[refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

Dominick Grift domg472 at gmail.com
Fri Sep 24 14:37:57 CDT 2010 

I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users suchs a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc.

Signed-off-by: Dominick Grift <domg472 at gmail.com>
---
:100644 100644 2b12a37... aa9f935... M	policy/modules/admin/consoletype.te
:100644 100644 39e901a... 0bfab9b... M	policy/modules/services/dbus.if
:100644 100644 b354128... 052f0a6... M	policy/modules/services/dbus.te
:100644 100644 b3ace16... 58a4736... M	policy/modules/services/modemmanager.te
:100644 100644 0619395... 2f9a857... M	policy/modules/services/networkmanager.te
:100644 100644 c61adc8... b4a1419... M	policy/modules/services/ntp.te
:100644 100644 2dad3c8... a20543a... M	policy/modules/services/ssh.te
:100644 100644 54d122b... 25bfbd4... M	policy/modules/system/authlogin.te
:100644 100644 fca6947... 5f5f331... M	policy/modules/system/mount.te
:100644 100644 dfbe736... eac173f... M	policy/modules/system/sysnetwork.te
:100644 100644 f976344... fbf02ec... M	policy/modules/system/unconfined.te
:100644 100644 2aa8928... 5cb411a... M	policy/modules/system/userdomain.if
 policy/modules/admin/consoletype.te       |    4 ++++
 policy/modules/services/dbus.if           |   18 ++++++++++++++++++
 policy/modules/services/dbus.te           |    9 +++++----
 policy/modules/services/modemmanager.te   |    2 +-
 policy/modules/services/networkmanager.te |    1 +
 policy/modules/services/ntp.te            |    1 +
 policy/modules/services/ssh.te            |    4 ++++
 policy/modules/system/authlogin.te        |    1 +
 policy/modules/system/mount.te            |   11 ++++++++++-
 policy/modules/system/sysnetwork.te       |    4 ++++
 policy/modules/system/unconfined.te       |    7 +++++++
 policy/modules/system/userdomain.if       |   18 ++++++++++++++++++
 12 files changed, 74 insertions(+), 6 deletions(-)

diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 2b12a37..aa9f935 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -75,6 +75,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_use_fd(consoletype_t)
+')
+
+optional_policy(`
 	files_read_etc_files(consoletype_t)
 	firstboot_use_fds(consoletype_t)
 	firstboot_rw_pipes(consoletype_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 39e901a..0bfab9b 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -479,3 +479,21 @@ interface(`dbus_unconfined',`
 
 	typeattribute $1 dbusd_unconfined;
 ')
+
+########################################
+## <summary>
+##	Use and inherit system DBUS file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_use_fd',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+
+	allow $1 system_dbusd_t:fd use;
+')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index b354128..052f0a6 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -108,10 +108,6 @@ term_dontaudit_use_console(system_dbusd_t)
 auth_use_nsswitch(system_dbusd_t)
 auth_read_pam_console_data(system_dbusd_t)
 
-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-
 domain_use_interactive_fds(system_dbusd_t)
 domain_read_all_domains_state(system_dbusd_t)
 
@@ -141,6 +137,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# should this be dbus_system_domain instead?
+	networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
 	policykit_dbus_chat(system_dbusd_t)
 	policykit_domtrans_auth(system_dbusd_t)
 	policykit_search_lib(system_dbusd_t)
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index b3ace16..58a4736 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -16,7 +16,7 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
 # ModemManager local policy
 #
 
-allow modemmanager_t self:process signal;
+allow modemmanager_t self:process { getsched setsched signal };
 allow modemmanager_t self:fifo_file rw_file_perms;
 allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 0619395..2f9a857 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -141,6 +141,7 @@ sysnet_domtrans_ifconfig(NetworkManager_t)
 sysnet_domtrans_dhcpc(NetworkManager_t)
 sysnet_signal_dhcpc(NetworkManager_t)
 sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
 sysnet_delete_dhcpc_pid(NetworkManager_t)
 sysnet_search_dhcp_state(NetworkManager_t)
 # in /etc created by NetworkManager will be labelled net_conf_t.
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index c61adc8..b4a1419 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -74,6 +74,7 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
 files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
 
 kernel_read_kernel_sysctls(ntpd_t)
+kernel_read_crypto_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
 kernel_request_load_module(ntpd_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..a20543a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
 
+kernel_read_crypto_sysctls(sshd_t)
+kernel_request_load_module(sshd_t)
 kernel_search_key(sshd_t)
 kernel_link_key(sshd_t)
 
@@ -249,6 +251,8 @@ term_relabelto_all_ptys(sshd_t)
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
+userdom_write_all_users_keys(sshd_t)
+
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
 	# ioctl is necessary for logout() processing for utmp entry and for w to
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 54d122b..25bfbd4 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -90,6 +90,7 @@ files_list_etc(chkpwd_t)
 
 # is_selinux_enabled
 kernel_read_system_state(chkpwd_t)
+kernel_read_crypto_sysctls(chkpwd_t)
 
 domain_dontaudit_use_interactive_fds(chkpwd_t)
 
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fca6947..5f5f331 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -36,6 +36,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
 
 # setuid/setgid needed to mount cifs 
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:fifo_file rw_fifo_file_perms;
 
 allow mount_t mount_loopback_t:file read_file_perms;
 
@@ -48,13 +49,16 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
+kernel_setsched(mount_t)
 kernel_dontaudit_getattr_core_if(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
+corecmd_exec_shell(mount_t)
 
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
+dev_read_sysfs(mount_t)
 dev_rw_lvm_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
@@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_all_fs(mount_t)
-fs_list_auto_mountpoints(mount_t)
+# wants to list usbfs_t
+fs_list_all(mount_t)
 fs_rw_tmpfs_chr_files(mount_t)
 fs_read_tmpfs_symlinks(mount_t)
 
@@ -180,6 +185,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	dbus_use_fd(mount_t)
+')
+
 # for kernel package installation
 optional_policy(`
 	rpm_rw_pipes(mount_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index dfbe736..eac173f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
 ')
 
 optional_policy(`
+	dbus_use_fd(ifconfig_t)
+')
+
+optional_policy(`
 	hal_dontaudit_rw_pipes(ifconfig_t)
 	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
 ')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index f976344..fbf02ec 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
 mcs_killall(unconfined_t)
 mcs_ptrace_all(unconfined_t)
 
+ubac_process_exempt(unconfined_t)
+ubac_file_exempt(unconfined_t)
+ubac_fd_exempt(unconfined_t)
+
 init_run_daemon(unconfined_t, unconfined_r)
 
 libs_run_ldconfig(unconfined_t, unconfined_r)
@@ -42,6 +46,7 @@ logging_run_auditctl(unconfined_t, unconfined_r)
 
 mount_run_unconfined(unconfined_t, unconfined_r)
 
+seutil_run_runinit(unconfined_t, unconfined_r)
 seutil_run_setfiles(unconfined_t, unconfined_r)
 seutil_run_semanage(unconfined_t, unconfined_r)
 
@@ -192,6 +197,8 @@ optional_policy(`
 
 optional_policy(`
 	usermanage_run_admin_passwd(unconfined_t, unconfined_r)
+	usermanage_run_groupadd(unconfined_t, unconfined_r)
+	usermanage_run_useradd(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2aa8928..5cb411a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3112,6 +3112,24 @@ interface(`userdom_create_all_users_keys',`
 
 ########################################
 ## <summary>
+##	Write and link keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key { search write link };
+')
+
+########################################
+## <summary>
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-- 
1.7.2.3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100924/a752884d/attachment.bin

More information about the refpolicy mailing list