[DSE-Dev] pre-systemd patch
Russell Coker
russell at coker.com.au
Tue Jan 14 00:51:55 UTC 2014
The attached patch makes the base-module changes I previously described work. It also includes some other changes that were in the systemd patch but are not part of the core systemd policy.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
-------------- next part --------------
Description: Misc stuff from the systemd patch that isn't all systemd specific
Author: Russell Coker <russell at coker.com.au>
Last-Update: 2014-01-12
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -6,6 +6,13 @@
## <desc>
## <p>
+## Allow sysadm to debug or ptrace all processes.
+## </p>
+## </desc>
+gen_tunable(deny_ptrace, false)
+
+## <desc>
+## <p>
## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
## </p>
## </desc>
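Review bot: The description added at L20 reads as the opposite of the tunable it documents: the tunable is named `deny_ptrace` and defaults to `false`, so the text should state what enabling it does, e.g. `## Deny all processes, including sysadm, the ability to ptrace or debug other processes.` As written an administrator reading the tunable catalogue cannot tell which setting is the restrictive one. Nothing else in this patch references `deny_ptrace`, so the policy that consumes it is presumably in the separately posted systemd patch; a line in the patch header saying so would help reviewers.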
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -7,7 +7,6 @@
type portslave_t;
type portslave_exec_t;
-init_domain(portslave_t, portslave_exec_t)
init_daemon_domain(portslave_t, portslave_exec_t)
type portslave_etc_t;
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -96,6 +96,8 @@
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
+# for systemd
+dev_associate(hugetlbfs_t)
type ibmasmfs_t;
fs_type(ibmasmfs_t)
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -42,11 +42,23 @@
#
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+# because nowadays, /sbin/init is often a symlink to /sbin/upstart
+/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+
+/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
+
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+
+/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0)
#
# /var
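Review bot: The `/usr/lib/systemd/[^/]* -- init_exec_t` entry at L57 labels every regular file directly under that directory as init_exec_t, which makes each helper there, not just the init binary itself, an entry point into init_t when executed; either a comment stating that this is intended, or a narrower entry such as `/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)` with helpers labelled individually, would make the intent reviewable. The `/usr/sbin/startx -- initrc_exec_t` entry at L65 likewise deserves a one-line comment on why an X startup script should run as an init script. Note that lvm.fc in this same patch labels `/lib/systemd/systemd-cryptsetup` under /lib rather than /usr/lib; whether the two prefixes are treated as the same path depends on the distribution's file context substitutions, which are not visible here.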
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -118,7 +118,9 @@
init_dontaudit_use_fds(auditctl_t)
-locallogin_dontaudit_use_fds(auditctl_t)
+optional_policy(`
+ locallogin_dontaudit_use_fds(auditctl_t)
+')
logging_set_audit_parameters(auditctl_t)
logging_send_syslog_msg(auditctl_t)
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -28,6 +28,7 @@
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
#
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -293,6 +293,9 @@
init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
+# for systemd-cryptsetup
+dev_write_kmsg(lvm_t)
+
logging_send_syslog_msg(lvm_t)
miscfiles_read_localization(lvm_t)
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -172,6 +172,24 @@
########################################
## <summary>
+## Allow process to read the table dir
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`udev_list_table_dir',`
+ gen_require(`
+ type udev_tbl_t;
+ ')
+
+ allow $1 udev_tbl_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Read the udev device table.
## </summary>
## <desc>
@@ -263,6 +281,25 @@
########################################
## <summary>
+## Allow process to modify relabelto udev database
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_relabelto_db',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 udev_var_run_t:file relabelto_file_perms;
+')
+
+########################################
+## <summary>
## Read udev pid files.
## </summary>
## <param name="domain">
@@ -322,3 +359,22 @@
files_pid_filetrans($1, udev_var_run_t, dir, $2)
')
+
+#######################################
+## <summary>
+## Allow caller to create kobject uevent socket for udev
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_create_kobject_uevent_socket',`
+ gen_require(`
+ type udev_t;
+ role system_r;
+ ')
+
+ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
+')
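Review bot: `udev_create_kobject_uevent_socket` declares `role system_r;` in its gen_require at L168 but never references it, so the require only adds a needless dependency on the role; drop that line. In the preceding hunk the summary of `udev_relabelto_db` (`Allow process to modify relabelto udev database`) does not read as a sentence; `## Relabel files to the udev database type.` describes what the rule at L143 actually grants.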
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2855,6 +2855,35 @@
########################################
## <summary>
+## Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read and write inherited user
+## TTYs and PTYs. This will allow the domain to
+## interact with the user via the terminal. Typically
+## all interactive applications will require this
+## access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
## Read and write a user TTYs and PTYs.
## </summary>
## <desc>
@@ -3405,6 +3434,42 @@
allow $1 userdomain:process signal;
')
+#######################################
+## <summary>
+## Send signull to all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_signull_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process signull;
+')
+
+########################################
+## <summary>
+## Send kill signals to all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_kill_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process sigkill;
+')
+
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
@@ -3459,3 +3524,41 @@
allow $1 userdomain:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit attempts to write users
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unserdomain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_stream',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')
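Review bot: The summary of `userdom_dontaudit_rw_stream` at L278 misspells the attribute as `unserdomain`; it should read `## userdomain unix stream sockets.` The first hunk of this file has the same class of problem: `## Read and write a inherited user TTYs and PTYs.` at L178 should be `## Read and write inherited user TTYs and PTYs.` These summaries are what the interface documentation generator publishes, so the typos surface in the generated reference.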
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4456,6 +4456,42 @@
########################################
## <summary>
+## Relabel a dir from the type used in /tmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelfrom_tmp_dirs',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
+## Relabel a file from the type used in /tmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelfrom_tmp_files',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
@@ -6249,6 +6285,43 @@
########################################
## <summary>
+## Relable all pid directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+## manage all pidfile directories
+## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ manage_dirs_pattern($1,pidfile,pidfile)
+')
+
+########################################
+## <summary>
## Read all process ID files.
## </summary>
## <param name="domain">
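Review bot: The summary `Relable all pid directories` at L340 misspells relabel, and the same typo recurs in `files_relabel_all_pid_files` at L383 in the next hunk; both should read `## Relabel all pid ...`. The call `manage_dirs_pattern($1,pidfile,pidfile)` at L372 also omits the spaces after commas that every other pattern call in this patch uses; `manage_dirs_pattern($1, pidfile, pidfile)` keeps the file consistent.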
@@ -6271,6 +6344,42 @@
########################################
## <summary>
+## Relable all pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_files',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+## Execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_generic_pid_files',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
## Delete all process IDs.
## </summary>
## <param name="domain">
@@ -6580,3 +6689,153 @@
typeattribute $1 files_unconfined_type;
')
+
+########################################
+## <summary>
+## Create a core files in /
+## </summary>
+## <desc>
+## <p>
+## Create a core file in /,
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ manage_files_pattern($1, root_t, root_t)
+')
+
+########################################
+## <summary>
+## Create all pid sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create all pid named pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Create all spool sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_spool_sockets',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Delete all spool sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_all_spool_sockets',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Delete all pid sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Delete all pid named pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to delete to all files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_delete_all_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ allow $1 non_security_file_type:file_class_set unlink;
+')
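Review bot: The documentation of `files_manage_root_files` understates the grant: the summary and desc say `Create a core file in /`, but `manage_files_pattern($1, root_t, root_t)` at L447 allows creating, writing, renaming and deleting any file in the root directory, so the summary should read `## Create, read, write, and delete files in /.` with the core-dump use case moved into the desc. `files_delete_all_non_security_files` at L560-L566 is an allow rule, yet its param summary reads `Domain to not audit.`; it should be `Domain allowed access.`, and the summary `Allow domain to delete to all files` should be `## Delete all non-security files.` Accurate summaries matter here because these are the broadest grants in the hunk and are what a reviewer of a caller will read.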
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -586,3 +586,22 @@
allow $1 unconfined_t:dbus acquire_svc;
')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unconfined domain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -412,6 +412,24 @@
########################################
## <summary>
+## Send a generic signal to cron daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_signal',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:process signal;
+')
+
+########################################
+## <summary>
## Set the attributes of cron log files.
## </summary>
## <param name="domain">
@@ -534,6 +552,46 @@
########################################
## <summary>
+## Read crond state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_state_crond',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, crond_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## crond over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_dbus_chat_crond',`
+ gen_require(`
+ type crond_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 crond_t:dbus send_msg;
+ allow crond_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write
## cron daemon unnamed pipes.
## </summary>
@@ -833,3 +891,22 @@
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
')
+
+########################################
+## <summary>
+## Search the directory containing user cron tables.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_spool',`
+ gen_require(`
+ type cron_system_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')
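Review bot: The summary of `cron_manage_system_spool` at L677 (`Search the directory containing user cron tables.`) describes a search, but the body grants `manage_files_pattern` on `cron_system_spool_t`, i.e. create, write and delete of the system cron spool files; the summary should read `## Create, read, write, and delete system cron spool files.` cron.te is not part of this patch, so I cannot confirm that `cron_system_spool_t` is declared in this tree; if it comes from the separate systemd patch, the header should say so.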
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -550,6 +550,26 @@
########################################
## <summary>
+## Connect to the syslog control unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_create_devlog_dev',`
+ gen_require(`
+ type devlog_t;
+ ')
+
+ allow $1 devlog_t:sock_file manage_sock_file_perms;
+ dev_filetrans($1, devlog_t, sock_file)
+ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
+')
+
+########################################
+## <summary>
## Read the auditd configuration files.
## </summary>
## <param name="domain">
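Review bot: The summary of `logging_create_devlog_dev` at L698 (`Connect to the syslog control unix stream socket.`) does not describe the body, which grants `manage_sock_file_perms` on `devlog_t` together with the `dev_filetrans`/`init_pid_filetrans` rules that create a socket file named `syslog` labelled devlog_t; a summary such as `## Create the /dev/log socket file and its counterpart in the init pid directory.` matches the rules. The next hunk has the same gap: `logging_inherit_append_all_logs` grants `{ getattr append ioctl lock }` without `open`, so it only covers already-open descriptors, and its summary should say `## Append to all log files via inherited file descriptors.`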
@@ -780,6 +800,24 @@
')
########################################
+## <summary>
+## Append to all log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_inherit_append_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:file { getattr append ioctl lock };
+')
+
+########################################
## <summary>
## Read all log files.
## </summary>
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -154,6 +154,25 @@
########################################
## <summary>
+## Allow full relabeling (to and from) of all device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_relabel_all_dev_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ relabel_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## List all of the device nodes in a device directory.
## </summary>
## <param name="domain">
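Review bot: `dev_relabel_all_dev_files` promises `full relabeling (to and from) of all device files`, but `relabel_files_pattern($1, device_t, device_t)` at L764 only covers class `file` objects labelled device_t; device nodes are chr_file/blk_file and carry their own types, so they are not relabelable through this interface. Either narrow the summary to `## Relabel generic files in /dev.` or, if the intent really is every device node, the rule needs to target the device node attribute (`device_node` in the reference policy) with the chr_file/blk_file patterns; devices.te is not in this patch, so confirm the attribute name against the tree. The next hunk's `dev_write_generic_sock_files` is an allow rule whose param summary reads `Domain to not audit.` at L779; it should be `Domain allowed access.`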
@@ -462,6 +481,24 @@
########################################
## <summary>
+## write generic sock files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_write_generic_sock_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ write_sock_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## Dontaudit getattr on generic block devices.
## </summary>
## <param name="domain">
@@ -4016,6 +4053,44 @@
########################################
## <summary>
+## Relabel hardware state directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+## Relabel hardware state files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_all_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+ relabel_files_pattern($1, sysfs_t, sysfs_t)
+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
## Read and write the TPM device.
## </summary>
## <param name="domain">
@@ -4851,3 +4926,103 @@
typeattribute $1 devices_unconfined_type;
')
+
+########################################
+## <summary>
+## Read cpu online hardware state information.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read /sys/devices/system/cpu/online file.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_cpu_online',`
+ gen_require(`
+ type cpu_online_t;
+ ')
+
+ dev_search_sysfs($1)
+ read_files_pattern($1, cpu_online_t, cpu_online_t)
+')
+
+########################################
+## <summary>
+## Relabel cpu online hardware state information.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_cpu_online',`
+ gen_require(`
+ type cpu_online_t;
+ type sysfs_t;
+ ')
+
+ dev_search_sysfs($1)
+ allow $1 cpu_online_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel the printer device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_printer',`
+ gen_require(`
+ type printer_device_t;
+ ')
+
+ allow $1 printer_device_t:chr_file relabel_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the printer device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_printer',`
+ gen_require(`
+ type device_t, printer_device_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, printer_device_t)
+')
+
+########################################
+## <summary>
+## Create FIFO pipes in device directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_generic_pipes',`
+ gen_require(`
+ type device_t;
+ ')
+ allow $1 device_t:dir add_entry_dir_perms;
+ allow $1 device_t:fifo_file { getattr create };
+ allow $1 device_t:dir search_dir_perms;
+ allow $1 device_t:file setattr_file_perms;
+')
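Review bot: `dev_relabel_cpu_online` requires `type sysfs_t;` at L881 but never references it; drop the line. `dev_create_generic_pipes` at L934-L942 mixes an unrelated grant into a FIFO-creation interface: `allow $1 device_t:file setattr_file_perms;` at L941 has nothing to do with pipes and should be removed or moved to a separately named interface, and `allow $1 device_t:dir search_dir_perms;` at L940 is already implied by `add_entry_dir_perms` on L938 in the reference policy's definition of that set. The interface is also missing the blank line after `gen_require` that every other interface in this patch has, and the summary of `dev_manage_printer` (`Read and write the printer device`) understates `manage_chr_files_pattern`, which includes create and delete.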
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@
########################################
## <summary>
+## Get attributes of cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ getattr_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Search cgroup directories.
## </summary>
## <param name="domain">
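Review bot: `fs_getattr_cgroup_files` has a stray blank line inside its gen_require block at L959, and the same appears in `fs_relabel_cgroup_dirs` at L986 in the next hunk; neither matches the layout of the surrounding interfaces and both should be removed. The getattr interface also calls `fs_search_tmpfs` and `dev_search_sysfs` in addition to the cgroup pattern; a one-line comment on why both searches are needed to reach cgroup files would save the next reader from guessing at the mount layout being assumed.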
@@ -651,6 +672,25 @@
########################################
## <summary>
+## Relabel cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ relabel_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
## list cgroup directories.
## </summary>
## <param name="domain">
@@ -3998,6 +4038,42 @@
')
########################################
+## <summary>
+## Relabel directory on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Relabel files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
## <summary>
## Create, read, write, and delete
## tmpfs directories
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -481,6 +481,24 @@
########################################
## <summary>
+## Relabel the /dev/pts directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_ptys_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read the
## /dev/pts directory.
## </summary>
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -123,3 +123,39 @@
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
')
+
+########################################
+## <summary>
+## Read and write a lvm unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_rw_pipes',`
+ gen_require(`
+ type lvm_var_run_t;
+ ')
+
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send lvm a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_signull',`
+ gen_require(`
+ type lvm_t;
+ ')
+
+ allow $1 lvm_t:process signull;
+')
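Review bot: `lvm_rw_pipes` is documented as `Read and write a lvm unnamed pipe`, but the rule at L1087 targets `lvm_var_run_t:fifo_file`, which is a named pipe under the lvm pid directory, whereas an unnamed pipe created by lvm would carry the `lvm_t` type. Either the summary should read `## Read and write inherited lvm named pipes in /run.` or the type should be `lvm_t`; the intended caller is not visible here, so I cannot tell which was meant.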
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -192,7 +192,8 @@
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
@@ -259,7 +260,8 @@
#
# Use (read and write) terminals
#
-define(`rw_term_perms', `{ getattr open read write append ioctl }')
+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
+define(`rw_term_perms', `{ rw_inherited_term_perms open }')
#
# Sockets
--- a/policy/modules/system/application.if
+++ b/policy/modules/system/application.if
@@ -189,6 +189,24 @@
########################################
## <summary>
+## Send kill signals to all application domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`application_sigkill',`
+ gen_require(`
+ attribute application_domain_type;
+ ')
+
+ allow $1 application_domain_type:process sigkill;
+')
+
+########################################
+## <summary>
## Do not audit attempts to send kill signals
## to all application domains.
## </summary>
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -183,13 +183,16 @@
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
-modutils_run_depmod(dpkg_t, dpkg_roles)
-modutils_run_insmod(dpkg_t, dpkg_roles)
seutil_run_loadpolicy(dpkg_t, dpkg_roles)
seutil_run_setfiles(dpkg_t, dpkg_roles)
userdom_use_all_users_fds(dpkg_t)
optional_policy(`
+modutils_run_depmod(dpkg_t, dpkg_roles)
+modutils_run_insmod(dpkg_t, dpkg_roles)
+')
+
+optional_policy(`
mta_send_mail(dpkg_t)
')
optional_policy(`
@@ -287,8 +290,10 @@
miscfiles_read_localization(dpkg_script_t)
+optional_policy(`
modutils_run_depmod(dpkg_script_t, dpkg_roles)
modutils_run_insmod(dpkg_script_t, dpkg_roles)
+')
seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
seutil_run_setfiles(dpkg_script_t, dpkg_roles)
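Review bot: The lines wrapped into `optional_policy` blocks in dpkg.te (L1166-L1167 and L1177-L1178) appear to sit at column 0 inside the block, while the equivalent wrappers added in logging.te, selinuxutil.te and sysnetwork.te indent their contents. If this is not an artefact of the mail archive stripping tabs, the dpkg lines should be indented one level so the optional_policy nesting stays visible when scanning the file.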
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -345,7 +345,9 @@
files_read_non_auth_files(restorecond_t)
auth_use_nsswitch(restorecond_t)
-locallogin_dontaudit_use_fds(restorecond_t)
+optional_policy(`
+ locallogin_dontaudit_use_fds(restorecond_t)
+')
logging_send_syslog_msg(restorecond_t)
@@ -485,7 +487,9 @@
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
-locallogin_use_fds(semanage_t)
+optional_policy(`
+ locallogin_use_fds(semanage_t)
+')
logging_send_syslog_msg(semanage_t)
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -143,7 +143,9 @@
miscfiles_read_localization(dhcpc_t)
-modutils_run_insmod(dhcpc_t, dhcpc_roles)
+optional_policy(`
+ modutils_run_insmod(dhcpc_t, dhcpc_roles)
+')
sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
@@ -318,7 +320,9 @@
miscfiles_read_localization(ifconfig_t)
-modutils_domtrans_insmod(ifconfig_t)
+optional_policy(`
+ modutils_domtrans_insmod(ifconfig_t)
+')
seutil_use_runinit_fds(ifconfig_t)
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -60,7 +60,7 @@
recv_msg
send_msg
name_bind
-}
+}
#
# Define a common prefix for ipc access vectors.
@@ -244,7 +244,7 @@
node_bind
}
-class node
+class node
{
tcp_recv
tcp_send
@@ -362,7 +362,7 @@
#
-# Define the access vector interpretation for the security server.
+# Define the access vector interpretation for the security server.
#
class security
@@ -410,33 +410,33 @@
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
mknod
lease
audit_write
@@ -444,7 +444,7 @@
setfcap
}
-class capability2
+class capability2
{
mac_override # unused by SELinux
mac_admin # unused by SELinux
@@ -826,7 +826,7 @@
class kernel_service
{
use_as_override
- create_files_as
+ create_files_as
}
class tun_socket
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -1,7 +1,7 @@
# FLASK
#
-# Define the security object classes
+# Define the security object classes
#
# Classes marked as userspace are classes
@@ -117,7 +117,7 @@
class x_application_data # userspace
# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
+class kernel_service
class tun_socket
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -199,6 +199,7 @@
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)
ifdef(`distro_redhat',`
# originally from named.fc
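Review bot: This entry and the `dev_read_cpu_online`/`dev_relabel_cpu_online` interfaces in devices.if reference `cpu_online_t`, but no `type cpu_online_t;` declaration or `dev_node()` call appears anywhere in this patch (devices.te is not touched). If the declaration lives in the separately posted systemd patch, this patch does not build on its own and the patch header should say so; otherwise the type needs to be declared here alongside the file context.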
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -35,6 +35,12 @@
init_exec(sysadm_t)
+tunable_policy(`init_upstart', `', `
+ # Run the shell in the sysadm role for single-user mode.
+ # causes problems with upstart
+ init_shell_domtrans(sysadm_t)
+')
+
# for sepolgen-ifgen
selinux_read_policy(sysadm_t)
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -219,10 +219,6 @@
tunable_policy(`init_upstart',`
corecmd_shell_domtrans(init_t, initrc_t)
-',`
- # Run the shell in the sysadm role for single-user mode.
- # causes problems with upstart
- sysadm_shell_domtrans(init_t)
')
optional_policy(`
@@ -446,8 +442,10 @@
# slapd needs to read cert files from its initscript
miscfiles_read_generic_certs(initrc_t)
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
+optional_policy(`
+ modutils_read_module_config(initrc_t)
+ modutils_domtrans_insmod(initrc_t)
+')
seutil_read_config(initrc_t)
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1858,3 +1858,24 @@
interface(`systemd_unit_file',`
files_type($1)
')
+
+########################################
+## <summary>
+## Init will execute a shell in the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Target domain
+## </summary>
+## </param>
+#
+interface(`init_shell_domtrans',`
+ gen_require(`
+ type init_t;
+ ')
+
+ corecmd_shell_domtrans(init_t, $1)
+ allow $1 init_t:fd use;
+ allow $1 init_t:fifo_file rw_file_perms;
+ allow $1 init_t:process sigchld;
+')
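Review bot: `init_shell_domtrans` grants `allow $1 init_t:fifo_file rw_file_perms;` at L1396; the permission set that matches the fifo_file class is `rw_fifo_file_perms`, so the line should read `allow $1 init_t:fifo_file rw_fifo_file_perms;`. The `sigchld` rule at L1397 runs from the shell domain to init_t, which is the right direction for a child reporting its exit, but a short comment, `# the shell is a child of init and must report its exit`, would save the next reader the same check.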
More information about the SELinux-devel
mailing list