attributes of mount
> +## executable files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mount_exec_getattr',`
> + gen_require(`
> + type mount_exec_t;
> + ')
> +
> + allow $1 mount_exec_t:file getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Execute mount in the caller domain.
> ## </summary>
> ## <param name="domain">
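
Review bot: mount_exec_getattr puts the object before the verb, unlike the other interfaces this patch adds (sysnet_search_dhcpc_state, init_read_fifo_file); a verb-first name would match. Its only caller shown, devicekit.te, calls mount_exec on the very next line, so please confirm the standalone getattr is needed at all.
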
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.te refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te
> --- refpolicy-git-18012011/policy/modules/system/mount.te 2011-01-17 19:36:10.814131755 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te 2011-01-19 01:01:20.531005215 +0100
> @@ -51,12 +51,17 @@ kernel_read_kernel_sysctls(mount_t)
> kernel_dontaudit_getattr_core_if(mount_t)
> kernel_dontaudit_write_debugfs_dirs(mount_t)
> kernel_dontaudit_write_proc_dirs(mount_t)
> +kernel_setsched(mount_t)
> # To load binfmt_misc kernel module
> kernel_request_load_module(mount_t)
>
> # required for mount.smbfs
> corecmd_exec_bin(mount_t)
>
> +# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
> +# from initscripts
> +corecmd_mmap_file_exec_shell(mount_t)
> +
> dev_getattr_all_blk_files(mount_t)
> dev_list_all_dev_nodes(mount_t)
> dev_read_sysfs(mount_t)
> @@ -108,6 +113,8 @@ storage_raw_read_fixed_disk(mount_t)
> storage_raw_write_fixed_disk(mount_t)
> storage_raw_read_removable_device(mount_t)
> storage_raw_write_removable_device(mount_t)
> +# needed for example by ntfs-3g
> +storage_rw_fuse(mount_t)
>
> term_use_all_terms(mount_t)
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.if refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if
> --- refpolicy-git-18012011/policy/modules/system/sysnetwork.if 2011-01-08 19:07:21.362760308 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if 2011-01-18 23:13:49.817855562 +0100
> @@ -215,6 +215,24 @@ interface(`sysnet_rw_dhcp_config',`
>
> ########################################
> ## <summary>
> +## Search dhcp client state directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`sysnet_search_dhcpc_state',`
> + gen_require(`
> + type dhcpc_state_t;
> + ')
> +
> + search_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
> +')
> +
> +########################################
> +## <summary>
> ## Read dhcp client state files.
> ## </summary>
> ## <param name="domain">
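
Review bot: sysnet_search_dhcpc_state differs by one letter from sysnet_search_dhcp_state, which networkmanager.te already calls in the context lines of this patch, and the only sysnetwork call the patch adds there is sysnet_read_dhcpc_state. I don't see a caller for the new interface in the hunks shown; if nothing uses it, leave it out, and if something does, the summary should spell out how it differs from the existing dhcp state search.
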
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.te refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te
> --- refpolicy-git-18012011/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te 2011-01-18 23:13:49.818855703 +0100
> @@ -325,6 +325,7 @@ ifdef(`hide_broken_symptoms',`
> ')
>
> optional_policy(`
> + hal_read_pid_files(ifconfig_t)
> hal_dontaudit_rw_pipes(ifconfig_t)
> hal_dontaudit_rw_dgram_sockets(ifconfig_t)
> ')
>
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-01-20 17:32:56

by Guido Trentalancia

Subject: [refpolicy] RFC: patch to update git reference policy

Hello Christopher,

thanks for getting back !

On Thu, 20/01/2011 at 08.18 -0500, Christopher J. PeBenito wrote:
> On 01/18/11 19:40, Guido Trentalancia wrote:
> > Hello,
> >
> > I have created a set of two patches to update the git reference policy
> > to run on a generic modern Linux system.
>
> There are too many changes in this patch and the other. Can you
> resubmit, breaking each logically separate change into a different patch?

Yes, I think that can be done, although it might take some time. But
what do you mean exactly by "logically separate"?

In truth both patches are not logically separated, because of their
common aim to update refpolicy to work on a modern installation more or
less by adding some missing permissions.

I could create a separate patch for each module x (x.fc, x.if, x.te)...

I am not sure this is what you meant. For example, I have (almost) never
created a bidirectional dbus:send_msg permission in a module, but rather
split them in two unidirectional dbus:send_msg permissions in the two
modules that are relevant in that case. So, in this example, splitting
the patch according to modules would break that logic because each
module just implements a unidirectional dbus:send_msg (relative to its
own context only) and the single patch won't completely solve the issue.

Please let me know.

Regards,

Guido

2011-01-21 12:37:58

by cpebenito

Subject: [refpolicy] RFC: patch to update git reference policy

On 01/20/11 12:32, Guido Trentalancia wrote:
> Hello Christopher,
>
> thanks for getting back !
>
> On Thu, 20/01/2011 at 08.18 -0500, Christopher J. PeBenito wrote:
>> On 01/18/11 19:40, Guido Trentalancia wrote:
>>> Hello,
>>>
>>> I have created a set of two patches to update the git reference policy
>>> to run on a generic modern Linux system.
>>
>> There are too many changes in this patch and the other. Can you
>> resubmit, breaking each logically separate change into a different patch?
>
> Yes, I think that can be done, although it might take some time. But
> what do you mean exactly by "logically separate"?

An example is adding a new interface and adding calls for it in other
modules. It looks like you have a bunch of dbus messaging additions;
you can make that one patch.

> In truth both patches are not logically separated, because of their
> common aim to update refpolicy to work on a modern installation more or
> less by adding some missing permissions.

That means it's a pile of logical changes.

> I could create a separate patch for each module x (x.fc, x.if, x.te)...
>
> I am not sure this is what you meant. For example, I have (almost) never
> created a bidirectional dbus:send_msg permission in a module, but rather
> split them in two unidirectional dbus:send_msg permissions in the two
> modules that are relevant in that case. So, in this example, splitting
> the patch according to modules would break that logic because each
> module just implements a unidirectional dbus:send_msg (relative to its
> own context only) and the single patch won't completely solve the issue.

Definitely not what I meant.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-01-24 00:43:40

by Guido Trentalancia

Subject: [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy

Hello again !

I am resubmitting the changes that I proposed a few days ago for the
latest reference policy. There are a few additions and now the patch has
been split into a set of 19 logical patches.

However, there might be unavoidable dependencies between a few patches.

I have applied the patches in the following order (and I cannot
guarantee that they can still be applied in a different order,
especially because of the above mentioned dependencies, e.g. on new
interfaces):

1/19: refpolicy-git-18012011-update-file-contexts.patch
2/19: refpolicy-git-18012011-update-dbus-messaging.patch
3/19: refpolicy-git-18012011-update-readahead.patch
4/19: refpolicy-git-18012011-update-cpufreqselector.patch
5/19: refpolicy-git-18012011-update-mount.patch
6/19: refpolicy-git-18012011-update-kernel-new-interfaces.patch
7/19: refpolicy-git-18012011-update-sysadm-role.patch
8/19: refpolicy-git-18012011-update-dbus.patch
9/19: refpolicy-git-18012011-update-devicekit.patch
10/19: refpolicy-git-18012011-update-networkmanager.patch
11/19: refpolicy-git-18012011-update-setroubleshoot.patch
12/19: refpolicy-git-18012011-update-smartmon.patch
13/19: refpolicy-git-18012011-update-authlogin.patch
14/19: refpolicy-git-18012011-update-logging.patch
15/19: refpolicy-git-18012011-update-selinuxutil.patch
16/19: refpolicy-git-18012011-update-sysnetwork-new-interface.patch
17/19: refpolicy-git-18012011-update-sysnetwork-hal-read-pid-files.patch
18/19: refpolicy-git-18012011-update-consolekit.patch
19/19: refpolicy-git-18012011-update-plymouth.patch

In general, this is a starting point, because I could not test all
available modules, but in the future I might submit other patches for
other modules.

I have only tested the resulting policy with the following build
configuration:

TYPE=mcs DISTRO=redhat MONOLITHIC=n UBAC=n

however I don't expect many issues with other kinds of builds.

As already explained, the patch set aims to update some permissions
needed on a modern generic Linux system. I have not used any specific
distribution and all packages are in general latest upstream versions.

Thanks very much for your attention and for your time. The patch set
follows in separate messages to the Reference Policy mailing list having
the subject "[PATCH/RFC x/19]: patch set to update the git reference
policy", with the integer x varying from 1 to 19.

Regards,

Guido Trentalancia

2011-01-24 15:01:42

by domg472

Subject: [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy

On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> Hello again !
>
> I am resubmitting the changes that I proposed a few days ago for the
> latest reference policy. There are a few additions and now the patch has
> been split into a set of 19 logical patches.
>
> However, there might be unavoidable dependencies between a few patches.
>
> I have applied the patches in the following order (and I cannot
> guarantee that they can still be applied in a different order,
> especially because of the above mentioned dependencies, e.g. on new
> interfaces):
>
> 1/19: refpolicy-git-18012011-update-file-contexts.patch
> 2/19: refpolicy-git-18012011-update-dbus-messaging.patch
> 3/19: refpolicy-git-18012011-update-readahead.patch
> 4/19: refpolicy-git-18012011-update-cpufreqselector.patch
> 5/19: refpolicy-git-18012011-update-mount.patch
> 6/19: refpolicy-git-18012011-update-kernel-new-interfaces.patch
> 7/19: refpolicy-git-18012011-update-sysadm-role.patch
> 8/19: refpolicy-git-18012011-update-dbus.patch
> 9/19: refpolicy-git-18012011-update-devicekit.patch
> 10/19: refpolicy-git-18012011-update-networkmanager.patch
> 11/19: refpolicy-git-18012011-update-setroubleshoot.patch
> 12/19: refpolicy-git-18012011-update-smartmon.patch
> 13/19: refpolicy-git-18012011-update-authlogin.patch
> 14/19: refpolicy-git-18012011-update-logging.patch
> 15/19: refpolicy-git-18012011-update-selinuxutil.patch
> 16/19: refpolicy-git-18012011-update-sysnetwork-new-interface.patch
> 17/19: refpolicy-git-18012011-update-sysnetwork-hal-read-pid-files.patch
> 18/19: refpolicy-git-18012011-update-consolekit.patch
> 19/19: refpolicy-git-18012011-update-plymouth.patch
>
> In general, this is a starting point, because I could not test all
> available modules, but in the future I might submit other patches for
> other modules.
>
> I have only tested the resulting policy with the following build
> configuration:
>
> TYPE=mcs DISTRO=redhat MONOLITHIC=n UBAC=n
>
> however I don't expect many issues with other kinds of builds.
>
> As already explained, the patch set aims to update some permissions
> needed on a modern generic Linux system. I have not used any specific
> distribution and all packages are in general latest upstream versions.
>
> Thanks very much for your attention and for your time. The patch set
> follows in separate messages to the Reference Policy mailing list having
> the subject "[PATCH/RFC x/19]: patch set to update the git reference
> policy", with the integer x varying from 1 to 19.

I did a quick review of your policy and commented inline. I think most
of it is probably not acceptable at this point unfortunately.

It may be beneficial to get even more familiar with reference policy and
the concepts/security goals it uses.

You may also find my latest screencast called: introduction to policy
writing, inspiring and hopefully informative:

http://selinux-mac.blogspot.com/2011/01/yet-another-step-by-step-introduction.html

> Regards,
>
> Guido Trentalancia

2011-01-24 15:56:06

by Guido Trentalancia

Subject: [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy

Hello Dominick !

On Mon, 24/01/2011 at 16.01 +0100, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> > Hello again !
> >
> > I am resubmitting the changes that I proposed a few days ago for the
> > latest reference policy. There are a few additions and now the patch has
> > been split into a set of 19 logical patches.
>
> I did a quick review of your policy and commented inline. I think most
> of it is probably not acceptable at this point unfortunately.

Yes, I have started to look at your comments. Of course they are all
good points that you have made and that need to be changed.

But after those issues will have been fixed, what else would prevent the
patch from being committed ?

> It may be beneficial to get even more familiar with reference policy and
> the concepts/security goals it uses.
>
> You may also find my latest screencast called: introduction to policy
> writing, inspiring and hopefully informative:
>
> http://selinux-mac.blogspot.com/2011/01/yet-another-step-by-step-introduction.html

I will have a look at it. Thanks again !

> > Regards,
> >
> > Guido Trentalancia

2011-01-24 15:59:47

by domg472

Subject: [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy

On 01/24/2011 04:56 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> On Mon, 24/01/2011 at 16.01 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>> Hello again !
>>>
>>> I am resubmitting the changes that I proposed a few days ago for the
>>> latest reference policy. There are a few additions and now the patch has
>>> been split into a set of 19 logical patches.
>>
>> I did a quick review of your policy and commented inline. I think most
>> of it is probably not acceptable at this point unfortunately.
>
> Yes, I have started to look at your comments. Of course they are all
> good points that you have made and that need to be changed.
>
> But after those issues have been fixed, what else would prevent the
> patch from being committed ?

For example the way you deal with dbus chat is not the way refpolicy
usually deals with it.

Where you have dbus_*_send interfaces that only go one way, refpolicy
uses dbus_*_chat interfaces that are bi-directional.

This is because if some process sends a message and is allowed that, then
one can be sure that the receiving party will want to reply to that
message and that you will want to allow that reply (why else would you
have allowed the initial party to send a message in the first place?)

>
>> It may be beneficial to get even more familiar with reference policy and
>> the concepts/security goals it uses.
>>
>> You may also find my latest screencast called: introduction to policy
>> writing, inspiring and hopefully informative:
>>
>> http://selinux-mac.blogspot.com/2011/01/yet-another-step-by-step-introduction.html
>
> I will have a look at it. Thanks again !
>
>>> Regards,
>>>
>>> Guido Trentalancia
>
>


2011-01-24 21:01:28

by Guido Trentalancia

Subject: [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy

Hello Dominick,

thanks for your reply !

On Mon, 24/01/2011 at 16.59 +0100, Dominick Grift wrote:
> On 01/24/2011 04:56 PM, Guido Trentalancia wrote:
> >> I did a quick review of your policy and commented inline. I think most
> >> of it is probably not acceptable at this point unfortunately.
> >
> > Yes, I have started to look at your comments. Of course they are all
> > good points that you have made and that need to be changed.
> >
> > But after those issues have been fixed, what else would prevent the
> > patch from being committed ?
>
> For example the way you deal with dbus chat is not the way refpolicy
> usually deals with it.

Yes, I know.

> Where you have dbus_*_send interfaces that only go one way, refpolicy
> uses dbus_*_chat interfaces that are bi-directional.
>
> This is because if some process sends a message and is allowed that, then
> one can be sure that the receiving party will want to reply to that
> message and that you will want to allow that reply (why else would you
> have allowed the initial party to send a message in the first place?)

This is one thing I definitely do not agree with. The way it's implemented
in the patch is better in my opinion. It is more flexible and it is more
in line with the aims of a reference policy.

One should not assume anything. Permissions to send_msg should be given
to each module separately only for what concerns that module (and not
the other party which might eventually be involved in a "chat"). A chat
is a concept too advanced for a reference policy. The policy should just
grant permissions for a module to send out something. It should not even
know that a "chat" is taking place.

Of course, this is my point of view. If it necessarily needs to be the
other way to get committed, it can still be changed but I would
certainly do things differently on my side.

There are many changes that you propose. Apart from this latest one
(which is somewhat also mentioned in [2/19]), I am in perfect agreement
with what you say (well, to be honest I still need to look more
carefully at the feasibility of [5/19], [6/19], [8/19] and [13/19] but
there shouldn't be any problem as long as it is feasible).
Because there are many changes to carry out, I would prepare new patches
only if it is then worth committing them... Nobody else has commented
anything. I still think it's really worth applying these changes to the
reference policy (or otherwise it seems that basic functionality of a
generic system is not being guaranteed) !

I would really need to know before I proceed...

Regards,

Guido
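
The two interface styles debated in the messages above, side by side, as an added example that is not taken from the patch set or from refpolicy itself. The module name `exampled`, the types `exampled_t` and `exampleclient_t`, and both interface names are hypothetical.

```m4
# exampled.if (constructed example module, not part of refpolicy)

# Variant A: one-way interface, in the style of the dbus_*_send
# interfaces discussed in this thread (assumed shape).
interface(`exampled_dbus_send',`
	gen_require(`
		type exampled_t;
		class dbus send_msg;
	')

	# The caller may send messages to exampled_t over the bus.
	# A reply from exampled_t is a send_msg in the opposite direction
	# and is not covered by this rule.
	allow $1 exampled_t:dbus send_msg;
')

# Variant B: bi-directional interface, following the dbus_*_chat
# convention described for refpolicy.
interface(`exampled_dbus_chat',`
	gen_require(`
		type exampled_t;
		class dbus send_msg;
	')

	# Request direction: caller to service.
	allow $1 exampled_t:dbus send_msg;
	# Reply direction: service back to caller.
	allow exampled_t $1:dbus send_msg;
')

# exampleclient.te (constructed caller)
#
# With variant A the reply path needs a second interface, exported by
# the client module and called from the service policy:
#   exampled_dbus_send(exampleclient_t)
#
# With variant B one call grants both directions:
#   exampled_dbus_chat(exampleclient_t)
```

With variant A alone, the denial to look for is a USER_AVC record for class `dbus`, permission `send_msg`, with `exampled_t` as source and the client domain as target.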

2011-01-24 21:22:56

by domg472

Subject: [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy

On 01/24/2011 10:01 PM, Guido Trentalancia wrote:
> Hello Dominick,
>
> thanks for your reply !
>
> On Mon, 24/01/2011 at 16.59 +0100, Dominick Grift wrote:
>> On 01/24/2011 04:56 PM, Guido Trentalancia wrote:
>>>> I did a quick review of your policy and commented inline. I think most
>>>> of it is probably not acceptable at this point unfortunately.
>>>
>>> Yes, I have started to look at your comments. Of course they are all
>>> good points that you have made and that need to be changed.
>>>
>>> But after those issues have been fixed, what else would prevent the
>>> patch from being committed ?
>>
>> For example the way you deal with dbus chat is not the way refpolicy
>> usually deals with it.
>
> Yes, I know.
>
>> Where you have dbus_*_send interfaces that only go one way, refpolicy
>> uses dbus_*_chat interfaces that are bi-directional.
>>
>> This is because if some process sends a message and is allowed that, then
>> one can be sure that the receiving party will want to reply to that
>> message and that you will want to allow that reply (why else would you
>> have allowed the initial party to send a message in the first place?)
>
> This is one thing I definitely do not agree with. The way it's implemented
> in the patch is better in my opinion. It is more flexible and it is more
> in line with the aims of a reference policy.

Well, I am not sure about it. Security is a trade-off between security
and usability. Ask yourself: does this added complexity of yours really
add valuable security? Are there any cases where one party sends a
message without getting a reply?

> One should not assume anything. Permissions to send_msg should be given
> to each module separately only for what concerns that module (and not
> the other party which might eventually be involved in a "chat"). A chat
> is a concept too advanced for a reference policy. The policy should just
> grant permissions for a module to send out something. It should not even
> know that a "chat" is taking place.
>
> Of course, this is my point of view. If it necessarily needs to be the
> other way to get committed, it can still be changed but I would
> certainly do things differently on my side.

I am just a humble hobbyist with an opinion. I too would be interested
to hear others' (especially people with authority) opinions on it. But
from experience I can tell you that it is almost if not always a chat thing.

>
> There are many changes that you propose. Apart from this latest one
> (which is somewhat also mentioned in [2/19]), I am in perfect agreement
> with what you say (well, to be honest I still need to look more
> carefully at the feasibility of [5/19], [6/19], [8/19] and [13/19] but
> there shouldn't be any problem as long as it is feasible).
> Because there are many changes to carry out, I would prepare new patches
> only if it is then worth committing them... Nobody else has commented
> anything. I still think it's really worth applying these changes to the
> reference policy (or otherwise it seems that basic functionality of a
> generic system is not being guaranteed) !
>

My advice is that you send small patches for each functionality and
explain why it's needed in as much detail as possible. Of course you
should make sure you apply style rules and also make sure you compare
your changes with similar policy in refpolicy to see if your change
complies with refpolicy design (e.g. the decisions refpolicy made with
regard to how a particular issue should be handled).

I have proposed many patches to refpolicy. Several had many revisions and
eventually were not accepted. It is in my view not easy to maintain an
upstream policy because there are many things to take into account
before you can accept a patch. That also means that the submitter has to
know a lot of properties of refpolicy.

Else the maintainer spends all his time reviewing patches and explaining
these properties to people over and over again.

So before you submit, double... triple check your patches.

The first time one submits a patch that has mistakes is not a big deal,
the second time I guess neither. But if one sends many patches that keep
having issues and the maintainer has to review them all, then I can
imagine that after a while the maintainer is not so eager anymore to
review it...

So the point of all this is: best to spend a little more time getting
familiar with the properties of the policy, and be confident that any
patch you submit has a high chance of getting accepted. So verify style,
properties etc.

This is also to save yourself some frustration.

Again, though, I am just a hobbyist. I have no authority and I am just
trying to help.

> I would really need to know before I proceed...
>
> Regards,
>
> Guido
>
