Navigation

← Previous Changeset
Next Changeset →

Changeset 142

Timestamp:

11/27/06 11:51:16 (2 years ago)

Author:

ccase

Message:

Updated to upstream.

Files:

upstream/refpolicy/Changelog (modified) (2 diffs)
upstream/refpolicy/policy/flask/access_vectors (modified) (1 diff)
upstream/refpolicy/policy/mls (modified) (2 diffs)
upstream/refpolicy/policy/modules/admin/logrotate.te (modified) (2 diffs)
upstream/refpolicy/policy/modules/admin/portage.if (modified) (1 diff)
upstream/refpolicy/policy/modules/admin/portage.te (modified) (1 diff)
upstream/refpolicy/policy/modules/kernel/corenetwork.te.in (modified) (4 diffs)
upstream/refpolicy/policy/modules/kernel/filesystem.if (modified) (1 diff)
upstream/refpolicy/policy/modules/kernel/filesystem.te (modified) (1 diff)
upstream/refpolicy/policy/modules/kernel/kernel.te (modified) (3 diffs)
upstream/refpolicy/policy/modules/services/aide.fc (added)
upstream/refpolicy/policy/modules/services/aide.if (added)
upstream/refpolicy/policy/modules/services/aide.te (added)
upstream/refpolicy/policy/modules/services/ccs.fc (added)
upstream/refpolicy/policy/modules/services/ccs.if (added)
upstream/refpolicy/policy/modules/services/ccs.te (added)
upstream/refpolicy/policy/modules/services/dnsmasq.te (modified) (2 diffs)
upstream/refpolicy/policy/modules/services/ricci.fc (added)
upstream/refpolicy/policy/modules/services/ricci.if (added)
upstream/refpolicy/policy/modules/services/ricci.te (added)
upstream/refpolicy/policy/modules/system/hotplug.if (modified) (1 diff)
upstream/refpolicy/policy/modules/system/hotplug.te (modified) (1 diff)
upstream/refpolicy/policy/modules/system/init.fc (modified) (1 diff)
upstream/refpolicy/policy/modules/system/init.if (modified) (1 diff)
upstream/refpolicy/policy/modules/system/init.te (modified) (1 diff)
upstream/refpolicy/policy/modules/system/lvm.fc (modified) (1 diff)
upstream/refpolicy/policy/modules/system/lvm.te (modified) (1 diff)
upstream/refpolicy/policy/modules/system/selinuxutil.te (modified) (2 diffs)
upstream/refpolicy/policy/modules/system/udev.te (modified) (4 diffs)
upstream/refpolicy/policy/modules/system/userdomain.if (modified) (3 diffs)
upstream/refpolicy/policy/modules/system/userdomain.te (modified) (1 diff)
upstream/refpolicy/support/Makefile.devel (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

upstream/refpolicy/Changelog

r119	r142
	1	- Association polmatch MLS constraint making unlabeled_t an exception
	2	is no longer needed, patch from Venkat Yekkirala.
	3	- Context contains checking for PAM and cron from James Antill.
	4	- Add a reload target to Modules.devel and change the load
	5	target to only insert modules that were changed.
	6	- Allow semanage to read from /root on strict non-MLS for
	7	local policy modules.
	8	- Gentoo init script fixes for udev.
	9	- Allow udev to read kernel modules.inputmap.
	10	- Dnsmasq fixes from testing.
	11	- Allow kernel NFS server to getattr filesystems so df can work
	12	on clients.
1	13	- Patch from Matt Anderson for a MLS constraint exemption on a
2	14	file that can be written to from a subject whose range is
…	…
6	18	Tue, 24 Oct 2006
7	19	- Added modules:
	20	aide (Matt Anderson)
	21	ccs (Dan Walsh)
8	22	iscsi (Dan Walsh)
	23	ricci (Dan Walsh)
9	24
10	25	* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018

upstream/refpolicy/policy/flask/access_vectors

r119 r142

636 636 {
637 637 translate
638 }
638 contains
639 }

upstream/refpolicy/policy/mls

r119	r142
586	586
587	587	mlsconstrain association { polmatch }
588		((( l1 dom l2 ) and ( h1 domby h2 )) or
589		( t2 == unlabeled_t ));
	588	(( l1 dom l2 ) and ( h1 domby h2 ));
590	589
591	590
…	…
598	597	(( h1 dom h2 ) or ( t1 == mlstranslate ));
599	598
	599	mlsconstrain context contains
	600	( h1 dom h2 );
	601
600	602	') dnl end enable_mls

