From 605ba28540be34d7b0383b74b29784613470be1b Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sep 15 2005 15:34:31 +0000 Subject: more merging from nsa cvs --- diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index 7dc2c5f..61f46ad 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -9,9 +9,12 @@ policy_module(consoletype, 1.0) type consoletype_t; #, mlsfileread, mlsfilewrite type consoletype_exec_t; init_domain(consoletype_t,consoletype_exec_t) -init_system_domain(consoletype_t,consoletype_exec_t) role system_r types consoletype_t; +ifdef(`targeted_policy',`',` + init_system_domain(consoletype_t,consoletype_exec_t) +') + ######################################## # # Local declarations @@ -54,7 +57,7 @@ userdom_use_sysadm_terms(consoletype_t) userdom_use_sysadm_fd(consoletype_t) userdom_rw_sysadm_pipe(consoletype_t) -ifdef(`distro_redhat', ` +ifdef(`distro_redhat',` fs_use_tmpfs_chr_dev(consoletype_t) ') @@ -99,8 +102,10 @@ allow consoletype_t xdm_tmp_t:file rw_file_perms; ') # this goes to xdm module -optional_policy(`consoletype.te',` - consoletype_domtrans(xdm_t) +ifdef(`targeted_policy',` + optional_policy(`consoletype.te',` + consoletype_domtrans(xdm_t) + ') ') optional_policy(`lpd.te', ` diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te index aaf5090..8f19fa6 100644 --- a/refpolicy/policy/modules/admin/firstboot.te +++ b/refpolicy/policy/modules/admin/firstboot.te @@ -10,6 +10,7 @@ type firstboot_t; type firstboot_exec_t; init_system_domain(firstboot_t,firstboot_exec_t) domain_obj_id_change_exempt(firstboot_t) +domain_subj_id_change_exempt(firstboot_t) role system_r types firstboot_t; type firstboot_etc_t; #, usercanread; 
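Review bot: The xdm transition into consoletype_t is now granted only under `targeted_policy`, which is the opposite polarity of strict/domains/program/consoletype.te in this same commit, where `domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)` sits inside `ifdef(`targeted_policy', `', ...)` and so applies only when targeted is NOT defined. If the refpolicy side is meant to keep the strict behaviour the wrapper should be `ifdef(`targeted_policy',`',`` ... `')`; if targeted really is the only case that needs it, a comment saying why would stop the next merge from flipping it back. The same inversion appears in hotplug.te further down in this commit, so it may be deliberate, but it is worth confirming. The `# this goes to xdm module` comment is still accurate and the call has not moved.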
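Review bot: `domain_subj_id_change_exempt(firstboot_t)` is added with no comment, and together with the existing `domain_obj_id_change_exempt` it presumably lets firstboot_t bypass the constraints on changing the SELinux user and role of processes as well as files. That is a broad exemption for a domain that, later in this file, also gets `unconfined_domtrans` under targeted, so it deserves a why-comment, e.g. `# firstboot creates the first user account and starts processes under that user's identity`, adjusted to the real reason. The rest of the firstboot_t declaration block continues outside this hunk.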
@@ -103,8 +104,10 @@ userdom_manage_user_home_files(firstboot_t) userdom_manage_user_home_symlinks(firstboot_t) userdom_manage_user_home_pipes(firstboot_t) userdom_manage_user_home_sockets(firstboot_t) -usermanage_domtrans_useradd(firstboot_t) -usermanage_domtrans_groupadd(firstboot_t) + +ifdef(`targeted_policy',` + unconfined_domtrans(firstboot_t) +') optional_policy(`kerberos.te',` kerberos_rw_config(firstboot_t) @@ -114,6 +117,11 @@ optional_policy(`nis.te',` nis_use_ypbind(firstboot_t) ') +optional_policy(`usermanage.te',` + usermanage_domtrans_useradd(firstboot_t) + usermanage_domtrans_groupadd(firstboot_t) +') + ifdef(`TODO',` allow firstboot_t proc_t:file write; diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te index ad6ffc9..f429e86 100644 --- a/refpolicy/policy/modules/admin/updfstab.te +++ b/refpolicy/policy/modules/admin/updfstab.te @@ -116,4 +116,12 @@ ifdef(`TODO',` optional_policy(`rhgb.te',` rhgb_domain(updfstab_t) ') +ifdef(`dbusd.te',` +allow initrc_t updfstab_t:dbus send_msg; +allow updfstab_t initrc_t:dbus send_msg; +') +allow updfstab_t tmpfs_t:dir getattr; +ifdef(`hald.te', ` +can_unix_connect(updfstab_t, hald_t) +') ') diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 8f6ed38..3d1a165 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -520,6 +520,7 @@ logging_send_syslog_msg(useradd_t) miscfiles_read_localization(useradd_t) seutil_read_config(useradd_t) +seutil_read_file_contexts(useradd_t) userdom_use_unpriv_users_fd(useradd_t) diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 2c306ca..0f0904e 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if 
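Review bot: The new updfstab block inside `ifdef(`TODO',` tests `ifdef(`dbusd.te',`, but the module is referred to as `dbus.te` elsewhere in this commit (`optional_policy(`dbus.te',` in hotplug.te), so if the TODO is ever lifted the dbus rules would silently never apply; the `ifdef(`hald.te',` check carries the same risk if that module file is named differently. The body also uses raw cross-module types and a legacy macro (`allow initrc_t updfstab_t:dbus send_msg;`, `can_unix_connect(updfstab_t, hald_t)`) instead of refpolicy interfaces, so when it leaves TODO it should become `optional_policy(`dbus.te',` and `optional_policy(`hald.te',` blocks using the dbus and hald modules' interfaces. A one-line `# TODO: module is dbus.te, not dbusd.te; convert to dbus/hald interfaces` would keep that from being lost in the next merge.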
@@ -395,12 +395,12 @@ interface(`dev_del_generic_symlinks',` interface(`dev_manage_generic_symlinks',` gen_require(` type device_t; - class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; - class lnk_file { create read getattr setattr link unlink rename }; + class dir rw_dir_perms; + class lnk_file create_lnk_perms; ') - allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; - allow $1 device_t:lnk_file { create read getattr setattr link unlink rename }; + allow $1 device_t:dir rw_dir_perms; + allow $1 device_t:lnk_file create_lnk_perms; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index e74c2d2..02d3827 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -1492,7 +1492,7 @@ interface(`kernel_use_shared_libs_from',` gen_require(` type kernel_t; class lnk_file r_file_perms; - class file rx_dir_perms; + class file rx_file_perms; ') allow kernel_t $1:dir r_dir_perms; diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 94f7780..282f5d0 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -25,7 +25,7 @@ attribute sysctl_type; # kernel_t is the domain of kernel threads. # It is also the target type when checking permissions in the system class. # -type kernel_t, can_load_kernmodule; +type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans role system_r types kernel_t; domain_base_type(kernel_t) sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127) 
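Review bot: `dev_manage_generic_symlinks` now grants `rw_dir_perms` on device_t:dir instead of the previous explicit list, which silently drops create, setattr, link, unlink, rename, reparent, rmdir, relabelfrom and relabelto on the directory itself. That is the right least-privilege shape for an interface that only manages symlinks (the lnk_file side, `create_lnk_perms`, keeps the same permissions the old list spelled out, assuming the usual definition of that macro), but it is a behavioural change for any caller that relied on the wider set, and the commit message does not mention it. Suggest recording it in the interface summary: `## Manage symbolic links in /dev; only add_name/remove_name on the directory is granted, not directory create/remove/relabel.` The interface's doc header is outside this hunk.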
@@ -169,6 +169,9 @@ allow kernel_t sysctl_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:file r_file_perms;
+# cjp: this seems questionable
+allow kernel_t unlabeled_t:fifo_file rw_file_perms;
+
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
 corenet_raw_sendrecv_all_nodes(kernel_t)
@@ -176,20 +179,24 @@ corenet_raw_sendrecv_all_nodes(kernel_t)
 corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
-selinux_load_policy(kernel_t)
-
-term_use_console(kernel_t)
+dev_read_sysfs(kernel_t)
+dev_search_usbfs(kernel_t)
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
+selinux_load_policy(kernel_t)
+
+term_use_console(kernel_t)
+
 corecmd_exec_shell(kernel_t)
 corecmd_list_sbin(kernel_t)
 # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 corecmd_exec_bin(kernel_t)
 domain_signal_all_domains(kernel_t)
+domain_search_all_domains_state(kernel_t)
 files_list_root(kernel_t)
 files_list_etc(kernel_t)
diff --git a/refpolicy/policy/modules/services/cron.fc b/refpolicy/policy/modules/services/cron.fc
index 04937cf..2d705aa 100644
--- a/refpolicy/policy/modules/services/cron.fc
+++ b/refpolicy/policy/modules/services/cron.fc
@@ -10,8 +10,6 @@
 /usr/sbin/cron(d)? -- context_template(system_u:object_r:crond_exec_t,s0)
 /usr/sbin/fcron -- context_template(system_u:object_r:crond_exec_t,s0)
-/var/log/cron.* -- context_template(system_u:object_r:crond_log_t,s0)
-
 /var/run/atd\.pid -- context_template(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond?\.pid -- context_template(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond\.reboot -- context_template(system_u:object_r:crond_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 44fd2c1..b01cbfd 100644
--- a/refpolicy/policy/modules/services/cron.if
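Review bot: `allow kernel_t unlabeled_t:fifo_file rw_file_perms;` gives kernel threads read/write on every fifo that carries no label, and it is committed with only `# cjp: this seems questionable` attached. Without a note on which fifo triggers it (an initrd-time pipe before policy load would be the usual suspect, but that is a guess) the next reader cannot tell whether to narrow it to a labelled type or drop it. Suggest making the comment actionable: `# TODO: find the unlabeled fifo kernel_t touches (initrd?) and label it; rw on all unlabeled_t fifos is too broad`, or carrying it as a dontaudit until the source is known. The same rule is added to strict/domains/misc/kernel.te in this commit without even the comment.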
+++ b/refpolicy/policy/modules/services/cron.if @@ -188,8 +188,6 @@ template(`cron_per_userdomain_template',` # crontab signals crond by updating the mtime on the spooldir allow $1_crontab_t cron_spool_t:dir setattr; - allow $1_crontab_t crond_log_t:file ra_file_perms; - # for the checks used by crontab -u selinux_dontaudit_search_fs($1_crontab_t) @@ -386,24 +384,6 @@ interface(`cron_rw_pipe',` ######################################## ## -## Read and write the cron daemon log files. -## -## -## The type of the process to performing this action. -## -# -interface(`cron_rw_log',` - gen_require(` - type crond_log_t; - class file rw_file_perms; - ') - - logging_search_logs($1) - allow $1 crond_log_t:file rw_file_perms; -') - -######################################## -## ## Search the directory containing user cron tables. ## ## diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 998f73c..a20b616 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -19,9 +19,6 @@ init_daemon_domain(crond_t,crond_exec_t) domain_wide_inherit_fd(crond_t) domain_cron_exemption_source(crond_t) -type crond_log_t; -logging_log_file(crond_log_t) - type crond_tmp_t; files_tmp_file(crond_tmp_t) @@ -65,8 +62,6 @@ allow crond_t self:sem create_sem_perms; allow crond_t self:msgq create_msgq_perms; allow crond_t self:msg { send receive }; -allow crond_t crond_log_t:file create_file_perms; - allow crond_t crond_var_run_t:file create_file_perms; files_create_pid(crond_t,crond_var_run_t) 
@@ -228,10 +223,6 @@ type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t; allow system_crond_t cron_spool_t:dir r_dir_perms; allow system_crond_t cron_spool_t:file r_file_perms; -# Access crond log files -allow system_crond_t crond_log_t:file create_file_perms; -logging_create_log(system_crond_t,crond_log_t) - kernel_read_kernel_sysctl(system_crond_t) kernel_read_system_state(system_crond_t) kernel_read_software_raid_state(system_crond_t) @@ -372,7 +363,7 @@ allow system_crond_su_t crond_t:fifo_file ioctl; # Required for webalizer # ifdef(`apache.te', ` -allow system_crond_t httpd_log_t:file r_file_perms; +allow system_crond_t { httpd_log_t httpd_config_t }:file r_file_perms; ') ifdef(`mta.te', ` diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 46dbce6..21620db 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -342,9 +342,8 @@ optional_policy(`nscd.te',` nscd_use_socket(utempter_t) ') -optional_policy(`xdm.te', ` - #allow utempter_t xdm_t:fd use; - xdm_use_fd(utempter_t) - #allow utempter_t xdm_t:fifo_file { write getattr }; - xdm_write_pipe(utempter_t) +ifdef(`TODO',` +optional_policy(`xdm.te',` + can_pipe_xdm(utempter_t) +') ') diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 45bb6e8..7ecdbf7 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if 
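Review bot: `allow system_crond_t { httpd_log_t httpd_config_t }:file r_file_perms;` references apache's types directly from cron.te, whereas the rest of this module's new code goes through interfaces (`kernel_read_kernel_sysctl`, `logging_*`), and the `ifdef(`apache.te',` guard is the legacy form rather than `optional_policy`. It also widens system cron jobs from reading httpd logs to reading httpd configuration on behalf of webalizer; httpd config can hold material an operator would not expect every system cron job to see, so the widening deserves its own comment. Suggest `optional_policy(`apache.te',` with the apache module's read-config and read-log interfaces, and `# webalizer reads the httpd config for its log locations` (if that is the reason) above it.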
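Review bot: Replacing `xdm_use_fd(utempter_t)` and `xdm_write_pipe(utempter_t)` with `can_pipe_xdm(utempter_t)` inside `ifdef(`TODO',` removes utempter's fd-use and pipe-write access to xdm_t from the compiled policy entirely, since the TODO block is never expanded. If the two deleted interface calls already built, this is a regression for utempter invoked from xdm sessions, and `can_pipe_xdm` is a legacy macro name the refpolicy tree would have to provide before the TODO can be lifted. Suggest keeping the working calls inside `optional_policy(`xdm.te',` and leaving only a note on what remains to port, or at least adding `# TODO: utempter's xdm fd/pipe access is disabled until can_pipe_xdm is ported` so the gap is visible.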
@@ -423,13 +423,30 @@ interface(`domain_kill_all_domains',` allow $1 domain:process sigkill; allow $1 self:capability kill; ') +######################################## +## +## Search the process state directory (/proc/pid) of all domains. +## +## +## Domain allowed access. +## +# +interface(`domain_search_all_domains_state',` + gen_require(` + attribute domain; + class dir search; + ') + + kernel_search_proc($1) + allow $1 domain:dir search; +') ######################################## ## ## Read the process state (/proc/pid) of all domains. ## ## -## The type of the process performing this action. +## Domain allowed access. ## # interface(`domain_read_all_domains_state',` @@ -441,6 +458,7 @@ interface(`domain_read_all_domains_state',` class process { getattr ptrace }; ') + kernel_search_proc($1) allow $1 domain:dir r_dir_perms; allow $1 domain:lnk_file r_file_perms; allow $1 domain:file r_file_perms; 
@@ -455,6 +473,38 @@ interface(`domain_read_all_domains_state',`
 ########################################
 ##
+## Read the process state (/proc/pid) of all domains.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`domain_read_confined_domains_state',`
+ gen_require(`
+ attribute domain, unconfined_domain;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file r_file_perms;
+ class process { getattr ptrace };
+ ')
+
+ kernel_search_proc($1)
+ allow $1 { domain -unconfined_domain }:dir r_dir_perms;
+ allow $1 { domain -unconfined_domain }:lnk_file r_file_perms;
+ allow $1 { domain -unconfined_domain }:file r_file_perms;
+ allow $1 { domain -unconfined_domain }:process getattr;
+
+ dontaudit $1 unconfined_domain:dir search;
+
+ # We need to suppress this denial because procps tries to access
+ # /proc/pid/environ and this now triggers a ptrace check in recent kernels
+ # (2.4 and 2.6). Might want to change procps to not do this, or only if
+ # running in a privileged domain.
+ dontaudit $1 { domain -unconfined_domain }:process ptrace;
+')
+
+########################################
+##
 ## Do not audit attempts to read the process
 ## state (/proc/pid) of all domains.
 ##
@@ -767,6 +817,8 @@ interface(`domain_unconfined',`
 class lnk_file r_file_perms;
 ')
+ typeattribute $1 unconfined_domain;
+
 # pass all constraints
 typeattribute $1 can_change_process_identity;
 typeattribute $1 can_change_process_role;
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index efd8a4b..a368df8 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -12,6 +12,9 @@ attribute domain;
 # Transitions only allowed from domains to other domains
 neverallow domain ~domain:process { transition dyntransition };
+# Domains that are unconfined
+attribute unconfined_domain;
+
 # Domains that can set their current context
 # (perform dynamic transitions)
 attribute set_curr_context;
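Review bot: The summary for the new `domain_read_confined_domains_state` is copied from `domain_read_all_domains_state` and says "Read the process state (/proc/pid) of all domains", but the rules exclude everything carrying the `unconfined_domain` attribute and only dontaudit the directory search on those. Suggest `## Read the process state (/proc/pid) of all confined domains, i.e. every domain without the unconfined_domain attribute; searches of unconfined domains' /proc entries are silently denied (dontaudit).` The attribute this relies on is declared in domain.te in this commit and populated only by `domain_unconfined`, so a domain made unconfined through some other path (e.g. `unconfined_domain_template`, used in hotplug.te and init.te here) will be excluded only if that path also assigns the attribute, which is worth checking.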
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 125e95a..b6c33db 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -123,10 +123,10 @@ ifdef(`distro_redhat', ` ifdef(`targeted_policy', ` unconfined_domain_template(hotplug_t) -') -optional_policy(`consoletype.te',` - consoletype_domtrans(hotplug_t) + optional_policy(`consoletype.te',` + consoletype_domtrans(hotplug_t) + ') ') optional_policy(`dbus.te',` diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index dd087c7..5e702c9 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -158,6 +158,23 @@ interface(`init_domtrans',` ') ######################################## +## +## Execute the init program in the caller domain. +## +## +## Domain allowed access. +## +# +interface(`init_exec',` + gen_require(` + type init_exec_t; + ') + + corecmd_search_sbin($1) + can_exec($1,init_exec_t) +') + +######################################## # # init_get_process_group(domain) # diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 9941b9c..b105b6e 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -239,6 +239,7 @@ dev_write_snd_mixer_dev(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_read_lvm_control(initrc_t) dev_delete_lvm_control(initrc_t) +dev_manage_generic_symlinks(initrc_t) # Wants to remove udev.tbl: dev_del_generic_symlinks(initrc_t) @@ -317,6 +318,7 @@ logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) +logging_read_auditd_config(initrc_t) miscfiles_read_localization(initrc_t) 
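Review bot: `consoletype_domtrans(hotplug_t)` is moved inside `ifdef(`targeted_policy',` so hotplug transitions into consoletype_t only under targeted, while strict/domains/program/consoletype.te in this same commit places `domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)` inside `ifdef(`targeted_policy', `', ...)`, i.e. only when targeted is NOT defined. One of the two is inverted; given that hotplug_t is made unconfined under targeted on the line just above, transitioning from it into a confined consoletype_t seems the less likely intent, so the refpolicy side probably wants `ifdef(`targeted_policy',`',`` around the optional_policy instead. Either way a comment stating the intended polarity would keep the two trees from drifting on the next merge.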
@@ -386,6 +388,7 @@ ifdef(`distro_redhat',` ') ifdef(`targeted_policy',` + domain_subj_id_change_exempt(initrc_t) unconfined_domain_template(initrc_t) unconfined_shell_domtrans(initrc_t) ') diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if index 15991ef..d370d54 100644 --- a/refpolicy/policy/modules/system/locallogin.if +++ b/refpolicy/policy/modules/system/locallogin.if @@ -18,7 +18,7 @@ interface(`locallogin_domtrans',` ######################################## ## -## Allow processes to inherit local login file descriptors +## Allow processes to inherit local login file descriptors. ## ## ## The type of the process performing this action. @@ -35,6 +35,23 @@ interface(`locallogin_use_fd',` ######################################## ## +## Do not audit attempts to inherit local login file descriptors. +## +## +## Domain to not audit. +## +# +interface(`locallogin_dontaudit_use_fd',` + gen_require(` + type local_login_t; + class fd use; + ') + + dontaudit $1 local_login_t:fd use; +') + +######################################## +## ## Send a null signal to local login processes. ## ## diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 4c3c744..5098be3 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -85,6 +85,24 @@ interface(`logging_send_syslog_msg',` ######################################## ## +## Read the auditd configuration files. +## +## +## Domain allowed access. +## +# +interface(`logging_read_auditd_config',` + gen_require(` + type auditd_etc_t; + class file r_file_perms; + ') + + files_search_etc($1) + allow $1 auditd_etc_t:file r_file_perms; +') + +######################################## +## ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. 
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 039d8ea..4dabd10 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -8,7 +8,15 @@ policy_module(logging,1.0) attribute logfile; -type auditd_log_t; +type auditctl_t; #, privlog; +type auditctl_exec_t; +init_system_domain(auditctl_t,auditctl_exec_t) +role system_r types auditctl_t; + +type auditd_etc_t; #, secure_file_type; +files_type(auditd_etc_t) + +type auditd_log_t; # secure_file_type; files_type(auditd_log_t) type auditd_t; 
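Review bot: `auditd_etc_t` and `auditd_log_t` are declared as plain `files_type` with `secure_file_type` surviving only as a trailing comment, whereas the strict auditd.te in this commit declares both `file_type, secure_file_type` with the note "Do not use logdir_domain since this is a security file". The refpolicy side therefore has no equivalent marker yet, so any interface written against all generic file types presumably covers the audit log and the audit rule configuration. If that is a known gap, say so next to the declarations: `# TODO: needs the refpolicy equivalent of secure_file_type; audit log/config must not be reachable through generic file-type interfaces`. The declaration block continues past this hunk.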
@@ -49,13 +57,55 @@ files_type(var_log_t)
 # Auditd local policy
 #
+allow auditctl_t self:capability { audit_write audit_control };
+allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+
+libs_use_ld_so(auditctl_t)
+libs_use_shared_libs(auditctl_t)
+
+allow auditctl_t etc_t:file { getattr read };
+
+allow auditctl_t auditd_etc_t:file r_file_perms;
+
+kernel_read_kernel_sysctl(auditctl_t)
+
+domain_use_wide_inherit_fd(auditctl_t)
+
+init_use_script_pty(auditctl_t)
+init_dontaudit_use_fd(auditctl_t)
+
+locallogin_dontaudit_use_fd(auditctl_t)
+
+ifdef(`TODO',`
+role secadm_r types auditctl_t;
+role sysadm_r types auditctl_t;
+audit_manager_domain(secadm_t)
+
+ifdef(`targeted_policy', `', `
+ifdef(`separate_secadm', `', `
+audit_manager_domain(sysadm_t)
+allow auditctl_t admin_tty_type:chr_file rw_file_perms;
+')
+')
+') dnl end TODO
+
+########################################
+#
+# Auditd local policy
+#
+
 allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setsched };
-allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow auditd_t self:file { getattr read write };
+allow auditd_t self:unix_dgram_socket create_socket_perms;
+allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+
+allow auditd_t auditd_etc_t:file r_file_perms;
-allow auditd_t var_log_t:dir rw_dir_perms;
+allow auditd_t auditd_log_t:dir rw_dir_perms;
 allow auditd_t auditd_log_t:file create_file_perms;
+allow auditd_t var_log_t:dir search;
 allow auditd_t auditd_var_run_t:file create_file_perms;
 files_create_pid(auditd_t,auditd_var_run_t)
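Review bot: `allow auditctl_t etc_t:file { getattr read };` uses the files module's `etc_t` directly; the same file reaches /etc for syslogd via `files_read_etc_files(syslogd_t)`, so auditctl_t should use `files_read_etc_files(auditctl_t)` and drop the raw rule to keep module encapsulation. Note also that with the role lines parked in `ifdef(`TODO',`, only `role system_r types auditctl_t;` is live, so as written auditctl_t is reachable only from init scripts and an administrator running auditctl by hand does not enter the domain that holds the audit_write/audit_control capabilities and netlink relay rights needed to load rules. A short `# TODO: sysadm/secadm entry into auditctl_t not yet ported` above the TODO block would make that visible.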
@@ -72,6 +122,8 @@ fs_search_auto_mountpoints(auditd_t)
 term_dontaudit_use_console(auditd_t)
 init_use_fd(auditd_t)
+init_exec(auditd_t)
+init_write_initctl(auditd_t)
 init_use_script_pty(auditd_t)
 domain_use_wide_inherit_fd(auditd_t)
@@ -91,10 +143,8 @@ userdom_dontaudit_search_sysadm_home_dir(auditd_t)
 # cjp: this is questionable
 userdom_use_sysadm_tty(auditd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_tty(auditd_t)
- term_dontaudit_use_generic_pty(auditd_t)
- files_dontaudit_read_root_file(auditd_t)
+ifdef(`targeted_policy',`
+ unconfined_domain_template(auditd_t)
 ')
 optional_policy(`selinuxutil.te',`
@@ -155,11 +205,12 @@ miscfiles_read_localization(klogd_t)
 # syslogd local policy
 #
+# sys_admin chown fsetid for syslog-ng
 # cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
 dontaudit syslogd_t self:capability sys_tty_config;
 allow syslogd_t self:process signal_perms;
-
+allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
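Review bot: `init_exec(auditd_t)` together with `init_write_initctl(auditd_t)` lets the audit daemon execute init and write its control fifo, which amounts to the ability to change runlevel or halt the machine; this matches the strict version in this commit (`can_exec(auditd_t, init_exec_t)` and `allow auditd_t initctl_t:fifo_file write;`) and is presumably for auditd's configured failure actions, but nothing in the hunk says so. Suggest `# auditd may halt or change runlevel via init for its disk-full/disk-error actions`, adjusted to the actual reason, so the next reviewer does not strip what otherwise reads as an over-grant.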
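Review bot: `sys_admin` joins syslogd_t's capabilities with only `# sys_admin chown fsetid for syslog-ng` as justification; CAP_SYS_ADMIN is close to root-equivalent and is now granted to every syslogd_t instance, including sysklogd installs that do not need it. If the operation syslog-ng needs is known (the commit does not say), name it in the comment; if not, consider gating the three new capabilities behind a distro or tunable conditional in the style of the `ifdef(`distro_suse',` block later in this file. The pre-existing `# cjp: why net_admin!` question is still unanswered on the same line.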
@@ -167,9 +218,18 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_file_perms; allow syslogd_t self:udp_socket { connected_socket_perms connect }; +# Create and bind to /dev/log or /var/run/log. +allow syslogd_t devlog_t:sock_file create_file_perms; +files_create_pid(syslogd_t,devlog_t,sock_file) +# cjp: I belive these are not needed: +allow syslogd_t devlog_t:unix_stream_socket name_bind; +allow syslogd_t devlog_t:unix_dgram_socket name_bind; + # create/append log files. allow syslogd_t var_log_t:dir rw_dir_perms; allow syslogd_t var_log_t:file create_file_perms; +# Allow access for syslog-ng +allow syslogd_t var_log_t:dir { create setattr }; # manage temporary files allow syslogd_t syslogd_tmp_t:file create_file_perms; @@ -178,13 +238,6 @@ files_create_tmp_files(syslogd_t,syslogd_tmp_t) allow syslogd_t syslogd_var_run_t:file create_file_perms; files_create_pid(syslogd_t,syslogd_var_run_t,file) -# Create and bind to /dev/log or /var/run/log. -allow syslogd_t devlog_t:sock_file create_file_perms; -files_create_pid(syslogd_t,devlog_t,sock_file) -# I belive these are not needed: -allow syslogd_t devlog_t:unix_stream_socket name_bind; -allow syslogd_t devlog_t:unix_dgram_socket name_bind; - # manage pid file allow syslogd_t syslogd_var_run_t:file create_file_perms; files_create_pid(syslogd_t,syslogd_var_run_t) @@ -192,6 +245,10 @@ files_create_pid(syslogd_t,syslogd_var_run_t) kernel_read_kernel_sysctl(syslogd_t) kernel_read_proc_symlinks(syslogd_t) kernel_send_syslog_msg_from(devlog_t,syslogd_t) +# Allow access to /proc/kmsg for syslog-ng +kernel_read_messages(klogd_t) +kernel_clear_ring_buffer(klogd_t) +kernel_change_ring_buffer_level(klogd_t) dev_create_dev_node(syslogd_t,devlog_t,sock_file) dev_read_sysfs(syslogd_t) 
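Review bot: The three lines under `# Allow access to /proc/kmsg for syslog-ng` are applied to klogd_t (`kernel_read_messages(klogd_t)` and friends) but sit in the syslogd section, and the block they replace further down in this file was `ifdef(`klogd.te', `', ` kernel_read_messages(syslogd_t) ... ')`, which gave syslogd_t that access only when no klogd module is present. As written, syslog-ng running as syslogd_t without klogd loses /proc/kmsg access, while klogd_t receives rules that belong in its own section and very likely already has. Suggest restoring the domain to `syslogd_t` under the klogd-absent conditional, or moving the lines into the klogd section with a corrected comment.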
@@ -213,7 +270,9 @@ corenet_raw_sendrecv_all_nodes(syslogd_t) corenet_udp_sendrecv_all_nodes(syslogd_t) corenet_udp_sendrecv_all_ports(syslogd_t) corenet_udp_bind_all_nodes(syslogd_t) -corenet_udp_bind_syslogd_port(syslogd_t) +corenet_tcp_bind_syslogd_port(syslogd_t) +#cjp: why? +corenet_tcp_connect_rsh_port(syslogd_t) fs_getattr_all_fs(syslogd_t) @@ -223,6 +282,8 @@ init_use_script_pty(syslogd_t) domain_use_wide_inherit_fd(syslogd_t) files_read_etc_files(syslogd_t) +# /initrd is not umounted before minilog starts +files_dontaudit_search_isid_type_dir(syslogd_t) libs_use_ld_so(syslogd_t) libs_use_shared_libs(syslogd_t) @@ -234,38 +295,18 @@ miscfiles_read_localization(syslogd_t) userdom_dontaudit_use_unpriv_user_fd(syslogd_t) userdom_dontaudit_search_sysadm_home_dir(syslogd_t) -# -# /initrd is not umounted before minilog starts -# -files_dontaudit_search_isid_type_dir(syslogd_t) -#allow syslogd_t tmpfs_t:dir search; -#dontaudit syslogd_t unlabeled_t:file read; -#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr; -allow syslogd_t self:capability net_admin; -allow syslogd_t self:netlink_route_socket r_netlink_socket_perms; - -ifdef(`distro_suse', ` +ifdef(`distro_suse',` # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel files_create_var_lib(syslogd_t,devlog_t,sock_file) ') -ifdef(`klogd.te', `', ` - # Allow access to /proc/kmsg for syslog-ng - kernel_read_messages(syslogd_t) - kernel_clear_ring_buffer(syslogd_t) - kernel_change_ring_buffer_level(syslogd_t) -') - -ifdef(`targeted_policy', ` +ifdef(`targeted_policy',` + allow syslogd_t var_run_t:fifo_file { ioctl read write }; term_dontaudit_use_unallocated_tty(syslogd_t) term_dontaudit_use_generic_pty(syslogd_t) files_dontaudit_read_root_file(syslogd_t) ') -optional_policy(`cron.te',` - cron_rw_log(syslogd_t) -') - optional_policy(`inn.te',` inn_manage_log(syslogd_t) ') 
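Review bot: `corenet_udp_bind_syslogd_port(syslogd_t)` is replaced by `corenet_tcp_bind_syslogd_port(syslogd_t)` rather than supplemented, so a syslogd that accepts remote messages over UDP 514 (sysklogd `-r`, or a syslog-ng udp source) can no longer bind the port, while the surrounding `corenet_udp_*` rules still assume UDP use. Keep both: `corenet_udp_bind_syslogd_port(syslogd_t)` and `corenet_tcp_bind_syslogd_port(syslogd_t)`. `corenet_tcp_connect_rsh_port(syslogd_t)` is added with `#cjp: why?`; an outbound connect to the rsh port from the log daemon is unusual enough that it should stay out, or be gated on a tunable, until the reason is known.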
@@ -283,16 +324,19 @@ optional_policy(`udev.te', ` ') ifdef(`TODO',` - optional_policy(`rhgb.te', ` rhgb_domain(syslogd_t) ') +allow syslogd_t tmpfs_t:dir search; +dontaudit syslogd_t unlabeled_t:file { getattr read }; +dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr; + # log to the xconsole allow syslogd_t xconsole_device_t:fifo_file { ioctl read write }; # # Special case to handle crashes # -allow syslogd_t { device_t file_t }:sock_file unlink; +allow syslogd_t { device_t file_t }:sock_file { getattr unlink }; ') dnl end TODO diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te index 59430db..387500f 100644 --- a/refpolicy/policy/modules/system/pcmcia.te +++ b/refpolicy/policy/modules/system/pcmcia.te @@ -72,7 +72,7 @@ corecmd_exec_sbin(cardmgr_t) domain_use_wide_inherit_fd(cardmgr_t) domain_exec_all_entry_files(cardmgr_t) # Read /proc/PID directories for all domains (for fuser). -domain_read_all_domains_state(cardmgr_t) +domain_read_confined_domains_state(cardmgr_t) # cjp: these look excessive: domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t) domain_dontaudit_getattr_all_sockets(cardmgr_t) diff --git a/strict/domains/misc/kernel.te b/strict/domains/misc/kernel.te index 4b2cbbb..3901bc4 100644 --- a/strict/domains/misc/kernel.te +++ b/strict/domains/misc/kernel.te @@ -11,7 +11,7 @@ # kernel_t is the domain of kernel threads. # It is also the target type when checking permissions in the system class. # -type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite ifdef(`nfs_export_all_rw',`,etc_writer') ; +type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ; role system_r types kernel_t; general_domain_access(kernel_t) general_proc_read_access(kernel_t) 
@@ -22,8 +22,8 @@ can_exec(kernel_t, shell_exec_t) # Use capabilities. allow kernel_t self:capability *; -allow kernel_t sysfs_t:dir search; -allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search; +r_dir_file(kernel_t, sysfs_t) +allow kernel_t { usbfs_t usbdevfs_t }:dir search; # Run init in the init_t domain. domain_auto_trans(kernel_t, init_exec_t, init_t) @@ -36,6 +36,7 @@ allow kernel_t fs_type:filesystem mount_fs_perms; # Send signal to any process. allow kernel_t domain:process signal; +allow kernel_t domain:dir search; # Access the console. allow kernel_t device_t:dir search; @@ -50,6 +51,7 @@ can_exec(kernel_t, chroot_exec_t) allow kernel_t self:capability sys_chroot; allow kernel_t { unlabeled_t root_t file_t }:dir mounton; +allow kernel_t unlabeled_t:fifo_file rw_file_perms; allow kernel_t file_t:dir rw_dir_perms; allow kernel_t file_t:blk_file create_file_perms; allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms }; diff --git a/strict/domains/program/auditd.te b/strict/domains/program/auditd.te index ce6210e..84adf36 100644 --- a/strict/domains/program/auditd.te +++ b/strict/domains/program/auditd.te 
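Review bot: `allow kernel_t unlabeled_t:fifo_file rw_file_perms;` is added here with no comment, while the identical rule added to refpolicy/policy/modules/kernel/kernel.te in this commit carries `# cjp: this seems questionable`. The strict copy should carry the same flag so the two trees agree on what is known to be unexplained: `# cjp: this seems questionable (same rule as refpolicy kernel.te)`. If the fifo turns out to be an initrd artefact, labelling it would let both copies be dropped.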
@@ -2,11 +2,66 @@ # # Authors: Colin Walters # +# Some fixes by Paul Moore +# +define(`audit_manager_domain', ` +allow $1 auditd_etc_t:file rw_file_perms; +create_dir_file($1, auditd_log_t) +domain_auto_trans($1, auditctl_exec_t, auditctl_t) +') daemon_domain(auditd) -allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write }; -allow auditd_t self:capability { audit_write audit_control }; -allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms; + +allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; allow auditd_t self:unix_dgram_socket create_socket_perms; +allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource }; +allow auditd_t self:process setsched; +allow auditd_t self:file { getattr read write }; allow auditd_t etc_t:file { getattr read }; -log_domain(auditd) + +# Do not use logdir_domain since this is a security file +type auditd_log_t, file_type, secure_file_type; +allow auditd_t var_log_t:dir search; +rw_dir_create_file(auditd_t, auditd_log_t) + +can_exec(auditd_t, init_exec_t) +allow auditd_t initctl_t:fifo_file write; + +ifdef(`targeted_policy', ` +dontaudit auditd_t unconfined_t:fifo_file read; +') + +type auditctl_t, domain, privlog; +type auditctl_exec_t, file_type, exec_type, sysadmfile; +uses_shlib(auditctl_t) +allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; +allow auditctl_t self:capability { audit_write audit_control }; +allow auditctl_t etc_t:file { getattr read }; +allow auditctl_t admin_tty_type:chr_file rw_file_perms; + +type auditd_etc_t, file_type, secure_file_type; +allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms; +allow initrc_t auditd_etc_t:file r_file_perms; + +role secadm_r types auditctl_t; +role sysadm_r types auditctl_t; +audit_manager_domain(secadm_t) + +ifdef(`targeted_policy', `', ` +ifdef(`separate_secadm', `', ` +audit_manager_domain(sysadm_t) +') 
+') + +role system_r types auditctl_t; +domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t) + +dontaudit auditctl_t local_login_t:fd use; +allow auditctl_t proc_t:dir search; +allow auditctl_t sysctl_kernel_t:dir search; +allow auditctl_t sysctl_kernel_t:file { getattr read }; +dontaudit auditctl_t init_t:fd use; +allow auditctl_t initrc_devpts_t:chr_file { read write }; +allow auditctl_t privfd:fd use; + + diff --git a/strict/domains/program/cardmgr.te b/strict/domains/program/cardmgr.te index c9a5e97..16a6f1f 100644 --- a/strict/domains/program/cardmgr.te +++ b/strict/domains/program/cardmgr.te @@ -61,7 +61,9 @@ allow ifconfig_t cardmgr_t:fd use; allow cardmgr_t proc_t:file { getattr read ioctl }; # Read /proc/PID directories for all domains (for fuser). -can_ps(cardmgr_t, domain) +can_ps(cardmgr_t, domain -unrestricted) +dontaudit cardmgr_t unrestricted:dir search; + allow cardmgr_t device_type:{ chr_file blk_file } getattr; allow cardmgr_t ttyfile:chr_file getattr; dontaudit cardmgr_t ptyfile:chr_file getattr; diff --git a/strict/domains/program/checkpolicy.te b/strict/domains/program/checkpolicy.te index d75b4f8..0cfa5a0 100644 --- a/strict/domains/program/checkpolicy.te +++ b/strict/domains/program/checkpolicy.te @@ -12,6 +12,7 @@ type checkpolicy_t, domain; role sysadm_r types checkpolicy_t; role system_r types checkpolicy_t; +role secadm_r types checkpolicy_t; type checkpolicy_exec_t, file_type, exec_type, sysadmfile; @@ -19,7 +20,7 @@ type checkpolicy_exec_t, file_type, exec_type, sysadmfile; # # Rules -domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) +domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t) # able to create and modify binary policy files allow checkpolicy_t policy_config_t:dir rw_dir_perms; diff --git a/strict/domains/program/consoletype.te b/strict/domains/program/consoletype.te index f3f2c28..b1cc126 100644 --- a/strict/domains/program/consoletype.te +++ b/strict/domains/program/consoletype.te 
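Review bot: `audit_manager_domain(secadm_t)` and `role secadm_r types auditctl_t;` are unconditional, while `audit_manager_domain(sysadm_t)` is guarded on `separate_secadm` being undefined; if secadm_t and secadm_r exist only when `separate_secadm` is defined, the unconditional lines will fail to build in the default configuration. The checkpolicy.te hunk in this commit uses the `secadmin` attribute for the same purpose (`domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)`), which may be the intended spelling here too, subject to what that attribute covers. The macro also hands the manager domain `rw_file_perms` on auditd_etc_t, i.e. write access to the audit rule set; that is expected for an audit administrator but a comment such as `# audit managers may edit the audit rules and create/rotate the logs` would make the grant explicit.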
@@ -19,28 +19,28 @@ role system_r types consoletype_t; uses_shlib(consoletype_t) general_domain_access(consoletype_t) +ifdef(`targeted_policy', `', ` domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t) -allow consoletype_t tty_device_t:chr_file { getattr ioctl write }; -allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl }; - ifdef(`xdm.te', ` domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t) allow consoletype_t xdm_tmp_t:file { read write }; ') -allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use; -allow consoletype_t admin_tty_type:chr_file rw_file_perms; ifdef(`hotplug.te', ` domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t) ') +') + +allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms; + +allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use; # Use capabilities. allow consoletype_t self:capability sys_admin; allow consoletype_t console_device_t:chr_file { getattr ioctl read write }; allow consoletype_t initrc_t:fifo_file write; -allow consoletype_t tty_device_t:chr_file read; allow consoletype_t nfs_t:file write; allow consoletype_t sysadm_t:fifo_file rw_file_perms; diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te index c19a2d8..d92a422 100644 --- a/strict/domains/program/crond.te +++ b/strict/domains/program/crond.te @@ -43,8 +43,6 @@ allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr; read_locale(crond_t) -log_domain(crond) - # Use capabilities. allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice }; dontaudit crond_t self:capability sys_resource; @@ -101,9 +99,6 @@ can_setexec(crond_t) # Still need to study anacron. domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t) -# Access log files -file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file) - # Inherit and use descriptors from init for anacron. allow system_crond_t init_t:fd use; 
@@ -205,11 +200,11 @@ domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
 r_dir_file(system_crond_t, file_context_t)
 can_getsecurity(system_crond_t)
 }
-allow system_crond_t removable_t:filesystem { getattr };
+dontaudit system_crond_t removable_t:filesystem getattr;
 #
 # Required for webalizer
 #
 ifdef(`apache.te', `
-allow system_crond_t httpd_log_t:file { getattr read };
+allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
 ')
-dontaudit crond_t self:capability { sys_tty_config };
+dontaudit crond_t self:capability sys_tty_config;
diff --git a/strict/domains/program/firstboot.te b/strict/domains/program/firstboot.te
index 37b107d..bb4d4e8 100644
--- a/strict/domains/program/firstboot.te
+++ b/strict/domains/program/firstboot.te
@@ -10,7 +10,7 @@
 #
 # firstboot_exec_t is the type of the firstboot executable.
 #
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
+application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
 type firstboot_rw_t, file_type, sysadmfile;
 role system_r types firstboot_t;
@@ -29,8 +29,10 @@ domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
 file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
 can_exec_any(firstboot_t)
+ifdef(`useradd.te',`
 domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
 domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
+')
 allow firstboot_t etc_runtime_t:file { getattr read };
 r_dir_file(firstboot_t, etc_t)
@@ -107,8 +109,10 @@ read_sysctl(firstboot_t)
 allow firstboot_t var_run_t:dir getattr;
 allow firstboot_t var_t:dir getattr;
+ifdef(`hostname.te', `
 allow hostname_t devtty_t:chr_file { read write };
 allow hostname_t firstboot_t:fd use;
+')
 ifdef(`iptables.te', `
 allow iptables_t devtty_t:chr_file { read write };
 allow iptables_t firstboot_t:fd use;
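Review bot: `allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };` gives every system cron job read access to the Apache configuration, which commonly carries credentials (proxy passwords, auth backend settings, key paths) rather than only the access log webalizer needs; if webalizer only needs the log format, keep httpd_config_t out of this rule or put it behind a boolean, and at minimum extend the comment: `# webalizer reads the access log and httpd.conf (LogFormat); httpd_config_t may contain secrets`. The switch to `dontaudit system_crond_t removable_t:filesystem getattr;` is a reasonable noise reduction and needs no further change.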
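Review bot: The `application_domain(firstboot, ...)` attribute list gains `privuser` and loses `privlog` with no comment recording either change; in this policy `privuser` appears, from its name and its use on initrc_t later on this page, to be the attribute for domains allowed to change the SELinux user identity of what they run or create, which is a sensitive grant for a first-boot wizard and deserves a line such as `# privuser: firstboot creates the initial user account under that user's identity` (confirm that is the reason). Dropping `privlog` presumably relies on `unconfined_domain(firstboot_t)` further down the file to cover syslog access; if firstboot is ever confined, that dependency will surface as lost logging, so a note there would help.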
@@ -128,4 +132,7 @@ file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
 # The big hammer
 #
 unconfined_domain(firstboot_t)
+ifdef(`targeted_policy', `
+allow firstboot_t unconfined_t:process transition;
+')
diff --git a/strict/domains/program/getty.te b/strict/domains/program/getty.te
index c060211..7899aec 100644
--- a/strict/domains/program/getty.te
+++ b/strict/domains/program/getty.te
@@ -42,6 +42,7 @@ allow getty_t wtmp_t:file rw_file_perms;
 # Chown, chmod, read and write ttys.
 allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
 allow getty_t ttyfile:chr_file { setattr rw_file_perms };
+dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
 # for error condition handling
 allow getty_t fs_t:filesystem getattr;
diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te
index f6e248e..8832423 100644
--- a/strict/domains/program/initrc.te
+++ b/strict/domains/program/initrc.te
@@ -120,7 +120,10 @@ allow initrc_t domain:process { getattr getsession };
 # Mount and unmount file systems.
 allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t { file_t default_t }:dir { read search getattr mounton };
+allow initrc_t file_t:dir { read search getattr mounton };
+
+# during boot up initrc needs to do the following
+allow initrc_t default_t:dir { read search getattr mounton };
 # Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
 file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
@@ -153,9 +156,6 @@ allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
 # Kill all processes.
 allow initrc_t domain:process signal_perms;
-# Read and unlink /var/run/*.pid files.
-allow initrc_t pidfile:file { getattr read unlink };
-
 # Write to /dev/urandom.
 allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
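Review bot: `allow firstboot_t unconfined_t:process transition;` on its own does not make a domain transition possible — the source also needs `execute` on the entry file and `unconfined_t` needs `entrypoint` on it — so this line only does something if those permissions come from elsewhere. Placed right after `unconfined_domain(firstboot_t)`, it reads as letting firstboot hand off to unconfined programs in the targeted policy, which initrc.te on this same page expresses as `domain_trans(initrc_t, shell_exec_t, unconfined_t)`; using the same macro here, `domain_trans(firstboot_t, shell_exec_t, unconfined_t)`, would be consistent and self-documenting. If the bare permission is intentional, a comment naming the executable the transition is for is needed.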
@@ -229,9 +229,13 @@ allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
 allow initrc_t { home_root_t home_type }:dir r_dir_perms;
 allow initrc_t home_type:file r_file_perms;
+# Read and unlink /var/run/*.pid files.
+allow initrc_t pidfile:file { getattr read unlink };
+
 # for system start scripts
 allow initrc_t pidfile:dir rw_dir_perms;
 allow initrc_t pidfile:sock_file unlink;
+
 rw_dir_create_file(initrc_t, var_lib_t)
 # allow start scripts to clean /tmp
@@ -252,7 +256,9 @@ type run_init_t, domain;
 domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
 allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+typeattribute initrc_t privuser;
 domain_trans(initrc_t, shell_exec_t, unconfined_t)
+allow initrc_t unconfined_t:system syslog_mod;
 ', `
 run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
 ')
@@ -309,3 +315,4 @@ ifdef(`distro_gentoo', `
 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 ')
 allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
+allow initrc_t device_t:lnk_file create_file_perms;
diff --git a/strict/domains/program/samba.te b/strict/domains/program/samba.te
index 43b31ef..09f5960 100644
--- a/strict/domains/program/samba.te
+++ b/strict/domains/program/samba.te
@@ -9,14 +9,13 @@
 # Declarations for Samba
 #
-daemon_domain(smbd, `, auth_chkpwd')
+daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
 daemon_domain(nmbd)
 type samba_etc_t, file_type, sysadmfile, usercanread;
 type samba_log_t, file_type, sysadmfile, logfile;
 type samba_var_t, file_type, sysadmfile;
 type samba_share_t, file_type, sysadmfile, customizable;
 type samba_secrets_t, file_type, sysadmfile;
-typealias samba_var_t alias samba_spool_t;
 # for /var/run/samba/messages.tdb
 allow smbd_t nmbd_var_run_t:file rw_file_perms;
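Review bot: `allow initrc_t unconfined_t:system syslog_mod;` names `unconfined_t` as the target, but `system`-class permissions are checked against the kernel's own SID, which elsewhere on this page is written as `allow syslogd_t kernel_t:system { syslog_mod syslog_console };`; unless the targeted policy really runs the kernel as `unconfined_t` (I cannot confirm that from here), this rule grants nothing and the init scripts' syslog() calls stay denied. Please verify the kernel's context in the targeted build and, if it is `kernel_t`, retarget the rule. `typeattribute initrc_t privuser;` is also added without a comment; since it is granted only in the targeted branch, one line saying which boot script needs to set a different SELinux user identity would help.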
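Review bot: `allow initrc_t device_t:lnk_file create_file_perms;` lets init scripts create, rename, unlink and setattr symlinks anywhere under `device_t`, not merely create them, and the hunk gives no hint of which script needs it. If the need is a fixed set of convenience links, `{ create read unlink }` is the narrower grant; either way a comment such as `# start scripts create /dev symlinks (device aliases)` should accompany the line, because a misbehaving script with this access can redirect device names through such links.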
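Review bot: Removing `typealias samba_var_t alias samba_spool_t;` drops a name that other policy files or file_contexts entries may still reference, and nothing in this hunk shows those references being updated; please check the tree for `samba_spool_t` before dropping the alias, or keep it for a release with a `# deprecated alias of samba_var_t, remove once no file_contexts use it` comment. Adding `nscd_client_domain` to smbd is fine but would also benefit from a one-line comment on why smbd talks to nscd (presumably user/group lookups for winbind or LDAP).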
@@ -41,14 +40,17 @@ allow system_crond_t samba_log_t:file { read getattr lock };
 general_domain_access(smbd_t)
 general_proc_read_access(smbd_t)
-type smbd_port_t, port_type, reserved_port_type;
 allow smbd_t smbd_port_t:tcp_socket name_bind;
 # Use capabilities.
 allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
 # Use the network.
-can_network_server(smbd_t)
+can_network(smbd_t)
+can_ldap(smbd_t)
+can_kerberos(smbd_t)
+can_winbind(smbd_t)
+allow smbd_t ipp_port_t:tcp_socket name_connect;
 allow smbd_t urandom_device_t:chr_file { getattr read };
@@ -62,13 +64,16 @@ allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
 # Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
 allow smbd_t var_lib_t:dir search;
-allow smbd_t samba_var_t:dir create_dir_perms;
-allow smbd_t samba_var_t:file create_file_perms;
+create_dir_file(smbd_t, samba_var_t)
+
+# Needed for shared printers
+allow smbd_t var_spool_t:dir search;
 # Permissions to write log files.
 allow smbd_t samba_log_t:file { create ra_file_perms };
 allow smbd_t var_log_t:dir search;
 allow smbd_t samba_log_t:dir ra_dir_perms;
+dontaudit smbd_t samba_log_t:dir remove_name;
 allow smbd_t usr_t:file { getattr read };
@@ -88,7 +93,6 @@ can_exec(logrotate_t, samba_log_t)
 general_domain_access(nmbd_t)
 general_proc_read_access(nmbd_t)
-type nmbd_port_t, port_type, reserved_port_type;
 allow nmbd_t nmbd_port_t:udp_socket name_bind;
 # Use capabilities.
@@ -111,6 +115,7 @@ allow nmbd_t usr_t:file { getattr read };
 allow nmbd_t samba_log_t:file { create ra_file_perms };
 allow nmbd_t var_log_t:dir search;
 allow nmbd_t samba_log_t:dir ra_dir_perms;
+allow nmbd_t etc_t:file { getattr read };
 ifdef(`cups.te', `
 allow smbd_t cupsd_rw_etc_t:file { getattr read };
 ')
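Review bot: Replacing `can_network_server(smbd_t)` with `can_network(smbd_t)` turns a network-facing daemon from a pure server into a general network client as well, and the hunk does not record why; the accompanying `can_ldap`, `can_kerberos`, `can_winbind` and `allow smbd_t ipp_port_t:tcp_socket name_connect;` suggest AD membership and printing through CUPS, so a comment such as `# smbd is a client for AD (LDAP/Kerberos/winbind) and for CUPS when sharing printers` belongs above the block. Because `name_connect` to `ipp_port_t` is listed separately I assume `can_network` grants no `name_connect`; if it does, the explicit line is redundant and smbd can reach every port — please confirm. The removed `type smbd_port_t, port_type, reserved_port_type;` must now be declared in the shared port-type file, which is outside this diff.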
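Review bot: `dontaudit smbd_t samba_log_t:dir remove_name;` silences attempts by smbd to delete entries from its own log directory, which is exactly the kind of denial — log removal by a network-facing daemon — an incident responder wants to keep seeing. If smbd legitimately rotates or truncates its logs, allow `remove_name` explicitly with a comment explaining the rotation; otherwise leave the denial audited rather than hiding it.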
@@ -136,6 +141,7 @@ allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_over
 # Access samba config
 allow smbmount_t samba_etc_t:file r_file_perms;
 allow smbmount_t samba_etc_t:dir r_dir_perms;
+allow initrc_t samba_etc_t:file rw_file_perms;
 # Write samba log
 allow smbmount_t samba_log_t:file create_file_perms;
@@ -153,6 +159,7 @@ allow smbmount_t etc_t:file r_file_perms;
 # Networking
 can_network(smbmount_t)
+allow smbmount_t port_type:tcp_socket name_connect;
 can_ypbind(smbmount_t)
 allow smbmount_t self:unix_dgram_socket create_socket_perms;
 allow smbmount_t self:unix_stream_socket create_socket_perms;
@@ -180,3 +187,28 @@ access_terminal(smbmount_t, sysadm)
 allow smbmount_t userdomain:fd use;
 allow smbmount_t local_login_t:fd use;
 ')
+# Derive from app. domain. Transition from mount.
+application_domain(samba_net, `, nscd_client_domain')
+file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
+read_locale(samba_net_t)
+allow samba_net_t samba_etc_t:file r_file_perms;
+r_dir_file(samba_net_t, samba_var_t)
+can_network_udp(samba_net_t)
+access_terminal(samba_net_t, sysadm)
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+rw_dir_create_file(samba_net_t, samba_var_t)
+allow samba_net_t etc_t:file { getattr read };
+can_network_client(samba_net_t)
+allow samba_net_t smbd_port_t:tcp_socket name_connect;
+can_ldap(samba_net_t)
+can_kerberos(samba_net_t)
+allow samba_net_t urandom_device_t:chr_file r_file_perms;
+allow samba_net_t proc_t:dir search;
+allow samba_net_t proc_t:lnk_file read;
+allow samba_net_t self:dir search;
+allow samba_net_t self:file read;
+allow samba_net_t self:process signal;
+tmp_domain(samba_net)
+dontaudit samba_net_t sysadm_home_dir_t:dir search;
+allow samba_net_t privfd:fd use;
diff --git a/strict/domains/program/syslogd.te b/strict/domains/program/syslogd.te
index 33d1e20..8583814 100644
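Review bot: `allow initrc_t samba_etc_t:file rw_file_perms;` gives init scripts write access to everything labelled `samba_etc_t`, which per the samba.fc hunk on this page is all of `/etc/samba(/.*)?` — smb.conf and any password or secrets file not separately relabelled to `samba_secrets_t` — and it sits under the `# Access samba config` comment for smbmount with no note on which script writes there. If the script only reads smb.conf, `r_file_perms` is enough; if it genuinely rewrites a file, say so in a comment and consider a dedicated writable type so the rest of /etc/samba stays read-only to initrc.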
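Review bot: `allow smbmount_t port_type:tcp_socket name_connect;` lets smbmount connect to every labelled port on the system, whereas the new `samba_net_t` domain in the same file is limited to `smbd_port_t:tcp_socket name_connect`; smbmount only needs the SMB/CIFS ports, so `allow smbmount_t smbd_port_t:tcp_socket name_connect;` is the matching, narrower rule. If the broad grant is deliberate because servers run on non-standard ports, a comment should say so and the rule is better placed behind a boolean.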
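Review bot: The header comment `# Derive from app. domain. Transition from mount.` promises a transition into `samba_net_t`, but no `domain_auto_trans`/`domain_trans` into `samba_net_t` appears in the hunk, and firstboot.te on this page shows that `application_domain` does not supply one (firstboot adds its own `domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)`); unless the rule lives elsewhere in the file, which I cannot see, `/usr/bin/net` (labelled `samba_net_exec_t` in samba.fc) runs in the caller's domain and none of the rules below — including the `file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)` that protects secrets.tdb — ever apply. Add the intended rule, e.g. `domain_auto_trans(sysadm_t, samba_net_exec_t, samba_net_t)` with `role sysadm_r types samba_net_t;`, and correct the comment to name the real source domain; `access_terminal(samba_net_t, sysadm)` and `tmp_domain(samba_net)` already imply an interactive admin caller.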
--- a/strict/domains/program/syslogd.te
+++ b/strict/domains/program/syslogd.te
@@ -64,8 +64,6 @@ can_unix_connect(privlog,syslogd_t)
 allow privlog devlog_t:lnk_file read;
 ifdef(`crond.te', `
-# Write to the cron log.
-allow syslogd_t crond_log_t:file rw_file_perms;
 # for daemon re-start
 allow system_crond_t syslogd_t:lnk_file read;
 ')
@@ -79,16 +77,10 @@ allow syslogd_t initrc_var_run_t:file { read lock };
 dontaudit syslogd_t initrc_var_run_t:file write;
 allow syslogd_t ttyfile:chr_file { getattr write };
-ifdef(`klogd.te', `', `
-# Allow access to /proc/kmsg for syslog-ng
-allow syslogd_t proc_t:dir search;
-allow syslogd_t proc_kmsg_t:file { getattr read };
-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
-')
 #
 # Special case to handle crashes
 #
-allow syslogd_t { device_t file_t }:sock_file unlink;
+allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
 # Allow syslog to a terminal
 allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
@@ -100,6 +92,18 @@ allow syslogd_t syslogd_port_t:udp_socket name_bind;
 # dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir search;
-dontaudit syslogd_t unlabeled_t:file read;
+dontaudit syslogd_t unlabeled_t:file { getattr read };
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
+ifdef(`targeted_policy', `
+allow syslogd_t var_run_t:fifo_file { ioctl read write };
+')
+
+# Allow access to /proc/kmsg for syslog-ng
+allow syslogd_t proc_t:dir search;
+allow syslogd_t proc_kmsg_t:file { getattr read };
+allow syslogd_t kernel_t:system { syslog_mod syslog_console };
+allow syslogd_t self:capability { sys_admin chown fsetid };
+allow syslogd_t var_log_t:dir { create setattr };
+allow syslogd_t syslogd_port_t:tcp_socket name_bind;
+allow syslogd_t rsh_port_t:tcp_socket name_connect;
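Review bot: `allow syslogd_t self:capability { sys_admin chown fsetid };` hands syslogd CAP_SYS_ADMIN, the broadest capability in the set, with no comment; on kernels of this era the `syslog(2)` calls behind `allow syslogd_t kernel_t:system { syslog_mod syslog_console };` are what need it, so record that: `# sys_admin: syslog(2) requires CAP_SYS_ADMIN on kernels without CAP_SYSLOG`. `allow syslogd_t rsh_port_t:tcp_socket name_connect;` is the odd one out — a log daemon connecting out to the rsh port has no visible rationale here, and if it is for syslog-ng forwarding to a fixed destination a dedicated port type or at least a comment naming the use is warranted before quietly allowing it. Note also that the `/proc/kmsg` and `syslog_console` rules were previously granted only when `klogd.te` was absent and are now unconditional, so with klogd present both daemons can read the ring buffer; if that is intended for syslog-ng, the comment should say so.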
diff --git a/strict/domains/program/updfstab.te b/strict/domains/program/updfstab.te
index 5c5c452..82edf3d 100644
--- a/strict/domains/program/updfstab.te
+++ b/strict/domains/program/updfstab.te
@@ -31,6 +31,8 @@ read_locale(updfstab_t)
 ifdef(`dbusd.te', `
 dbusd_client(system, updfstab)
 allow updfstab_t system_dbusd_t:dbus { send_msg };
+allow initrc_t updfstab_t:dbus send_msg;
+allow updfstab_t initrc_t:dbus send_msg;
 ')
 # not sure what the sysctl_kernel_t file is, or why it wants to write it, so
@@ -72,3 +74,8 @@ can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
 dontaudit updfstab_t home_root_t:dir { getattr search };
 dontaudit updfstab_t { home_dir_type home_type }:dir search;
 allow updfstab_t fs_t:filesystem { getattr };
+allow updfstab_t tmpfs_t:dir getattr;
+ifdef(`hald.te', `
+can_unix_connect(updfstab_t, hald_t)
+')
+
diff --git a/strict/domains/program/useradd.te b/strict/domains/program/useradd.te
index 2b1118f..779cd31 100644
--- a/strict/domains/program/useradd.te
+++ b/strict/domains/program/useradd.te
@@ -98,3 +98,7 @@ allow groupadd_t self:capability { setuid sys_resource };
 allow groupadd_t self:process setrlimit;
 allow groupadd_t initrc_var_run_t:file r_file_perms;
 dontaudit groupadd_t initrc_var_run_t:file write;
+
+allow useradd_t default_context_t:dir search;
+allow useradd_t file_context_t:dir search;
+allow useradd_t file_context_t:file { getattr read };
diff --git a/strict/domains/program/utempter.te b/strict/domains/program/utempter.te
index eb1af02..b9e670d 100644
--- a/strict/domains/program/utempter.te
+++ b/strict/domains/program/utempter.te
@@ -38,10 +38,7 @@ allow utempter_t user_tmpfile:file { getattr write append };
 # Inherit and use descriptors from login.
 allow utempter_t privfd:fd use;
-ifdef(`xdm.te', `
-allow utempter_t xdm_t:fd use;
-allow utempter_t xdm_t:fifo_file { write getattr };
-')
+ifdef(`xdm.te', `can_pipe_xdm(utempter_t)')
 allow utempter_t self:unix_stream_socket create_stream_socket_perms;
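Review bot: The three new `useradd_t` rules on `default_context_t` and `file_context_t` are added at the end of the groupadd block with no comment, so a reader cannot tell they belong to useradd rather than groupadd or why useradd reads file contexts at all (presumably to label newly created home directories via matchpathcon). A short header above them, `# useradd reads file_contexts to label new home directories`, would make the grouping and purpose clear; the preceding `dontaudit groupadd_t initrc_var_run_t:file write;` is unrelated context.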
diff --git a/strict/file_contexts/program/samba.fc b/strict/file_contexts/program/samba.fc
index b8a9439..5ac7c2f 100644
--- a/strict/file_contexts/program/samba.fc
+++ b/strict/file_contexts/program/samba.fc
@@ -1,6 +1,7 @@
 # samba scripts
 /usr/sbin/smbd -- system_u:object_r:smbd_exec_t
 /usr/sbin/nmbd -- system_u:object_r:nmbd_exec_t
+/usr/bin/net -- system_u:object_r:samba_net_exec_t
 /etc/samba(/.*)? system_u:object_r:samba_etc_t
 /var/log/samba(/.*)? system_u:object_r:samba_log_t
 /var/cache/samba(/.*)? system_u:object_r:samba_var_t