From: domg472@gmail.com (Dominick Grift) Date: Fri, 3 Sep 2010 21:46:25 +0200 Subject: [refpolicy] [Various 1/1] Add nfctool module and its dependencies. Message-ID: <20100903194621.GA4338@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Add brctl_run interface to cleaned up brctl module. Add brctl domtrans and run calls to new ncftool module, modutils. Implement system conf type for manageable system configuration files. Add/replace calls to system configuration interfaces in virt, init, iptables. Add network configuration interfaces and add calls to these interfaces in various modules.
Signed-off-by: Dominick Grift --- :100644 100644 5b43db5... 8f1ee2c... M policy/modules/admin/brctl.if :100644 100644 0ff3679... 45b26c9... M policy/modules/admin/brctl.te :000000 100644 0000000... 19710b5... A policy/modules/admin/ncftool.fc :000000 100644 0000000... 5b9318b... A policy/modules/admin/ncftool.if :000000 100644 0000000... 2e2f551... A policy/modules/admin/ncftool.te :100644 100644 a22e546... 157f6ff... M policy/modules/admin/shorewall.te :100644 100644 3517db2... ba92739... M policy/modules/kernel/files.fc :100644 100644 5302dac... 17e7a6a... M policy/modules/kernel/files.if :100644 100644 07352a5... ec07a47... M policy/modules/kernel/files.te :100644 100644 3cce663... 57c0f15... M policy/modules/services/virt.te :100644 100644 abab4cf... c038370... M policy/modules/system/init.te :100644 100644 13f62a6... e0813a1... M policy/modules/system/iptables.fc :100644 100644 5c94dfe... 68cd2d2... M policy/modules/system/iptables.if :100644 100644 a3fdcb3... 8e644c4... M policy/modules/system/iptables.te :100644 100644 9c0faab... 565e5bc... M policy/modules/system/modutils.if :100644 100644 8e71fb7... 1e4892d... M policy/modules/system/sysnetwork.if :100644 100644 dfbe736... ab27920... 
M policy/modules/system/sysnetwork.te policy/modules/admin/brctl.if | 34 ++++++++++++- policy/modules/admin/brctl.te | 1 - policy/modules/admin/ncftool.fc | 1 + policy/modules/admin/ncftool.if | 80 +++++++++++++++++++++++++++++++ policy/modules/admin/ncftool.te | 82 ++++++++++++++++++++++++++++++++ policy/modules/admin/shorewall.te | 4 ++ policy/modules/kernel/files.fc | 89 +++-------------------------------- policy/modules/kernel/files.if | 74 +++++++++++++++++++++++++++++ policy/modules/kernel/files.te | 8 +++ policy/modules/services/virt.te | 7 ++- policy/modules/system/init.te | 2 + policy/modules/system/iptables.fc | 2 - policy/modules/system/iptables.if | 78 ------------------------------ policy/modules/system/iptables.te | 4 +- policy/modules/system/modutils.if | 20 ++++++++ policy/modules/system/sysnetwork.if | 38 +++++++++++++++ policy/modules/system/sysnetwork.te | 4 ++ 17 files changed, 357 insertions(+), 171 deletions(-)
diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
index 5b43db5..8f1ee2c 100644
--- a/policy/modules/admin/brctl.if
+++ b/policy/modules/admin/brctl.if
@@ -1,13 +1,13 @@
-## Utilities for configuring the linux ethernet bridge
+## Utilities for configuring the linux ethernet bridge.
 ########################################
 ##
 ## Execute a domain transition to run brctl.
 ##
 ##
-##
+##
 ## Domain allowed to transition.
-##
+##
 ##
 #
 interface(`brctl_domtrans',`
@@ -15,5 +15,33 @@ interface(`brctl_domtrans',`
 type brctl_t, brctl_exec_t;
 ')
+ corecmd_search_bin($1)
 domtrans_pattern($1, brctl_exec_t, brctl_t)
 ')
+
+#####################################
+##
+## Execute a domain transition to run
+## Brctl, and allow the specified role
+## the Brctl domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`brctl_run',`
+ gen_require(`
+ type brctl_t, brctl_exec_t;
+ ')
+
+ brctl_domtrans($1)
+ role $2 types brctl_t;
+')
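Review bot: brctl_run's gen_require lists `type brctl_t, brctl_exec_t;` although the interface body references only brctl_t (brctl_exec_t is consumed inside the brctl_domtrans call it makes), so `type brctl_t;` is sufficient and matches ncftool_run in this same patch, which requires only ncftool_t. The domain parameter is documented as "Domain allowed to transition." here but as "Domain allowed access." in ncftool_run; one wording for the two new _run interfaces would be better. The separator line above brctl_run is also shorter than the one above brctl_domtrans.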
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 0ff3679..45b26c9 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -30,7 +30,6 @@ corenet_rw_tun_tap_dev(brctl_t)
 dev_rw_sysfs(brctl_t)
 dev_write_sysfs_dirs(brctl_t)
-# Init script handling
 domain_use_interactive_fds(brctl_t)
 files_read_etc_files(brctl_t)
diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc
new file mode 100644
index 0000000..19710b5
--- /dev/null
+++ b/policy/modules/admin/ncftool.fc
@@ -0,0 +1 @@
+/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if
new file mode 100644
index 0000000..5b9318b
--- /dev/null
+++ b/policy/modules/admin/ncftool.if
@@ -0,0 +1,80 @@
+## Network Interface Management.
+
+########################################
+##
+## Execute a domain transition to run Ncftool.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ncftool_domtrans',`
+ gen_require(`
+ type ncftool_t, ncftool_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ncftool_exec_t, ncftool_t)
+')
+
+########################################
+##
+## Execute a domain transition to run
+## Ncftool, and allow the specified role
+## the Ncftool domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`ncftool_run',`
+ gen_require(`
+ type ncftool_t;
+ ')
+
+ ncftool_domtrans($1)
+ role $2 types ncftool_t;
+
+ optional_policy(`
+ brctl_run(ncftool_t, $2)
+ ')
+')
+
+########################################
+##
+## Role access for Ncftool.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+##
+## User domain for the role.
+##
+##
+##
+#
+interface(`ncftool_role',`
+ gen_require(`
+ type ncftool_t;
+ ')
+
+ role $1 types ncftool_t;
+
+ ncftool_domtrans($2)
+
+ ps_process_pattern($2, ncftool_t)
+ allow $2 ncftool_t:process { ptrace signal_perms };
+')
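Review bot: ncftool_run reaches brctl through `brctl_run(ncftool_t, $2)`, but ncftool_role — the other path by which a role is given ncftool_t — only calls ncftool_domtrans($2) and adds nothing for brctl, so a session set up through ncftool_role would be denied the ncftool_t to brctl_t transition if ncftool executes brctl. The description says brctl domtrans calls were added to the ncftool module, yet the ncftool.te hunk below contains no brctl call at all; the transition itself belongs there as `optional_policy(` brctl_domtrans(ncftool_t) ')`, with the interfaces only adding the role. Failing that, ncftool_role needs the same optional block as ncftool_run, with `brctl_run(ncftool_t, $1)`, so the two interfaces agree on which domains the role can end up in.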
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
new file mode 100644
index 0000000..2e2f551
--- /dev/null
+++ b/policy/modules/admin/ncftool.te
@@ -0,0 +1,82 @@
+policy_module(ncftool, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ncftool_t;
+type ncftool_exec_t;
+application_domain(ncftool_t, ncftool_exec_t)
+domain_obj_id_change_exemption(ncftool_t)
+domain_system_change_exemption(ncftool_t)
+role system_r types ncftool_t;
+
+########################################
+#
+# local policy
+#
+
+allow ncftool_t self:capability { net_admin sys_ptrace };
+allow ncftool_t self:process signal;
+allow ncftool_t self:fifo_file manage_fifo_file_perms;
+allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
+allow ncftool_t self:tcp_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(ncftool_t)
+kernel_read_modprobe_sysctls(ncftool_t)
+kernel_read_network_state(ncftool_t)
+kernel_read_system_state(ncftool_t)
+kernel_request_load_module(ncftool_t)
+kernel_rw_net_sysctls(ncftool_t)
+
+corecmd_exec_bin(ncftool_t)
+corecmd_exec_shell(ncftool_t)
+
+domain_read_all_domains_state(ncftool_t)
+
+dev_read_sysfs(ncftool_t)
+
+files_manage_system_conf_files(ncftool_t)
+files_relabelto_system_conf_files(ncftool_t)
+files_read_etc_files(ncftool_t)
+files_read_etc_runtime_files(ncftool_t)
+files_read_usr_files(ncftool_t)
+
+term_use_all_terms(ncftool_t)
+
+miscfiles_read_localization(ncftool_t)
+
+modutils_list_module_config(ncftool_t)
+modutils_read_module_config(ncftool_t)
+modutils_domtrans_insmod(ncftool_t)
+
+sysnet_delete_dhcpc_pid(ncftool_t)
+sysnet_domtrans_dhcpc(ncftool_t)
+sysnet_domtrans_ifconfig(ncftool_t)
+sysnet_etc_filetrans_config(ncftool_t)
+sysnet_manage_config(ncftool_t)
+sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
+sysnet_read_dhcpc_pid(ncftool_t)
+sysnet_signal_dhcpc(ncftool_t)
+
+userdom_read_user_tmp_files(ncftool_t)
+
+optional_policy(`
+ consoletype_exec(ncftool_t)
+')
+
+optional_policy(`
+
dbus_system_bus_client(ncftool_t) +') + +optional_policy(` + iptables_initrc_domtrans(ncftool_t) +') + +optional_policy(` + netutils_domtrans(ncftool_t) +') diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te index a22e546..157f6ff 100644 --- a/policy/modules/admin/shorewall.te +++ b/policy/modules/admin/shorewall.te @@ -89,6 +89,10 @@ sysnet_domtrans_ifconfig(shorewall_t) userdom_dontaudit_list_user_home_dirs(shorewall_t) optional_policy(` + brctl_domtrans(shorewall_t) +') + +optional_policy(` hostname_exec(shorewall_t) ') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index 3517db2..ba92739 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -1,15 +1,9 @@ - -# -# / -# /.* gen_context(system_u:object_r:default_t,s0) / -d gen_context(system_u:object_r:root_t,s0) /\.journal <> /afs -d gen_context(system_u:object_r:mnt_t,s0) /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) - -ifdef(`distro_redhat',` /\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0) /\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0) /\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -18,15 +12,8 @@ ifdef(`distro_redhat',` /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0) -') - -ifdef(`distro_suse',` /success -- gen_context(system_u:object_r:etc_runtime_t,s0) -') -# -# /boot -# /boot -d gen_context(system_u:object_r:boot_t,s0) /boot/.* gen_context(system_u:object_r:boot_t,s0) /boot/\.journal <> 
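Review bot: `allow ncftool_t self:capability { net_admin sys_ptrace };` together with `domain_read_all_domains_state(ncftool_t)` lets a network-configuration tool read the process state of every domain on the system; if that only serves locating the dhclient it signals, `sysnet_read_dhcpc_state(ncftool_t)` further down already covers it and the sys_ptrace capability and the all-domains grant could go, otherwise a comment above them naming the process state ncftool actually needs would justify the width. The relabel grants are asymmetric: `files_relabelto_system_conf_files(ncftool_t)` has no relabelfrom counterpart while both directions are granted for net_conf_t, so relabelling an existing system_conf_t file would be denied; if the intent is only ever to relabel net_conf_t files to system_conf_t, a comment above the two sysnet_relabel* calls saying so would keep someone from widening it later. `userdom_read_user_tmp_files(ncftool_t)` is likewise unexplained for a tool whose inputs live in /etc; presumably it reads a temp file handed over by the caller, which deserves a one-line comment.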
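Review bot: The first two files.fc hunks drop the `ifdef(`distro_redhat',`` and `ifdef(`distro_suse',`` lines and their closing `')` while keeping the entries they guarded (/.autofsck, /.autorelabel, /.suspended, /fsckoptions, /halt, /poweroff, /success), so those distro-specific contexts become unconditional for every distribution, and nothing in the description covers this. The same happens in the later files.fc hunks: the distro_gentoo, distro_redhat and distro_suse blocks under /etc, the `ifndef(`distro_redhat',`` block around /usr/local/src and /usr/src (which presumably turns /usr/src from usr_t into src_t on Red Hat builds), and the `ifdef(`distro_debian',`` block around /var/run/motd. If this is a rebase artefact from a tree that had already removed the conditionals, the patch needs regenerating against the target branch; if it is intentional, it is a separate behavioural change that wants its own patch and rationale. Dropping the `# /boot`-style section comments is harmless on its own but belongs to that cleanup rather than to the ncftool change.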
@@ -35,15 +22,9 @@ ifdef(`distro_suse',` /boot/lost\+found/.* <> /boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) -# -# /emul -# /emul -d gen_context(system_u:object_r:usr_t,s0) /emul/.* gen_context(system_u:object_r:usr_t,s0) -# -# /etc -# /etc -d gen_context(system_u:object_r:etc_t,s0) /etc/.* gen_context(system_u:object_r:etc_t,s0) /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) 
@@ -72,114 +53,68 @@ ifdef(`distro_suse',` /etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) + +/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0) -ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -') -ifdef(`distro_redhat',` /etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0) -') -ifdef(`distro_suse',` /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -') -# -# HOME_ROOT -# expanded by genhomedircon -# HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> -# -# /initrd -# -# initrd mount point, only used during boot /initrd -d gen_context(system_u:object_r:root_t,s0) -# -# /lib(64)? -# /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) /lib64/modules(/.*)? 
gen_context(system_u:object_r:modules_object_t,s0) -# -# /lost+found -# /lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /lost\+found/.* <> -# -# /media -# -# Mount points; do not relabel subdirectories, since -# we don't want to change any removable media by default. /media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0) /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /media/[^/]*/.* <> /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) -# -# /misc -# /misc -d gen_context(system_u:object_r:mnt_t,s0) -# -# /mnt -# /mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0) /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /mnt/[^/]*/.* <> -# -# /net -# /net -d gen_context(system_u:object_r:mnt_t,s0) -# -# /opt -# /opt -d gen_context(system_u:object_r:usr_t,s0) /opt/.* gen_context(system_u:object_r:usr_t,s0) /opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0) -# -# /proc -# /proc -d <> /proc/.* <> -# -# /selinux -# /selinux -d <> /selinux/.* <> -# -# /srv -# /srv -d gen_context(system_u:object_r:var_t,s0) /srv/.* gen_context(system_u:object_r:var_t,s0) -# -# /sys -# /sys -d <> /sys/.* <> -# -# /tmp -# /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /tmp/.* <> /tmp/\.journal <> @@ -187,9 +122,6 @@ HOME_ROOT/lost\+found/.* <> /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /tmp/lost\+found/.* <> -# -# /usr -# /usr -d gen_context(system_u:object_r:usr_t,s0) /usr/.* gen_context(system_u:object_r:usr_t,s0) /usr/\.journal <> 
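Review bot: The new system_conf_t entries put `/etc/sysctl\.conf(\.old)?` and the ebtables and ipvsadm sysconfig files under the same type as the iptables and system-config-firewall files, and because files.te makes iptables_conf_t an alias of system_conf_t and iptables.te switches to `files_manage_system_conf_files(iptables_t)`, iptables_t (and virtd_t, which receives the same interface in virt.te) gains write access to /etc/sysctl.conf that it did not have under iptables_conf_t; that widening should be named in the description and confirmed as intended if iptables_t only needs its own rule files. Leaving `/etc/sysconfig/iptables\.save` as etc_runtime_t between the new system_conf_t lines works, as it already did alongside the old iptables.fc entry, because the longer literal prefix wins over `ip6?tables.*`; a comment such as `# iptables.save is transient init-script output, not managed config` would stop a later reader from "fixing" it.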
@@ -215,16 +147,11 @@ HOME_ROOT/lost\+found/.* <>
 /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /usr/tmp/.* <>
-ifndef(`distro_redhat',`
 /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-')
-#
-# /var
-#
 /var -d gen_context(system_u:object_r:var_t,s0)
 /var/.* gen_context(system_u:object_r:var_t,s0)
 /var/\.journal <>
@@ -255,6 +182,4 @@ ifndef(`distro_redhat',`
 /var/tmp/lost\+found/.* <>
 /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
-ifdef(`distro_debian',`
 /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5302dac..17e7a6a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1875,6 +1875,80 @@ interface(`files_manage_boot_symlinks',`
 manage_lnk_files_pattern($1, boot_t, boot_t)
 ')
+###################################
+##
+## Create manageable system configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ filetrans_pattern($1, etc_t, system_conf_t, file)
+')
+
+######################################
+##
+## Manage manageable system configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
+######################################
+##
+## Relabel from manageable system configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type system_conf_t;
+ ')
+
+ files_search_etc($1)
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+######################################
+##
+## Relabel to manageable system configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type system_conf_t;
+ ')
+
+ files_search_etc($1)
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
+')
+
 ########################################
 ##
 ## Read kernel files in the /boot directory.
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 07352a5..ec07a47 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
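Review bot: The summaries "Create manageable system configuration files." (files_etc_filetrans_system_conf) and "Manage manageable system configuration files." (files_manage_system_conf_files) do not say what the interfaces grant: the first only adds the etc_t to system_conf_t type transition, so a caller also needs the manage interface, as virt.te does. Suggest `## Create files in /etc with the type used for manageable system configuration files.` and `## Create, read, write, and delete manageable system configuration files in /etc.`, following the wording of the iptables_etc_filetrans_config summary this patch deletes. The separator lines above all four new interfaces are shorter than the one on the following context line. Note also that the iptables.if hunk later in the patch removes iptables_read_config, iptables_setattr_config, iptables_etc_filetrans_config and iptables_manage_config outright rather than leaving deprecated wrappers, and no read or setattr interface for system_conf_t is added here, so any out-of-tree caller of the first two has no replacement; a `files_read_system_conf_files` interface would close that gap.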
@@ -128,6 +128,14 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
 type src_t;
 files_mountpoint(src_t)
+# system_conf_t is a new type of various
+# files in /etc/ that can be managed and
+# created by several domains.
+#
+type system_conf_t, configfile;
+files_type(system_conf_t)
+typealias system_conf_t alias iptables_conf_t;
+
 #
 # system_map_t is for the system.map files in /boot
 #
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3cce663..57c0f15 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -255,6 +255,10 @@ files_search_all(virtd_t)
 files_read_kernel_modules(virtd_t)
 files_read_usr_src_files(virtd_t)
 files_manage_etc_files(virtd_t)
+files_relabelfrom_system_conf_files(virtd_t)
+files_relabelto_system_conf_files(virtd_t)
+files_manage_system_conf_files(virtd_t)
+files_etc_filetrans_system_conf(virtd_t)
 fs_list_auto_mountpoints(virtd_t)
 fs_getattr_xattr_fs(virtd_t)
@@ -339,9 +343,6 @@ optional_policy(`
 optional_policy(`
 iptables_domtrans(virtd_t)
 iptables_initrc_domtrans(virtd_t)
-
- # Manages /etc/sysconfig/system-config-firewall
- iptables_manage_config(virtd_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index abab4cf..c038370 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -530,6 +530,8 @@ ifdef(`distro_redhat',`
 optional_policy(`
 sysnet_rw_dhcp_config(initrc_t)
 sysnet_manage_config(initrc_t)
+ sysnet_relabelfrom_net_conf(initrc_t)
+ sysnet_relabelto_net_conf(initrc_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 13f62a6..e0813a1 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
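Review bot: The comment above `type system_conf_t, configfile;` opens with "is a new type", which goes stale with the next release, and it does not explain `typealias system_conf_t alias iptables_conf_t;`, the line that keeps existing labels and third-party policy resolving. Suggest `# system_conf_t: configuration files in /etc that several domains create, manage and relabel (see files.fc).` followed by `# iptables_conf_t is retained as an alias for existing labels and policy.` in place of the current four comment lines. Because of the alias, every rule still written against iptables_conf_t now also covers the sysctl.conf, ebtables and ipvsadm entries added to files.fc, which is worth a sentence in the description.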
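Review bot: The removed `iptables_manage_config(virtd_t)` carried the comment `# Manages /etc/sysconfig/system-config-firewall`, and the four files_*_system_conf_files calls that replace it in the first virt.te hunk have none, so the reason virtd needs these files is lost; carry it over as `# manages and relabels /etc/sysconfig/system-config-firewall (system_conf_t)` above `files_relabelfrom_system_conf_files(virtd_t)`. The relabelfrom/relabelto pair is new access rather than a move — the deleted interface only granted manage — so if libvirt really does restore the labels of these files the comment should say so, and if not the two relabel calls can be dropped. The replacement calls are also unconditional where the old call sat inside the iptables optional_policy block; that is reasonable now that the type lives in files, but deserves a word in the description.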
@@ -1,6 +1,4 @@
 /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 5c94dfe..68cd2d2 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -87,81 +87,3 @@ interface(`iptables_initrc_domtrans',`
 init_labeled_script_domtrans($1, iptables_initrc_exec_t)
 ')
-
-#####################################
-##
-## Set the attributes of iptables config files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`iptables_setattr_config',`
- gen_require(`
- type iptables_conf_t;
- ')
-
- files_search_etc($1)
- allow $1 iptables_conf_t:file setattr;
-')
-
-#####################################
-##
-## Read iptables config files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`iptables_read_config',`
- gen_require(`
- type iptables_conf_t;
- ')
-
- files_search_etc($1)
- allow $1 iptables_conf_t:dir list_dir_perms;
- read_files_pattern($1, iptables_conf_t, iptables_conf_t)
-')
-
-#####################################
-##
-## Create files in /etc with the type used for
-## the iptables config files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`iptables_etc_filetrans_config',`
- gen_require(`
- type iptables_conf_t;
- ')
-
- files_etc_filetrans($1, iptables_conf_t, file)
-')
-
-###################################
-##
-## Manage iptables config files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`iptables_manage_config',`
- gen_require(`
- type iptables_conf_t;
- type etc_t;
- ')
-
- files_search_etc($1)
- manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
-')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index a3fdcb3..8e644c4 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -33,8 +33,8 @@ allow iptables_t self:fifo_file rw_fifo_file_perms;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t self:rawip_socket create_socket_perms;
-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
-files_etc_filetrans(iptables_t, iptables_conf_t, file)
+files_manage_system_conf_files(iptables_t)
+files_etc_filetrans_system_conf(iptables_t)
 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
 files_pid_filetrans(iptables_t, iptables_var_run_t, file)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 9c0faab..565e5bc 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -39,6 +39,26 @@ interface(`modutils_read_module_deps',`
 ########################################
 ##
+## List the configuration options used when
+## loading modules.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`modutils_list_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+##
 ## Read the configuration options used when
 ## loading modules.
 ##
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 8e71fb7..1e4892d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -652,6 +652,44 @@ interface(`sysnet_dns_name_resolve',`
 ')
 ')
+#######################################
+##
+## Relabel from network configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sysnet_relabelfrom_net_conf',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file relabelfrom;
+')
+
+######################################
+##
+## Relabel to network configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sysnet_relabelto_net_conf',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file relabelto;
+')
+
 ########################################
 ##
 ## Connect and use a LDAP server.
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index dfbe736..ab27920 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
 ')
 optional_policy(`
+ brctl_domtrans(ifconfig_t)
+')
+
+optional_policy(`
 hal_dontaudit_rw_pipes(ifconfig_t)
 hal_dontaudit_rw_dgram_sockets(ifconfig_t)
 ')
-- 1.7.2.1
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100903/4cb758a5/attachment.bin
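Review bot: sysnet_relabelfrom_net_conf and sysnet_relabelto_net_conf grant the permission with bare `allow $1 net_conf_t:file relabelfrom;` / `relabelto;` rules, whereas the four files.if interfaces in this same patch use relabelfrom_files_pattern / relabelto_files_pattern; `relabelfrom_files_pattern($1, net_conf_t, net_conf_t)` and `relabelto_files_pattern($1, net_conf_t, net_conf_t)` here would be consistent and would also grant search on any directories labelled net_conf_t, which `files_search_etc($1)` alone does not (whether sysnetwork.fc labels any directory net_conf_t is not visible in this patch). The two separator lines above the new interfaces are shorter than the one on the following context line.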