--- nsaserefpolicy/policy/modules/kernel/domain.if 2008-08-07 11:15:01.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/kernel/domain.if 2008-08-14 13:53:54.000000000 -0400
@@ -1247,18 +1247,34 @@
 ##
 ##
 #
-interface(`domain_mmap_low',`
+interface(`domain_mmap_low_type',`
 	gen_require(`
 		attribute mmap_low_domain_type;
 	')
-	allow $1 self:memprotect mmap_zero;
-	typeattribute $1 mmap_low_domain_type;
 ')
 ########################################
 ##
+## Ability to mmap a low area of the address space,
+## as configured by /proc/sys/kernel/mmap_min_addr.
+## Preventing such mappings helps protect against
+## exploiting null deref bugs in the kernel.
+##
+##
+##
+## Domain allowed to mmap low memory.
+##
+##
+#
+interface(`domain_mmap_low',`
+
+	allow $1 self:memprotect mmap_zero;
+')
+
+########################################
+##
 ## Allow specified type to receive labeled
 ## networking packets from all domains, over
 ## all protocols (TCP, UDP, etc)
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/kernel/domain.te 2008-08-14 13:53:54.000000000 -0400
@@ -5,6 +5,13 @@
 #
 # Declarations
 #
+##
+##
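Review bot: As rendered, the renamed `domain_mmap_low_type` loses both removed lines, the `allow $1 self:memprotect mmap_zero;` and the `typeattribute $1 mmap_low_domain_type;`, so the interface that is now named after the attribute only does a `gen_require` and never adds `$1` to `mmap_low_domain_type`; unless the collapsed rendering dropped a line, `typeattribute $1 mmap_low_domain_type;` has to stay in its body. A caller that previously got the permission and the attribute from one `domain_mmap_low` call now needs both interfaces, and the summary and param block for `domain_mmap_low_type` sit above the hunk and presumably still describe the old combined behaviour; I would reword that summary to `## Mark the specified domain as one that may mmap low memory; pair with domain_mmap_low() to grant the permission itself.` If domain.te keeps a neverallow keyed on `mmap_low_domain_type`, a domain given only `domain_mmap_low` would fail the policy build, which is worth stating in the new interface's description.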

+## Allow all domains to use other domains file descriptors
+##
+##
+#
+gen_tunable(allow_domain_fd_use, true)
 # Mark process types as domains
 attribute domain;
@@ -85,6 +92,7 @@
 # a keyring
 kernel_dontaudit_search_key(domain)
 kernel_dontaudit_link_key(domain)
+userdom_dontaudit_search_all_users_keys(domain)
 # create child processes in the domain
 allow domain self:process { fork sigchld };
@@ -131,6 +139,9 @@
 allow unconfined_domain_type domain:fd use;
 allow unconfined_domain_type domain:fifo_file rw_file_perms;
+allow unconfined_domain_type domain:dbus send_msg;
+allow domain unconfined_domain_type:dbus send_msg;
+
 # Act upon any other process.
 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
@@ -140,7 +151,7 @@
 # For /proc/pid
 allow unconfined_domain_type domain:dir list_dir_perms;
-allow unconfined_domain_type domain:file read_file_perms;
+allow unconfined_domain_type domain:file rw_file_perms;
 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
@@ -148,3 +159,38 @@
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+tunable_policy(`allow_domain_fd_use',`
+	# Allow all domains to use fds past to them
+	allow domain domain:fd use;
+')
+
+optional_policy(`
+	cron_dontaudit_write_system_job_tmp_files(domain)
+	cron_rw_pipes(domain)
+ifdef(`hide_broken_symptoms',`
+	cron_dontaudit_rw_tcp_sockets(domain)
+')
+')
+
+ifdef(`hide_broken_symptoms',`
+	dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
+')
+
+optional_policy(`
+	rpm_rw_pipes(domain)
+	rpm_dontaudit_use_script_fds(domain)
+	rpm_dontaudit_write_pid_files(domain)
+')
+
+optional_policy(`
+	rhgb_dontaudit_use_ptys(domain)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(domain)
+	unconfined_sigchld(domain)
+')
+
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
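Review bot: `gen_tunable(allow_domain_fd_use, true)` turns the new boolean on by default, so the `allow domain domain:fd use;` it gates in the `@@ -148,3 +159,38 @@` hunk is granted to every domain out of the box, yet the tunable's description only says what it permits and not that it is the default or what disabling it removes. An administrator reading the boolean list needs that to decide; I would reword the description to `## Allow all domains to use file descriptors passed to them by other domains. Enabled by default; set to false to remove this fd sharing between domains.` The default itself may well be the intended trade-off for this distribution policy, but it should be recorded next to the declaration.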
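Review bot: `userdom_dontaudit_search_all_users_keys(domain)` is called unconditionally from a kernel-layer module, while every other cross-module call this patch adds to domain.te (the cron, rpm, rhgb and unconfined calls in the last hunk) is wrapped in `optional_policy(`. If the userdomain module is not guaranteed to be part of every build of this policy, which I cannot tell from here, the unwrapped call would presumably fail to resolve at build time. For consistency with the rest of the file I would write it as `optional_policy(`` / `	userdom_dontaudit_search_all_users_keys(domain)` / `')`.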
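Review bot: The two new `dbus send_msg` rules carry no comment, although every neighbouring rule in this block is introduced by one (`# Act upon any other process.`), and the second rule, `allow domain unconfined_domain_type:dbus send_msg;`, widens what confined domains may do: every domain can now send D-Bus messages to unconfined processes, not only the reverse. I would add `# unconfined domains and all other domains may exchange dbus messages` above the pair and confirm that the domain-to-unconfined direction is meant to be this broad rather than limited to the domains that actually talk to unconfined services.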
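Review bot: Changing `allow unconfined_domain_type domain:file read_file_perms;` to `rw_file_perms` grants write access to every domain's /proc/pid files, but the comment above it still reads only `# For /proc/pid`, so the reason write is now needed is not recorded. I would extend the comment to name what is written, e.g. `# For /proc/pid; write needed for <placeholder: name the /proc/pid entries unconfined must write>`, so a later reviewer can tell whether the widening is still required. The hunk's surrounding block continues outside these lines.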
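Review bot: The comment inside the `tunable_policy` block misspells "passed": `# Allow all domains to use fds past to them` should read `# Allow all domains to use fds passed to them`. The `ifdef(`hide_broken_symptoms',`` nested inside the cron `optional_policy(` sits at column 0 with its own `')` directly before the enclosing `')`, which makes the two closers hard to pair by eye; indenting that ifdef block one level, as the rpm and unconfined blocks are, would help. The closing `# broken kernel` over `dontaudit can_change_object_identity can_change_object_identity:key link;` does not say what is broken; a note such as `# broken kernel: <placeholder: describe the spurious key link denial being masked>` would tell a maintainer when the dontaudit can be dropped.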