From 06099da657d3e71f2df002addbb0c2c7d002f1d5 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Oct 09 2008 18:06:24 +0000 Subject: trunk: 3 patches from dan. --- diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 2cec5d3..bf155f2 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork, 1.2.20) +policy_module(corenetwork, 1.2.21) ######################################## # @@ -75,6 +75,7 @@ network_port(amavisd_send, tcp,10025,s0) network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) +network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if index b7492cf..366f395 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -313,7 +313,7 @@ interface(`kerberos_admin',` type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; type krb5kdc_principal_t, krb5kdc_tmp_t; type krb5kdc_var_run_t, krb5_host_rcache_t; - type kadmind_spool_t, kadmind_var_lib_t, kpropd_t; + type kpropd_t; ') allow $1 kadmind_t:process { ptrace signal_perms }; @@ -333,15 +333,9 @@ interface(`kerberos_admin',` logging_list_logs($1) admin_pattern($1, kadmind_log_t) - files_list_spool($1) - admin_pattern($1, kadmind_spool_t) - files_list_tmp($1) admin_pattern($1, kadmind_tmp_t) - files_list_var_lib($1) - admin_pattern($1, kadmind_var_lib_t) - files_list_pids($1) admin_pattern($1, kadmind_var_run_t) diff --git a/policy/modules/services/sasl.fc b/policy/modules/services/sasl.fc index 2bc1dd8..ff0ce69 100644 --- a/policy/modules/services/sasl.fc +++ b/policy/modules/services/sasl.fc @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0) # # /usr diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if index 90fb069..5a70491 100644 --- a/policy/modules/services/sasl.if +++ b/policy/modules/services/sasl.if @@ -34,14 +34,20 @@ interface(`sasl_connect',` interface(`sasl_admin',` gen_require(` type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t; + type saslauthd_initrc_exec_t; ') allow $1 saslauthd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, saslauthd_t) - + + init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 saslauthd_initrc_exec_t system_r; + allow $2 system_r; + files_list_tmp($1) - manage_files_pattern($1, saslauthd_tmp_t, saslauthd_tmp_t) + admin_pattern($1, saslauthd_tmp_t) files_list_pids($1) - manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t) + admin_pattern($1, saslauthd_var_run_t) ') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te index 2547e75..7ba2b17 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -1,5 +1,5 @@ -policy_module(sasl, 1.9.0) +policy_module(sasl, 1.9.1) ######################################## # @@ -17,6 +17,9 @@ type saslauthd_t; type saslauthd_exec_t; init_daemon_domain(saslauthd_t, saslauthd_exec_t) +type saslauthd_initrc_exec_t; +init_script_file(saslauthd_initrc_exec_t) + type saslauthd_tmp_t; files_tmp_file(saslauthd_tmp_t) @@ -99,7 +102,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` ') optional_policy(` - kerberos_read_keytab(saslauthd_t) + kerberos_keytab_template(saslauthd, saslauthd_t) ') optional_policy(` diff --git a/policy/modules/services/snort.fc b/policy/modules/services/snort.fc index cfd80ff..7bedd2f 100644 --- a/policy/modules/services/snort.fc +++ b/policy/modules/services/snort.fc @@ -1,6 +1,9 @@ +/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0) +/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) -/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) +/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) +/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0) -/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) +/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) -/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) +/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if index a32cfc8..170da36 100644 --- a/policy/modules/services/snort.if +++ b/policy/modules/services/snort.if @@ -1 +1,60 @@ ## Snort network intrusion detection system + +######################################## +## +## Execute a domain transition to run snort. