From 134a799c753866e89383287fce4f33710777c549 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sep 11 2007 19:24:32 +0000 Subject: trunk: 3 patches from dan. --- diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te index 88311e1..41e7839 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te @@ -1,5 +1,5 @@ -policy_module(inetd,1.4.1) +policy_module(inetd,1.4.2) ######################################## # @@ -80,16 +80,21 @@ corenet_tcp_bind_auth_port(inetd_t) corenet_udp_bind_comsat_port(inetd_t) corenet_tcp_bind_dbskkd_port(inetd_t) corenet_udp_bind_dbskkd_port(inetd_t) +corenet_tcp_bind_ftp_port(inetd_t) corenet_udp_bind_ftp_port(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) +corenet_udp_bind_inetd_child_port(inetd_t) corenet_udp_bind_ktalkd_port(inetd_t) corenet_tcp_bind_printer_port(inetd_t) +corenet_udp_bind_rlogind_port(inetd_t) corenet_udp_bind_rsh_port(inetd_t) +corenet_tcp_bind_rsh_port(inetd_t) corenet_tcp_bind_rsync_port(inetd_t) corenet_udp_bind_rsync_port(inetd_t) #corenet_tcp_bind_stunnel_port(inetd_t) corenet_tcp_bind_swat_port(inetd_t) corenet_udp_bind_swat_port(inetd_t) +corenet_tcp_bind_telnetd_port(inetd_t) corenet_udp_bind_tftp_port(inetd_t) corenet_tcp_bind_ssh_port(inetd_t) @@ -134,6 +139,7 @@ miscfiles_read_localization(inetd_t) # xinetd needs MLS override privileges to work mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) +mls_socket_write_to_clearance(inetd_t) mls_process_set_level(inetd_t) sysnet_read_config(inetd_t) @@ -141,6 +147,11 @@ sysnet_read_config(inetd_t) userdom_dontaudit_use_unpriv_user_fds(inetd_t) userdom_dontaudit_search_sysadm_home_dirs(inetd_t) +ifdef(`enable_mls',` + corenet_tcp_recvfrom_netlabel(inetd_t) + corenet_udp_recvfrom_netlabel(inetd_t) +') + ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(inetd_t) term_dontaudit_use_generic_ptys(inetd_t) @@ -208,6 +219,8 @@ fs_getattr_xattr_fs(inetd_child_t) files_read_etc_files(inetd_child_t) +auth_use_nsswitch(inetd_child_t) + libs_use_ld_so(inetd_child_t) libs_use_shared_libs(inetd_child_t) @@ -225,10 +238,3 @@ optional_policy(` kerberos_use(inetd_child_t) ') -optional_policy(` - nis_use_ypbind(inetd_child_t) -') - -optional_policy(` - nscd_socket_use(inetd_child_t) -') diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc index 9a58550..b85afac 100644 --- a/policy/modules/services/postfix.fc +++ b/policy/modules/services/postfix.fc @@ -14,6 +14,7 @@ ifdef(`distro_redhat', ` /usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) +/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) ', ` /usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) @@ -28,6 +29,7 @@ ifdef(`distro_redhat', ` /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) +/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) ') /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index 97e9297..bafbdf8 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -41,6 +41,8 @@ template(`postfix_domain_template',` allow postfix_$1_t self:unix_stream_socket connectto; allow postfix_master_t postfix_$1_t:process signal; + #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 + allow postfix_$1_t postfix_master_t:file read; allow postfix_$1_t postfix_etc_t:dir list_dir_perms; read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t) @@ -66,6 +68,7 @@ template(`postfix_domain_template',` fs_search_auto_mountpoints(postfix_$1_t) fs_getattr_xattr_fs(postfix_$1_t) + fs_rw_anon_inodefs_files(postfix_$1_t) term_dontaudit_use_console(postfix_$1_t) @@ -138,10 +141,8 @@ template(`postfix_server_domain_template',` corenet_tcp_connect_all_ports(postfix_$1_t) corenet_sendrecv_all_client_packets(postfix_$1_t) - sysnet_read_config(postfix_$1_t) - optional_policy(` - nis_use_ypbind(postfix_$1_t) + auth_use_nsswitch(postfix_$1_t) ') ') @@ -275,6 +276,42 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',` ######################################## ## +## Allow domain to read postfix local process state +## +## +## +## Domain to not audit. +## +## +# +interface(`postfix_read_local_state',` + gen_require(` + type postfix_local_t; + ') + + read_files_pattern($1,postfix_local_t,postfix_local_t) +') + +######################################## +## +## Allow domain to read postfix master process state +## +## +## +## Domain to not audit. +## +## +# +interface(`postfix_read_master_state',` + gen_require(` + type postfix_master_t; + ') + + read_files_pattern($1,postfix_master_t,postfix_master_t) +') + +######################################## +## ## Do not audit attempts to use ## postfix master process file ## file descriptors. @@ -383,6 +420,25 @@ interface(`postfix_exec_master',` ######################################## ## +## Create a named socket in a postfix private directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_create_pivate_sockets',` + gen_require(` + type postfix_private_t; + ') + + allow $1 postfix_private_t:dir list_dir_perms; + create_sock_files_pattern($1,postfix_private_t,postfix_private_t) +') + +######################################## +## ## Execute the master postfix program in the ## postfix_master domain. ## @@ -440,6 +496,25 @@ interface(`postfix_list_spool',` ######################################## ## +## Read