upstream/refpolicy/policy/modules/admin/logrotate.te

r73	r142
1	1
2		policy_module(logrotate,1.3.0)
	2	policy_module(logrotate,1.3.1)
3	3
4	4	########################################
…	…
119	119	sysnet_read_config(logrotate_t)
120	120
	121	userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
121	122	userdom_use_unpriv_users_fds(logrotate_t)
122	123

upstream/refpolicy/policy/modules/admin/portage.if

r73	r142
326	326	# run setfiles -r
327	327	seutil_domtrans_setfiles($1)
	328	# run semodule
	329	seutil_domtrans_semanage($1)
328	330
329	331	portage_domtrans_gcc_config($1)

upstream/refpolicy/policy/modules/admin/portage.te

r73 r142

1 1
2 policy_module(portage,1.1.0)
2 policy_module(portage,1.1.1)
3 3
4 4 ########################################

upstream/refpolicy/policy/modules/kernel/corenetwork.te.in

r119	r142
1	1
2		policy_module(corenetwork,1.2.1)
	2	policy_module(corenetwork,1.2.2)
3	3
4	4	########################################
…	…
67	67	network_port(clamd, tcp,3310,s0)
68	68	network_port(clockspeed, udp,4041,s0)
	69	network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
69	70	network_port(comsat, udp,512,s0)
70	71	network_port(cvs, tcp,2401,s0, udp,2401,s0)
…	…
107	108	network_port(mysqld, tcp,3306,s0)
108	109	network_port(nessus, tcp,1241,s0)
	110	network_port(netsupport, tcp,5405,s0, udp,5405,s0)
109	111	network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
110	112	network_port(ntp, udp,123,s0)
…	…
123	125	network_port(radius, udp,1645,s0, udp,1812,s0)
124	126	network_port(razor, tcp,2703,s0)
	127	network_port(ricci, tcp,11111,s0, udp,11111,s0)
	128	network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
125	129	network_port(rlogind, tcp,513,s0)
126	130	network_port(rndc, tcp,953,s0)

upstream/refpolicy/policy/modules/kernel/filesystem.if

r119	r142
628	628	allow $1 cifs_t:dir r_dir_perms;
629	629	allow $1 cifs_t:file r_file_perms;
	630	')
	631
	632	########################################
	633	## <summary>
	634	## Get the attributes of filesystems that
	635	## do not have extended attribute support.
	636	## </summary>
	637	## <param name="domain">
	638	## <summary>
	639	## Domain allowed access.
	640	## </summary>
	641	## </param>
	642	## <rolecap/>
	643	#
	644	interface(`fs_getattr_noxattr_fs',`
	645	gen_require(`
	646	attribute noxattrfs;
	647	')
	648
	649	allow $1 noxattrfs:filesystem getattr;
630	650	')
631	651

upstream/refpolicy/policy/modules/kernel/filesystem.te

r119 r142

1 1
2 policy_module(filesystem,1.4.1)
2 policy_module(filesystem,1.4.2)
3 3
4 4 ########################################

upstream/refpolicy/policy/modules/kernel/kernel.te

r73	r142
1	1
2		policy_module(kernel,1.4.0)
	2	policy_module(kernel,1.4.1)
3	3
4	4	########################################
…	…
288	288	corenet_sendrecv_generic_server_packets(kernel_t)
289	289
	290	fs_getattr_xattr_fs(kernel_t)
	291
290	292	auth_dontaudit_getattr_shadow(kernel_t)
291	293
…	…
297	299
298	300	tunable_policy(`nfs_export_all_ro',`
299		fs_list_noxattr_fs(kernel_t)
300		fs_read_noxattr_fs_files(kernel_t)
301		fs_read_noxattr_fs_symlinks(kernel_t)
302
303		auth_read_all_dirs_except_shadow(kernel_t)
304		auth_read_all_files_except_shadow(kernel_t)
305		auth_read_all_symlinks_except_shadow(kernel_t)
	301	fs_getattr_noxattr_fs(kernel_t)
	302	fs_list_noxattr_fs(kernel_t)
	303	fs_read_noxattr_fs_files(kernel_t)
	304	fs_read_noxattr_fs_symlinks(kernel_t)
	305
	306	auth_read_all_dirs_except_shadow(kernel_t)
	307	auth_read_all_files_except_shadow(kernel_t)
	308	auth_read_all_symlinks_except_shadow(kernel_t)
306	309	')
307	310
308	311	tunable_policy(`nfs_export_all_rw',`
309		fs_list_noxattr_fs(kernel_t)
310		fs_read_noxattr_fs_files(kernel_t)
311		fs_read_noxattr_fs_symlinks(kernel_t)
	312	fs_getattr_noxattr_fs(kernel_t)
	313	fs_list_noxattr_fs(kernel_t)
	314	fs_read_noxattr_fs_files(kernel_t)
	315	fs_read_noxattr_fs_symlinks(kernel_t)
312	316
313	317	auth_manage_all_files_except_shadow(kernel_t)

