From 27eab81f2f73121c52731006941d466791fa9c14 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Feb 08 2010 18:38:48 +0000 Subject: Misc fixes for 1031ee6. --- diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index f853bf5..1cdf376 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1504,7 +1504,7 @@ interface(`files_dontaudit_getattr_boot_dirs',` ######################################## ## -## List the /boot directory. +## Search the /boot directory. ## ## ## @@ -1512,17 +1512,17 @@ interface(`files_dontaudit_getattr_boot_dirs',` ## ## # -interface(`files_list_boot',` +interface(`files_search_boot',` gen_require(` type boot_t; ') - allow $1 boot_t:dir list_dir_perms; + allow $1 boot_t:dir search_dir_perms; ') ######################################## ## -## Search the /boot directory. +## Do not audit attempts to search the /boot directory. ## ## ## @@ -1530,17 +1530,17 @@ interface(`files_list_boot',` ## ## # -interface(`files_search_boot',` +interface(`files_dontaudit_search_boot',` gen_require(` type boot_t; ') - allow $1 boot_t:dir search_dir_perms; + dontaudit $1 boot_t:dir search_dir_perms; ') ######################################## ## -## Do not audit attempts to search the /boot directory. +## List the /boot directory. ## ## ## @@ -1548,12 +1548,12 @@ interface(`files_search_boot',` ## ## # -interface(`files_dontaudit_search_boot',` +interface(`files_list_boot',` gen_require(` type boot_t; ') - dontaudit $1 boot_t:dir search_dir_perms; + allow $1 boot_t:dir list_dir_perms; ') ######################################## diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if index c1139e4..2dc0a81 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if 
@@ -773,7 +773,6 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) files_search_var($1) ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 3deb7cb..014ee44 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -451,7 +451,7 @@ optional_policy(` ') optional_policy(` - cobbler_search_var_lib(httpd_t) + cobbler_search_lib(httpd_t) ') optional_policy(` diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if index aef64b7..31032a6 100644 --- a/policy/modules/services/bind.if +++ b/policy/modules/services/bind.if @@ -6,11 +6,10 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # -# interface(`bind_initrc_domtrans',` gen_require(` type named_initrc_exec_t; @@ -211,25 +210,6 @@ interface(`bind_manage_config_dirs',` ######################################## ## -## Manage BIND zone files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_manage_zone',` - gen_require(` - type named_zone_t; - ') - - files_search_var($1) - manage_files_pattern($1, named_zone_t, named_zone_t) -') - -######################################## -## ## Search the BIND cache directory. ## ## @@ -311,6 +291,25 @@ interface(`bind_read_zone',` ######################################## ## +## Manage BIND zone files. +## +## +## +## Domain allowed access. +## +## +# +interface(`bind_manage_zone',` + gen_require(` + type named_zone_t; + ') + + files_search_var($1) + manage_files_pattern($1, named_zone_t, named_zone_t) +') + +######################################## +## ## Send and receive datagrams to and from named. (Deprecated) ## ## diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc index 0a811f6..1cf6c4e 100644 --- a/policy/modules/services/cobbler.fc 
+++ b/policy/modules/services/cobbler.fc @@ -1,7 +1,7 @@ -/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) -/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) +/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) +/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) -/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) +/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) +/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if index 433099f..1f2c492 100644 --- a/policy/modules/services/cobbler.if +++ b/policy/modules/services/cobbler.if 
@@ -12,45 +12,43 @@ ######################################## ## -## Read Cobbler content in /etc +## Execute a domain transition to run cobblerd. ## ## -## -## Domain allowed access. -## +## +## Domain allowed to transition. +## ## # -interface(`cobbler_read_config',` +interface(`cobblerd_domtrans',` gen_require(` - type cobbler_etc_t; + type cobblerd_t, cobblerd_exec_t; ') - read_files_pattern($1, cobbler_etc_t, cobbler_etc_t); - files_search_etc($1) + domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) ') ######################################## ## -## Do not audit attempts to read and write -## Cobbler log files (leaked fd). +## Execute cobblerd server in the cobblerd domain. ## ## ## -## Domain allowed access. +## The type of the process performing this action. ## ## # -interface(`cobbler_dontaudit_rw_log',` +interface(`cobblerd_initrc_domtrans',` gen_require(` - type cobbler_var_log_t; + type cobblerd_initrc_exec_t; ') - dontaudit $1 cobbler_var_log_t:file rw_file_perms; + init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) ') ######################################## ## -## Read cobbler files in /var/lib +## Read Cobbler content in /etc ## ## ## @@ -58,18 +56,19 @@ interface(`cobbler_dontaudit_rw_log',` ## ## # -interface(`cobbler_read_var_lib_files',` +interface(`cobbler_read_config',` gen_require(` - type cobbler_var_lib_t; + type cobbler_etc_t; ') - read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) + read_files_pattern($1, cobbler_etc_t, cobbler_etc_t); + files_search_etc($1) ') ######################################## ## -## Manage cobbler files in /var/lib +## Do not audit attempts to read and write +## Cobbler log files (leaked fd). ## ## ## 
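Review bot: The moved `cobblerd_initrc_domtrans` block in the `@@ -12,45 +12,43 @@` hunk keeps the parameter text `The type of the process performing this action.`, while the bind.if hunk in this same commit replaces exactly that phrase for `bind_initrc_domtrans` with `Domain allowed access.`. Apply the same wording here so the two initrc interfaces read alike: `## Domain allowed access.`. The surrounding `cobblerd_domtrans` block already uses the `Domain allowed to transition.` form, so only the initrc one is out of step.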
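Review bot: The re-added line `read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);` in the `@@ -58,18 +56,19 @@` hunk carries a trailing semicolon that no other pattern call in this hunk or the neighbouring ones has (`domtrans_pattern`, `manage_files_pattern`, `read_files_pattern` for `cobbler_var_lib_t` are all written without one). Since the macro expands into its own terminated rules, the extra `;` presumably ends up as an empty statement in the expanded policy, and it would only surface once some domain actually calls `cobbler_read_config`. The line should read `read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)`; `files_search_etc($1)` on the next line is fine.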
@@ -77,13 +76,12 @@ interface(`cobbler_read_var_lib_files',` ## ## # -interface(`cobbler_manage_var_lib_files',` +interface(`cobbler_dontaudit_rw_log',` gen_require(` - type cobbler_var_lib_t; + type cobbler_var_log_t; ') - manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) + dontaudit $1 cobbler_var_log_t:file rw_file_perms; ') ######################################## @@ -96,7 +94,7 @@ interface(`cobbler_manage_var_lib_files',` ## ## # -interface(`cobbler_search_var_lib',` +interface(`cobbler_search_lib',` gen_require(` type cobbler_var_lib_t; ') @@ -107,38 +105,40 @@ interface(`cobbler_search_var_lib',` ######################################## ## -## Execute a domain transition to run cobblerd. +## Read cobbler files in /var/lib ## ## -## -## Domain allowed to transition. -## +## +## Domain allowed access. +## ## # -interface(`cobblerd_domtrans',` +interface(`cobbler_read_lib_files',` gen_require(` - type cobblerd_t, cobblerd_exec_t; + type cobbler_var_lib_t; ') - domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) + read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + files_search_var_lib($1) ') ######################################## ## -## Execute cobblerd server in the cobblerd domain. +## Manage cobbler files in /var/lib ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # -interface(`cobblerd_initrc_domtrans',` +interface(`cobbler_manage_lib_files',` gen_require(` - type cobblerd_initrc_exec_t; + type cobbler_var_lib_t; ') - init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) + manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + files_search_var_lib($1) ') ######################################## diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te index 7e5c614..a267c2f 100644 --- a/policy/modules/services/cobbler.te +++ b/policy/modules/services/cobbler.te 
@@ -52,6 +52,8 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) +kernel_read_system_state(cobblerd_t) + corecmd_exec_bin(cobblerd_t) corecmd_exec_shell(cobblerd_t) @@ -67,13 +69,9 @@ corenet_tcp_sendrecv_generic_port(cobblerd_t) dev_read_urand(cobblerd_t) files_read_usr_files(cobblerd_t) - files_list_boot(cobblerd_t) - files_list_tmp(cobblerd_t) -kernel_read_system_state(cobblerd_t) - miscfiles_read_localization(cobblerd_t) miscfiles_read_public_files(cobblerd_t) @@ -119,6 +117,5 @@ optional_policy(` ') optional_policy(` - tftp_manage_tftpdir_dirs(cobblerd_t) - tftp_manage_tftpdir_files(cobblerd_t) + tftp_manage_rw_content(cobblerd_t) ') diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc index 89e2e66..21089ca 100644 --- a/policy/modules/services/dnsmasq.fc +++ b/policy/modules/services/dnsmasq.fc @@ -1,4 +1,4 @@ -/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) +/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if index 09e1efd..5681e65 100644 --- a/policy/modules/services/dnsmasq.if +++ b/policy/modules/services/dnsmasq.if 
@@ -98,78 +98,78 @@ interface(`dnsmasq_kill',` ######################################## ## -## Delete dnsmasq pid files +## Read dnsmasq config files. ## ## -## -## Domain allowed access. -## +## +## Domain allowed. +## ## # -# -interface(`dnsmasq_delete_pid_files',` +interface(`dnsmasq_read_config',` gen_require(` - type dnsmasq_var_run_t; + type dnsmasq_etc_t; ') - delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) + allow $1 dnsmasq_etc_t:file read_file_perms; + files_search_etc($1) ') ######################################## ## -## Read dnsmasq pid files +## Write to dnsmasq config files. ## ## -## -## Domain allowed access. -## +## +## Domain allowed. +## ## # -# -interface(`dnsmasq_read_pid_files',` +interface(`dnsmasq_write_config',` gen_require(` - type dnsmasq_var_run_t; + type dnsmasq_etc_t; ') - read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) + allow $1 dnsmasq_etc_t:file write_file_perms; + files_search_etc($1) ') ######################################## ## -## Read dnsmasq config files. +## Delete dnsmasq pid files ## ## -## -## Domain allowed. -## +## +## Domain allowed access. +## ## # -interface(`dnsmasq_read_config',` +# +interface(`dnsmasq_delete_pid_files',` gen_require(` - type dnsmasq_etc_t; + type dnsmasq_var_run_t; ') - read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) + delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') ######################################## ## -## Write to dnsmasq config files. +## Read dnsmasq pid files ## ## -## -## Domain allowed. -## +## +## Domain allowed access. +## ## # -interface(`dnsmasq_write_config',` +# +interface(`dnsmasq_read_pid_files',` gen_require(` - type dnsmasq_etc_t; + type dnsmasq_var_run_t; ') - write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) + read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') ######################################## 
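Review bot: The two `+#` lines placed before `interface(`dnsmasq_delete_pid_files',` and `interface(`dnsmasq_read_pid_files',` re-create a doubled `#` separator, while the bind.if hunk in this same commit removes precisely that stray `#` from `bind_initrc_domtrans`; drop the extra `#` here as well so every interface header in the file is a single `#` line. The parameter text in this hunk also alternates between `Domain allowed.` for the config interfaces and `Domain allowed access.` for the pid-file interfaces; `## Domain allowed access.` is the form the rest of the commit settles on. Both are wording-only and do not change the rules being moved.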
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index 2f9b213..2865f04 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -37,7 +37,7 @@ allow dnsmasq_t self:udp_socket create_socket_perms; allow dnsmasq_t self:packet_socket create_socket_perms; allow dnsmasq_t self:rawip_socket create_socket_perms; -read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) +allow dnsmasq_t dnsmasq_etc_t:file read_file_perms; # dhcp leases manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) @@ -71,6 +71,7 @@ dev_read_urand(dnsmasq_t) domain_use_interactive_fds(dnsmasq_t) +files_read_etc_files(dnsmasq_t) files_read_etc_runtime_files(dnsmasq_t) fs_getattr_all_fs(dnsmasq_t) diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if index 7dc8495..6a2d345 100644 --- a/policy/modules/services/rsync.if +++ b/policy/modules/services/rsync.if @@ -119,7 +119,7 @@ interface(`rsync_read_config',` type rsync_etc_t; ') - read_files_pattern($1, rsync_etc_t, rsync_etc_t) + allow $1 rsync_etc_t:file read_file_perms; files_search_etc($1) ') @@ -138,6 +138,6 @@ interface(`rsync_write_config',` type rsync_etc_t; ') - write_files_pattern($1, rsync_etc_t, rsync_etc_t) + allow $1 rsync_etc_t:file read_file_perms; files_search_etc($1) ') diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te index fabe97b..19bbfcb 100644 --- a/policy/modules/services/rsync.te +++ b/policy/modules/services/rsync.te @@ -60,7 +60,7 @@ allow rsync_t self:udp_socket connected_socket_perms; allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; #end for identd -read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) +allow rsync_t rsync_etc_t:file read_file_perms; allow rsync_t rsync_data_t:dir list_dir_perms; read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if index 230c5a6..38bb312 100644 
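Review bot: The replacement line in the `rsync_write_config` hunk (`@@ -138,6 +138,6 @@`) grants `read_file_perms`, so after this commit the write interface no longer grants any write access to `rsync_etc_t` even though the dropped `write_files_pattern` did. The analogous change to `dnsmasq_write_config` earlier in this commit uses `write_file_perms`, which is what this line should read: `allow $1 rsync_etc_t:file write_file_perms;`. The interface's header and `gen_require` block begin before the hunk. Because the policy still compiles, a caller of `rsync_write_config` would lose its write permission without any build-time signal.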
--- a/policy/modules/services/tftp.if +++ b/policy/modules/services/tftp.if @@ -2,7 +2,7 @@ ######################################## ## -## Manage tftp /var/lib files. +## Read tftp content ## ## ## @@ -10,13 +10,12 @@ ## ## # -interface(`tftp_manage_tftpdir_dirs',` +interface(`tftp_read_content',` gen_require(` - type tftpdir_rw_t; + type tftpdir_t; ') - files_search_var_lib($1) - manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + read_files_pattern($1, tftpdir_t, tftpdir_t) ') ######################################## @@ -29,35 +28,18 @@ interface(`tftp_manage_tftpdir_dirs',` ## ## # -interface(`tftp_manage_tftpdir_files',` +interface(`tftp_manage_rw_content',` gen_require(` type tftpdir_rw_t; ') files_search_var_lib($1) + manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ') ######################################## ## -## Read tftp content -## -## -## -## Domain allowed access. -## -## -# -interface(`tftp_read_content',` - gen_require(` - type tftpdir_t; - ') - - read_files_pattern($1, tftpdir_t, tftpdir_t) -') - -######################################## -## ## All of the rules required to administrate ## an tftp environment ## diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index 3051ca7..569c7d0 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc 
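Review bot: `tftp_manage_rw_content` in the `@@ -29,35 +28,18 @@` hunk now manages directories as well as files (the added `manage_dirs_pattern` line), but its summary sits above this hunk and cannot be checked here; if it still carries the files-only description of the former `tftp_manage_tftpdir_files`, it should be updated to something like `Create, read, write, and delete tftp read-write content directories and files.`. The first hunk already renamed the other interface's summary to `Read tftp content`, so this is presumably the one description left from the old split. The `## Domain allowed access.` parameter line appears unchanged in the context, so only the summary is in question.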
@@ -74,8 +74,8 @@ ifdef(`distro_redhat',` /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) -/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) +/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) +/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index 0e77e21..b261e3d 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -12,7 +12,7 @@ /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) -/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)