Latest changes to policy

Latest changes to policy

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 882 bytes --]

Change build.conf to
TYPE ?= $(TYPE)

to allow overriding at the command line

Logwatch needs to resolve

VPNc needs to be able to talk to the FD of locallogin

Make vpnc work with NetworkManager

Java always needs execmem so give it to it by default

File context for policygentool

file context for /dev/efirtc

Make polyinstantiation work for /tmp

Fix cacti file_context

allow httpd to transition to httpd_sys_script_t when running a shell

Allow scripts to read eventpollfs

Allow cron to look at httpd_sys_content_t

New version of automount needs sys_resource

Allow automount to run showmount

Automount now needs to getattr on all directories.

crond needs to look at a lot of apache stuff.

Mount and Hal now needs to read autofs_t directories

dontaudit execmem for xserver, we know it needs it.

Make swapon work.

load_policy mls needs to be able to read up











[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 13722 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.2.21/Makefile
--- nsaserefpolicy/Makefile	2006-02-17 14:46:10.000000000 -0500
+++ serefpolicy-2.2.21/Makefile	2006-02-23 12:35:04.000000000 -0500
@@ -446,14 +446,14 @@
 			$(MODDIR)/$$i/metadata.xml \
 			$(HEADERDIR)/$$i ;\
 	done
-	$(verbose) echo "TYPE=$(TYPE)" > $(HEADERDIR)/build.conf
-	$(verbose) echo "NAME=$(NAME)" >> $(HEADERDIR)/build.conf
+	$(verbose) echo "TYPE ?= $(TYPE)" > $(HEADERDIR)/build.conf
+	$(verbose) echo "NAME ?= $(NAME)" >> $(HEADERDIR)/build.conf
 ifneq "$(DISTRO)" ""
-	$(verbose) echo "DISTRO=$(DISTRO)" >> $(HEADERDIR)/build.conf
+	$(verbose) echo "DISTRO ?= $(DISTRO)" >> $(HEADERDIR)/build.conf
 endif
-	$(verbose) echo "MONOLITHIC=n" >> $(HEADERDIR)/build.conf
-	$(verbose) echo "DIRECT_INITRC=$(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
-	$(verbose) echo "POLY=$(POLY)" >> $(HEADERDIR)/build.conf
+	$(verbose) echo "MONOLITHIC ?= n" >> $(HEADERDIR)/build.conf
+	$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
+	$(verbose) echo "POLY ?= $(POLY)" >> $(HEADERDIR)/build.conf
 	$(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.21/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te	2006-02-21 14:40:22.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/admin/logwatch.te	2006-02-23 09:41:46.000000000 -0500
@@ -71,6 +71,8 @@
 
 selinux_dontaudit_getattr_dir(logwatch_t)
 
+sysnet_dns_name_resolve(logwatch_t)
+
 userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
 userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-2.2.21/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te	2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/admin/vpn.te	2006-02-23 12:21:59.000000000 -0500
@@ -91,6 +91,8 @@
 libs_use_ld_so(vpnc_t)
 libs_use_shared_libs(vpnc_t)
 
+locallogin_use_fd(vpnc_t)
+
 logging_send_syslog_msg(vpnc_t)
 
 miscfiles_read_localization(vpnc_t)
@@ -106,6 +108,10 @@
 
 optional_policy(`dbus',`
 	dbus_system_bus_client_template(vpnc,vpnc_t)
+	dbus_send_system_bus(vpnc_t)
+	optional_policy(`networkmanager',`
+		networkmanager_dbus_chat(vpnc_t)
+	')
 ')
 
 optional_policy(`mount',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.2.21/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if	2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/apps/java.if	2006-02-23 09:41:46.000000000 -0500
@@ -149,13 +149,9 @@
 	userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
 	userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
 