upstream/refpolicy/policy/modules/services/dnsmasq.te

r73	r142
1	1
2		policy_module(dnsmasq,1.1.0)
	2	policy_module(dnsmasq,1.1.1)
3	3
4	4	########################################
…	…
22	22	#
23	23
24		allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
	24	allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
25	25	dontaudit dnsmasq_t self:capability sys_tty_config;
26		allow dnsmasq_t self:process signal_perms;
	26	allow dnsmasq_t self:process { setcap signal_perms };
	27	allow dnsmasq_t self:fifo_file { read write };
	28	allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
27	29	allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
28	30	allow dnsmasq_t self:udp_socket create_socket_perms;

upstream/refpolicy/policy/modules/system/hotplug.if

r48	r142
161	161	')
162	162
	163	########################################
	164	## <summary>
	165	## Search the hotplug PIDs.
	166	## </summary>
	167	## <param name="domain">
	168	## <summary>
	169	## Domain allowed access.
	170	## </summary>
	171	## </param>
	172	#
	173	interface(`hotplug_search_pids',`
	174	gen_require(`
	175	type hotplug_var_run_t;
	176	')
	177
	178	allow $1 hotplug_var_run_t:dir search_dir_perms;
	179	files_search_pids($1)
	180	')

upstream/refpolicy/policy/modules/system/hotplug.te

r73 r142

1 1
2 policy_module(hotplug,1.3.0)
2 policy_module(hotplug,1.3.1)
3 3
4 4 ########################################

upstream/refpolicy/policy/modules/system/init.fc

r48	r142
12	12	ifdef(`distro_gentoo',`
13	13	/etc/vmware/init\.d/vmware -- gen_context(system_u:object_r:initrc_exec_t,s0)
	14	/etc/x11/startDM.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
14	15	')
15	16

upstream/refpolicy/policy/modules/system/init.if

r73	r142
1075	1075	########################################
1076	1076	## <summary>
	1077	## Get the attributes of init script
	1078	## status files.
	1079	## </summary>
	1080	## <param name="domain">
	1081	## <summary>
	1082	## Domain allowed access.
	1083	## </summary>
	1084	## </param>
	1085	#
	1086	interface(`init_getattr_script_status_files',`
	1087	gen_require(`
	1088	type initrc_state_t;
	1089	')
	1090
	1091	allow $1 initrc_state_t:dir search_dir_perms;
	1092	allow $1 initrc_state_t:file getattr;
	1093	')
	1094
	1095	########################################
	1096	## <summary>
1077	1097	## Do not audit attempts to read init script
1078	1098	## status files.

upstream/refpolicy/policy/modules/system/init.te

r119 r142

1 1
2 policy_module(init,1.4.1)
2 policy_module(init,1.4.3)
3 3
4 4 gen_require(`

upstream/refpolicy/policy/modules/system/lvm.fc

r48	r142
3	3	# configure LVM to put lockfiles in /etc/lvm/lock instead
4	4	# for this policy to work (unless you have no separate /var)
	5
	6	#
	7	# /bin
	8	#
	9	ifdef(`distro_gentoo',`
	10	/bin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
	11	')
5	12
6	13	#

upstream/refpolicy/policy/modules/system/lvm.te

r73 r142

1 1
2 policy_module(lvm,1.4.0)
2 policy_module(lvm,1.4.1)
3 3
4 4 ########################################

upstream/refpolicy/policy/modules/system/selinuxutil.te

r119	r142
1	1
2		policy_module(selinuxutil,1.3.3)
	2	policy_module(selinuxutil,1.3.4)
3	3
4	4	ifdef(`strict_policy',`
…	…
618	618	userdom_search_sysadm_home_dirs(semanage_t)
619	619
620		ifdef(`targeted_policy',`
	620	# cjp: need a more general way to handle this:
	621	ifdef(`enable_mls',`
	622	# read secadm tmp files
	623	',`
621	624	# Handle pp files created in homedir and /tmp
622		~~files_read_generic_tmp~~_files(semanage_t)
623		userdom_read_~~generic_user_home_content~~_files(semanage_t)
	625	userdom_read_sysadm_home_content_files(semanage_t)
	626	userdom_read_sysadm_tmp_files(semanage_t)
624	627	')
625	628

