Subject: [PATCH] add rules for the symlink of /var/cache /var/cache is a symlink in poky, so we need allow rules for files to read lnk_file while doing search/list/delete/rw.. in /var/cache/ directory. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang --- policy/modules/contrib/abrt.te | 2 ++ policy/modules/contrib/afs.te | 1 + policy/modules/contrib/apache.if | 5 +++++ policy/modules/contrib/apache.te | 1 + policy/modules/contrib/apt.if | 2 ++ policy/modules/contrib/apt.te | 1 + policy/modules/contrib/bind.if | 2 ++ policy/modules/contrib/bind.te | 1 + policy/modules/contrib/logwatch.if | 2 ++ policy/modules/contrib/logwatch.te | 1 + policy/modules/contrib/podsleuth.te | 1 + policy/modules/contrib/portage.te | 1 + policy/modules/contrib/rpm.if | 4 ++++ policy/modules/contrib/rpm.te | 1 + policy/modules/contrib/squid.if | 2 ++ policy/modules/contrib/squid.te | 1 + policy/modules/contrib/virt.if | 2 ++ policy/modules/contrib/virt.te | 2 ++ policy/modules/services/xserver.if | 6 ++++++ policy/modules/system/authlogin.if | 10 ++++++++++ policy/modules/system/miscfiles.if | 8 ++++++++ 21 files changed, 56 insertions(+) diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te index 30861ec..10c941a 100644 --- a/policy/modules/contrib/abrt.te +++ b/policy/modules/contrib/abrt.te @@ -73,6 +73,7 @@ files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) +allow abrt_t var_t:lnk_file read_lnk_file_perms; manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) @@ -193,6 +194,7 @@ read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) files_search_spool(abrt_helper_t) manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +allow abrt_helper_t var_t:lnk_file read_lnk_file_perms; manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te index a496fde..a739e1d 100644 --- a/policy/modules/contrib/afs.te +++ b/policy/modules/contrib/afs.te @@ -78,6 +78,7 @@ allow afs_t self:unix_stream_socket create_stream_socket_perms; manage_files_pattern(afs_t, afs_cache_t, afs_cache_t) manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t) +allow afs_t var_t:lnk_file read_lnk_file_perms; files_var_filetrans(afs_t, afs_cache_t, { file dir }) kernel_rw_afs_state(afs_t) diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if index 6480167..1b3c593 100644 --- a/policy/modules/contrib/apache.if +++ b/policy/modules/contrib/apache.if @@ -485,9 +485,11 @@ interface(`apache_manage_all_content',` interface(`apache_setattr_cache_dirs',` gen_require(` type httpd_cache_t; + type var_t; ') allow $1 httpd_cache_t:dir setattr; + allow $1 var_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -504,9 +506,11 @@ interface(`apache_setattr_cache_dirs',` interface(`apache_list_cache',` gen_require(` type httpd_cache_t; + type var_t; ') list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) + allow $1 var_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -777,6 +781,7 @@ interface(`apache_list_modules',` interface(`apache_exec_modules',` gen_require(` type httpd_modules_t; + type var_t; ') allow $1 httpd_modules_t:dir list_dir_perms; diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te index 0833afb..1115d37 100644 --- a/policy/modules/contrib/apache.te +++ b/policy/modules/contrib/apache.te @@ -291,6 +291,7 @@ allow httpd_t self:udp_socket create_socket_perms; # Allow httpd_t to put files in /var/cache/httpd etc manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +allow httpd_t var_t:lnk_file read_lnk_file_perms; manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if index e696b80..c6cc149 100644 --- a/policy/modules/contrib/apt.if +++ b/policy/modules/contrib/apt.if @@ -152,10 +152,12 @@ interface(`apt_use_ptys',` interface(`apt_read_cache',` gen_require(` type apt_var_cache_t; + type var_t; ') files_search_var($1) allow $1 apt_var_cache_t:dir list_dir_perms; + allow $1 var_t:lnk_file read_lnk_file_perms; dontaudit $1 apt_var_cache_t:dir write; allow $1 apt_var_cache_t:file read_file_perms; ') diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te index 8555315..8bfd892 100644 --- a/policy/modules/contrib/apt.te +++ b/policy/modules/contrib/apt.te @@ -78,6 +78,7 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file } # Access /var/cache/apt files manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) files_var_filetrans(apt_t, apt_var_cache_t, dir) +allow apt_t var_t:lnk_file read_lnk_file_perms; # Access /var/lib/apt files manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if index 44a1e3d..9b93562 100644 --- a/policy/modules/contrib/bind.if +++ b/policy/modules/contrib/bind.if @@ -221,12 +221,14 @@ interface(`bind_manage_config_dirs',` interface(`bind_search_cache',` gen_require(` type named_conf_t, named_cache_t, named_zone_t; + type var_t; ') files_search_var($1) allow $1 named_conf_t:dir search_dir_perms; allow $1 named_zone_t:dir search_dir_perms; allow $1 named_cache_t:dir search_dir_perms; + allow $1 var_t:lnk_file read_lnk_file_perms; ') ######################################## diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te index 0968cb4..15c605c 100644 --- a/policy/modules/contrib/bind.te +++ b/policy/modules/contrib/bind.te @@ -79,6 +79,7 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t) # write cache for secondary zones manage_files_pattern(named_t, named_cache_t, named_cache_t) manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) +allow named_t var_t:lnk_file read_lnk_file_perms; can_exec(named_t, named_exec_t) diff --git a/policy/modules/contrib/logwatch.if b/policy/modules/contrib/logwatch.if index d878e75..1484c1e 100644 --- a/policy/modules/contrib/logwatch.if +++ b/policy/modules/contrib/logwatch.if @@ -32,7 +32,9 @@ interface(`logwatch_read_tmp_files',` interface(`logwatch_search_cache_dir',` gen_require(` type logwatch_cache_t; + type var_t; ') allow $1 logwatch_cache_t:dir search_dir_perms; + allow $1 var_t:lnk_file read_lnk_file_perms; ') diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te index 75ce30f..31bff65 100644 --- a/policy/modules/contrib/logwatch.te +++ b/policy/modules/contrib/logwatch.te @@ -30,6 +30,7 @@ allow logwatch_t self:fifo_file rw_file_perms; allow logwatch_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) +allow logwatch_t var_t:lnk_file read_lnk_file_perms; manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) allow logwatch_t logwatch_lock_t:file manage_file_perms; diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te index 4cffb07..32ab27e 100644 --- a/policy/modules/contrib/podsleuth.te +++ b/policy/modules/contrib/podsleuth.te @@ -33,6 +33,7 @@ allow podsleuth_t self:tcp_socket create_stream_socket_perms; allow podsleuth_t self:udp_socket create_socket_perms; manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) +allow podsleuth_t var_t:lnk_file read_lnk_file_perms; manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te index 630f16f..f4e43be 100644 --- a/policy/modules/contrib/portage.te +++ b/policy/modules/contrib/portage.te @@ -339,5 +339,6 @@ portage_compile_domain(portage_sandbox_t) ifdef(`hide_broken_symptoms',` # leaked descriptors dontaudit portage_sandbox_t portage_cache_t:dir { setattr }; + allow portage_sandbox_t var_t:lnk_file read_lnk_file_perms; dontaudit portage_sandbox_t portage_cache_t:file { setattr write }; ') diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if index 951d8f6..f4c6825 100644 --- a/policy/modules/contrib/rpm.if +++ b/policy/modules/contrib/rpm.if @@ -408,10 +408,12 @@ interface(`rpm_read_script_tmp_files',` interface(`rpm_read_cache',` gen_require(` type rpm_var_cache_t; + type var_t; ') files_search_var($1) allow $1 rpm_var_cache_t:dir list_dir_perms; + allow $1 var_t:lnk_file read_lnk_file_perms; read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) ') @@ -429,10 +431,12 @@ interface(`rpm_read_cache',` interface(`rpm_manage_cache',` gen_require(` type rpm_var_cache_t; + type var_t; ') files_search_var_lib($1) manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t) + allow $1 var_t:lnk_file read_lnk_file_perms; manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) ') diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te index 60149a5..f3f0640 100644 --- a/policy/modules/contrib/rpm.te +++ b/policy/modules/contrib/rpm.te @@ -98,6 +98,7 @@ fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file } can_exec(rpm_t, rpm_tmpfs_t) manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) +allow rpm_t var_t:lnk_file read_lnk_file_perms; manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) files_var_filetrans(rpm_t, rpm_var_cache_t, dir) diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if index d2496bd..28f8e2e 100644 --- a/policy/modules/contrib/squid.if +++ b/policy/modules/contrib/squid.if @@ -88,9 +88,11 @@ interface(`squid_rw_stream_sockets',` interface(`squid_dontaudit_search_cache',` gen_require(` type squid_cache_t; + type var_t; ') dontaudit $1 squid_cache_t:dir search_dir_perms; + allow $1 var_t:lnk_file read_lnk_file_perms; ') ######################################## diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te index c38de7a..01e1222 100644 --- a/policy/modules/contrib/squid.te +++ b/policy/modules/contrib/squid.te @@ -67,6 +67,7 @@ allow squid_t self:udp_socket create_socket_perms; # Grant permissions to create, access, and delete cache files. manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) +allow squid_t var_t:lnk_file read_lnk_file_perms; manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if index 6f0736b..2fcd979 100644 --- a/policy/modules/contrib/virt.if +++ b/policy/modules/contrib/virt.if @@ -438,10 +438,12 @@ interface(`virt_read_images',` interface(`virt_manage_svirt_cache',` gen_require(` type svirt_cache_t; + type var_t; ') files_search_var($1) manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t) + allow $1 var_t:lnk_file read_lnk_file_perms; manage_files_pattern($1, svirt_cache_t, svirt_cache_t) manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t) ') diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 947bbc6..659abcc 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -108,6 +108,7 @@ ifdef(`enable_mls',` allow svirt_t self:udp_socket create_socket_perms; manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +allow