From: Daniel J Walsh <dwalsh@redhat.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>,
SE Linux <selinux@tycho.nsa.gov>
Subject: Latest changes to policy
Date: Thu, 23 Feb 2006 14:26:05 -0500 [thread overview]
Message-ID: <43FE0C4D.1000003@redhat.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 882 bytes --]
Change build.conf to
TYPE ?= $(TYPE)
to allow overriding at the command line
Logwatch needs to resolve
VPNc needs to be able to talk to the FD of locallogin
Make vpnc work with NetworkManager
Java always needs execmem so give it to it by default
File context for policygentool
file context for /dev/efirtc
Make polyinstantiation work for /tmp
Fix cacti file_context
allow httpd to transition to httpd_sys_script_t when running a shell
Allow scripts to read eventpollfs
Allow cron to look at httpd_sys_content_t
New version of automount needs sys_resource
Allow automount to run showmount
Automount now needs to getattr on all directories.
crond needs to look at a lot of apache stuff.
Mount and Hal now need to read autofs_t directories
dontaudit execmem for xserver, we know it needs it.
Make swapon work.
load_policy mls needs to be able to read up
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 13722 bytes --]
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.2.21/Makefile
--- nsaserefpolicy/Makefile 2006-02-17 14:46:10.000000000 -0500
+++ serefpolicy-2.2.21/Makefile 2006-02-23 12:35:04.000000000 -0500
@@ -446,14 +446,14 @@
$(MODDIR)/$$i/metadata.xml \
$(HEADERDIR)/$$i ;\
done
- $(verbose) echo "TYPE=$(TYPE)" > $(HEADERDIR)/build.conf
- $(verbose) echo "NAME=$(NAME)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "TYPE ?= $(TYPE)" > $(HEADERDIR)/build.conf
+ $(verbose) echo "NAME ?= $(NAME)" >> $(HEADERDIR)/build.conf
ifneq "$(DISTRO)" ""
- $(verbose) echo "DISTRO=$(DISTRO)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "DISTRO ?= $(DISTRO)" >> $(HEADERDIR)/build.conf
endif
- $(verbose) echo "MONOLITHIC=n" >> $(HEADERDIR)/build.conf
- $(verbose) echo "DIRECT_INITRC=$(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
- $(verbose) echo "POLY=$(POLY)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "MONOLITHIC ?= n" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "POLY ?= $(POLY)" >> $(HEADERDIR)/build.conf
$(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile
########################################
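Review bot: The switch to `?=` in the generated build.conf does not change what a command-line `make TYPE=...` does, because a command-line assignment already overrides a plain `=` in any included makefile; what it does change is that a value already present in the environment or set earlier by the including Makefile (an exported `TYPE` or `MONOLITHIC` in a developer's shell, for instance) now silently wins over the recorded build configuration. That is presumably the intended hook for Makefile.devel, but the description's "command line" wording hides it, so say it where the lines are written: `# written with ?= so a module Makefile (or the environment) may pre-set these before including build.conf`. `MONOLITHIC ?= n` in particular would let an environment `MONOLITHIC=y` flip a modular header install; if that must not happen, keep `MONOLITHIC=n` as a hard assignment. The install recipe this belongs to starts before the hunk.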
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.21/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-02-21 14:40:22.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/admin/logwatch.te 2006-02-23 09:41:46.000000000 -0500
@@ -71,6 +71,8 @@
selinux_dontaudit_getattr_dir(logwatch_t)
+sysnet_dns_name_resolve(logwatch_t)
+
userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-2.2.21/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/admin/vpn.te 2006-02-23 12:21:59.000000000 -0500
@@ -91,6 +91,8 @@
libs_use_ld_so(vpnc_t)
libs_use_shared_libs(vpnc_t)
+locallogin_use_fd(vpnc_t)
+
logging_send_syslog_msg(vpnc_t)
miscfiles_read_localization(vpnc_t)
@@ -106,6 +108,10 @@
optional_policy(`dbus',`
dbus_system_bus_client_template(vpnc,vpnc_t)
+ dbus_send_system_bus(vpnc_t)
+ optional_policy(`networkmanager',`
+ networkmanager_dbus_chat(vpnc_t)
+ ')
')
optional_policy(`mount',`
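Review bot: `dbus_send_system_bus(vpnc_t)` is a broad grant (send to the system bus as a whole) added next to the NetworkManager-specific `networkmanager_dbus_chat(vpnc_t)`, and nothing in the hunk says which of the two the NetworkManager integration from the commit message actually needs. If the broad send is required for a path that does not go through NetworkManager, a one-line comment keeps a later reviewer from narrowing it away: `# TODO: confirm vpnc needs to send to the system bus beyond the NetworkManager chat below`. If it is not separately required, the nested `networkmanager` block alone is the narrower grant.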
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.2.21/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/apps/java.if 2006-02-23 09:41:46.000000000 -0500
@@ -149,13 +149,9 @@
userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
- # libdeploy.so legacy
- tunable_policy(`allow_execmem',`
- allow $1_javaplugin_t self:process execmem;
- ')
-
+ allow $1_javaplugin_t self:process execmem;
tunable_policy(`allow_java_execstack',`
- allow $1_javaplugin_t self:process { execmem execstack };
+ allow $1_javaplugin_t self:process execstack;
allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
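Review bot: Making `allow $1_javaplugin_t self:process execmem;` unconditional removes the only administrator control over writable-and-executable mappings for every per-user javaplugin domain, and the deleted `# libdeploy.so legacy` line was the only comment explaining why execmem was there at all. Since the commit message's reason is now the policy, record it next to the rule so it is not re-gated or questioned later: `# Java always needs execmem, so it is not tunable; execstack stays behind allow_java_execstack`. The `tunable_policy(\`allow_java_execstack'` block continues past the hunk, so it is not visible whether the `execstack`-only rule is the only rule left in it.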
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.21/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-01-19 16:02:10.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/kernel/corecommands.fc 2006-02-23 13:32:13.000000000 -0500
@@ -135,6 +135,7 @@
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
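Review bot: The new `/usr/share/selinux/devel/policygentool` entry is inserted between the gnucash and hal lines, while the surrounding entries visible in this hunk are kept in path order (`gnucash`, `hal`, `mc`, `printconf`). Placing it after `/usr/share/printconf/util/print\.py` keeps the file sorted and makes later merges against the upstream file less noisy.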
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.21/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-02-14 07:20:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/kernel/devices.fc 2006-02-23 10:01:17.000000000 -0500
@@ -39,6 +39,7 @@
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.21/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/kernel/files.if 2006-02-23 09:41:46.000000000 -0500
@@ -3358,10 +3358,11 @@
allow $1 self:process setfscreate;
allow $1 polymember: dir { create setattr };
allow $1 polydir: dir { write add_name };
- allow $1 polyparent:dir { write add_name };
+ allow $1 polyparent:dir { write add_name relabelfrom relabelto };
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
+ fs_unmount_xattr_fs($1)
')
########################################
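Review bot: `fs_unmount_xattr_fs($1)` grants unmount on every xattr-labelled filesystem, not only the polyinstantiated instance this interface sets up, and adding `relabelfrom relabelto` on `polyparent` lets the caller change the label of the parent directory itself, not merely create members under it; both are sizeable widenings with no comment saying which operation needs them. Add a why-comment on each, e.g. `# TODO(review): document which step has to relabel the parent dir` and `# unmount of the poly instance; fs_unmount_xattr_fs is broader than needed if a tmpfs-only interface is available`. The interface definition starts before the hunk, so its summary block, where the widened contract should also be stated, is not visible here.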
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.2.21/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2006-02-14 07:20:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/kernel/files.te 2006-02-23 09:41:46.000000000 -0500
@@ -125,6 +125,7 @@
#
type tmp_t, mountpoint; #, polydir
files_tmp_file(tmp_t)
+files_poly_parent(tmp_t)
#
# usr_t is the type for /usr.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.2.21/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2006-02-14 07:20:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/apache.fc 2006-02-23 09:41:46.000000000 -0500
@@ -45,7 +45,7 @@
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/lib/cacti(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
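Review bot: The old `/var/lib/cacti(/.*)?` entry is replaced rather than supplemented, so `/var/lib/cacti` itself and everything under it other than `rra/` now get no apache-specific label and fall back to the generic `/var/lib` default; anything httpd writes elsewhere under `/var/lib/cacti` would then be denied. Unless dropping the rest of the tree is intended, keep both lines, since the `rra` rule has the longer literal prefix and takes precedence for that subtree: `/var/lib/cacti(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)` followed by `/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)`.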
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.21/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/apache.if 2006-02-23 09:41:46.000000000 -0500
@@ -94,6 +94,7 @@
corecmd_exec_bin(httpd_$1_script_t)
corecmd_exec_sbin(httpd_$1_script_t)
+ corecmd_shell_entry_type(httpd_$1_script_t)
domain_exec_all_entry_files(httpd_$1_script_t)
@@ -174,6 +175,7 @@
dev_read_urand(httpd_$1_script_t)
fs_getattr_xattr_fs(httpd_$1_script_t)
+ fs_read_eventpollfs(httpd_$1_script_t)
files_read_etc_runtime_files(httpd_$1_script_t)
files_read_usr_files(httpd_$1_script_t)
@@ -798,3 +800,22 @@
allow $1 httpd_sys_script_t:dir search;
')
+
+
+########################################
+## <summary>
+## Read apache system content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_read_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+ allow $1 httpd_sys_content_t:dir r_dir_perms;
+ allow $1 httpd_sys_content_t:file { getattr read };
+')
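Review bot: The `<param name="domain">` summary of the new `apache_read_sys_content` interface says `Domain to not audit.`, but the body uses `allow`, so the text is carried over from a dontaudit interface and misdescribes the contract; change it to `## Domain allowed access.`. Also, `{ getattr read }` on files is narrower than the usual read-permission set; if the omission of lock/ioctl is deliberate it is worth a word in the summary, otherwise a reader will assume a full read grant from the interface name.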
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.21/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/automount.te 2006-02-23 10:09:09.000000000 -0500
@@ -28,7 +28,7 @@
# Local policy
#
-allow automount_t self:capability { net_bind_service sys_nice dac_override };
+allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched };
allow automount_t self:fifo_file rw_file_perms;
@@ -83,6 +83,9 @@
corenet_tcp_connect_portmap_port(automount_t)
corenet_tcp_connect_all_ports(automount_t)
corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
+# Automount execs showmount when you browse /net. This is required until
+# Someone writes a showmount policy
+corenet_tcp_bind_reserved_port(automount_t)
dev_read_sysfs(automount_t)
# for SSP
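Review bot: `corenet_tcp_bind_reserved_port(automount_t)` lets automount bind any reserved TCP port, which is broader than what the comment above it describes (presumably showmount needs a privileged source port for its RPC call, but that is not stated), and `# Someone writes` reads as a typo for `# someone writes`. Since the comment already marks this as a stopgap, make it greppable and scoped: `# TODO: showmount (run by automount when browsing /net) needs a reserved port; move this to a showmount domain when one exists`. Whether a narrower port interface is available is not visible from the hunk.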
@@ -91,7 +94,7 @@
domain_use_interactive_fds(automount_t)
files_dontaudit_write_var_dirs(automount_t)
-files_search_var_lib(automount_t)
+files_getattr_all_dirs(automount_t)
files_list_mnt(automount_t)
files_getattr_home_dir(automount_t)
files_read_etc_files(automount_t)
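Review bot: `files_search_var_lib(automount_t)` is removed rather than kept beside the new `files_getattr_all_dirs(automount_t)`; getattr on all directory types does not imply `search` on `/var/lib`, so any automount path that traversed `/var/lib` before (the reason the rule existed) would now be denied. Unless the search was found to be dead, keep both: `files_search_var_lib(automount_t)` followed by `files_getattr_all_dirs(automount_t)`.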
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.21/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2006-02-23 09:25:09.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/cron.te 2006-02-23 09:41:46.000000000 -0500
@@ -360,6 +360,9 @@
optional_policy(`apache',`
# Needed for certwatch
apache_exec_modules(system_crond_t)
+ apache_read_config(system_crond_t)
+ apache_read_log(system_crond_t)
+ apache_read_sys_content(system_crond_t)
')
optional_policy(`cyrus',`
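Review bot: The three new apache read grants for `system_crond_t` sit under the existing `# Needed for certwatch` comment, so a reader cannot tell whether certwatch or some other cron job needs config, log and content read; apache config can also carry sensitive settings, so the config and log grants deserve their own one-line justification rather than inheriting the certwatch one. E.g. `# <cron job> reads apache config, logs and web content -- TODO name the job`. The commit message ("crond needs to look at a lot of apache stuff") does not identify the consumer either.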
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.21/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/hal.te 2006-02-23 10:11:00.000000000 -0500
@@ -93,7 +93,7 @@
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
-fs_search_auto_mountpoints(hald_t)
+fs_list_auto_mountpoints(hald_t)
mls_file_read_up(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.2.21/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2006-02-21 14:40:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/xserver.te 2006-02-23 14:10:50.000000000 -0500
@@ -425,7 +425,7 @@
ifdef(`targeted_policy',`
allow xdm_xserver_t self:process { execheap execmem };
- unconfined_domain(xdm_xserver_t)
+ unconfined_domain_noaudit(xdm_xserver_t)
unconfined_domtrans(xdm_xserver_t)
')
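Review bot: Swapping `unconfined_domain(xdm_xserver_t)` for `unconfined_domain_noaudit(xdm_xserver_t)` in the targeted branch changes what is logged, not what is allowed: execmem and execheap are already granted on the line above, so the visible effect is that the audit records the unconfined template produced for them stop being emitted (assuming `_noaudit` differs from the plain variant only in its auditallow rules — confirm). That is a deliberate loss of a detection signal for executable-memory use by the X server; record the trade-off next to the rule, e.g. `# noaudit: the X server legitimately uses execmem/execheap, so the unconfined auditallow would only be noise`. The `ifdef(\`targeted_policy'` block is fully visible, but the rest of the module is not.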
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.21/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2006-02-21 14:40:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/system/fstools.te 2006-02-23 09:41:46.000000000 -0500
@@ -45,7 +45,7 @@
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
# Enable swapping to files
-allow fsadm_t swapfile_t:file { getattr swapon };
+allow fsadm_t swapfile_t:file { read write getattr swapon };
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.21/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-02-21 14:40:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/system/mount.te 2006-02-23 10:11:48.000000000 -0500
@@ -46,7 +46,7 @@
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
-fs_search_auto_mountpoints(mount_t)
+fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.21/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-02-23 09:25:09.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/system/selinuxutil.te 2006-02-23 09:41:46.000000000 -0500
@@ -199,6 +199,7 @@
libs_use_ld_so(load_policy_t)
libs_use_shared_libs(load_policy_t)
+mls_file_read_up(load_policy_t)
miscfiles_read_localization(load_policy_t)
userdom_use_all_users_fds(load_policy_t)
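Review bot: `mls_file_read_up(load_policy_t)` is an MLS override — it exempts load_policy from the no-read-up constraint on files — and it is added without a comment, so nothing in the policy says which higher-level file load_policy must read. Put the reason on the line, e.g. `# load_policy must read its input regardless of the caller's level -- TODO confirm which file`. Exemptions like this are the first thing a later audit of MLS overrides will question, so the why matters more here than for an ordinary allow.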
@@ -319,10 +320,6 @@
nscd_socket_use(newrole_t)
')
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
-') dnl ifdef TODO
-
########################################
#
# Restorecon local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-2.2.21/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2006-02-22 14:09:04.000000000 -0500
+++ serefpolicy-2.2.21/support/Makefile.devel 2006-02-23 12:38:25.000000000 -0500
@@ -6,10 +6,7 @@
SED ?= sed
EINFO ?= echo
PYTHON ?= python
-
-NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
-SHAREDIR ?= /usr/share/selinux
-HEADERDIR ?= $(SHAREDIR)/$(NAME)/include
+HEADERDIR ?= .
include $(HEADERDIR)/build.conf
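Review bot: `HEADERDIR ?= .` makes the devel Makefile resolve `build.conf` relative to the current working directory, and the removed `NAME`/`SHAREDIR` lines no longer locate the installed header tree; since this file is installed as `$(HEADERDIR)/Makefile` (see the Makefile hunk), anyone who runs it as `make -f <installed Makefile>` from a module source directory will now get an include failure for `./build.conf` unless they also pass `HEADERDIR`. If the intent is "the directory this Makefile lives in", derive it from the makefile's own path instead: `HEADERDIR ?= $(dir $(word $(words $(MAKEFILE_LIST)),$(MAKEFILE_LIST)))`. Whether the documented usage is "cd into the header dir first" is not visible here.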