From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 20 Jan 2011 08:18:31 -0500 Subject: [refpolicy] RFC: patch to update git reference policy In-Reply-To: <1295397630.3377.10.camel@tesla.lan> References: <1295397630.3377.10.camel@tesla.lan> Message-ID: <4D383627.60804@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 01/18/11 19:40, Guido Trentalancia wrote: > Hello, > > I have created a set of two patches to update the git reference policy > to run on a generic modern Linux system. > > Most changes are relative to the dbus system (send_msg capability). Some > interfaces and a few file contexts have also been added for convenience. > In particular /sbin/upstart is now labelled correctly (many > distributions nowadays link /sbin/init to /sbin/upstart to leave some > choice, so it is necessary to label the latter appropriately). > > Please send your comments and feel free to test intensively. Thanks. There are too many changes in this patch and the other. Can you resubmit, breaking each logically separate change into a different patch? > diff -pruN refpolicy-git-18012011/policy/modules/services/dbus.fc refpolicy-git-18012011-new/policy/modules/services/dbus.fc > --- refpolicy-git-18012011/policy/modules/services/dbus.fc 2011-01-08 19:07:21.238740722 +0100 > +++ refpolicy-git-18012011-new/policy/modules/services/dbus.fc 2011-01-17 20:53:01.132703217 +0100 
> @@ -1,11 +1,24 @@ > /etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) > > /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/bin/dbus-cleanup-sockets -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/bin/dbus-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/bin/dbus-monitor -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/bin/dbus-send -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/bin/dbus-uuidgen -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/bin/dbus-binding-tool -- gen_context(system_u:object_r:dbusd_exec_t,s0) > > /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) > /lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) > > /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/usr/bin/dbus-cleanup-sockets -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/usr/bin/dbus-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/usr/bin/dbus-monitor -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/usr/bin/dbus-send -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/usr/bin/dbus-uuidgen -- gen_context(system_u:object_r:dbusd_exec_t,s0) > +/usr/bin/dbus-binding-tool -- gen_context(system_u:object_r:dbusd_exec_t,s0) > + > /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) > > /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) > diff -pruN refpolicy-git-18012011/policy/modules/system/init.fc refpolicy-git-18012011-new/policy/modules/system/init.fc > --- refpolicy-git-18012011/policy/modules/system/init.fc 2011-01-08 19:07:21.350758412 +0100 > +++ refpolicy-git-18012011-new/policy/modules/system/init.fc 2011-01-17 20:35:02.785918606 +0100 
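Review bot: The added `/bin/dbus-*` and `/usr/bin/dbus-*` entries label client utilities (`dbus-send`, `dbus-monitor`, `dbus-launch`, `dbus-uuidgen`, `dbus-binding-tool`, `dbus-cleanup-sockets`) with `dbusd_exec_t`, the same type the daemon binary `dbus-daemon` carries. Any domain that has a transition rule on `dbusd_exec_t` (not shown in this patch) would then run these tools in the bus daemon's domain, and the `files_exec_bin_files`/`files_exec_usr_files` grants added to dbus.te further down look like a consequence of that. Unless a tool really must run with the daemon's privileges, drop these lines so the tools keep the generic bin label and `dbusd_exec_t` stays limited to `dbus-daemon` and `dbus-daemon-launch-helper`.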
> @@ -34,6 +34,8 @@ ifdef(`distro_gentoo', ` > # /sbin > # > /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) > +# because nowadays, /sbin/init is often a symlink to /sbin/upstart > +/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) > > ifdef(`distro_gentoo', ` > /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) > diff -pruN -x .git refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te > --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100 > @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t) > > auth_dontaudit_read_shadow(readahead_t) > > +init_read_fifo_file(readahead_t) > init_use_fds(readahead_t) > init_use_script_ptys(readahead_t) > init_getattr_initctl(readahead_t) > diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/corecommands.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if > --- refpolicy-git-18012011/policy/modules/kernel/corecommands.if 2011-01-08 19:07:21.197734248 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if 2011-01-18 23:13:49.755846822 +0100 
> @@ -808,6 +808,27 @@ interface(`corecmd_check_exec_shell',` > > ######################################## > ## > +## Allow mmap_file_perms on a shell > +## executable. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corecmd_mmap_file_exec_shell',` > + gen_require(` > + type bin_t, shell_exec_t; > + ') > + > + list_dirs_pattern($1, bin_t, bin_t) > + read_lnk_files_pattern($1, bin_t, bin_t) > + allow $1 shell_exec_t:file mmap_file_perms; > +') > + > +######################################## > +## > ## Execute shells in the caller domain. > ## > ## > diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if > --- refpolicy-git-18012011/policy/modules/kernel/files.if 2011-01-08 19:07:21.203735196 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if 2011-01-18 23:13:49.759847386 +0100 > @@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',` > > ######################################## > ## > +## Set the attributes of the /bin directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_setattr_bin_dirs',` > + gen_require(` > + type bin_t; > + ') > + > + allow $1 bin_t:dir setattr; > +') > + > +######################################## > +## > +## Search the content of /bin. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_search_bin',` > + gen_require(` > + type bin_t; > + ') > + > + allow $1 bin_t:dir search_dir_perms; > +') > + > +######################################## > +## > +## Get the attributes of files in /bin. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_getattr_bin_files',` > + gen_require(` > + type bin_t; > + ') > + > + getattr_files_pattern($1, bin_t, bin_t) > +') > + > +######################################## > +## > +## Read generic files in /bin. > +## > +## > +##

> +## Allow the specified domain to read generic > +## files in /bin. These files are various program > +## files that do not have more specific SELinux types. > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`files_read_bin_files',` > + gen_require(` > + type bin_t; > + ') > + > + allow $1 bin_t:dir list_dir_perms; > + read_files_pattern($1, bin_t, bin_t) > + read_lnk_files_pattern($1, bin_t, bin_t) > +') > + > +######################################## > +## > +## Execute generic programs in /bin in the caller domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_exec_bin_files',` > + gen_require(` > + type bin_t; > + ') > + > + allow $1 bin_t:dir list_dir_perms; > + exec_files_pattern($1, bin_t, bin_t) > + read_lnk_files_pattern($1, bin_t, bin_t) > +') > + > +######################################## > +## > +## Read symbolic links in /bin. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_read_bin_symlinks',` > + gen_require(` > + type bin_t; > + ') > + > + read_lnk_files_pattern($1, bin_t, bin_t) > +') > + > +######################################## > +## > ## Set the attributes of the /usr directory. > ## > ## > @@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',` > > ######################################## > ## > -## Search the content of /etc. > +## Search the content of /usr. > ## > ## > ## > @@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',` > ') > > ######################################## > +## > +## Get the attributes of the /var/log directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_getattr_var_log_dirs',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + getattr_dirs_pattern($1, var_t, var_log_t) > +') > + > +######################################## > +## > +## Search the /var/log directory. > +## > +## > +##
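Review bot: The new `files_*_bin_*` interfaces in this hunk require `bin_t` from the files module, although the corecommands.if hunk above and the `corecmd_exec_bin(devicekit_power_t)` context line in devicekit.te suggest that type belongs to corecommands; the `files_*_var_log_*` block in the later `@@ -5070` hunk does the same with `var_log_t`. A second set of interfaces over another module's type makes it harder to audit which domains can execute or write those objects, so the callers should use the owning module's interfaces (`corecmd_exec_bin` is already used on this page; check logging.if for the `/var/log` equivalents). `files_var_log_append` also departs from the verb-first naming of its neighbours; `files_append_var_log_files` would match them.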

> +## Search the /var/log directory. This is > +## necessary to access files or directories under > +## /var/log that have a private type. For example, a > +## domain accessing a private log file in the > +## /var/log directory: > +##

> +##

> +## allow mydomain_t mylogfile_t:file read_file_perms; > +## files_search_var_log(mydomain_t) > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`files_search_var_log',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + search_dirs_pattern($1, var_t, var_log_t) > +') > + > +######################################## > +## > +## Do not audit attempts to search the > +## contents of /var/log. > +## > +## > +## > +## Domain to not audit. > +## > +## > +## > +# > +interface(`files_dontaudit_search_var_log',` > + gen_require(` > + type var_log_t; > + ') > + > + dontaudit $1 var_log_t:dir search_dir_perms; > +') > + > +######################################## > +## > +## List the contents of the /var/log directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_list_var_log',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + list_dirs_pattern($1, var_t, var_log_t) > +') > + > +########################################### > +## > +## Read-write /var/log directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_rw_var_log_dirs',` > + gen_require(` > + type var_log_t; > + ') > + > + rw_dirs_pattern($1, var_log_t, var_log_t) > +') > + > +########################################### > +## > +## Append to files in the /var/log directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_var_log_append',` > + gen_require(` > + type var_log_t; > + ') > + > + append_files_pattern($1, var_log_t, var_log_t) > +') > + > +######################################## > +## > +## Create objects in the /var/log directory > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The type of the object to be created > +## > +## > +## > +## > +## The object class. 
> +## > +## > +# > +interface(`files_var_log_filetrans',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + allow $1 var_t:dir search_dir_perms; > + filetrans_pattern($1, var_log_t, $2, $3) > +') > + > +######################################## > +## > +## Read generic files in /var/log. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_read_var_log_files',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + allow $1 var_log_t:dir list_dir_perms; > + read_files_pattern($1, { var_t var_log_t }, var_log_t) > +') > + > +######################################## > +## > +## Read generic symbolic links in /var/log > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_read_var_log_symlinks',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t) > +') > + > +######################################## > ## > ## Search the locks directory (/var/lock). > ## > diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if > --- refpolicy-git-18012011/policy/modules/kernel/kernel.if 2011-01-17 19:36:10.808130722 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if 2011-01-18 23:13:49.763847950 +0100 > @@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro > > ######################################## > ## > +## Allows to search the base > +## directory of sysctls. > +## > +## > +## > +## Domain to not audit. > +## > +## > +## > +# > +interface(`kernel_search_sysctl',` > + gen_require(` > + type sysctl_t; > + ') > + > + allow $1 sysctl_t:dir search; > +') > + > +######################################## > +## > ## Do not audit attempts by caller to search > ## the base directory of sysctls. > ## 
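Review bot: The parameter description of `kernel_search_sysctl` reads `Domain to not audit.`, but the body is an `allow` rule, so the text was apparently copied from the dontaudit interface that follows it; it should read `Domain allowed access.`. The summary `Allows to search the base directory of sysctls.` would be clearer as `Search the base directory of sysctls.`. The rule also uses the bare permission `search` where the other interfaces added by this patch use the permission set, e.g. `allow $1 sysctl_t:dir search_dir_perms;`.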
> @@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',` > ') > > ######################################## > +## > +## Allow caller to search filesystem sysctls. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`kernel_search_fs_sysctl',` > + gen_require(` > + type proc_t, sysctl_t, sysctl_fs_t; > + ') > + > + search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) > +') > + > +######################################## > ## > ## Read filesystem sysctls. > ## > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.if refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if > --- refpolicy-git-18012011/policy/modules/services/avahi.if 2011-01-08 19:07:21.224738512 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if 2011-01-18 23:38:58.297498219 +0100 > @@ -75,6 +75,25 @@ interface(`avahi_signull',` > > ######################################## > ## > +## Send a dbus message to avahi. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`avahi_dbus_send',` > + gen_require(` > + type avahi_t; > + class dbus send_msg; > + ') > + > + allow $1 avahi_t:dbus send_msg; > +') > + > +######################################## > +## > ## Send and receive messages from > ## avahi over dbus. > ## > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.te refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te > --- refpolicy-git-18012011/policy/modules/services/avahi.te 2011-01-08 19:07:21.224738512 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te 2011-01-19 01:20:50.132124585 +0100 
> @@ -104,9 +104,17 @@ optional_policy(` > ') > > optional_policy(` > + ntp_dbus_send(avahi_t) > +') > + > +optional_policy(` > seutil_sigchld_newrole(avahi_t) > ') > > optional_policy(` > udev_read_db(avahi_t) > ') > + > +optional_policy(` > + xserver_xdm_dbus_send(avahi_t) > +') > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/consolekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if > --- refpolicy-git-18012011/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if 2011-01-18 23:13:49.767848514 +0100 > @@ -20,6 +20,26 @@ interface(`consolekit_domtrans',` > > ######################################## > ## > +## Send a dbus message to > +## consolekit. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`consolekit_dbus_send',` > + gen_require(` > + type consolekit_t; > + class dbus send_msg; > + ') > + > + allow $1 consolekit_t:dbus send_msg; > +') > + > +######################################## > +## > ## Send and receive messages from > ## consolekit over dbus. > ## > @@ -93,5 +113,6 @@ interface(`consolekit_read_pid_files',` > ') > > files_search_pids($1) > + allow $1 consolekit_var_run_t:dir list_dir_perms; > read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) > ') > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/dbus.te refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te > --- refpolicy-git-18012011/policy/modules/services/dbus.te 2011-01-08 19:07:21.238740722 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te 2011-01-18 23:13:49.790851763 +0100 
> @@ -52,7 +52,7 @@ ifdef(`enable_mls',` > > # dac_override: /var/run/dbus is owned by messagebus on Debian > # cjp: dac_override should probably go in a distro_debian > -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; > +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace }; > dontaudit system_dbusd_t self:capability sys_tty_config; > allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; > allow system_dbusd_t self:fifo_file rw_fifo_file_perms; > @@ -115,9 +115,14 @@ corecmd_read_bin_sockets(system_dbusd_t) > domain_use_interactive_fds(system_dbusd_t) > domain_read_all_domains_state(system_dbusd_t) > > +files_search_default(system_dbusd_t) > +files_read_default_files(system_dbusd_t) > files_read_etc_files(system_dbusd_t) > files_list_home(system_dbusd_t) > -files_read_usr_files(system_dbusd_t) > +files_exec_bin_files(system_dbusd_t) > +files_exec_usr_files(system_dbusd_t) > +files_read_var_lib_files(system_dbusd_t) > +files_var_log_append(system_dbusd_t) > > init_use_fds(system_dbusd_t) > init_use_script_ptys(system_dbusd_t) > @@ -141,6 +146,24 @@ optional_policy(` > ') > > optional_policy(` > + consolekit_read_pid_files(system_dbusd_t) > + consolekit_dbus_send(system_dbusd_t) > +') > + > +optional_policy(` > + devicekit_dbus_send_disk(system_dbusd_t) > + devicekit_dbus_send_power(system_dbusd_t) > +') > + > +optional_policy(` > + networkmanager_dbus_send(system_dbusd_t) > +') > + > +optional_policy(` > + ntp_dbus_chat(system_dbusd_t) > +') > + > +optional_policy(` > policykit_dbus_chat(system_dbusd_t) > policykit_domtrans_auth(system_dbusd_t) > policykit_search_lib(system_dbusd_t) 
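Review bot: `sys_ptrace` is added to the `allow system_dbusd_t self:capability` line with no comment saying which operation needs it, unlike the `dac_override` note directly above. This capability lets the bus daemon bypass ptrace access checks, which is a large grant for a process that every bus client talks to. If the denial comes from the `/proc` reads that `domain_read_all_domains_state(system_dbusd_t)` already permits (an assumption, the AVC is not shown), `dontaudit system_dbusd_t self:capability sys_ptrace;` would be the narrower change; otherwise add a comment naming the code path that requires it.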
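Review bot: In the `@@ -115,9` hunk, `files_read_usr_files(system_dbusd_t)` is replaced by `files_exec_bin_files` and `files_exec_usr_files`, which by their own summaries execute generic programs "in the caller domain", i.e. inside `system_dbusd_t` with no transition. That lets anything the daemon can be made to launch inherit the bus daemon's privileges; a domain transition for the specific helpers would keep the daemon's domain small. `files_search_default` and `files_read_default_files` presumably cover files that have no specific label, which usually points at a missing file context rather than a needed permission; please confirm which paths triggered them.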
> @@ -154,6 +177,10 @@ optional_policy(` > udev_read_db(system_dbusd_t) > ') > > +optional_policy(` > + xserver_xdm_dbus_chat(system_dbusd_t) > +') > + > ######################################## > # > # Unconfined access to this module > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if > --- refpolicy-git-18012011/policy/modules/services/devicekit.if 2011-01-08 19:07:21.240741038 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if 2011-01-18 23:13:49.791851900 +0100 > @@ -39,6 +39,25 @@ interface(`devicekit_dgram_send',` > > ######################################## > ## > +## Send a dbus message to devicekit. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`devicekit_dbus_send',` > + gen_require(` > + type devicekit_t; > + class dbus send_msg; > + ') > + > + allow $1 devicekit_t:dbus send_msg; > +') > + > +######################################## > +## > ## Send and receive messages from > ## devicekit over dbus. > ## > @@ -60,6 +79,25 @@ interface(`devicekit_dbus_chat',` > > ######################################## > ## > +## Send a dbus message to devicekit disk. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`devicekit_dbus_send_disk',` > + gen_require(` > + type devicekit_disk_t; > + class dbus send_msg; > + ') > + > + allow $1 devicekit_disk_t:dbus send_msg; > +') > + > +######################################## > +## > ## Send and receive messages from > ## devicekit disk over dbus. > ## 
> @@ -99,6 +137,25 @@ interface(`devicekit_signal_power',` > > ######################################## > ## > +## Send a dbus message to devicekit power. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`devicekit_dbus_send_power',` > + gen_require(` > + type devicekit_power_t; > + class dbus send_msg; > + ') > + > + allow $1 devicekit_power_t:dbus send_msg; > +') > + > +######################################## > +## > ## Send and receive messages from > ## devicekit power over dbus. > ## > @@ -183,3 +240,22 @@ interface(`devicekit_admin',` > admin_pattern($1, devicekit_var_run_t) > files_search_pids($1) > ') > + > +######################################## > +## > +## DeviceKit power getattr on APM > +## bios character device node files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`devicekit_getattr_apm_bios_files_power',` > + gen_require(` > + type apm_bios_t; > + ') > + > + getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t) > +') > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.te refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te > --- refpolicy-git-18012011/policy/modules/services/devicekit.te 2011-01-08 19:07:21.241741196 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te 2011-01-18 23:13:49.792852039 +0100 > @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t) > dev_read_urand(devicekit_t) > > files_read_etc_files(devicekit_t) > +files_read_etc_runtime_files(devicekit_t) > > miscfiles_read_localization(devicekit_t) > > @@ -178,6 +179,10 @@ optional_policy(` > virt_manage_images(devicekit_disk_t) > ') > > +optional_policy(` > + xserver_xdm_dbus_send(devicekit_disk_t) > +') > + > ######################################## > # > # DeviceKit-Power local policy 
> @@ -193,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d > manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) > files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) > > +kernel_search_fs_sysctl(devicekit_power_t) > +kernel_rw_vm_sysctls(devicekit_power_t) > kernel_read_network_state(devicekit_power_t) > kernel_read_system_state(devicekit_power_t) > kernel_rw_hotplug_sysctls(devicekit_power_t) > kernel_rw_kernel_sysctl(devicekit_power_t) > kernel_search_debugfs(devicekit_power_t) > kernel_write_proc_files(devicekit_power_t) > +kernel_setsched(devicekit_power_t) > > corecmd_exec_bin(devicekit_power_t) > corecmd_exec_shell(devicekit_power_t) > @@ -215,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t) > > files_read_kernel_img(devicekit_power_t) > files_read_etc_files(devicekit_power_t) > +files_rw_etc_runtime_files(devicekit_power_t) > files_read_usr_files(devicekit_power_t) > > fs_list_inotifyfs(devicekit_power_t) > +fs_remount_xattr_fs(devicekit_power_t) > > term_use_all_terms(devicekit_power_t) > > @@ -230,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power > > userdom_read_all_users_state(devicekit_power_t) > > +devicekit_getattr_apm_bios_files_power(devicekit_power_t) > + > +mount_exec_getattr(devicekit_power_t) > +mount_exec(devicekit_power_t) > + > optional_policy(` > bootloader_domtrans(devicekit_power_t) > ') 
> @@ -276,9 +291,17 @@ optional_policy(` > ') > > optional_policy(` > + storage_raw_read_fixed_disk(devicekit_power_t) > +') > + > +optional_policy(` > udev_read_db(devicekit_power_t) > ') > > optional_policy(` > vbetool_domtrans(devicekit_power_t) > ') > + > +optional_policy(` > + xserver_xdm_dbus_send(devicekit_power_t) > +') > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/hal.te refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te > --- refpolicy-git-18012011/policy/modules/services/hal.te 2011-01-08 19:07:21.252742934 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te 2011-01-18 23:13:49.794852319 +0100 > @@ -338,6 +338,10 @@ optional_policy(` > virt_manage_images(hald_t) > ') > > +optional_policy(` > + xserver_xdm_dbus_send(hald_t) > +') > + > ######################################## > # > # Hal acl local policy > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.if refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if > --- refpolicy-git-18012011/policy/modules/services/networkmanager.if 2011-01-08 19:07:21.269745618 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if 2011-01-18 23:13:49.795852460 +0100 
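Review bot: `storage_raw_read_fixed_disk(devicekit_power_t)` gives the power daemon raw read access to fixed disks, which sidesteps the per-file labels on everything stored there, and nothing in the hunk says why a power-management domain needs it. Together with `fs_remount_xattr_fs`, `mount_exec`, `files_rw_etc_runtime_files`, `kernel_rw_vm_sysctls` and `kernel_setsched` from the two earlier devicekit.te hunks, this widens `devicekit_power_t` well beyond the dbus changes the cover letter describes. Each of these calls should carry a short comment naming the operation it enables, e.g. `# <operation that needs raw disk reads>`, or be dropped if it is not strictly required.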
> @@ -116,6 +116,25 @@ interface(`networkmanager_initrc_domtran > > ######################################## > ## > +## Send a dbus message to NetworkManager. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`networkmanager_dbus_send',` > + gen_require(` > + type NetworkManager_t; > + class dbus send_msg; > + ') > + > + allow $1 NetworkManager_t:dbus send_msg; > +') > + > +######################################## > +## > ## Send and receive messages from > ## NetworkManager over dbus. > ## > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.te refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te > --- refpolicy-git-18012011/policy/modules/services/networkmanager.te 2011-01-08 19:07:21.269745618 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te 2011-01-18 23:13:49.796852601 +0100 > @@ -140,6 +140,7 @@ seutil_read_config(NetworkManager_t) > sysnet_domtrans_ifconfig(NetworkManager_t) > sysnet_domtrans_dhcpc(NetworkManager_t) > sysnet_signal_dhcpc(NetworkManager_t) > +sysnet_read_dhcpc_state(NetworkManager_t) > sysnet_read_dhcpc_pid(NetworkManager_t) > sysnet_delete_dhcpc_pid(NetworkManager_t) > sysnet_search_dhcp_state(NetworkManager_t) > @@ -265,6 +266,10 @@ optional_policy(` > vpn_signull(NetworkManager_t) > ') > > +optional_policy(` > + xserver_xdm_dbus_send(NetworkManager_t) > +') > + > ######################################## > # > # wpa_cli local policy > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.if refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if > --- refpolicy-git-18012011/policy/modules/services/ntp.if 2011-01-08 19:07:21.272746092 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if 2011-01-18 23:13:49.798852883 +0100 
> @@ -163,3 +163,62 @@ interface(`ntp_admin',` > files_list_pids($1) > admin_pattern($1, ntpd_var_run_t) > ') > + > +######################################## > +## > +## Send a dbus message to ntpd. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`ntp_dbus_send',` > + gen_require(` > + type ntpd_t; > + class dbus send_msg; > + ') > + > + allow $1 ntpd_t:dbus send_msg; > +') > + > +######################################## > +## > +## Send and receive messages from > +## ntpd over dbus. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`ntp_dbus_chat',` > + gen_require(` > + type ntpd_t; > + class dbus send_msg; > + ') > + > + allow $1 ntpd_t:dbus send_msg; > + allow ntpd_t $1:dbus send_msg; > +') > + > +######################################## > +## > +## Connect to dbus using a unix domain stream socket. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`ntp_dbus_stream_connect',` > + gen_require(` > + type system_dbusd_t, system_dbusd_var_run_t; > + ') > + > + files_search_pids($1) > + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) > +') > Binary files refpolicy-git-18012011/policy/modules/services/.ntp.if.swp and refpolicy-git-18012011-minimum-update/policy/modules/services/.ntp.if.swp differ > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.te refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te > --- refpolicy-git-18012011/policy/modules/services/ntp.te 2011-01-08 19:07:21.272746092 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te 2011-01-18 23:40:27.459838030 +0100 
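Review bot: `ntp_dbus_stream_connect` is defined in ntp.if but requires `system_dbusd_t` and `system_dbusd_var_run_t`, which are dbus module types, and nothing in its body refers to ntpd; its only visible caller is `ntp_dbus_stream_connect(ntpd_t)` in ntp.te. Access to the bus socket should come from the dbus module's own client interface (in refpolicy that is `dbus_system_bus_client`; confirm against dbus.if), so the rule stays defined in one place and is not granted under an ntp name. The patch also carries a `Binary files … .ntp.if.swp … differ` line, an editor swap file that should be excluded when the diff is regenerated.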
> @@ -125,11 +125,19 @@ userdom_dontaudit_use_unpriv_user_fds(nt > userdom_list_user_home_dirs(ntpd_t) > > optional_policy(` > + avahi_dbus_send(ntpd_t) > +') > + > +optional_policy(` > # for cron jobs > cron_system_entry(ntpd_t, ntpdate_exec_t) > ') > > optional_policy(` > + ntp_dbus_stream_connect(ntpd_t) > +') > + > +optional_policy(` > gpsd_rw_shm(ntpd_t) > ') > > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/plymouthd.te refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te > --- refpolicy-git-18012011/policy/modules/services/plymouthd.te 2011-01-08 19:07:21.280747356 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te 2011-01-18 23:13:49.800853165 +0100 > @@ -29,7 +29,7 @@ files_pid_file(plymouthd_var_run_t) > > allow plymouthd_t self:capability { sys_admin sys_tty_config }; > dontaudit plymouthd_t self:capability dac_override; > -allow plymouthd_t self:process signal; > +allow plymouthd_t self:process { signal getsched }; > allow plymouthd_t self:fifo_file rw_fifo_file_perms; > allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; > > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.if refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if > --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.if 2011-01-08 19:07:21.304751146 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if 2011-01-18 23:13:49.801853306 +0100 
> @@ -42,6 +42,26 @@ interface(`setroubleshoot_dontaudit_stre > > ######################################## > ## > +## Send a dbus message to > +## setroubleshoot. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`setroubleshoot_dbus_send',` > + gen_require(` > + type setroubleshootd_t; > + class dbus send_msg; > + ') > + > + allow $1 setroubleshootd_t:dbus send_msg; > +') > + > +######################################## > +## > ## Send and receive messages from > ## setroubleshoot over dbus. > ## > @@ -84,8 +104,28 @@ interface(`setroubleshoot_dontaudit_dbus > > ######################################## > ## > +## Send a dbus message to > +## setroubleshoot fixit. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`setroubleshoot_dbus_send_fixit',` > + gen_require(` > + type setroubleshoot_fixit_t; > + class dbus send_msg; > + ') > + > + allow $1 setroubleshoot_fixit_t:dbus send_msg; > +') > + > +######################################## > +## > ## Send and receive messages from > -## setroubleshoot over dbus. > +## setroubleshoot fixit over dbus. > ## > ## > ## > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.te refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te > --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.te 2011-01-08 19:07:21.305751304 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te 2011-01-18 23:13:49.802853447 +0100 
> @@ -125,12 +125,24 @@ optional_policy(` > ') > > optional_policy(` > + locate_read_lib_files(setroubleshootd_t) > +') > + > +optional_policy(` > + logging_dbus_send_dispatcher(setroubleshootd_t) > +') > + > +optional_policy(` > rpm_signull(setroubleshootd_t) > rpm_read_db(setroubleshootd_t) > rpm_dontaudit_manage_db(setroubleshootd_t) > rpm_use_script_fds(setroubleshootd_t) > ') > > +optional_policy(` > + xserver_xdm_dbus_send(setroubleshootd_t) > +') > + > ######################################## > # > # setroubleshoot_fixit local policy > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/smartmon.te refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te > --- refpolicy-git-18012011/policy/modules/services/smartmon.te 2011-01-08 19:07:21.326754622 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te 2011-01-18 23:13:49.803853588 +0100 > @@ -73,6 +73,8 @@ files_read_etc_runtime_files(fsdaemon_t) > # for config > files_read_etc_files(fsdaemon_t) > > +files_read_usr_files(fsdaemon_t) > + > fs_getattr_all_fs(fsdaemon_t) > fs_search_auto_mountpoints(fsdaemon_t) > > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.if refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if > --- refpolicy-git-18012011/policy/modules/services/xserver.if 2011-01-08 19:07:21.344757464 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if 2011-01-18 23:13:49.804853729 +0100 
> @@ -1250,3 +1250,43 @@ interface(`xserver_unconfined',` > typeattribute $1 x_domain; > typeattribute $1 xserver_unconfined_type; > ') > + > +######################################## > +## > +## Send a dbus message to xdm. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_xdm_dbus_send',` > + gen_require(` > + type xdm_t; > + class dbus send_msg; > + ') > + > + allow $1 xdm_t:dbus send_msg; > +') > + > +######################################## > +## > +## Send and receive messages from > +## xdm over dbus. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_xdm_dbus_chat',` > + gen_require(` > + type xdm_t; > + class dbus send_msg; > + ') > + > + allow $1 xdm_t:dbus send_msg; > + allow xdm_t $1:dbus send_msg; > +') > diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.te refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te > --- refpolicy-git-18012011/policy/modules/services/xserver.te 2011-01-08 19:07:21.344757464 +0100 > +++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te 2011-01-18 23:13:49.806854011 +0100 > @@ -508,6 +508,10 @@ optional_policy(` > ') > > optional_policy(` > + avahi_dbus_send(xdm_t) > +') > + > +optional_policy(` > consolekit_dbus_chat(xdm_t) > ') > > @@ -516,12 +520,21 @@ optional_policy(` > ') > > optional_policy(` > + devicekit_dbus_send_disk(xdm_t) > + devicekit_dbus_send_power(xdm_t) > +') > + > +optional_policy(` > # Talk to the console mouse server. > gpm_stream_connect(xdm_t) > gpm_setattr_gpmctl(xdm_t) > ') > > optional_policy(` > + hal_dbus_send(xdm_t) > +') > + > +optional_policy(` > hostname_exec(xdm_t) > ') 
>
> @@ -539,10 +552,18 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> resmgr_stream_connect(xdm_t)
> ')
>
> optional_policy(`
> + setroubleshoot_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(xdm_t)
> ')
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/authlogin.te refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te
> --- refpolicy-git-18012011/policy/modules/system/authlogin.te 2011-01-08 19:07:21.347757938 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te 2011-01-18 23:13:49.808854293 +0100
> @@ -91,6 +91,8 @@ files_list_etc(chkpwd_t)
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
>
> +kernel_search_sysctl(chkpwd_t)
> +
> domain_dontaudit_use_interactive_fds(chkpwd_t)
>
> dev_read_rand(chkpwd_t)
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-minimum-update/policy/modules/system/init.if
> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/init.if 2011-01-18 23:13:49.809854434 +0100
> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>
> ########################################
> ##
> +## Read init fifo file.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_read_fifo_file',`
> + gen_require(`
> + attribute init_t;
> + ')
> +
> + read_fifo_files_pattern($1, init_t, init_t)
> +')
> +
> +########################################
> +##
> ## Ptrace init
> ##
> ##
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if
> --- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if 2011-01-18 23:13:49.812854857 +0100
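Review bot: The `gen_require` block of `init_read_fifo_file` declares `attribute init_t;`, but the interface then uses `init_t` as a type in `read_fifo_files_pattern($1, init_t, init_t)`. As far as I know init.te declares `init_t` as a type, so the requirement would not resolve when the policy is built. The line should read `type init_t;`. The summary could also say which pipe the caller needs, since few domains should have a reason to read fifos owned by init.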
> @@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
>
> ########################################
> ##
> +## Send a dbus message to the audit
> +## dispatcher.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`logging_dbus_send_dispatcher',`
> + gen_require(`
> + type audisp_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 audisp_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> +## Send and receive messages from
> +## the audit dispatcher over dbus.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`logging_dbus_chat_dispatcher',`
> + gen_require(`
> + type audisp_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 audisp_t:dbus send_msg;
> + allow audisp_t $1:dbus send_msg;
> +')
> +
> +########################################
> +##
> ## Manage the auditd configuration files.
> ##
> ##
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te
> --- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te 2011-01-18 23:13:49.813854998 +0100
> @@ -223,6 +223,8 @@ allow audisp_t self:unix_dgram_socket cr
>
> allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
>
> +allow audisp_t proc_t:file read_file_perms;
> +
> manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
> files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
>
> @@ -246,6 +248,10 @@ optional_policy(`
> dbus_system_bus_client(audisp_t)
> ')
>
> +optional_policy(`
> + setroubleshoot_dbus_send(audisp_t)
> +')
> +
> ########################################
> #
> # Audit remote logger local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.if refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if
> --- refpolicy-git-18012011/policy/modules/system/mount.if 2011-01-08 19:07:21.358759676 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if 2011-01-18 23:13:49.814855139 +0100
> @@ -51,6 +51,25 @@ interface(`mount_run',`
>
> ########################################
> ##
> +## Get the attributes of mount
> +## executable files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mount_exec_getattr',`
> + gen_require(`
> + type mount_exec_t;
> + ')
> +
> + allow $1 mount_exec_t:file getattr;
> +')
> +
> +########################################
> +##
> ## Execute mount in the caller domain.
> ##
> ##
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.te refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te
> --- refpolicy-git-18012011/policy/modules/system/mount.te 2011-01-17 19:36:10.814131755 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te 2011-01-19 01:01:20.531005215 +0100
> @@ -51,12 +51,17 @@ kernel_read_kernel_sysctls(mount_t)
> kernel_dontaudit_getattr_core_if(mount_t)
> kernel_dontaudit_write_debugfs_dirs(mount_t)
> kernel_dontaudit_write_proc_dirs(mount_t)
> +kernel_setsched(mount_t)
> # To load binfmt_misc kernel module
> kernel_request_load_module(mount_t)
>
> # required for mount.smbfs
> corecmd_exec_bin(mount_t)
>
> +# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
> +# from initscripts
> +corecmd_mmap_file_exec_shell(mount_t)
> +
> dev_getattr_all_blk_files(mount_t)
> dev_list_all_dev_nodes(mount_t)
> dev_read_sysfs(mount_t)
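Review bot: In the logging.te hunk at `@@ -223,6 +223,8`, the added rule `allow audisp_t proc_t:file read_file_perms;` names `proc_t` directly, a type that logging.te neither declares nor requires in the visible lines. Access to another module's types normally goes through that module's interface, here `kernel_read_system_state(audisp_t)`, the call the authlogin.te context in this patch already shows for `chkpwd_t`. That interface grants somewhat more than file read, so a short comment naming the /proc file the dispatcher actually opens would let a reviewer judge whether the grant is needed at all.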
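Review bot: `kernel_setsched(mount_t)` in the mount.te hunk at `@@ -51,12 +51,17` is added with no comment, while the neighbouring lines each state what they are for. `mount_t` can already write raw fixed and removable disks (see the context of the following hunk), so a further permission that presumably lets it change scheduling of kernel threads should carry its reason. Put a line such as `# needed by <mount helper or filesystem> to set scheduling parameters` above it, with the placeholder filled in from the observed denial, or drop the rule if it came only from a permissive-mode log.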
> @@ -108,6 +113,8 @@ storage_raw_read_fixed_disk(mount_t)
> storage_raw_write_fixed_disk(mount_t)
> storage_raw_read_removable_device(mount_t)
> storage_raw_write_removable_device(mount_t)
> +# needed for example by ntfs-3g
> +storage_rw_fuse(mount_t)
>
> term_use_all_terms(mount_t)
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.if refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if
> --- refpolicy-git-18012011/policy/modules/system/sysnetwork.if 2011-01-08 19:07:21.362760308 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if 2011-01-18 23:13:49.817855562 +0100
> @@ -215,6 +215,24 @@ interface(`sysnet_rw_dhcp_config',`
>
> ########################################
> ##
> +## Search dhcp client state directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`sysnet_search_dhcpc_state',`
> + gen_require(`
> + type dhcpc_state_t;
> + ')
> +
> + search_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
> +')
> +
> +########################################
> +##
> ## Read dhcp client state files.
> ##
> ##
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.te refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te
> --- refpolicy-git-18012011/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te 2011-01-18 23:13:49.818855703 +0100
> @@ -325,6 +325,7 @@ ifdef(`hide_broken_symptoms',`
> ')
>
> optional_policy(`
> + hal_read_pid_files(ifconfig_t)
> hal_dontaudit_rw_pipes(ifconfig_t)
> hal_dontaudit_rw_dgram_sockets(ifconfig_t)
> ')
> > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com