svirt_t var_t:lnk_file read_lnk_file_perms; manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) @@ -186,6 +187,7 @@ allow virtd_t self:tun_socket create_socket_perms; allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t) +allow virtd_t var_t:lnk_file read_lnk_file_perms; manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t) manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 130ced9..ffef982 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -22,6 +22,7 @@ interface(`xserver_restricted_role',` type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; type iceauth_t, iceauth_exec_t, iceauth_home_t; type xauth_t, xauth_exec_t, xauth_home_t; + type var_t; ') role $1 types { xserver_t xauth_t iceauth_t }; @@ -41,6 +42,7 @@ interface(`xserver_restricted_role',` allow $2 user_fonts_config_t:file read_file_perms; manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + allow $2 var_t:lnk_file read_lnk_file_perms; manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -134,6 +136,7 @@ interface(`xserver_role',` gen_require(` type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; + type var_t; ') xserver_restricted_role($1, $2) @@ -154,6 +157,7 @@ interface(`xserver_role',` relabel_files_pattern($2, user_fonts_t, user_fonts_t) manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + allow $2 var_t:lnk_file read_lnk_file_perms; manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) @@ -512,6 +516,7 @@ template(`xserver_user_x_domain_template',` interface(`xserver_use_user_fonts',` gen_require(` type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; + type var_t; ') # Read per user fonts @@ -520,6 +525,7 @@ interface(`xserver_use_user_fonts',` # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) + allow $1 var_t:lnk_file read_lnk_file_perms; manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) # Read per user font config diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index f416ce9..00a209d 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -95,6 +95,7 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; + type var_t; ') domain_type($1) @@ -116,6 +117,7 @@ interface(`auth_login_pgm_domain',` manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) + allow $1 var_t:lnk_file read_lnk_file_perms; manage_files_pattern($1, auth_cache_t, auth_cache_t) manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) files_var_filetrans($1, auth_cache_t, dir) @@ -279,9 +281,11 @@ interface(`auth_ranged_domtrans_login_program',` interface(`auth_search_cache',` gen_require(` type auth_cache_t; + type var_t; ') allow $1 auth_cache_t:dir search_dir_perms; + allow $1 var_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -333,9 +337,11 @@ interface(`auth_rw_cache',` interface(`auth_manage_cache',` gen_require(` type auth_cache_t; + type var_t; ') manage_dirs_pattern($1, auth_cache_t, auth_cache_t) + allow $1 var_t:lnk_file read_lnk_file_perms; manage_files_pattern($1, auth_cache_t, auth_cache_t) ') @@ -352,9 +358,11 @@ interface(`auth_manage_cache',` interface(`auth_var_filetrans_cache',` gen_require(` type auth_cache_t; + type var_t; ') files_var_filetrans($1, auth_cache_t, { file dir } ) + allow $1 var_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -371,9 +379,11 @@ interface(`auth_domtrans_chk_passwd',` gen_require(` type chkpwd_t, chkpwd_exec_t, shadow_t; type auth_cache_t; + type var_t; ') allow $1 auth_cache_t:dir search_dir_perms; + allow $1 var_t:lnk_file read_lnk_file_perms; corecmd_search_bin($1) domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 926ba65..e2eaee6 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -183,6 +183,7 @@ interface(`miscfiles_manage_cert_files',` interface(`miscfiles_read_fonts',` gen_require(` type fonts_t, fonts_cache_t; + type var_t; ') # cjp: fonts can be in either of these dirs @@ -194,6 +195,7 @@ interface(`miscfiles_read_fonts',` read_lnk_files_pattern($1, fonts_t, fonts_t) allow $1 fonts_cache_t:dir list_dir_perms; + allow $1 var_t:lnk_file read_lnk_file_perms; read_files_pattern($1, fonts_cache_t, fonts_cache_t) read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) ') @@ -295,9 +297,11 @@ interface(`miscfiles_manage_fonts',` interface(`miscfiles_setattr_fonts_cache_dirs',` gen_require(` type fonts_cache_t; + type var_t; ') allow $1 fonts_cache_t:dir setattr; + allow $1 var_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -314,9 +318,11 @@ interface(`miscfiles_setattr_fonts_cache_dirs',` interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` gen_require(` type fonts_cache_t; + type var_t; ') dontaudit $1 fonts_cache_t:dir setattr; + allow $1 var_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -333,11 +339,13 @@ interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` interface(`miscfiles_manage_fonts_cache',` gen_require(` type fonts_cache_t; + type var_t; ') files_search_var($1) manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t) + allow $1 var_t:lnk_file read_lnk_file_perms; manage_files_pattern($1, fonts_cache_t, fonts_cache_t) manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) ') -- 1.7.9.5