[COMMIT]refpolicy branch, master, updated. contrib-5-g1c5dacd
cpebenito at oss.tresys.com
cpebenito at oss.tresys.com
Tue Sep 13 14:23:53 CDT 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "refpolicy".
The branch, master has been updated
via 1c5dacd2c0eb571e42a811cae5131789058ff721 (commit)
from f71818193008cad39e280db257507d540220a501 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 1c5dacd2c0eb571e42a811cae5131789058ff721
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Sep 13 14:45:14 2011 -0400
Change secure_mode_insmod to control sys_module capability rather than controlling domain transitions to insmod.
Based on a patch from Dan Walsh.
-----------------------------------------------------------------------
Summary of changes:
Changelog | 2 ++
policy/global_booleans | 7 -------
policy/modules/admin/bootloader.te | 4 ++--
policy/modules/contrib | 2 +-
policy/modules/kernel/kernel.if | 7 +------
policy/modules/kernel/kernel.te | 27 ++++++++++++++++++++++++---
policy/modules/system/modutils.if | 7 +++----
policy/modules/system/modutils.te | 10 ++--------
policy/modules/system/unconfined.if | 4 ++--
policy/modules/system/unconfined.te | 2 +-
10 files changed, 38 insertions(+), 34 deletions(-)
Detailed diffset:
:100644 100644 4736da4... 1fa54a3... M Changelog
:100644 100644 111d004... 71ff141... M policy/global_booleans
:100644 100644 d3da8f2... 1e771ba... M policy/modules/admin/bootloader.te
:160000 160000 9401ae1... f0f7b65... M policy/modules/contrib
:100644 100644 6346378... 4bf45cb... M policy/modules/kernel/kernel.if
:100644 100644 eac9961... 15f7ea2... M policy/modules/kernel/kernel.te
:100644 100644 9c0faab... b492674... M policy/modules/system/modutils.if
:100644 100644 da014ed... 2e1c522... M policy/modules/system/modutils.te
:100644 100644 416e668... db7aabb... M policy/modules/system/unconfined.if
:100644 100644 eae5001... eefcba3... M policy/modules/system/unconfined.te
diff --git a/Changelog b/Changelog
index 4736da4..1fa54a3 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Change secure_mode_insmod to control sys_module capability rather than
+ controlling domain transitions to insmod.
- Openrc and portage updates from Sven Vermeulen.
- Allow user and role changes on dynamic transitions with the same
constraints as regular transitions.
diff --git a/policy/global_booleans b/policy/global_booleans
index 111d004..71ff141 100644
--- a/policy/global_booleans
+++ b/policy/global_booleans
@@ -15,13 +15,6 @@ gen_bool(secure_mode,false)
## <desc>
## <p>
-## Disable transitions to insmod.
-## </p>
-## </desc>
-gen_bool(secure_mode_insmod,false)
-
-## <desc>
-## <p>
## boolean to determine whether the system permits loading policy, setting
## enforcing mode, and changing boolean values. Set this to true and you
## have to reboot to set it back
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index d3da8f2..1e771ba 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.12.0)
+policy_module(bootloader, 1.12.1)
########################################
#
@@ -121,7 +121,7 @@ logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t)
-modutils_domtrans_insmod_uncond(bootloader_t)
+modutils_domtrans_insmod(bootloader_t)
seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
diff --git a/policy/modules/contrib b/policy/modules/contrib
index 9401ae1..f0f7b65 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit 9401ae10439194149e43f840803281590111978f
+Subproject commit f0f7b65d39c33c76773ef405ab0e7fe4b35d8371
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 6346378..4bf45cb 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -345,13 +345,7 @@ interface(`kernel_load_module',`
attribute can_load_kernmodule;
')
- allow $1 self:capability sys_module;
typeattribute $1 can_load_kernmodule;
-
- # load_module() calls stop_machine() which
- # calls sched_setscheduler()
- allow $1 self:capability sys_nice;
- kernel_setsched($1)
')
########################################
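Review bot: After this hunk, kernel_load_module() grants nothing on its own. It only tags the caller with can_load_kernmodule, while the sys_module, sys_nice and setsched rules move to kernel.te behind secure_mode_insmod. The interface's doc block starts outside the hunk, so if it still describes an unconditional grant it should be updated, for example with `## The access is only effective while the secure_mode_insmod boolean is off.` in the description. Callers that relied on this interface for sys_nice or setsched for reasons unrelated to module loading now lose them when the boolean is on, so they need their own rules.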
@@ -2962,4 +2956,5 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
+ kernel_load_module($1)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index eac9961..15f7ea2 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,16 +1,23 @@
-policy_module(kernel, 1.14.0)
+policy_module(kernel, 1.14.1)
########################################
#
# Declarations
#
+## <desc>
+## <p>
+## Disable kernel module loading.
+## </p>
+## </desc>
+gen_bool(secure_mode_insmod, false)
+
# assertion related attributes
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
attribute can_dump_kernel;
-neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
+neverallow ~can_load_kernmodule self:capability sys_module;
# domains with unconfined access to kernel resources
attribute kern_unconfined;
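Review bot: The description `Disable kernel module loading.` on the relocated secure_mode_insmod boolean does not say that the setting is reversible. A domain permitted to set booleans can switch it back off unless boolean changes are locked too, which is what the secure_mode_policyload description in global_booleans covers. Adding `## Combine with secure_mode_policyload to keep this boolean from being reset at runtime.` would make that dependency visible to administrators. It would also help to state that the boolean now applies to every domain, unconfined ones included, since the neverallow no longer exempts kern_unconfined.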
@@ -181,7 +188,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# kernel local policy
#
-allow kernel_t self:capability *;
+allow kernel_t self:capability ~sys_module;
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
allow kernel_t self:sem create_sem_perms;
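Review bot: `allow kernel_t self:capability ~sys_module;` gives no reason for the exclusion, and the same pattern is introduced in unconfined_domain_noaudit in unconfined.if, where the comment only says "most". A comment above each rule, such as `# sys_module is granted only via can_load_kernmodule, conditional on secure_mode_insmod`, would stop a later cleanup from restoring `*` and silently bypassing the boolean. The hunk does not show whether kernel_t carries can_load_kernmodule. If it does not, kernel_t loses sys_module even with the boolean off, which is worth confirming against the type declaration.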
@@ -374,6 +381,20 @@ optional_policy(`
########################################
#
+# Kernel module loading policy
+#
+
+if( ! secure_mode_insmod ) {
+ allow can_load_kernmodule self:capability sys_module;
+
+ # load_module() calls stop_machine() which
+ # calls sched_setscheduler()
+ allow can_load_kernmodule self:capability sys_nice;
+ kernel_setsched(can_load_kernmodule)
+}
+
+########################################
+#
# Rules for unconfined acccess to this module
#
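Review bot: This conditional only gates module loading if no domain also holds an unconditional sys_module grant, and the neverallow in this file cannot enforce that for domains carrying can_load_kernmodule. A module that still has `self:capability sys_module` or `self:capability *` for such a domain would keep the capability with secure_mode_insmod on. This commit fixes kernel_t and unconfined_domain_noaudit, but the remaining policy, including the bumped contrib submodule, is not visible here and should be checked for leftover grants. A comment at the top of this section, such as `# sys_module must only be allowed in this block; an unconditional grant elsewhere bypasses secure_mode_insmod`, would record the invariant.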
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 9c0faab..b492674 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -153,12 +153,11 @@ interface(`modutils_domtrans_insmod_uncond',`
#
interface(`modutils_domtrans_insmod',`
gen_require(`
- bool secure_mode_insmod;
+ type insmod_t, insmod_exec_t;
')
- if (!secure_mode_insmod) {
- modutils_domtrans_insmod_uncond($1)
- }
+ corecmd_search_bin($1)
+ domtrans_pattern($1, insmod_exec_t, insmod_t)
')
########################################
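Review bot: modutils_domtrans_insmod() now has its own `corecmd_search_bin($1)` and `domtrans_pattern($1, insmod_exec_t, insmod_t)` body and no longer tests the boolean, so it appears to duplicate modutils_domtrans_insmod_uncond(), whose body lies outside this hunk. If the two are now equivalent, the _uncond variant could be reduced to `modutils_domtrans_insmod($1)` and marked deprecated with refpolicywarn, so there is one place to maintain the transition. The doc block above modutils_domtrans_insmod is also outside the hunk. Any mention there of the transition being conditional on secure_mode_insmod should be dropped.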
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index da014ed..2e1c522 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,8 +1,4 @@
-policy_module(modutils, 1.11.0)
-
-gen_require(`
- bool secure_mode_insmod;
-')
+policy_module(modutils, 1.11.1)
########################################
#
@@ -178,9 +174,7 @@ userdom_use_user_terminals(insmod_t)
userdom_dontaudit_search_user_home_dirs(insmod_t)
-if( ! secure_mode_insmod ) {
- kernel_domtrans_to(insmod_t, insmod_exec_t)
-}
+kernel_domtrans_to(insmod_t, insmod_exec_t)
optional_policy(`
alsa_domtrans(insmod_t)
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 416e668..db7aabb 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -18,8 +18,8 @@ interface(`unconfined_domain_noaudit',`
class passwd all_passwd_perms;
')
- # Use any Linux capability.
- allow $1 self:capability *;
+ # Use most Linux capabilities
+ allow $1 self:capability ~sys_module;
allow $1 self:fifo_file manage_fifo_file_perms;
# Transition to myself, to make get_ordered_context_list happy.
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eae5001..eefcba3 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.3.0)
+policy_module(unconfined, 3.3.1)
########################################
#
hooks/post-receive
--
refpolicy