upstream/refpolicy/policy/modules/system/udev.te

r73	r142
1	1
2		policy_module(udev,1.4.0)
	2	policy_module(udev,1.4.1)
3	3
4	4	########################################
…	…
137	137
138	138	modutils_domtrans_insmod(udev_t)
	139	# read modules.inputmap:
	140	modutils_read_module_deps(udev_t)
139	141
140	142	seutil_read_config(udev_t)
…	…
148	150	userdom_use_sysadm_ttys(udev_t)
149	151	userdom_dontaudit_search_all_users_home_content(udev_t)
	152
	153	ifdef(`distro_gentoo',`
	154	# during boot, init scripts use /dev/.rcsysinit
	155	# existance to determine if we are in early booting
	156	init_getattr_script_status_files(udev_t)
	157	')
150	158
151	159	ifdef(`distro_redhat',`
…	…
184	192	optional_policy(`
185	193	hotplug_read_config(udev_t)
	194	# usb.agent searches /var/run/usb
	195	hotplug_search_pids(udev_t)
186	196	')
187	197

upstream/refpolicy/policy/modules/system/userdomain.if

r119	r142
23	23	#
24	24	template(`userdom_base_user_template',`
	25
	26	gen_require(`
	27	class context contains;
	28	')
	29
25	30	attribute $1_file_type;
26	31
…	…
50	55	allow $1_t self:msgq create_msgq_perms;
51	56	allow $1_t self:msg { send receive };
	57	allow $1_t self:context contains;
52	58	dontaudit $1_t self:socket create;
53	59
…	…
4487	4493	#
4488	4494	interface(`userdom_read_sysadm_home_content_files',`
4489		gen_require(`
4490		type sysadm_home_dir_t, sysadm_home_t;
4491		')
4492
4493		files_search_home($1)
4494		allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
4495		allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
	4495	ifdef(`strict_policy',`
	4496	gen_require(`
	4497	type sysadm_home_dir_t, sysadm_home_t;
	4498	')
	4499
	4500	files_search_home($1)
	4501	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
	4502	allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
	4503	',`
	4504	userdom_read_generic_user_home_content_files($1)
	4505	')
	4506	')
	4507
	4508	########################################
	4509	## <summary>
	4510	## Read files in the sysadm users home directory.
	4511	## </summary>
	4512	## <param name="domain">
	4513	## <summary>
	4514	## Domain allowed access.
	4515	## </summary>
	4516	## </param>
	4517	#
	4518	interface(`userdom_read_sysadm_tmp_files',`
	4519	ifdef(`strict_policy',`
	4520	gen_require(`
	4521	type sysadm_tmp_t;
	4522	')
	4523
	4524	files_search_tmp($1)
	4525	allow $1 sysadm_tmp_t:dir list_dir_perms;
	4526	allow $1 sysadm_tmp_t:{ file lnk_file } r_file_perms;
	4527	',`
	4528	files_read_generic_tmp_files($1)
	4529	')
4496	4530	')
4497	4531

upstream/refpolicy/policy/modules/system/userdomain.te

r119 r142

1 1
2 policy_module(userdomain,2.0.1)
2 policy_module(userdomain,2.0.3)
3 3
4 4 gen_require(`

upstream/refpolicy/support/Makefile.devel

r119	r142
134	134	endef
135	135
136		.PHONY: clean all xml load
	136	.PHONY: clean all xml load reload
137	137	.SUFFIXES:
138	138	.SUFFIXES: .pp
…	…
155	155
156	156	load: tmp/loaded
157
158		tmp/loaded reload: $(all_packages)
159		@$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $(all_packages)))"
	157	tmp/loaded: $(all_packages)
	158	@$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $?))"
	159	$(verbose) $(SEMODULE) $(foreach mod,$?,-i $(mod))
	160	@mkdir -p tmp
	161	@touch tmp/loaded
	162
	163	reload: $(all_packages)
	164	@$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $^))"
160	165	$(verbose) $(SEMODULE) $(foreach mod,$^,-i $(mod))
161	166	@mkdir -p tmp

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.

r73	r142
1	1
2		policy_module(portage,1.1.0)
	2	policy_module(portage,1.1.1)
3	3
4	4	########################################

r119	r142
1	1
2		policy_module(filesystem,1.4.1)
	2	policy_module(filesystem,1.4.2)
3	3
4	4	########################################

r73	r142
1	1
2		policy_module(hotplug,1.3.0)
	2	policy_module(hotplug,1.3.1)
3	3
4	4	########################################

r119	r142
1	1
2		policy_module(init,1.4.1)
	2	policy_module(init,1.4.3)
3	3
4	4	gen_require(`

r73	r142
1	1
2		policy_module(lvm,1.4.0)
	2	policy_module(lvm,1.4.1)
3	3
4	4	########################################

r119	r142
1	1
2		policy_module(userdomain,2.0.1)
	2	policy_module(userdomain,2.0.3)
3	3
4	4	gen_require(`