From: domg472@gmail.com (Dominick Grift) Date: Mon, 4 Oct 2010 20:28:53 +0200 Subject: [refpolicy] [patch 1/1] Trying to make it work on fedora minimal install. In-Reply-To: <1286216569-28164-3-git-send-email-domg472@gmail.com> References: <1286216569-28164-2-git-send-email-domg472@gmail.com> <1286216569-28164-3-git-send-email-domg472@gmail.com> Message-ID: <20101004182851.GC28085@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, Oct 04, 2010 at 08:22:06PM +0200, Dominick Grift wrote: Please ignore this message. (this was still sitting in my tmp) 
> 
> Signed-off-by: Dominick Grift
> ---
> :100644 100644 2b12a37... aa9f935... M policy/modules/admin/consoletype.te
> :100644 100644 39e901a... 0bfab9b... M policy/modules/services/dbus.if
> :100644 100644 b354128... 052f0a6... M policy/modules/services/dbus.te
> :100644 100644 b3ace16... 58a4736... M policy/modules/services/modemmanager.te
> :100644 100644 0619395... 2f9a857... M policy/modules/services/networkmanager.te
> :100644 100644 c61adc8... b4a1419... M policy/modules/services/ntp.te
> :100644 100644 2dad3c8... a20543a... M policy/modules/services/ssh.te
> :100644 100644 54d122b... 25bfbd4... M policy/modules/system/authlogin.te
> :100644 100644 fca6947... 5f5f331... M policy/modules/system/mount.te
> :100644 100644 dfbe736... eac173f... M policy/modules/system/sysnetwork.te
> :100644 100644 f976344... fbf02ec... M policy/modules/system/unconfined.te
> :100644 100644 2aa8928... 5cb411a... M policy/modules/system/userdomain.if
> policy/modules/admin/consoletype.te | 4 ++++
> policy/modules/services/dbus.if | 18 ++++++++++++++++++
> policy/modules/services/dbus.te | 9 +++++----
> policy/modules/services/modemmanager.te | 2 +-
> policy/modules/services/networkmanager.te | 1 +
> policy/modules/services/ntp.te | 1 +
> policy/modules/services/ssh.te | 4 ++++
> policy/modules/system/authlogin.te | 1 +
> policy/modules/system/mount.te | 11 ++++++++++-
> policy/modules/system/sysnetwork.te | 4 ++++
> policy/modules/system/unconfined.te | 7 +++++++
> policy/modules/system/userdomain.if | 18 ++++++++++++++++++
> 12 files changed, 74 insertions(+), 6 deletions(-)
> 
> diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
> index 2b12a37..aa9f935 100644
> --- a/policy/modules/admin/consoletype.te
> +++ b/policy/modules/admin/consoletype.te
> @@ -75,6 +75,10 @@ optional_policy(`
> ')
> 
> optional_policy(`
> + dbus_use_fd(consoletype_t)
> +')
> +
> +optional_policy(`
> files_read_etc_files(consoletype_t)
> firstboot_use_fds(consoletype_t)
> firstboot_rw_pipes(consoletype_t)
> diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
> index 39e901a..0bfab9b 100644
> --- a/policy/modules/services/dbus.if
> +++ b/policy/modules/services/dbus.if
> @@ -479,3 +479,21 @@ interface(`dbus_unconfined',`
> 
> typeattribute $1 dbusd_unconfined;
> ')
> +
> +########################################
> +##
> +## Use and inherit system DBUS file descriptors.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dbus_use_fd',`
> + gen_require(`
> + type system_dbusd_t;
> + ')
> +
> + allow $1 system_dbusd_t:fd use;
> +')
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index b354128..052f0a6 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -108,10 +108,6 @@ term_dontaudit_use_console(system_dbusd_t)
> auth_use_nsswitch(system_dbusd_t)
> auth_read_pam_console_data(system_dbusd_t)
> 
> -corecmd_list_bin(system_dbusd_t)
> -corecmd_read_bin_pipes(system_dbusd_t)
> -corecmd_read_bin_sockets(system_dbusd_t)
> -
> domain_use_interactive_fds(system_dbusd_t)
> domain_read_all_domains_state(system_dbusd_t)
> 
> @@ -141,6 +137,11 @@ optional_policy(`
> ')
> 
> optional_policy(`
> + # should this be dbus_system_domain instead?
> + networkmanager_initrc_domtrans(system_dbusd_t)
> +')
> +
> +optional_policy(`
> policykit_dbus_chat(system_dbusd_t)
> policykit_domtrans_auth(system_dbusd_t)
> policykit_search_lib(system_dbusd_t)
> diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
> index b3ace16..58a4736 100644
> --- a/policy/modules/services/modemmanager.te
> +++ b/policy/modules/services/modemmanager.te
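Review bot: The new interface is called `dbus_use_fd` while the convention visible in this same hunk and elsewhere in the patch is the plural form (`firstboot_use_fds`, `domain_use_interactive_fds`), so the call here should read `dbus_use_fds(consoletype_t)` and the definition in the dbus.if hunk below renamed to match. The same call is added in the mount.te and sysnetwork.te hunks later in the patch, so those callers need the same rename. The enclosing optional_policy block is fully visible here, but the surrounding consoletype.te policy is not.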
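Review bot: The added `# should this be dbus_system_domain instead?` line commits an open question into the policy instead of a statement of what the rule is for, and `networkmanager_initrc_domtrans(system_dbusd_t)` lets the system bus daemon transition into NetworkManager's init-script domain, which is a notable grant to leave half-explained. Resolve the question before merging, or replace the comment with what was observed, e.g. `# system bus starts NetworkManager on a Fedora minimal install; TODO(review): confirm dbus_system_domain() is not the proper mechanism`. The first dbus.te hunk also drops three corecmd_* rules for system_dbusd_t, which the subject line does not mention; a sentence in the description saying why they are no longer needed would help reviewers.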
> @@ -16,7 +16,7 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
> # ModemManager local policy
> #
> 
> -allow modemmanager_t self:process signal;
> +allow modemmanager_t self:process { getsched setsched signal };
> allow modemmanager_t self:fifo_file rw_file_perms;
> allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
> allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
> diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
> index 0619395..2f9a857 100644
> --- a/policy/modules/services/networkmanager.te
> +++ b/policy/modules/services/networkmanager.te
> @@ -141,6 +141,7 @@ sysnet_domtrans_ifconfig(NetworkManager_t)
> sysnet_domtrans_dhcpc(NetworkManager_t)
> sysnet_signal_dhcpc(NetworkManager_t)
> sysnet_read_dhcpc_pid(NetworkManager_t)
> +sysnet_read_dhcpc_state(NetworkManager_t)
> sysnet_delete_dhcpc_pid(NetworkManager_t)
> sysnet_search_dhcp_state(NetworkManager_t)
> # in /etc created by NetworkManager will be labelled net_conf_t.
> diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
> index c61adc8..b4a1419 100644
> --- a/policy/modules/services/ntp.te
> +++ b/policy/modules/services/ntp.te
> @@ -74,6 +74,7 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
> files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
> 
> kernel_read_kernel_sysctls(ntpd_t)
> +kernel_read_crypto_sysctls(ntpd_t)
> kernel_read_system_state(ntpd_t)
> kernel_read_network_state(ntpd_t)
> kernel_request_load_module(ntpd_t)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 2dad3c8..a20543a 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
> 
> +kernel_read_crypto_sysctls(sshd_t)
> +kernel_request_load_module(sshd_t)
> kernel_search_key(sshd_t)
> kernel_link_key(sshd_t)
> 
> @@ -249,6 +251,8 @@ term_relabelto_all_ptys(sshd_t)
> corenet_tcp_bind_xserver_port(sshd_t)
> corenet_sendrecv_xserver_server_packets(sshd_t)
> 
> +userdom_write_all_users_keys(sshd_t)
> +
> tunable_policy(`ssh_sysadm_login',`
> # Relabel and access ptys created by sshd
> # ioctl is necessary for logout() processing for utmp entry and for w to
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 54d122b..25bfbd4 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -90,6 +90,7 @@ files_list_etc(chkpwd_t)
> 
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
> +kernel_read_crypto_sysctls(chkpwd_t)
> 
> domain_dontaudit_use_interactive_fds(chkpwd_t)
> 
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index fca6947..5f5f331 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -36,6 +36,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
> 
> # setuid/setgid needed to mount cifs
> allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
> +allow mount_t self:fifo_file rw_fifo_file_perms;
> 
> allow mount_t mount_loopback_t:file read_file_perms;
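Review bot: `userdom_write_all_users_keys(sshd_t)` grants a network-facing daemon search, write and link on the keyrings of every user domain (per the new interface in the userdomain.if hunk), and `kernel_request_load_module(sshd_t)` lets it trigger kernel module loading; neither line carries a comment saying which sshd operation needs it. Add a why-comment above each, e.g. `# TODO(review): which sshd operation needs write access to user keyrings?` and `# TODO(review): which module does sshd request?`, replacing the TODO with the observed cause once known. `kernel_read_crypto_sysctls` is also added to ntp.te and authlogin.te in this patch; a one-line comment naming the trigger (presumably a crypto library reading the crypto sysctls - confirm) at the first of them would document all three. The ssh_sysadm_login tunable block at the end of the second hunk continues outside it.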
> 
> @@ -48,13 +49,16 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
> 
> kernel_read_system_state(mount_t)
> kernel_read_kernel_sysctls(mount_t)
> +kernel_setsched(mount_t)
> kernel_dontaudit_getattr_core_if(mount_t)
> 
> # required for mount.smbfs
> corecmd_exec_bin(mount_t)
> +corecmd_exec_shell(mount_t)
> 
> dev_getattr_all_blk_files(mount_t)
> dev_list_all_dev_nodes(mount_t)
> +dev_read_sysfs(mount_t)
> dev_rw_lvm_control(mount_t)
> dev_dontaudit_getattr_all_chr_files(mount_t)
> dev_dontaudit_getattr_memory_dev(mount_t)
> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
> fs_unmount_all_fs(mount_t)
> fs_remount_all_fs(mount_t)
> fs_relabelfrom_all_fs(mount_t)
> -fs_list_auto_mountpoints(mount_t)
> +# wants to list usbfs_t
> +fs_list_all(mount_t)
> fs_rw_tmpfs_chr_files(mount_t)
> fs_read_tmpfs_symlinks(mount_t)
> 
> @@ -180,6 +185,10 @@ optional_policy(`
> ')
> ')
> 
> +optional_policy(`
> + dbus_use_fd(mount_t)
> +')
> +
> # for kernel package installation
> optional_policy(`
> rpm_rw_pipes(mount_t)
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index dfbe736..eac173f 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
> ')
> 
> optional_policy(`
> + dbus_use_fd(ifconfig_t)
> +')
> +
> +optional_policy(`
> hal_dontaudit_rw_pipes(ifconfig_t)
> hal_dontaudit_rw_dgram_sockets(ifconfig_t)
> ')
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index f976344..fbf02ec 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
> mcs_killall(unconfined_t)
> mcs_ptrace_all(unconfined_t)
> 
> +ubac_process_exempt(unconfined_t)
> +ubac_file_exempt(unconfined_t)
> +ubac_fd_exempt(unconfined_t)
> +
> init_run_daemon(unconfined_t, unconfined_r)
> 
> libs_run_ldconfig(unconfined_t, unconfined_r)
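Review bot: `corecmd_exec_shell(mount_t)` is inserted directly under the existing `# required for mount.smbfs` comment, so a reader will take shell execution to be part of that requirement, yet nothing in the patch says which helper actually runs a shell from mount_t. Either move it out from under that comment or give it its own, e.g. `# TODO(review): name the mount helper that executes a shell`. The third mount.te hunk has the same gap: `fs_list_auto_mountpoints` is replaced by the much wider `fs_list_all`, justified only by `# wants to list usbfs_t`; if a usbfs-scoped list interface exists it would be the narrower choice, and if not the comment should say the wider grant is deliberate. The first mount.te hunk's `allow mount_t self:fifo_file rw_fifo_file_perms;` is likewise uncommented.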
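Review bot: The three `ubac_*_exempt(unconfined_t)` lines presumably exempt unconfined_t from the process, file and fd user-based access control constraints, but carry no comment and are not mentioned in the description. A one-line comment such as `# unconfined_t is exempt from UBAC constraints` above them would make the intent explicit for anyone later auditing why UBAC does not apply to this domain. The enclosing unconfined.te policy continues outside the hunk.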
> @@ -42,6 +46,7 @@ logging_run_auditctl(unconfined_t, unconfined_r)
> 
> mount_run_unconfined(unconfined_t, unconfined_r)
> 
> +seutil_run_runinit(unconfined_t, unconfined_r)
> seutil_run_setfiles(unconfined_t, unconfined_r)
> seutil_run_semanage(unconfined_t, unconfined_r)
> 
> @@ -192,6 +197,8 @@ optional_policy(`
> 
> optional_policy(`
> usermanage_run_admin_passwd(unconfined_t, unconfined_r)
> + usermanage_run_groupadd(unconfined_t, unconfined_r)
> + usermanage_run_useradd(unconfined_t, unconfined_r)
> ')
> 
> optional_policy(`
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 2aa8928..5cb411a 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -3112,6 +3112,24 @@ interface(`userdom_create_all_users_keys',`
> 
> ########################################
> ##
> +## Write and link keys for all user domains.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_write_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key { search write link };
> +')
> +
> +########################################
> +##
> ## Send a dbus message to all user domains.
> ##
> ##
> --
> 1.7.2.3
> -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101004/27150995/attachment-0001.bin