From: domg472@gmail.com (Dominick Grift)
Date: Mon, 24 Jan 2011 15:18:50 +0100
Subject: [refpolicy] [PATCH/RFC 5/19]: patch set to update the git
reference policy
In-Reply-To: <1295829842.3862.64.camel@tesla.lan>
References: <1295829842.3862.64.camel@tesla.lan>
Message-ID: <4D3D8A4A.5090901@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/corecommands.if refpolicy-git-18012011-new/policy/modules/kernel/corecommands.if
> --- refpolicy-git-18012011/policy/modules/kernel/corecommands.if 2011-01-08 19:07:21.197734248 +0100
> +++ refpolicy-git-18012011-new/policy/modules/kernel/corecommands.if 2011-01-18 23:13:49.755846822 +0100
> @@ -808,6 +808,27 @@ interface(`corecmd_check_exec_shell',`
>
> ########################################
> ##
> +## Allow mmap_file_perms on a shell
> +## executable.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`corecmd_mmap_file_exec_shell',`
> + gen_require(`
> + type bin_t, shell_exec_t;
> + ')
> +
> + list_dirs_pattern($1, bin_t, bin_t)
> + read_lnk_files_pattern($1, bin_t, bin_t)
> + allow $1 shell_exec_t:file mmap_file_perms;
> +')
listing bin_t directories is not strictly required to mmap shell_exec_t
files.
> +
> +########################################
> +##
> ## Execute shells in the caller domain.
> ##
> ##
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/mount.if refpolicy-git-18012011-new/policy/modules/system/mount.if
> --- refpolicy-git-18012011/policy/modules/system/mount.if 2011-01-08 19:07:21.358759676 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/mount.if 2011-01-18 23:13:49.814855139 +0100
> @@ -51,6 +51,25 @@ interface(`mount_run',`
>
> ########################################
> ##
> +## Get the attributes of mount
> +## executable files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mount_exec_getattr',`
> + gen_require(`
> + type mount_exec_t;
> + ')
> +
> + allow $1 mount_exec_t:file getattr;
> +')
mount_getattr_executable_file() or something. use permission sets
(getattr_file_perms) and provide access to the location of the mount
executable file (corecmd_search_bin($1)
> +
> +########################################
> +##
> ## Execute mount in the caller domain.
> ##
> ##
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/mount.te refpolicy-git-18012011-new/policy/modules/system/mount.te
> --- refpolicy-git-18012011/policy/modules/system/mount.te 2011-01-17 19:36:10.814131755 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/mount.te 2011-01-23 20:46:59.057098397 +0100
> @@ -37,6 +37,11 @@ application_domain(unconfined_mount_t, m
> # setuid/setgid needed to mount cifs
> allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
>
> +ifdef(`distro_redhat',`
> + # needed by /sbin/mount.tmpfs bash script
> + allow mount_t self:fifo_file rw_fifo_file_perms;
> +')
> +
> allow mount_t mount_loopback_t:file read_file_perms;
>
> allow mount_t mount_tmp_t:file manage_file_perms;
> @@ -51,12 +56,17 @@ kernel_read_kernel_sysctls(mount_t)
> kernel_dontaudit_getattr_core_if(mount_t)
> kernel_dontaudit_write_debugfs_dirs(mount_t)
> kernel_dontaudit_write_proc_dirs(mount_t)
> +kernel_setsched(mount_t)
> # To load binfmt_misc kernel module
> kernel_request_load_module(mount_t)
>
> # required for mount.smbfs
> corecmd_exec_bin(mount_t)
>
> +# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
> +# from initscripts
> +corecmd_mmap_file_exec_shell(mount_t)
> +
> dev_getattr_all_blk_files(mount_t)
> dev_list_all_dev_nodes(mount_t)
> dev_read_sysfs(mount_t)
> @@ -65,6 +75,7 @@ dev_rw_lvm_control(mount_t)
> dev_dontaudit_getattr_all_chr_files(mount_t)
> dev_dontaudit_getattr_memory_dev(mount_t)
> dev_getattr_sound_dev(mount_t)
> +dev_read_usbfs(mount_t)
> # Early devtmpfs, before udev relabel
> dev_dontaudit_rw_generic_chr_files(mount_t)
>
> @@ -108,6 +119,8 @@ storage_raw_read_fixed_disk(mount_t)
> storage_raw_write_fixed_disk(mount_t)
> storage_raw_read_removable_device(mount_t)
> storage_raw_write_removable_device(mount_t)
> +# needed for example by ntfs-3g
> +storage_rw_fuse(mount_t)
>
> term_use_all_terms(mount_t)
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk09ikoACgkQMlxVo39jgT9k6QCeKUwULKR8M+BlnwazqYkgohev
X74AoI/BP3BQ+MENrYIO472Xq8NCyt2Y
=Tr48
-----END PGP SIGNATURE-----