From: domg472@gmail.com (Dominick Grift) Date: Fri, 24 Sep 2010 21:37:57 +0200 Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13. Message-ID: <20100924193754.GA28777@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users suchs a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc. Signed-off-by: Dominick Grift --- :100644 100644 2b12a37... aa9f935... M policy/modules/admin/consoletype.te :100644 100644 39e901a... 0bfab9b... M policy/modules/services/dbus.if :100644 100644 b354128... 052f0a6... M policy/modules/services/dbus.te :100644 100644 b3ace16... 58a4736... M policy/modules/services/modemmanager.te :100644 100644 0619395... 2f9a857... M policy/modules/services/networkmanager.te :100644 100644 c61adc8... b4a1419... M policy/modules/services/ntp.te :100644 100644 2dad3c8... a20543a... M policy/modules/services/ssh.te :100644 100644 54d122b... 25bfbd4... M policy/modules/system/authlogin.te :100644 100644 fca6947... 5f5f331... M policy/modules/system/mount.te :100644 100644 dfbe736... eac173f... M policy/modules/system/sysnetwork.te :100644 100644 f976344... fbf02ec... M policy/modules/system/unconfined.te :100644 100644 2aa8928... 5cb411a... M policy/modules/system/userdomain.if policy/modules/admin/consoletype.te | 4 ++++ policy/modules/services/dbus.if | 18 ++++++++++++++++++ policy/modules/services/dbus.te | 9 +++++---- policy/modules/services/modemmanager.te | 2 +- policy/modules/services/networkmanager.te | 1 + policy/modules/services/ntp.te | 1 + policy/modules/services/ssh.te | 4 ++++ policy/modules/system/authlogin.te | 1 + policy/modules/system/mount.te | 11 ++++++++++- policy/modules/system/sysnetwork.te | 4 ++++ policy/modules/system/unconfined.te | 7 +++++++ policy/modules/system/userdomain.if | 18 ++++++++++++++++++ 12 files changed, 74 insertions(+), 6 deletions(-) diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index 2b12a37..aa9f935 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -75,6 +75,10 @@ optional_policy(` ') optional_policy(` + dbus_use_fd(consoletype_t) +') + +optional_policy(` files_read_etc_files(consoletype_t) firstboot_use_fds(consoletype_t) firstboot_rw_pipes(consoletype_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 39e901a..0bfab9b 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -479,3 +479,21 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') + +######################################## +## +## Use and inherit system DBUS file descriptors. +## +## +## +## Domain allowed access. +## +## +# +interface(`dbus_use_fd',` + gen_require(` + type system_dbusd_t; + ') + + allow $1 system_dbusd_t:fd use; +') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index b354128..052f0a6 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -108,10 +108,6 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) -corecmd_list_bin(system_dbusd_t) -corecmd_read_bin_pipes(system_dbusd_t) -corecmd_read_bin_sockets(system_dbusd_t) - domain_use_interactive_fds(system_dbusd_t) domain_read_all_domains_state(system_dbusd_t) @@ -141,6 +137,11 @@ optional_policy(` ') optional_policy(` + # should this be dbus_system_domain instead? + networkmanager_initrc_domtrans(system_dbusd_t) +') + +optional_policy(` policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te index b3ace16..58a4736 100644 --- a/policy/modules/services/modemmanager.te +++ b/policy/modules/services/modemmanager.te @@ -16,7 +16,7 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; # ModemManager local policy # -allow modemmanager_t self:process signal; +allow modemmanager_t self:process { getsched setsched signal }; allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index 0619395..2f9a857 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -141,6 +141,7 @@ sysnet_domtrans_ifconfig(NetworkManager_t) sysnet_domtrans_dhcpc(NetworkManager_t) sysnet_signal_dhcpc(NetworkManager_t) sysnet_read_dhcpc_pid(NetworkManager_t) +sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_pid(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) # in /etc created by NetworkManager will be labelled net_conf_t. diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index c61adc8..b4a1419 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -74,6 +74,7 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) kernel_read_kernel_sysctls(ntpd_t) +kernel_read_crypto_sysctls(ntpd_t) kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 2dad3c8..a20543a 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) +kernel_read_crypto_sysctls(sshd_t) +kernel_request_load_module(sshd_t) kernel_search_key(sshd_t) kernel_link_key(sshd_t) @@ -249,6 +251,8 @@ term_relabelto_all_ptys(sshd_t) corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) +userdom_write_all_users_keys(sshd_t) + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 54d122b..25bfbd4 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -90,6 +90,7 @@ files_list_etc(chkpwd_t) # is_selinux_enabled kernel_read_system_state(chkpwd_t) +kernel_read_crypto_sysctls(chkpwd_t) domain_dontaudit_use_interactive_fds(chkpwd_t) diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index fca6947..5f5f331 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -36,6 +36,7 @@ application_domain(unconfined_mount_t, mount_exec_t) # setuid/setgid needed to mount cifs allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; +allow mount_t self:fifo_file rw_fifo_file_perms; allow mount_t mount_loopback_t:file read_file_perms; @@ -48,13 +49,16 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) kernel_read_system_state(mount_t) kernel_read_kernel_sysctls(mount_t) +kernel_setsched(mount_t) kernel_dontaudit_getattr_core_if(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) +corecmd_exec_shell(mount_t) dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) +dev_read_sysfs(mount_t) dev_rw_lvm_control(mount_t) dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t) fs_unmount_all_fs(mount_t) fs_remount_all_fs(mount_t) fs_relabelfrom_all_fs(mount_t) -fs_list_auto_mountpoints(mount_t) +# wants to list usbfs_t +fs_list_all(mount_t) fs_rw_tmpfs_chr_files(mount_t) fs_read_tmpfs_symlinks(mount_t) @@ -180,6 +185,10 @@ optional_policy(` ') ') +optional_policy(` + dbus_use_fd(mount_t) +') + # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index dfbe736..eac173f 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` + dbus_use_fd(ifconfig_t) +') + +optional_policy(` hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t) ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index f976344..fbf02ec 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t) mcs_killall(unconfined_t) mcs_ptrace_all(unconfined_t) +ubac_process_exempt(unconfined_t) +ubac_file_exempt(unconfined_t) +ubac_fd_exempt(unconfined_t) + init_run_daemon(unconfined_t, unconfined_r) libs_run_ldconfig(unconfined_t, unconfined_r) @@ -42,6 +46,7 @@ logging_run_auditctl(unconfined_t, unconfined_r) mount_run_unconfined(unconfined_t, unconfined_r) +seutil_run_runinit(unconfined_t, unconfined_r) seutil_run_setfiles(unconfined_t, unconfined_r) seutil_run_semanage(unconfined_t, unconfined_r) @@ -192,6 +197,8 @@ optional_policy(` optional_policy(` usermanage_run_admin_passwd(unconfined_t, unconfined_r) + usermanage_run_groupadd(unconfined_t, unconfined_r) + usermanage_run_useradd(unconfined_t, unconfined_r) ') optional_policy(` diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 2aa8928..5cb411a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -3112,6 +3112,24 @@ interface(`userdom_create_all_users_keys',` ######################################## ## +## Write and link keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key { search write link }; +') + +######################################## +## ## Send a dbus message to all user domains. ## ## -- 1.7.2.3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100924/a752884d/attachment.bin