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`snort_domtrans',` + gen_require(` + type snort_t, snort_exec_t; + ') + + domtrans_pattern($1, snort_exec_t, snort_t) +') + +######################################## +## +## All of the rules required to administrate +## an snort environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the snort domain. +## +## +## +# +interface(`snort_admin',` + gen_require(` + type snort_t, snort_var_run_t, snort_log_t; + type snort_initrc_exec_t; + ') + + allow $1 snort_t:process { ptrace signal_perms }; + ps_process_pattern($1, snort_t) + + init_labeled_script_domtrans($1, snort_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 snort_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, snort_etc_t) + files_search_etc($1) + + admin_pattern($1, snort_log_t) + logging_search_logs($1) + + admin_pattern($1, snort_var_run_t) + files_search_pids($1) +') diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te index e3a4619..550c90b 100644 --- a/policy/modules/services/snort.te +++ b/policy/modules/services/snort.te @@ -1,5 +1,5 @@ -policy_module(snort, 1.5.0) +policy_module(snort, 1.5.1) ######################################## # @@ -11,7 +11,10 @@ type snort_exec_t; init_daemon_domain(snort_t, snort_exec_t) type snort_etc_t; -files_type(snort_etc_t) +files_config_file(snort_etc_t) + +type snort_initrc_exec_t; +init_script_file(snort_initrc_exec_t) type snort_log_t; logging_log_file(snort_log_t) @@ -34,6 +37,8 @@ allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read wr allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; allow snort_t self:packet_socket create_socket_perms; +# Snort IPS node. unverified. +allow snort_t self:netlink_firewall_socket { bind create getattr }; allow snort_t snort_etc_t:dir list_dir_perms; allow snort_t snort_etc_t:file read_file_perms; @@ -67,6 +72,8 @@ corenet_tcp_sendrecv_all_ports(snort_t) corenet_udp_sendrecv_all_ports(snort_t) dev_read_sysfs(snort_t) +dev_read_rand(snort_t) +dev_read_urand(snort_t) domain_use_interactive_fds(snort_t) @@ -76,6 +83,8 @@ files_dontaudit_read_etc_runtime_files(snort_t) fs_getattr_all_fs(snort_t) fs_search_auto_mountpoints(snort_t) +init_read_utmp(snort_t) + libs_use_ld_so(snort_t) libs_use_shared_libs(snort_t) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 05d6d69..86b1851 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -847,6 +847,7 @@ interface(`logging_admin_audit',` gen_require(` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; + type auditd_initrc_exec_t; ') allow $1 auditd_t:process { ptrace signal_perms }; @@ -862,6 +863,11 @@ interface(`logging_admin_audit',` manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) logging_run_auditctl($1, $2, $3) + + init_labeled_script_domtrans($1, auditd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 auditd_initrc_exec_t system_r; + allow $2 system_r; ') ######################################## @@ -874,6 +880,11 @@ interface(`logging_admin_audit',` ## Domain allowed access. ## ## +## +## +## User role allowed access. +## +## ## # interface(`logging_admin_syslog',` @@ -882,6 +893,7 @@ interface(`logging_admin_syslog',` type syslogd_tmp_t, syslogd_var_lib_t; type syslogd_var_run_t, klogd_var_run_t; type klogd_tmp_t, var_log_t; + type syslogd_initrc_exec_t; ') allow $1 syslogd_t:process { ptrace signal_perms }; @@ -909,6 +921,11 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) + + init_labeled_script_domtrans($1, syslogd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 syslogd_initrc_exec_t system_r; + allow $2 system_r; ') ######################################## @@ -935,5 +952,5 @@ interface(`logging_admin_syslog',` # interface(`logging_admin',` logging_admin_audit($1, $2, $3) - logging_admin_syslog($1) + logging_admin_syslog($1, $2) ') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index ab4edef..588cb95 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging, 1.11.4) +policy_module(logging, 1.11.5) ######################################## # @@ -130,6 +130,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file { getattr read write }; allow auditd_t self:unix_dgram_socket create_socket_perms; allow auditd_t self:fifo_file rw_file_perms; +allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; allow auditd_t auditd_etc_t:file read_file_perms; @@ -151,9 +152,19 @@ dev_read_sysfs(auditd_t) fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) +fs_rw_anon_inodefs_files(auditd_t) selinux_search_fs(auditctl_t) +corenet_all_recvfrom_unlabeled(auditd_t) +corenet_all_recvfrom_netlabel(auditd_t) +corenet_tcp_sendrecv_generic_if(auditd_t) +corenet_tcp_sendrecv_all_nodes(auditd_t) +corenet_tcp_sendrecv_all_ports(auditd_t) +corenet_tcp_bind_all_nodes(auditd_t) +corenet_tcp_bind_audit_port(auditd_t) +corenet_sendrecv_audit_server_packets(auditd_t) + # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app corecmd_exec_bin(auditd_t) @@ -236,6 +247,8 @@ logging_send_syslog_msg(audisp_t) miscfiles_read_localization(audisp_t) +sysnet_dns_name_resolve(audisp_t) + ######################################## # # Audit remote logger local policy @@ -247,6 +260,8 @@ corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_all_if(audisp_remote_t) corenet_tcp_sendrecv_all_nodes(audisp_remote_t) +corenet_tcp_connect_audit_port(audisp_remote_t) +corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t)