From: domg472@gmail.com (Dominick Grift)
Date: Mon, 4 Oct 2010 20:28:53 +0200
Subject: [refpolicy] [patch 1/1] Trying to make it work on fedora
	minimal install.
In-Reply-To: <1286216569-28164-3-git-send-email-domg472@gmail.com>
References: <1286216569-28164-2-git-send-email-domg472@gmail.com>
	<1286216569-28164-3-git-send-email-domg472@gmail.com>
Message-ID: <20101004182851.GC28085@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Oct 04, 2010 at 08:22:06PM +0200, Dominick Grift wrote:

Please ignore this message. (this was still sitting in my tmp)

> 
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 2b12a37... aa9f935... M	policy/modules/admin/consoletype.te
> :100644 100644 39e901a... 0bfab9b... M	policy/modules/services/dbus.if
> :100644 100644 b354128... 052f0a6... M	policy/modules/services/dbus.te
> :100644 100644 b3ace16... 58a4736... M	policy/modules/services/modemmanager.te
> :100644 100644 0619395... 2f9a857... M	policy/modules/services/networkmanager.te
> :100644 100644 c61adc8... b4a1419... M	policy/modules/services/ntp.te
> :100644 100644 2dad3c8... a20543a... M	policy/modules/services/ssh.te
> :100644 100644 54d122b... 25bfbd4... M	policy/modules/system/authlogin.te
> :100644 100644 fca6947... 5f5f331... M	policy/modules/system/mount.te
> :100644 100644 dfbe736... eac173f... M	policy/modules/system/sysnetwork.te
> :100644 100644 f976344... fbf02ec... M	policy/modules/system/unconfined.te
> :100644 100644 2aa8928... 5cb411a... M	policy/modules/system/userdomain.if
>  policy/modules/admin/consoletype.te       |    4 ++++
>  policy/modules/services/dbus.if           |   18 ++++++++++++++++++
>  policy/modules/services/dbus.te           |    9 +++++----
>  policy/modules/services/modemmanager.te   |    2 +-
>  policy/modules/services/networkmanager.te |    1 +
>  policy/modules/services/ntp.te            |    1 +
>  policy/modules/services/ssh.te            |    4 ++++
>  policy/modules/system/authlogin.te        |    1 +
>  policy/modules/system/mount.te            |   11 ++++++++++-
>  policy/modules/system/sysnetwork.te       |    4 ++++
>  policy/modules/system/unconfined.te       |    7 +++++++
>  policy/modules/system/userdomain.if       |   18 ++++++++++++++++++
>  12 files changed, 74 insertions(+), 6 deletions(-)
> 
> diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
> index 2b12a37..aa9f935 100644
> --- a/policy/modules/admin/consoletype.te
> +++ b/policy/modules/admin/consoletype.te
> @@ -75,6 +75,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dbus_use_fd(consoletype_t)
> +')
> +
> +optional_policy(`
>  	files_read_etc_files(consoletype_t)
>  	firstboot_use_fds(consoletype_t)
>  	firstboot_rw_pipes(consoletype_t)
> diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
> index 39e901a..0bfab9b 100644
> --- a/policy/modules/services/dbus.if
> +++ b/policy/modules/services/dbus.if
> @@ -479,3 +479,21 @@ interface(`dbus_unconfined',`
>  
>  	typeattribute $1 dbusd_unconfined;
>  ')
> +
> +########################################
> +## <summary>
> +##	Use and inherit system DBUS file descriptors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dbus_use_fd',`
> +	gen_require(`
> +		type system_dbusd_t;
> +	')
> +
> +	allow $1 system_dbusd_t:fd use;
> +')
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index b354128..052f0a6 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -108,10 +108,6 @@ term_dontaudit_use_console(system_dbusd_t)
>  auth_use_nsswitch(system_dbusd_t)
>  auth_read_pam_console_data(system_dbusd_t)
>  
> -corecmd_list_bin(system_dbusd_t)
> -corecmd_read_bin_pipes(system_dbusd_t)
> -corecmd_read_bin_sockets(system_dbusd_t)
> -
>  domain_use_interactive_fds(system_dbusd_t)
>  domain_read_all_domains_state(system_dbusd_t)
>  
> @@ -141,6 +137,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	# should this be dbus_system_domain instead?
> +	networkmanager_initrc_domtrans(system_dbusd_t)
> +')
> +
> +optional_policy(`
>  	policykit_dbus_chat(system_dbusd_t)
>  	policykit_domtrans_auth(system_dbusd_t)
>  	policykit_search_lib(system_dbusd_t)
> diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
> index b3ace16..58a4736 100644
> --- a/policy/modules/services/modemmanager.te
> +++ b/policy/modules/services/modemmanager.te
> @@ -16,7 +16,7 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
>  # ModemManager local policy
>  #
>  
> -allow modemmanager_t self:process signal;
> +allow modemmanager_t self:process { getsched setsched signal };
>  allow modemmanager_t self:fifo_file rw_file_perms;
>  allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
>  allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
> diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
> index 0619395..2f9a857 100644
> --- a/policy/modules/services/networkmanager.te
> +++ b/policy/modules/services/networkmanager.te
> @@ -141,6 +141,7 @@ sysnet_domtrans_ifconfig(NetworkManager_t)
>  sysnet_domtrans_dhcpc(NetworkManager_t)
>  sysnet_signal_dhcpc(NetworkManager_t)
>  sysnet_read_dhcpc_pid(NetworkManager_t)
> +sysnet_read_dhcpc_state(NetworkManager_t)
>  sysnet_delete_dhcpc_pid(NetworkManager_t)
>  sysnet_search_dhcp_state(NetworkManager_t)
>  # in /etc created by NetworkManager will be labelled net_conf_t.
> diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
> index c61adc8..b4a1419 100644
> --- a/policy/modules/services/ntp.te
> +++ b/policy/modules/services/ntp.te
> @@ -74,6 +74,7 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
>  files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
>  
>  kernel_read_kernel_sysctls(ntpd_t)
> +kernel_read_crypto_sysctls(ntpd_t)
>  kernel_read_system_state(ntpd_t)
>  kernel_read_network_state(ntpd_t)
>  kernel_request_load_module(ntpd_t)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 2dad3c8..a20543a 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>  manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>  files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>  
> +kernel_read_crypto_sysctls(sshd_t)
> +kernel_request_load_module(sshd_t)
>  kernel_search_key(sshd_t)
>  kernel_link_key(sshd_t)
>  
> @@ -249,6 +251,8 @@ term_relabelto_all_ptys(sshd_t)
>  corenet_tcp_bind_xserver_port(sshd_t)
>  corenet_sendrecv_xserver_server_packets(sshd_t)
>  
> +userdom_write_all_users_keys(sshd_t)
> +
>  tunable_policy(`ssh_sysadm_login',`
>  	# Relabel and access ptys created by sshd
>  	# ioctl is necessary for logout() processing for utmp entry and for w to
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 54d122b..25bfbd4 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -90,6 +90,7 @@ files_list_etc(chkpwd_t)
>  
>  # is_selinux_enabled
>  kernel_read_system_state(chkpwd_t)
> +kernel_read_crypto_sysctls(chkpwd_t)
>  
>  domain_dontaudit_use_interactive_fds(chkpwd_t)
>  
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index fca6947..5f5f331 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -36,6 +36,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
>  
>  # setuid/setgid needed to mount cifs 
>  allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
> +allow mount_t self:fifo_file rw_fifo_file_perms;
>  
>  allow mount_t mount_loopback_t:file read_file_perms;
>  
> @@ -48,13 +49,16 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>  
>  kernel_read_system_state(mount_t)
>  kernel_read_kernel_sysctls(mount_t)
> +kernel_setsched(mount_t)
>  kernel_dontaudit_getattr_core_if(mount_t)
>  
>  # required for mount.smbfs
>  corecmd_exec_bin(mount_t)
> +corecmd_exec_shell(mount_t)
>  
>  dev_getattr_all_blk_files(mount_t)
>  dev_list_all_dev_nodes(mount_t)
> +dev_read_sysfs(mount_t)
>  dev_rw_lvm_control(mount_t)
>  dev_dontaudit_getattr_all_chr_files(mount_t)
>  dev_dontaudit_getattr_memory_dev(mount_t)
> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
>  fs_unmount_all_fs(mount_t)
>  fs_remount_all_fs(mount_t)
>  fs_relabelfrom_all_fs(mount_t)
> -fs_list_auto_mountpoints(mount_t)
> +# wants to list usbfs_t
> +fs_list_all(mount_t)
>  fs_rw_tmpfs_chr_files(mount_t)
>  fs_read_tmpfs_symlinks(mount_t)
>  
> @@ -180,6 +185,10 @@ optional_policy(`
>  	')
>  ')
>  
> +optional_policy(`
> +	dbus_use_fd(mount_t)
> +')
> +
>  # for kernel package installation
>  optional_policy(`
>  	rpm_rw_pipes(mount_t)
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index dfbe736..eac173f 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
>  ')
>  
>  optional_policy(`
> +	dbus_use_fd(ifconfig_t)
> +')
> +
> +optional_policy(`
>  	hal_dontaudit_rw_pipes(ifconfig_t)
>  	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
>  ')
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index f976344..fbf02ec 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
>  mcs_killall(unconfined_t)
>  mcs_ptrace_all(unconfined_t)
>  
> +ubac_process_exempt(unconfined_t)
> +ubac_file_exempt(unconfined_t)
> +ubac_fd_exempt(unconfined_t)
> +
>  init_run_daemon(unconfined_t, unconfined_r)
>  
>  libs_run_ldconfig(unconfined_t, unconfined_r)
> @@ -42,6 +46,7 @@ logging_run_auditctl(unconfined_t, unconfined_r)
>  
>  mount_run_unconfined(unconfined_t, unconfined_r)
>  
> +seutil_run_runinit(unconfined_t, unconfined_r)
>  seutil_run_setfiles(unconfined_t, unconfined_r)
>  seutil_run_semanage(unconfined_t, unconfined_r)
>  
> @@ -192,6 +197,8 @@ optional_policy(`
>  
>  optional_policy(`
>  	usermanage_run_admin_passwd(unconfined_t, unconfined_r)
> +	usermanage_run_groupadd(unconfined_t, unconfined_r)
> +	usermanage_run_useradd(unconfined_t, unconfined_r)
>  ')
>  
>  optional_policy(`
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 2aa8928..5cb411a 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -3112,6 +3112,24 @@ interface(`userdom_create_all_users_keys',`
>  
>  ########################################
>  ## <summary>
> +##	Write and link keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_write_all_users_keys',`
> +	gen_require(`
> +		attribute userdomain;
> +	')
> +
> +	allow $1 userdomain:key { search write link };
> +')
> +
> +########################################
> +## <summary>
>  ##	Send a dbus message to all user domains.
>  ## </summary>
>  ## <param name="domain">
> -- 
> 1.7.2.3
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101004/27150995/attachment-0001.bin