The attached patch makes the base-module changes I previously described work. It also includes some other changes that were in the systemd patch but which are not part of the core systemd policy.
-- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
Description: Misc stuff from the systemd patch that isn't all systemd specific Author: Russell Coker <[email protected]> Last-Update: 2014-01-12 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -6,6 +6,13 @@ ## <desc> ## <p> +## Allow sysadm to debug or ptrace all processes. +## </p> +## </desc> +gen_tunable(deny_ptrace, false) + +## <desc> +## <p> ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ## </p> ## </desc> --- a/policy/modules/contrib/portslave.te +++ b/policy/modules/contrib/portslave.te @@ -7,7 +7,6 @@ type portslave_t; type portslave_exec_t; -init_domain(portslave_t, portslave_exec_t) init_daemon_domain(portslave_t, portslave_exec_t) type portslave_etc_t; --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -96,6 +96,8 @@ fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); +# for systemd +dev_associate(hugetlbfs_t) type ibmasmfs_t; fs_type(ibmasmfs_t) --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc 
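Review bot: The `<desc>` added for the new `deny_ptrace` tunable reads `Allow sysadm to debug or ptrace all processes.`, which is the inverse of what a tunable named deny_ptrace with a `false` default says, so anyone reading the generated documentation will set it the wrong way round. Suggest `## Deny ptrace of all processes; leave unset to let sysadm debug or ptrace all processes.` so the name, the default and the description agree. No tunable_policy block keyed on deny_ptrace appears anywhere in this patch, so presumably it is consumed by the separate systemd patch; a one-line comment above the gen_tunable saying where it is used would save the next reader the search.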
@@ -42,11 +42,23 @@ # /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) +# because nowadays, /sbin/init is often a symlink to /sbin/upstart +/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + +/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0) +/usr/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0) + /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + +/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) # # /var --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -118,7 +118,9 @@ init_dontaudit_use_fds(auditctl_t) -locallogin_dontaudit_use_fds(auditctl_t) +optional_policy(` + locallogin_dontaudit_use_fds(auditctl_t) +') logging_set_audit_parameters(auditctl_t) logging_send_syslog_msg(auditctl_t) --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -28,6 +28,7 @@ # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) +/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) # --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te 
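Review bot: `/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)` is the only entry in this hunk that is not an init or systemd binary, and neither the commit description nor a comment explains it; initrc_exec_t is the entry point into initrc_t, so every domain that may execute initrc_exec_t files gains startx as a way into that domain. Either drop the entry or put a comment above it recording why startx needs to run as initrc_t. The comment `# because nowadays, /sbin/init is often a symlink to /sbin/upstart` sits between the init and upstart lines; it reads better directly above both, e.g. `# /sbin/init is often a symlink to /sbin/upstart, so label both as init_exec_t`.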
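Review bot: `/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)` uses the `/lib/systemd/` prefix while the init.fc hunk in this same patch labels systemd under `/usr/lib/systemd/`; on a merged-/usr system only one spelling matches the canonical path, and on a split system the other is missed. Pick the spelling used in init.fc, or cover both with `(/usr)?/lib/systemd/systemd-cryptsetup`, so the patch is internally consistent.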
@@ -293,6 +293,9 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) +# for systemd-cryptsetup +dev_write_kmsg(lvm_t) + logging_send_syslog_msg(lvm_t) miscfiles_read_localization(lvm_t) --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -172,6 +172,24 @@ ######################################## ## <summary> +## Allow process to read the table dir +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`udev_list_table_dir',` + gen_require(` + type udev_tbl_t; + ') + + allow $1 udev_tbl_t:dir list_dir_perms; +') + +######################################## +## <summary> ## Read the udev device table. ## </summary> ## <desc> @@ -263,6 +281,25 @@ ######################################## ## <summary> +## Allow process to modify relabelto udev database +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`udev_relabelto_db',` + gen_require(` + type udev_var_run_t; + ') + + files_search_pids($1) + allow $1 udev_var_run_t:file relabelto_file_perms; +') + +######################################## +## <summary> ## Read udev pid files. ## </summary> ## <param name="domain"> @@ -322,3 +359,22 @@ files_pid_filetrans($1, udev_var_run_t, dir, $2) ') + +####################################### +## <summary> +## Allow caller to create kobject uevent socket for udev +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`udev_create_kobject_uevent_socket',` + gen_require(` + type udev_t; + role system_r; + ') + + allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms; +') --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
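Review bot: `udev_create_kobject_uevent_socket` declares `role system_r;` in its gen_require but never uses the role, so every caller pulls in a requirement it does not need; drop that line and leave `type udev_t;` on its own. In the second udev.if hunk the summary of `udev_relabelto_db` reads `Allow process to modify relabelto udev database`, which is garbled: the body grants only `relabelto_file_perms` on `udev_var_run_t` files, so `## Relabel files to the udev database type.` describes it accurately. The first hunk's `udev_list_table_dir` summary would read better as `## List the udev device table directory.` to match the neighbouring `Read the udev device table.`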
@@ -2855,6 +2855,35 @@ ######################################## ## <summary> +## Read and write a inherited user TTYs and PTYs. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read and write inherited user +## TTYs and PTYs. This will allow the domain to +## interact with the user via the terminal. Typically +## all interactive applications will require this +## access. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`userdom_use_inherited_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') + +######################################## +## <summary> ## Read and write a user TTYs and PTYs. ## </summary> ## <desc> @@ -3405,6 +3434,42 @@ allow $1 userdomain:process signal; ') +####################################### +## <summary> +## Send signull to all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_signull_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process signull; +') + +######################################## +## <summary> +## Send kill signals to all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_kill_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process sigkill; +') + ######################################## ## <summary> ## Send a SIGCHLD signal to all user domains. 
@@ -3459,3 +3524,41 @@ allow $1 userdomain:dbus send_msg; ') + +######################################## +## <summary> +## Do not audit attempts to write users +## temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:file write; +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## unserdomain stream. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_rw_stream',` + gen_require(` + attribute userdomain; + ') + + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; +') --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -4456,6 +4456,42 @@ ######################################## ## <summary> +## Relabel a dir from the type used in /tmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabelfrom_tmp_dirs',` + gen_require(` + type tmp_t; + ') + + relabelfrom_dirs_pattern($1, tmp_t, tmp_t) +') + +######################################## +## <summary> +## Relabel a file from the type used in /tmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabelfrom_tmp_files',` + gen_require(` + type tmp_t; + ') + + relabelfrom_files_pattern($1, tmp_t, tmp_t) +') + +######################################## +## <summary> ## Set the attributes of all tmp directories. ## </summary> ## <param name="domain"> 
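Review bot: The summary of `userdom_dontaudit_rw_stream` contains a typo, `unserdomain stream`; suggest `## Do not audit attempts to read and write` / `## userdomain unix stream sockets.` so the generated interface docs are found under the right word. Both interfaces in this hunk are dontaudit rules and their `<param>` text correctly says `Domain to not audit.`; that wording has been copied by mistake into several allow interfaces elsewhere in the patch (files.if and devices.if), where it should be `Domain allowed access.`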
@@ -6249,6 +6285,43 @@ ######################################## ## <summary> +## Relable all pid directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabel_all_pid_dirs',` + gen_require(` + attribute pidfile; + ') + + relabel_dirs_pattern($1, pidfile, pidfile) +') + +######################################## +## <summary> +## manage all pidfile directories +## in the /var/run directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_all_pid_dirs',` + gen_require(` + attribute pidfile; + ') + + manage_dirs_pattern($1,pidfile,pidfile) +') + +######################################## +## <summary> ## Read all process ID files. ## </summary> ## <param name="domain"> @@ -6271,6 +6344,42 @@ ######################################## ## <summary> +## Relable all pid files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabel_all_pid_files',` + gen_require(` + attribute pidfile; + ') + + relabel_files_pattern($1, pidfile, pidfile) +') + +######################################## +## <summary> +## Execute generic programs in /var/run in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_exec_generic_pid_files',` + gen_require(` + type var_run_t; + ') + + exec_files_pattern($1, var_run_t, var_run_t) +') + +######################################## +## <summary> ## Delete all process IDs. ## </summary> ## <param name="domain"> 
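Review bot: `files_exec_generic_pid_files` grants `exec_files_pattern($1, var_run_t, var_run_t)`, i.e. execution of any regular file labelled var_run_t, a type that many unrelated daemons may create files under; a domain calling this can end up executing content written by any of them, so the summary should spell that out and callers should be limited to the one case that needs it. Suggest extending the summary with `## This covers every file of type var_run_t, not only the caller's own.` The two files.if hunks here also misspell `Relabel` as `Relable` in the summaries of `files_relabel_all_pid_dirs` and `files_relabel_all_pid_files`, and `manage_dirs_pattern($1,pidfile,pidfile)` lacks the spaces after commas used by every other pattern call in the hunk.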
@@ -6580,3 +6689,153 @@ typeattribute $1 files_unconfined_type; ') + +######################################## +## <summary> +## Create a core files in / +## </summary> +## <desc> +## <p> +## Create a core file in /, +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_root_files',` + gen_require(` + type root_t; + ') + + manage_files_pattern($1, root_t, root_t) +') + +######################################## +## <summary> +## Create all pid sockets +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_create_all_pid_sockets',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:sock_file create_sock_file_perms; +') + +######################################## +## <summary> +## Create all pid named pipes +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_create_all_pid_pipes',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:fifo_file create_fifo_file_perms; +') + +######################################## +## <summary> +## Create all spool sockets +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_create_all_spool_sockets',` + gen_require(` + attribute spoolfile; + ') + + allow $1 spoolfile:sock_file create_sock_file_perms; +') + +######################################## +## <summary> +## Delete all spool sockets +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_delete_all_spool_sockets',` + gen_require(` + attribute spoolfile; + ') + + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + +######################################## +## <summary> +## Delete all pid sockets +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_all_pid_sockets',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:sock_file delete_sock_file_perms; +') + +######################################## +## <summary> +## Delete all pid named pipes +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_all_pid_pipes',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:fifo_file delete_fifo_file_perms; +') + +######################################## +## <summary> +## Allow domain to delete to all files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_delete_all_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + allow $1 non_security_file_type:file_class_set unlink; +') --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -586,3 +586,22 @@ allow $1 unconfined_t:dbus acquire_svc; ') + +######################################## +## <summary> +## Do not audit attempts to read and write +## unconfined domain stream. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`unconfined_dontaudit_rw_stream',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; +') --- a/policy/modules/contrib/cron.if +++ b/policy/modules/contrib/cron.if 
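Review bot: `files_manage_root_files` is documented as `Create a core files in /`, but `manage_files_pattern($1, root_t, root_t)` grants create, read, write, rename and delete on every regular file directly under `/`, a much larger grant than the summary admits; suggest `## Create, read, write, and delete files in /.` with the core-file use kept in the `<desc>` as the motivating example. `files_delete_all_non_security_files` describes its parameter as `Domain to not audit.` although it is an allow rule, and its summary `Allow domain to delete to all files` is garbled; `## Delete all non-security files.` and `## Domain allowed access.` match the body. The same `Domain to not audit.` copy-paste error is in `dev_write_generic_sock_files` in devices.if.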
@@ -412,6 +412,24 @@ ######################################## ## <summary> +## Send a generic signal to cron daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_signal',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:process signal; +') + +######################################## +## <summary> ## Set the attributes of cron log files. ## </summary> ## <param name="domain"> @@ -534,6 +552,46 @@ ######################################## ## <summary> +## Read crond state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_read_state_crond',` + gen_require(` + type crond_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, crond_t) +') + +######################################## +## <summary> +## Send and receive messages from +## crond over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_dbus_chat_crond',` + gen_require(` + type crond_t; + class dbus send_msg; + ') + + allow $1 crond_t:dbus send_msg; + allow crond_t $1:dbus send_msg; +') + +######################################## +## <summary> ## Do not audit attempts to write ## cron daemon unnamed pipes. ## </summary> @@ -833,3 +891,22 @@ dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ') + +######################################## +## <summary> +## Search the directory containing user cron tables. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_manage_system_spool',` + gen_require(` + type cron_system_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) +') --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if 
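Review bot: The summary of `cron_manage_system_spool` says `Search the directory containing user cron tables.`, but the body grants `manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)`, i.e. create, write and delete of the system crontab files, so a reader of the docs would underestimate what a caller can do. Suggest `## Create, read, write, and delete system cron spool files.` The `files_search_spool($1)` call is correct and can stay as is.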
@@ -550,6 +550,26 @@ ######################################## ## <summary> +## Connect to the syslog control unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_create_devlog_dev',` + gen_require(` + type devlog_t; + ') + + allow $1 devlog_t:sock_file manage_sock_file_perms; + dev_filetrans($1, devlog_t, sock_file) + init_pid_filetrans($1, devlog_t, sock_file, "syslog") +') + +######################################## +## <summary> ## Read the auditd configuration files. ## </summary> ## <param name="domain"> @@ -780,6 +800,24 @@ ') ######################################## +## <summary> +## Append to all log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_inherit_append_all_logs',` + gen_require(` + attribute logfile; + ') + + allow $1 logfile:file { getattr append ioctl lock }; +') + +######################################## ## <summary> ## Read all log files. ## </summary> --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -154,6 +154,25 @@ ######################################## ## <summary> +## Allow full relabeling (to and from) of all device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dev_relabel_all_dev_files',` + gen_require(` + type device_t; + ') + + relabel_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> ## List all of the device nodes in a device directory. ## </summary> ## <param name="domain"> 
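Review bot: `logging_create_devlog_dev` is summarised as `Connect to the syslog control unix stream socket.`, but the body grants `manage_sock_file_perms` on `devlog_t` plus the `dev_filetrans` and `init_pid_filetrans` transitions, i.e. creating and removing the syslog socket file rather than connecting to it. Suggest `## Create, write and delete the syslog socket file in /dev and /run.` In the second logging.if hunk, `logging_inherit_append_all_logs` grants `{ getattr append ioctl lock }` without `open`, so it only works on already-open descriptors; its summary should say so, e.g. `## Append to inherited, already-open log files.`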
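Review bot: `dev_relabel_all_dev_files` is documented as `Allow full relabeling (to and from) of all device files`, but `relabel_files_pattern($1, device_t, device_t)` covers only the `file` class on device_t, not `chr_file` or `blk_file`, so device nodes cannot be relabelled through it. Either narrow the summary to `## Relabel regular files of the generic device type.` or add `relabel_chr_files_pattern` / `relabel_blk_files_pattern` lines if device nodes are what the caller needs.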
@@ -462,6 +481,24 @@ ######################################## ## <summary> +## write generic sock files in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_write_generic_sock_files',` + gen_require(` + type device_t; + ') + + write_sock_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> ## Dontaudit getattr on generic block devices. ## </summary> ## <param name="domain"> @@ -4016,6 +4053,44 @@ ######################################## ## <summary> +## Relabel hardware state directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_relabel_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + relabel_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## <summary> +## Relabel hardware state files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_relabel_all_sysfs',` + gen_require(` + type sysfs_t; + ') + + relabel_dirs_pattern($1, sysfs_t, sysfs_t) + relabel_files_pattern($1, sysfs_t, sysfs_t) + relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## <summary> ## Read and write the TPM device. ## </summary> ## <param name="domain"> 
@@ -4851,3 +4926,103 @@ typeattribute $1 devices_unconfined_type; ') + +######################################## +## <summary> +## Read cpu online hardware state information. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read /sys/devices/system/cpu/online file. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_cpu_online',` + gen_require(` + type cpu_online_t; + ') + + dev_search_sysfs($1) + read_files_pattern($1, cpu_online_t, cpu_online_t) +') + +######################################## +## <summary> +## Relabel cpu online hardware state information. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_relabel_cpu_online',` + gen_require(` + type cpu_online_t; + type sysfs_t; + ') + + dev_search_sysfs($1) + allow $1 cpu_online_t:file relabel_file_perms; +') + +######################################## +## <summary> +## Relabel the printer device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_relabel_printer',` + gen_require(` + type printer_device_t; + ') + + allow $1 printer_device_t:chr_file relabel_chr_file_perms; +') + +######################################## +## <summary> +## Read and write the printer device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_manage_printer',` + gen_require(` + type device_t, printer_device_t; + ') + + manage_chr_files_pattern($1, device_t, printer_device_t) +') + +######################################## +## <summary> +## Create FIFO pipes in device directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_create_generic_pipes',` + gen_require(` + type device_t; + ') + allow $1 device_t:dir add_entry_dir_perms; + allow $1 device_t:fifo_file { getattr create }; + allow $1 device_t:dir search_dir_perms; + allow $1 device_t:file setattr_file_perms; +') --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ ######################################## ## <summary> +## Get attributes of cgroup files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + getattr_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + +######################################## +## <summary> ## Search cgroup directories. ## </summary> ## <param name="domain"> @@ -651,6 +672,25 @@ ######################################## ## <summary> +## Relabel cgroup directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_relabel_cgroup_dirs',` + gen_require(` + type cgroup_t; + + ') + + relabel_dirs_pattern($1, cgroup_t, cgroup_t) +') + +######################################## +## <summary> ## list cgroup directories. ## </summary> ## <param name="domain"> 
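Review bot: `dev_read_cpu_online` and `dev_relabel_cpu_online` require `type cpu_online_t;`, and the devices.fc hunk labels `/sys/devices/system/cpu/online` with it, but no devices.te hunk in this patch declares the type; unless it is declared in the separate systemd patch, the policy will not build. `dev_relabel_cpu_online` also lists `type sysfs_t;` in its gen_require without using it, so that line should go. `dev_manage_printer` is summarised as `Read and write the printer device` while the body is `manage_chr_files_pattern`, which adds create and delete; `## Create, read, write, and delete the printer device.` is accurate. `dev_create_generic_pipes` is missing the blank line after `gen_require` that every other interface in the hunk has, and its `allow $1 device_t:file setattr_file_perms;` has nothing to do with pipes and needs a comment or removal.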
@@ -3998,6 +4038,42 @@ ') ######################################## +## <summary> +## Relabel directory on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_relabel_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + + relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Relabel files on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_relabel_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + relabel_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## ## <summary> ## Create, read, write, and delete ## tmpfs directories --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -481,6 +481,24 @@ ######################################## ## <summary> +## Relabel the /dev/pts directory +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_relabel_ptys_dirs',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:dir relabel_dir_perms; +') + +######################################## +## <summary> ## Do not audit attempts to read the ## /dev/pts directory. ## </summary> --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if 
@@ -123,3 +123,39 @@ corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') + +######################################## +## <summary> +## Read and write a lvm unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lvm_rw_pipes',` + gen_require(` + type lvm_var_run_t; + ') + + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## <summary> +## Send lvm a null signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lvm_signull',` + gen_require(` + type lvm_t; + ') + + allow $1 lvm_t:process signull; +') --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -192,7 +192,8 @@ define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }') define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') @@ -259,7 +260,8 @@ # # Use (read and write) terminals # -define(`rw_term_perms', `{ getattr open read write append ioctl }') +define(`rw_inherited_term_perms', `{ getattr read write append ioctl }') +define(`rw_term_perms', `{ rw_inherited_term_perms open }') # # Sockets --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if 
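Review bot: `lvm_rw_pipes` is summarised as `Read and write a lvm unnamed pipe`, but it grants `rw_inherited_fifo_file_perms` on `lvm_var_run_t:fifo_file`, which is a named pipe under lvm's runtime directory; suggest `## Read and write inherited lvm named pipes in /run.` The choice of the new `rw_inherited_fifo_file_perms` set, added to obj_perm_sets.spt in this same patch, is deliberate and worth a comment, e.g. `# no open: callers inherit the fifo descriptor`.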
@@ -189,6 +189,24 @@ ######################################## ## <summary> +## Send kill signals to all application domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`application_sigkill',` + gen_require(` + attribute application_domain_type; + ') + + allow $1 application_domain_type:process sigkill; +') + +######################################## +## <summary> ## Do not audit attempts to send kill signals ## to all application domains. ## </summary> --- a/policy/modules/contrib/dpkg.te +++ b/policy/modules/contrib/dpkg.te @@ -183,13 +183,16 @@ files_read_etc_runtime_files(dpkg_t) files_exec_usr_files(dpkg_t) miscfiles_read_localization(dpkg_t) -modutils_run_depmod(dpkg_t, dpkg_roles) -modutils_run_insmod(dpkg_t, dpkg_roles) seutil_run_loadpolicy(dpkg_t, dpkg_roles) seutil_run_setfiles(dpkg_t, dpkg_roles) userdom_use_all_users_fds(dpkg_t) optional_policy(` +modutils_run_depmod(dpkg_t, dpkg_roles) +modutils_run_insmod(dpkg_t, dpkg_roles) +') + +optional_policy(` mta_send_mail(dpkg_t) ') optional_policy(` @@ -287,8 +290,10 @@ miscfiles_read_localization(dpkg_script_t) +optional_policy(` modutils_run_depmod(dpkg_script_t, dpkg_roles) modutils_run_insmod(dpkg_script_t, dpkg_roles) +') seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) seutil_run_setfiles(dpkg_script_t, dpkg_roles) --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -345,7 +345,9 @@ files_read_non_auth_files(restorecond_t) auth_use_nsswitch(restorecond_t) -locallogin_dontaudit_use_fds(restorecond_t) +optional_policy(` + locallogin_dontaudit_use_fds(restorecond_t) +') logging_send_syslog_msg(restorecond_t) @@ -485,7 +487,9 @@ # Running genhomedircon requires this for finding all users auth_use_nsswitch(semanage_t) -locallogin_use_fds(semanage_t) +optional_policy(` + locallogin_use_fds(semanage_t) +') logging_send_syslog_msg(semanage_t) --- a/policy/modules/system/sysnetwork.te 
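Review bot: The two `modutils_run_*` lines moved into the new `optional_policy` block in dpkg.te are left at column 0, whereas the optional_policy bodies this patch adds in selinuxutil.te, sysnetwork.te and init.te indent their contents; the second dpkg.te hunk at dpkg_script_t has the same problem. Indenting the four lines keeps the file consistent and makes the block boundaries visible when reading the diff.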
+++ b/policy/modules/system/sysnetwork.te @@ -143,7 +143,9 @@ miscfiles_read_localization(dhcpc_t) -modutils_run_insmod(dhcpc_t, dhcpc_roles) +optional_policy(` + modutils_run_insmod(dhcpc_t, dhcpc_roles) +') sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) @@ -318,7 +320,9 @@ miscfiles_read_localization(ifconfig_t) -modutils_domtrans_insmod(ifconfig_t) +optional_policy(` + modutils_domtrans_insmod(ifconfig_t) +') seutil_use_runinit_fds(ifconfig_t) --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -60,7 +60,7 @@ recv_msg send_msg name_bind -} +} # # Define a common prefix for ipc access vectors. @@ -244,7 +244,7 @@ node_bind } -class node +class node { tcp_recv tcp_send @@ -362,7 +362,7 @@ # -# Define the access vector interpretation for the security server. +# Define the access vector interpretation for the security server. # class security @@ -410,33 +410,33 @@ # Care should be taken to ensure that these are consistent with # those definitions. (Order matters) - chown - dac_override - dac_read_search - fowner - fsetid - kill - setgid - setuid - setpcap - linux_immutable - net_bind_service - net_broadcast - net_admin - net_raw - ipc_lock - ipc_owner - sys_module - sys_rawio - sys_chroot - sys_ptrace - sys_pacct - sys_admin - sys_boot - sys_nice - sys_resource - sys_time - sys_tty_config + chown + dac_override + dac_read_search + fowner + fsetid + kill + setgid + setuid + setpcap + linux_immutable + net_bind_service + net_broadcast + net_admin + net_raw + ipc_lock + ipc_owner + sys_module + sys_rawio + sys_chroot + sys_ptrace + sys_pacct + sys_admin + sys_boot + sys_nice + sys_resource + sys_time + sys_tty_config mknod lease audit_write @@ -444,7 +444,7 @@ setfcap } -class capability2 +class capability2 { mac_override # unused by SELinux mac_admin # unused by SELinux @@ -826,7 +826,7 @@ class kernel_service { use_as_override - create_files_as + create_files_as } class tun_socket --- a/policy/flask/security_classes +++ b/policy/flask/security_classes 
@@ -1,7 +1,7 @@ # FLASK # -# Define the security object classes +# Define the security object classes # # Classes marked as userspace are classes @@ -117,7 +117,7 @@ class x_application_data # userspace # kernel services that need to override task security, e.g. cachefiles -class kernel_service +class kernel_service class tun_socket --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -199,6 +199,7 @@ /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) +/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0) ifdef(`distro_redhat',` # originally from named.fc --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -35,6 +35,12 @@ init_exec(sysadm_t) +tunable_policy(`init_upstart', `', ` + # Run the shell in the sysadm role for single-user mode. + # causes problems with upstart + init_shell_domtrans(sysadm_t) +') + # for sepolgen-ifgen selinux_read_policy(sysadm_t) --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -219,10 +219,6 @@ tunable_policy(`init_upstart',` corecmd_shell_domtrans(init_t, initrc_t) -',` - # Run the shell in the sysadm role for single-user mode. - # causes problems with upstart - sysadm_shell_domtrans(init_t) ') optional_policy(` @@ -446,8 +442,10 @@ # slapd needs to read cert files from its initscript miscfiles_read_generic_certs(initrc_t) -modutils_read_module_config(initrc_t) -modutils_domtrans_insmod(initrc_t) +optional_policy(` + modutils_read_module_config(initrc_t) + modutils_domtrans_insmod(initrc_t) +') seutil_read_config(initrc_t) --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
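Review bot: The new tunable_policy block keyed on init_upstart in sysadm.te references a tunable that, as far as this patch shows, is not declared in policy/global_tunables; if it lives in init.te, a modular build cannot see it from the sysadm module, and the block will fail to load unless the boolean is required explicitly. Moving `init_upstart` to global_tunables, or keeping the single-user shell rule inside the existing init.te tunable_policy block and passing the sysadm domain through an interface, avoids the cross-module reference. The empty true branch is also unusual; a comment such as `# upstart handles single-user mode itself, so nothing is granted here` above it would explain the shape.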
@@ -1858,3 +1858,24 @@ interface(`systemd_unit_file',` files_type($1) ') + +######################################## +## <summary> +## Init will execute a shell in the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## Target domain +## </summary> +## </param> +# +interface(`init_shell_domtrans',` + gen_require(` + type init_t; + ') + + corecmd_shell_domtrans(init_t, $1) + allow $1 init_t:fd use; + allow $1 init_t:fifo_file rw_file_perms; + allow $1 init_t:process sigchld; +')
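Review bot: `init_shell_domtrans` uses `allow $1 init_t:fifo_file rw_file_perms;`, the regular-file permission set, on a fifo_file; the matching set is `rw_fifo_file_perms`, which this same patch redefines in obj_perm_sets.spt, so the line should read `allow $1 init_t:fifo_file rw_fifo_file_perms;`. The interface would also benefit from a `<desc>` stating that the three allow rules let the shell spawned by init keep using init's inherited descriptors and pipes and report its exit, which is what `fd use`, the fifo_file rule and `process sigchld` accomplish together; the sysadm.te hunk is the only caller visible in this patch.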