-	# libdeploy.so legacy
-	tunable_policy(`allow_execmem',`
-		allow $1_javaplugin_t self:process execmem;
-	')
-	
+	allow $1_javaplugin_t self:process execmem;
 	tunable_policy(`allow_java_execstack',`
-		allow $1_javaplugin_t self:process { execmem execstack };
+		allow $1_javaplugin_t self:process execstack;
 
 		allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.21/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-01-19 16:02:10.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/kernel/corecommands.fc	2006-02-23 13:32:13.000000000 -0500
@@ -135,6 +135,7 @@
 
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.21/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2006-02-14 07:20:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/kernel/devices.fc	2006-02-23 10:01:17.000000000 -0500
@@ -39,6 +39,7 @@
 /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/(misc/)?rtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/smpte.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.21/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/kernel/files.if	2006-02-23 09:41:46.000000000 -0500
@@ -3358,10 +3358,11 @@
 	allow $1 self:process setfscreate;
 	allow $1 polymember: dir { create setattr };
 	allow $1 polydir: dir { write add_name };
-	allow $1 polyparent:dir { write add_name };
+	allow $1 polyparent:dir { write add_name relabelfrom relabelto };
 
 	# Default type for mountpoints
 	allow $1 poly_t:dir { create mounton };
+	fs_unmount_xattr_fs($1)
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.2.21/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te	2006-02-14 07:20:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/kernel/files.te	2006-02-23 09:41:46.000000000 -0500
@@ -125,6 +125,7 @@
 #
 type tmp_t, mountpoint; #, polydir
 files_tmp_file(tmp_t)
+files_poly_parent(tmp_t)
 
 #
 # usr_t is the type for /usr.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.2.21/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc	2006-02-14 07:20:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/apache.fc	2006-02-23 09:41:46.000000000 -0500
@@ -45,7 +45,7 @@
 /var/cache/rt3(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
 
-/var/lib/cacti(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.21/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if	2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/apache.if	2006-02-23 09:41:46.000000000 -0500
@@ -94,6 +94,7 @@
 
 	corecmd_exec_bin(httpd_$1_script_t)
 	corecmd_exec_sbin(httpd_$1_script_t)
+	corecmd_shell_entry_type(httpd_$1_script_t)
 
 	domain_exec_all_entry_files(httpd_$1_script_t)
 
@@ -174,6 +175,7 @@
 		dev_read_urand(httpd_$1_script_t)
 
 		fs_getattr_xattr_fs(httpd_$1_script_t)
+		fs_read_eventpollfs(httpd_$1_script_t)
 
 		files_read_etc_runtime_files(httpd_$1_script_t)
 		files_read_usr_files(httpd_$1_script_t)
@@ -798,3 +800,22 @@
 
 	allow $1 httpd_sys_script_t:dir search;
 ')
+
+
+########################################
+## <summary>
+##	Read apache system content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_read_sys_content',`
+	gen_require(`
+		type httpd_sys_content_t;
+	')
+	allow $1 httpd_sys_content_t:dir r_dir_perms;
+	allow $1 httpd_sys_content_t:file { getattr read };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.21/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/automount.te	2006-02-23 10:09:09.000000000 -0500
@@ -28,7 +28,7 @@
 # Local policy
 #
 
-allow automount_t self:capability { net_bind_service sys_nice dac_override };
+allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
 dontaudit automount_t self:capability sys_tty_config;
 allow automount_t self:process { signal_perms getpgid setpgid setsched };
 allow automount_t self:fifo_file rw_file_perms;
@@ -83,6 +83,9 @@
 corenet_tcp_connect_portmap_port(automount_t)
 corenet_tcp_connect_all_ports(automount_t)
 corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
+# Automount execs showmount when you browse /net.  This is required until
+# Someone writes a showmount policy
+corenet_tcp_bind_reserved_port(automount_t)
 
 dev_read_sysfs(automount_t)
 # for SSP
@@ -91,7 +94,7 @@
 domain_use_interactive_fds(automount_t)
 
