25 files changed, 92 insertions, 174 deletions
@@ -236,7 +236,7 @@ else VERBOSE_FLAG = --verbose endif -M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms=true +M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) # we need exuberant ctags; unfortunately it is named # differently on different distros diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if index 0f57d3bc0..82f6bb168 100644 --- a/policy/modules/admin/consoletype.if +++ b/policy/modules/admin/consoletype.if @@ -20,9 +20,7 @@ interface(`consoletype_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, consoletype_exec_t, consoletype_t) - ifdef(`hide_broken_symptoms', ` - dontaudit consoletype_t $1:socket_class_set { read write }; - ') + dontaudit consoletype_t $1:socket_class_set { read write }; ') ######################################## diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index e6bf18cc1..3f85d1a57 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -133,23 +133,21 @@ kernel_read_system_state(ping_t) auth_use_nsswitch(ping_t) +init_dontaudit_use_fds(ping_t) + logging_send_syslog_msg(ping_t) miscfiles_read_localization(ping_t) userdom_use_inherited_user_terminals(ping_t) -ifdef(`hide_broken_symptoms',` - init_dontaudit_use_fds(ping_t) - - optional_policy(` - nagios_dontaudit_rw_log(ping_t) - nagios_dontaudit_rw_pipes(ping_t) - ') +optional_policy(` + munin_append_log(ping_t) ') optional_policy(` - munin_append_log(ping_t) + nagios_dontaudit_rw_log(ping_t) + nagios_dontaudit_rw_pipes(ping_t) ') ######################################## diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 9abbdc376..869667052 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te 
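Review bot: Removing `-D hide_broken_symptoms=true` from M4PARAM means any `ifdef(`hide_broken_symptoms', …)` block that survives elsewhere — a contrib module, a local policy or a distro patch — now expands to nothing instead of failing the build, so the rules it wrapped vanish without any warning. A guard would catch stragglers before they are silently dropped, e.g. a recipe line such as `@! grep -rq hide_broken_symptoms policy/modules || { echo "obsolete hide_broken_symptoms guard found" >&2; exit 1; }` in the build check, or at minimum a release-notes line telling downstream maintainers to unwrap their own blocks. The same M4PARAM edit is made in support/Makefile.devel; this hunk's file header and the enclosing conditional lie outside the hunk.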
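Review bot: The dontaudit on the caller's sockets in `consoletype_domtrans` is now unconditional, so a descriptor leaked across this transition never reaches the audit log unless dontaudit rules are disabled with `semodule -DB`, and the hunk no longer records why the rule exists once the ifdef is gone. A one-line comment above it would keep the intent the removed wrapper used to carry, e.g. `# leaked descriptors from the caller; rebuild with semodule -DB to see them`. The same applies to the parallel unwraps in prelink.if, sudo.if, usermanage.if, seunshare.if, iptables.if and dbus.if. The interface's doc header sits above the hunk.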
@@ -257,6 +257,8 @@ allow portage_fetch_t self:fifo_file rw_fifo_file_perms; allow portage_fetch_t self:tcp_socket { accept listen }; allow portage_fetch_t self:unix_stream_socket { connectto create_stream_socket_perms }; +dontaudit portage_fetch_t portage_cache_t:file read; + allow portage_fetch_t portage_conf_t:dir list_dir_perms; allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; @@ -329,10 +331,6 @@ userdom_use_user_terminals(portage_fetch_t) rsync_exec(portage_fetch_t) -ifdef(`hide_broken_symptoms',` - dontaudit portage_fetch_t portage_cache_t:file read; -') - tunable_policy(`portage_use_nfs',` fs_getattr_nfs(portage_fetch_t) fs_manage_nfs_dirs(portage_fetch_t) @@ -367,6 +365,10 @@ allow portage_sandbox_t self:capability setfcap; allow portage_sandbox_t self:process ptrace; dontaudit portage_sandbox_t self:netlink_route_socket create_netlink_socket_perms; +# leaked descriptors +dontaudit portage_sandbox_t portage_cache_t:dir { setattr_dir_perms }; +dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write }; + allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms }; logging_log_filetrans(portage_sandbox_t, portage_log_t, file) @@ -374,12 +376,6 @@ portage_compile_domain(portage_sandbox_t) auth_use_nsswitch(portage_sandbox_t) -ifdef(`hide_broken_symptoms',` - # leaked descriptors - dontaudit portage_sandbox_t portage_cache_t:dir { setattr_dir_perms }; - dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write }; -') - ifdef(`distro_gentoo',` ## <desc> diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if index 20d469793..b92cc10cd 100644 --- a/policy/modules/admin/prelink.if +++ b/policy/modules/admin/prelink.if 
@@ -18,10 +18,8 @@ interface(`prelink_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, prelink_exec_t, prelink_t) - ifdef(`hide_broken_symptoms',` - dontaudit prelink_t $1:socket_class_set { read write }; - dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms; - ') + dontaudit prelink_t $1:socket_class_set { read write }; + dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms; ') ######################################## diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index 0c48b78df..6acb35de4 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -102,6 +102,7 @@ libs_relabel_shared_libs(prelink_t) libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) +miscfiles_read_man_pages(prelink_t) userdom_use_user_terminals(prelink_t) userdom_manage_user_home_content_files(prelink_t) @@ -110,14 +111,6 @@ userdom_manage_user_home_content_files(prelink_t) # userdom_execmod_user_home_content_files(prelink_t) userdom_exec_user_home_content_files(prelink_t) -ifdef(`hide_broken_symptoms',` - miscfiles_read_man_pages(prelink_t) - - optional_policy(` - dbus_read_config(prelink_t) - ') -') - tunable_policy(`use_nfs_home_dirs',` fs_exec_nfs_files(prelink_t) fs_manage_nfs_files(prelink_t) @@ -137,6 +130,10 @@ optional_policy(` ') optional_policy(` + dbus_read_config(prelink_t) +') + +optional_policy(` gnome_dontaudit_read_inherited_gconf_config_files(prelink_t) ') diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index bab07e310..d4249ec08 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if 
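Review bot: Unlike most of this series, the two rules unwrapped in prelink.te, `miscfiles_read_man_pages(prelink_t)` and `dbus_read_config(prelink_t)`, are allow rules rather than dontaudits, so prelink_t now gets both accesses on every build instead of only those that defined hide_broken_symptoms, and nothing in the hunk says what prelink touches that needs them. A why-comment naming the actual access that triggered the denial, or a `tunable_policy` wrapper, would keep the grant reviewable. apache.te does the same by replacing `libs_read_lib_files(httpd_t)` with `libs_exec_lib_files(httpd_t)`, which — assuming the exec interface subsumes read as elsewhere in refpolicy — widens httpd_t from reading to executing library files, a change that deserves its own justification in a comment.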
@@ -73,6 +73,8 @@ template(`sudo_role_template',` allow $1_sudo_t self:key manage_key_perms; dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace }; + dontaudit $1_sudo_t $3:socket_class_set { read write }; + # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $2) corecmd_bin_domtrans($1_sudo_t, $2) @@ -143,10 +145,6 @@ template(`sudo_role_template',` userdom_dontaudit_search_user_home_content($1_sudo_t) userdom_dontaudit_search_user_home_dirs($1_sudo_t) - ifdef(`hide_broken_symptoms', ` - dontaudit $1_sudo_t $3:socket_class_set { read write }; - ') - tunable_policy(`sudo_allow_user_exec_domains',` allow $1_sudo_t $3:key search; diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index 99e3903ea..340d02456 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if @@ -18,9 +18,7 @@ interface(`usermanage_domtrans_chfn',` corecmd_search_bin($1) domtrans_pattern($1, chfn_exec_t, chfn_t) - ifdef(`hide_broken_symptoms',` - dontaudit chfn_t $1:socket_class_set { read write }; - ') + dontaudit chfn_t $1:socket_class_set { read write }; ') ######################################## @@ -66,9 +64,7 @@ interface(`usermanage_domtrans_groupadd',` corecmd_search_bin($1) domtrans_pattern($1, groupadd_exec_t, groupadd_t) - ifdef(`hide_broken_symptoms',` - dontaudit groupadd_t $1:socket_class_set { read write }; - ') + dontaudit groupadd_t $1:socket_class_set { read write }; ') ######################################## @@ -115,9 +111,7 @@ interface(`usermanage_domtrans_passwd',` corecmd_search_bin($1) domtrans_pattern($1, passwd_exec_t, passwd_t) - ifdef(`hide_broken_symptoms',` - dontaudit passwd_t $1:socket_class_set { read write }; - ') + dontaudit passwd_t $1:socket_class_set { read write }; ') ######################################## 
@@ -264,9 +258,7 @@ interface(`usermanage_domtrans_useradd',` corecmd_search_bin($1) domtrans_pattern($1, useradd_exec_t, useradd_t) - ifdef(`hide_broken_symptoms',` - dontaudit useradd_t $1:socket_class_set { read write }; - ') + dontaudit useradd_t $1:socket_class_set { read write }; ') ######################################## diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 94675d81b..5c0d465b5 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -264,12 +264,9 @@ miscfiles_read_localization(gpg_agent_t) userdom_use_user_terminals(gpg_agent_t) userdom_search_user_home_dirs(gpg_agent_t) userdom_search_user_runtime(gpg_agent_t) +userdom_dontaudit_read_user_tmp_files(gpg_agent_t) userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file }) -ifdef(`hide_broken_symptoms',` - userdom_dontaudit_read_user_tmp_files(gpg_agent_t) -') - tunable_policy(`gpg_agent_env_file',` userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 9fd6b96bd..513c006d0 100644 --- a/policy/modules/apps/seunshare.if +++ b/policy/modules/apps/seunshare.if @@ -44,11 +44,9 @@ interface(`seunshare_run',` allow $1 seunshare_t:process signal_perms; - ifdef(`hide_broken_symptoms', ` - dontaudit seunshare_t $1:tcp_socket rw_socket_perms; - dontaudit seunshare_t $1:udp_socket rw_socket_perms; - dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; - ') + dontaudit seunshare_t $1:tcp_socket rw_socket_perms; + dontaudit seunshare_t $1:udp_socket rw_socket_perms; + dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; ') ######################################## diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te index 906ab03ab..6269237e8 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te 
@@ -27,6 +27,8 @@ corecmd_exec_bin(seunshare_t) files_read_etc_files(seunshare_t) files_mounton_all_poly_members(seunshare_t) +fs_dontaudit_rw_anon_inodefs_files(seunshare_t) + auth_use_nsswitch(seunshare_t) logging_send_syslog_msg(seunshare_t) @@ -35,10 +37,6 @@ miscfiles_read_localization(seunshare_t) userdom_use_user_terminals(seunshare_t) -ifdef(`hide_broken_symptoms', ` - fs_dontaudit_rw_anon_inodefs_files(seunshare_t) - - optional_policy(` - mozilla_dontaudit_manage_user_home_files(seunshare_t) - ') +optional_policy(` + mozilla_dontaudit_manage_user_home_files(seunshare_t) ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 2eff1d345..338c1b86a 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -103,6 +103,12 @@ kernel_dontaudit_link_key(domain) # create child processes in the domain allow domain self:process { fork sigchld }; +# This check is in the general socket +# listen code, before protocol-specific +# listen function is called, so bad calls +# to listen on UDP sockets should be silenced +dontaudit domain self:udp_socket listen; + # lockdown checks were removed in 5.16. The class will be removed # from the policy in the future. For reference: # https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly @@ -119,14 +125,6 @@ term_use_controlling_term(domain) # list the root directory files_list_root(domain) -ifdef(`hide_broken_symptoms',` - # This check is in the general socket - # listen code, before protocol-specific - # listen function is called, so bad calls - # to listen on UDP sockets should be silenced - dontaudit domain self:udp_socket listen; -') - ifdef(`init_systemd',` optional_policy(` shutdown_sigchld(domain) diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te index 28e127b61..7f8940abf 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te 
@@ -281,25 +281,24 @@ read_lnk_files_pattern(abrt_helper_t, abrt_runtime_t, abrt_runtime_t) corecmd_read_all_executables(abrt_helper_t) +dev_dontaudit_read_all_blk_files(abrt_helper_t) +dev_dontaudit_read_all_chr_files(abrt_helper_t) +dev_dontaudit_write_all_chr_files(abrt_helper_t) +dev_dontaudit_write_all_blk_files(abrt_helper_t) + domain_read_all_domains_state(abrt_helper_t) fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) +fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) auth_use_nsswitch(abrt_helper_t) term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) -ifdef(`hide_broken_symptoms',` - userdom_dontaudit_read_user_home_content_files(abrt_helper_t) - userdom_dontaudit_read_user_tmp_files(abrt_helper_t) - dev_dontaudit_read_all_blk_files(abrt_helper_t) - dev_dontaudit_read_all_chr_files(abrt_helper_t) - dev_dontaudit_write_all_chr_files(abrt_helper_t) - dev_dontaudit_write_all_blk_files(abrt_helper_t) - fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) -') +userdom_dontaudit_read_user_home_content_files(abrt_helper_t) +userdom_dontaudit_read_user_tmp_files(abrt_helper_t) ####################################### # diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 5fce60b0e..51b51b019 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -515,7 +515,7 @@ auth_use_nsswitch(httpd_t) init_rw_inherited_script_tmp_files(httpd_t) -libs_read_lib_files(httpd_t) +libs_exec_lib_files(httpd_t) logging_send_syslog_msg(httpd_t) @@ -536,10 +536,6 @@ ifdef(`TODO',` ') ') -ifdef(`hide_broken_symptoms',` - libs_exec_lib_files(httpd_t) -') - ifdef(`init_systemd', ` systemd_use_passwd_agent(httpd_t) ') diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 083bce728..3dfeadf96 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if 
@@ -91,6 +91,7 @@ template(`dbus_role_template',` dontaudit $1_dbusd_t self:cap_userns sys_ptrace; allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; + dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms }; @@ -109,10 +110,6 @@ template(`dbus_role_template',` auth_use_nsswitch($1_dbusd_t) - ifdef(`hide_broken_symptoms',` - dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; - ') - ifdef(`distro_gentoo',` optional_policy(` xdg_read_data_home_files($1_dbusd_t) @@ -578,6 +575,8 @@ interface(`dbus_system_domain',` role system_r types $1; + dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; + domtrans_pattern(system_dbusd_t, $2, $1) dbus_system_bus_client($1) @@ -590,10 +589,6 @@ interface(`dbus_system_domain',` ifdef(`init_systemd',` init_daemon_domain($1, $2) ') - - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') ') ######################################## diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 56b5c8074..1eeb0cd03 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -216,10 +216,7 @@ optional_policy(` optional_policy(` arpwatch_manage_tmp_files(system_mail_t) - - ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(system_mail_t) - ') + arpwatch_dontaudit_rw_packet_sockets(system_mail_t) ') optional_policy(` @@ -316,10 +313,7 @@ optional_policy(` optional_policy(` arpwatch_manage_tmp_files(mta_user_agent) - - ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) - ') + arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) optional_policy(` cron_read_system_job_tmp_files(mta_user_agent) 
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 3ceaff424..8ec3a1c62 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -363,6 +363,8 @@ files_search_spool(smbd_t) files_dontaudit_getattr_all_dirs(smbd_t) files_dontaudit_list_all_mountpoints(smbd_t) files_list_mnt(smbd_t) +files_dontaudit_getattr_default_dirs(smbd_t) +files_dontaudit_getattr_boot_dirs(smbd_t) fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) @@ -396,12 +398,6 @@ userdom_signal_all_users(smbd_t) userdom_home_filetrans_user_home_dir(smbd_t) userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) -ifdef(`hide_broken_symptoms',` - files_dontaudit_getattr_default_dirs(smbd_t) - files_dontaudit_getattr_boot_dirs(smbd_t) - fs_dontaudit_getattr_tmpfs_dirs(smbd_t) -') - tunable_policy(`allow_smbd_anon_write',` miscfiles_manage_public_files(smbd_t) ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 24fcda6d4..0885260b7 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -454,6 +454,7 @@ tunable_policy(`virt_use_evdev',` # allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace }; +dontaudit virtd_t self:capability { sys_module sys_ptrace }; allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; 
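Review bot: Of the three rules inside the removed ifdef in samba.te, only `files_dontaudit_getattr_default_dirs(smbd_t)` and `files_dontaudit_getattr_boot_dirs(smbd_t)` are re-added; `fs_dontaudit_getattr_tmpfs_dirs(smbd_t)` is dropped without comment. That is probably deliberate, since the context shows `fs_getattr_all_dirs(smbd_t)` already granting getattr on those directories and an allow makes the dontaudit a no-op, but a rule dropped in the middle of a mechanical unwrap deserves a sentence in the commit message so the next reader does not mistake it for an omission.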
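Review bot: The added `dontaudit virtd_t self:capability { sys_module sys_ptrace };` sits directly beneath an allow that already grants sys_ptrace (`allow virtd_t self:capability { … sys_ptrace };` on the line above), so the sys_ptrace half of the dontaudit can never fire and only misleads a reader into thinking the access is denied. Trim it to `dontaudit virtd_t self:capability sys_module;`, and consider a short comment on what in libvirt attempts a module load, since silencing sys_module hides a denial a defender would normally want to see. The corresponding removal is in the second virt.te hunk.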
@@ -695,10 +696,6 @@ sysnet_domtrans_ifconfig(virtd_t) userdom_read_all_users_state(virtd_t) -ifdef(`hide_broken_symptoms',` - dontaudit virtd_t self:capability { sys_module sys_ptrace }; -') - tunable_policy(`virt_use_fusefs',` fs_manage_fusefs_dirs(virtd_t) fs_manage_fusefs_files(virtd_t) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index 2c03d1b78..32e1697d6 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -18,9 +18,7 @@ interface(`iptables_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, iptables_exec_t, iptables_t) - ifdef(`hide_broken_symptoms', ` - dontaudit iptables_t $1:socket_class_set { read write }; - ') + dontaudit iptables_t $1:socket_class_set { read write }; ') ######################################## diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 39ce924d5..9e80a9ecc 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -70,6 +70,7 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) +dev_dontaudit_write_mtrr(iptables_t) fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) @@ -101,9 +102,7 @@ sysnet_dns_name_resolve(iptables_t) userdom_use_inherited_user_terminals(iptables_t) -ifdef(`hide_broken_symptoms',` - dev_dontaudit_write_mtrr(iptables_t) -') + optional_policy(` # iptables may try to rw /ptmx in a container diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 34a8ae79c..5d3c5a45b 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te 
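Review bot: The unwrap in the `@@ -101,9 +102,7 @@` hunk of iptables.te replaces the three removed lines with an added empty line, which leaves two consecutive blank lines before `optional_policy(` (the 9-old/7-new counts are consistent with only one blank line having been there before). Drop the added `+` line so the spacing matches the rest of the file; the rule itself, `dev_dontaudit_write_mtrr(iptables_t)`, is correctly re-added after `dev_read_sysfs(iptables_t)` in the earlier hunk.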
@@ -98,26 +98,14 @@ logging_send_syslog_msg(ldconfig_t) userdom_use_user_terminals(ldconfig_t) userdom_use_all_users_fds(ldconfig_t) -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(ldconfig_t) - ') -') - -ifdef(`hide_broken_symptoms',` - ifdef(`distro_gentoo',` - # leaked fds from portage - files_dontaudit_rw_var_files(ldconfig_t) - - optional_policy(` - portage_dontaudit_search_tmp(ldconfig_t) - portage_dontaudit_rw_tmp_files(ldconfig_t) - ') - ') +ifdef(`distro_gentoo',` + # leaked fds from portage + files_dontaudit_rw_var_files(ldconfig_t) - optional_policy(` - unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) - ') + optional_policy(` + portage_dontaudit_search_tmp(ldconfig_t) + portage_dontaudit_rw_tmp_files(ldconfig_t) + ') ') optional_policy(` diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 0efbdc7fc..10980adab 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -129,6 +129,8 @@ storage_rw_fuse(mount_t) term_use_all_terms(mount_t) term_dontaudit_manage_pty_dirs(mount_t) +# for a bug in the X server +term_dontaudit_use_ptmx(mount_t) auth_use_nsswitch(mount_t) @@ -198,13 +200,6 @@ optional_policy(` ') optional_policy(` - ifdef(`hide_broken_symptoms',` - # for a bug in the X server - term_dontaudit_use_ptmx(mount_t) - ') -') - -optional_policy(` container_getattr_fs(mount_t) ') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index b596ccb53..d3678246a 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -171,6 +171,9 @@ allow load_policy_t self:capability dac_override; read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t) allow load_policy_t policy_config_t:file map; +# leaked file descriptors. +dontaudit load_policy_t selinux_config_t:file write; + dev_read_urand(load_policy_t) domain_use_interactive_fds(load_policy_t) 
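Review bot: The `distro_ubuntu` block that made ldconfig_t an unconfined domain is deleted outright in libraries.te, and `unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)` is dropped rather than re-added — neither is part of unwrapping hide_broken_symptoms. The first is a real behaviour change on Ubuntu builds (ldconfig_t becomes confined, which is tighter but may surface new denials), and the second means leaked unconfined TCP sockets into ldconfig will now be audited; both may well be intended, but they are invisible from the commit's theme, so a sentence in the commit message or a split into a separate commit would help review and bisecting. The enclosing ldconfig_t section starts above the hunk.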
@@ -205,17 +208,13 @@ ifdef(`distro_ubuntu',` ') ') -ifdef(`hide_broken_symptoms',` - # cjp: cover up stray file descriptors. - dontaudit load_policy_t selinux_config_t:file write; - - optional_policy(` - unconfined_dontaudit_read_pipes(load_policy_t) - ') +optional_policy(` + portage_dontaudit_use_fds(load_policy_t) ') optional_policy(` - portage_dontaudit_use_fds(load_policy_t) + # leaked file descriptors + unconfined_dontaudit_read_pipes(load_policy_t) ') ######################################## @@ -690,20 +689,19 @@ ifdef(`distro_ubuntu',` ') ') -ifdef(`hide_broken_symptoms',` - optional_policy(` - udev_dontaudit_rw_dgram_sockets(setfiles_t) - ') +optional_policy(` + apt_use_fds(setfiles_t) +') - # cjp: cover up stray file descriptors. - optional_policy(` - unconfined_dontaudit_read_pipes(setfiles_t) - unconfined_dontaudit_rw_tcp_sockets(setfiles_t) - ') +optional_policy(` + # leaked file descriptors + udev_dontaudit_rw_dgram_sockets(setfiles_t) ') +# cjp: cover up stray file descriptors. optional_policy(` - apt_use_fds(setfiles_t) + unconfined_dontaudit_read_pipes(setfiles_t) + unconfined_dontaudit_rw_tcp_sockets(setfiles_t) ') ifdef(`distro_gentoo',` diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 9ff46e506..155a80595 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -327,6 +327,7 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) dev_read_sysfs(ifconfig_t) +dev_dontaudit_rw_cardmgr(ifconfig_t) # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -376,16 +377,6 @@ ifdef(`distro_ubuntu',` ') ') -ifdef(`hide_broken_symptoms',` - optional_policy(` - dev_dontaudit_rw_cardmgr(ifconfig_t) - ') - - optional_policy(` - udev_dontaudit_rw_dgram_sockets(ifconfig_t) - ') -') - optional_policy(` devicekit_read_runtime_files(ifconfig_t) devicekit_append_inherited_log_files(ifconfig_t) 
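Review bot: Comment placement is inconsistent within the rewritten setfiles_t block: `# leaked file descriptors` goes inside the udev `optional_policy` while `# cjp: cover up stray file descriptors.` goes outside the unconfined one, and the two say the same thing in different words even though the load_policy_t hunk just above already standardised on `# leaked file descriptors`. Put the comment inside each block on the line before the rule, with the same wording, e.g. `# leaked file descriptors` directly above `unconfined_dontaudit_read_pipes(setfiles_t)`, and drop the `cjp:` attribution that no longer tells a reader anything.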
@@ -413,6 +404,10 @@ optional_policy(` ') optional_policy(` + udev_dontaudit_rw_dgram_sockets(ifconfig_t) +') + +optional_policy(` unconfined_dontaudit_rw_pipes(ifconfig_t) ') diff --git a/support/Makefile.devel b/support/Makefile.devel index afb8e48a9..416c9e039 100644 --- a/support/Makefile.devel +++ b/support/Makefile.devel @@ -83,7 +83,7 @@ ifeq ($(QUIET),y) verbose := @ endif -M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) +M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) # policy headers m4support = $(wildcard $(HEADERDIR)/support/*.spt) |