postfix mail spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_read_spool_files',` + gen_require(` + type postfix_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1,postfix_spool_t, postfix_spool_t) +') + +######################################## +## ## Execute postfix user mail programs ## in their respective domains. ## diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index bbd5002..f86f12f 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix,1.6.1) +policy_module(postfix,1.6.2) ######################################## # @@ -83,6 +83,12 @@ files_type(postfix_public_t) type postfix_var_run_t; files_pid_file(postfix_var_run_t) +postfix_server_domain_template(virtual) +mta_mailserver_delivery(postfix_virtual_t) + +type postfix_virtual_tmp_t; +files_tmp_file(postfix_virtual_tmp_t) + ######################################## # # Postfix master process local policy @@ -158,6 +164,8 @@ domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) +term_dontaudit_search_ptys(postfix_master_t) + miscfiles_read_man_pages(postfix_master_t) seutil_sigchld_newrole(postfix_master_t) @@ -169,6 +177,10 @@ sysnet_read_config(postfix_master_t) mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +optional_policy(` + auth_use_nsswitch(postfix_master_t) +') + ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(postfix_master_t) term_dontaudit_use_generic_ptys(postfix_master_t) @@ -184,9 +196,17 @@ optional_policy(` ') optional_policy(` + mysql_stream_connect(postfix_master_t) +') + +optional_policy(` nis_use_ypbind(postfix_master_t) ') +optional_policy(` + sendmail_signal(postfix_master_t) +') + ########################################################### # # Partially converted rules. THESE ARE ONLY TEMPORARY @@ -387,7 +407,7 @@ delete_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_mai # Postfix pipe local policy # -allow postfix_pipe_t self:fifo_file { read write }; +allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) @@ -441,6 +461,11 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') +# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951 +optional_policy(` + fstools_read_pipes(postfix_postdrop_t) +') + optional_policy(` ppp_use_fds(postfix_postqueue_t) ppp_sigchld(postfix_postqueue_t) @@ -520,8 +545,6 @@ sysnet_dns_name_resolve(postfix_showq_t) # Postfix smtp delivery local policy # -allow postfix_smtp_t self:netlink_route_socket r_netlink_socket_perms; - # connect to master process stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) @@ -529,6 +552,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; +files_dontaudit_getattr_home_dir(postfix_smtp_t) + optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') @@ -553,9 +578,41 @@ files_read_usr_files(postfix_smtpd_t) mta_read_aliases(postfix_smtpd_t) optional_policy(` + mailman_read_data_files(postfix_smtpd_t) +') + +optional_policy(` postgrey_stream_connect(postfix_smtpd_t) ') optional_policy(` sasl_connect(postfix_smtpd_t) ') + +######################################## +# +# Postfix virtual local policy +# + +allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; +allow postfix_virtual_t self:process { setsched setrlimit }; + +allow postfix_virtual_t postfix_spool_t:file rw_file_perms; + +manage_dirs_pattern(postfix_virtual_t,postfix_virtual_tmp_t,postfix_virtual_tmp_t) +manage_files_pattern(postfix_virtual_t,postfix_virtual_tmp_t,postfix_virtual_tmp_t) +files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) + +# connect to master process +stream_connect_pattern(postfix_virtual_t,postfix_public_t,postfix_public_t,postfix_master_t) + +corecmd_exec_shell(postfix_virtual_t) +corecmd_exec_bin(postfix_virtual_t) + +files_read_etc_files(postfix_virtual_t) + +mta_read_aliases(postfix_virtual_t) +mta_delete_spool(postfix_virtual_t) +# For reading spamassasin +mta_read_config(postfix_virtual_t) +mta_manage_spool(postfix_virtual_t) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index acfe74f..4252c3e 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -1,5 +1,5 @@ -policy_module(locallogin,1.4.1) +policy_module(locallogin,1.4.2) ######################################## # @@ -25,6 +25,7 @@ domain_subj_id_change_exemption(sulogin_t) domain_role_change_exemption(sulogin_t) domain_interactive_fd(sulogin_t) init_domain(sulogin_t,sulogin_exec_t) +init_system_domain(sulogin_t,sulogin_exec_t) role system_r types sulogin_t; ######################################## @@ -138,7 +139,6 @@ userdom_sigchld_all_users(local_login_t) userdom_create_all_users_keys(local_login_t) ifdef(`targeted_policy',` - unconfined_domain(local_login_t) unconfined_shell_domtrans(local_login_t) ') @@ -161,6 +161,13 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + dbus_system_bus_client_template(local_login,local_login_t) + dbus_send_system_bus(local_login_t) + + consolekit_dbus_chat(local_login_t) +') + +optional_policy(` gpm_getattr_gpmctl(local_login_t) gpm_setattr_gpmctl(local_login_t) ') @@ -186,6 +193,11 @@ optional_policy(` alsa_domtrans(local_login_t) ') +optional_policy(` + xserver_read_xdm_tmp_files(local_login_t) + xserver_rw_xdm_tmp_files(local_login_t) +') + ################################# # # Sulogin local policy