 files_dontaudit_write_var_dirs(automount_t)
-files_search_var_lib(automount_t)
+files_getattr_all_dirs(automount_t)
 files_list_mnt(automount_t)
 files_getattr_home_dir(automount_t)
 files_read_etc_files(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.21/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2006-02-23 09:25:09.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/cron.te	2006-02-23 09:41:46.000000000 -0500
@@ -360,6 +360,9 @@
 	optional_policy(`apache',`
 		# Needed	 for certwatch
 		apache_exec_modules(system_crond_t)
+		apache_read_config(system_crond_t)
+		apache_read_log(system_crond_t)
+		apache_read_sys_content(system_crond_t)
 	')
 
 	optional_policy(`cyrus',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.21/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-02-21 14:40:23.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/hal.te	2006-02-23 10:11:00.000000000 -0500
@@ -93,7 +93,7 @@
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
-fs_search_auto_mountpoints(hald_t)
+fs_list_auto_mountpoints(hald_t)
 
 mls_file_read_up(hald_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.2.21/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2006-02-21 14:40:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/services/xserver.te	2006-02-23 14:10:50.000000000 -0500
@@ -425,7 +425,7 @@
 ifdef(`targeted_policy',`
 	allow xdm_xserver_t self:process { execheap execmem };
 
-	unconfined_domain(xdm_xserver_t)
+	unconfined_domain_noaudit(xdm_xserver_t)
 	unconfined_domtrans(xdm_xserver_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.21/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te	2006-02-21 14:40:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/system/fstools.te	2006-02-23 09:41:46.000000000 -0500
@@ -45,7 +45,7 @@
 files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
 
 # Enable swapping to files
-allow fsadm_t swapfile_t:file { getattr swapon };
+allow fsadm_t swapfile_t:file { read write getattr swapon };
 
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.21/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-02-21 14:40:25.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/system/mount.te	2006-02-23 10:11:48.000000000 -0500
@@ -46,7 +46,7 @@
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_all_fs(mount_t)
-fs_search_auto_mountpoints(mount_t)
+fs_list_auto_mountpoints(mount_t)
 fs_rw_tmpfs_chr_files(mount_t)
 fs_read_tmpfs_symlinks(mount_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.21/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-02-23 09:25:09.000000000 -0500
+++ serefpolicy-2.2.21/policy/modules/system/selinuxutil.te	2006-02-23 09:41:46.000000000 -0500
@@ -199,6 +199,7 @@
 libs_use_ld_so(load_policy_t)
 libs_use_shared_libs(load_policy_t)
 
+mls_file_read_up(load_policy_t)
 miscfiles_read_localization(load_policy_t)
 
 userdom_use_all_users_fds(load_policy_t)
@@ -319,10 +320,6 @@
 	nscd_socket_use(newrole_t)
 ')
 
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
-') dnl ifdef TODO
-
 ########################################
 #
 # Restorecon local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-2.2.21/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel	2006-02-22 14:09:04.000000000 -0500
+++ serefpolicy-2.2.21/support/Makefile.devel	2006-02-23 12:38:25.000000000 -0500
@@ -6,10 +6,7 @@
 SED ?= sed
 EINFO ?= echo
 PYTHON ?= python
-
-NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
-SHAREDIR ?= /usr/share/selinux
-HEADERDIR ?= $(SHAREDIR)/$(NAME)/include
+HEADERDIR ?= .
 
 include $(HEADERDIR)/build.conf
 

Re: Latest changes to policy

[Christopher J. PeBenito]

On Thu, 2006-02-23 at 14:26 -0500, Daniel J Walsh wrote:
> Make polyinstantiation work for /tmp

Why does the files_polyinstantiate_all() need the relabeling?

> Automount now needs to getattr on all directories.

I'd be interested to find out why, this seems like an odd behavior to
me.

The remainder is merged, except the Makefile.devel change; with the
symlink setup you have in FC, it seems like it should work as is.
 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.