From 725926c586ecbd93d6f7168c65070d80335ba3d1 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Nov 08 2005 22:00:30 +0000
Subject: pile of sediff fixes
---
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 39d9f79..cb0cb3b 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -201,7 +201,7 @@ allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
-userdom_create_sysadm_home(amanda_recover_t,amanda_recover_dir_t,{ file lnk_file sock_file fifo_file })
+userdom_create_sysadm_home(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
allow amanda_recover_t amanda_tmp_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/admin/anaconda.te b/refpolicy/policy/modules/admin/anaconda.te
index b988381..a07668f 100644
--- a/refpolicy/policy/modules/admin/anaconda.te
+++ b/refpolicy/policy/modules/admin/anaconda.te
@@ -35,6 +35,10 @@ optional_policy(`dmesg.te',`
dmesg_domtrans(anaconda_t)
')
+optional_policy(`kudzu.te',`
+ kudzu_domtrans(anaconda_t)
+')
+
optional_policy(`rpm.te',`
rpm_domtrans(anaconda_t)
')
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 19295dd..b5ab0c6 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -41,6 +41,7 @@ kernel_dontaudit_read_system_state(consoletype_t)
fs_getattr_all_fs(consoletype_t)
fs_search_auto_mountpoints(consoletype_t)
+fs_write_nfs_files(consoletype_t)
term_use_console(consoletype_t)
term_use_unallocated_tty(consoletype_t)
@@ -48,6 +49,7 @@ term_use_unallocated_tty(consoletype_t)
init_use_fd(consoletype_t)
init_use_script_pty(consoletype_t)
init_use_script_fd(consoletype_t)
+init_write_script_pipe(consoletype_t)
domain_use_wide_inherit_fd(consoletype_t)
@@ -107,8 +109,6 @@ optional_policy(`userdomain.te',`
')
ifdef(`TODO',`
-allow consoletype_t nfs_t:file write;
-
optional_policy(`xdm.te', `
allow consoletype_t xdm_tmp_t:file rw_file_perms;
')
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 31691cd..957965b 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -155,9 +155,6 @@ allow kudzu_t modules_conf_t:file unlink;
optional_policy(`rhgb.te',`
rhgb_domain(kudzu_t)
')
-optional_policy(`anaconda.te', `
- domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
-')
optional_policy(`lpd.te',`
allow kudzu_t printconf_t:file { getattr read };
')
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index b7fd8de..cca5d2c 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -56,7 +56,10 @@ template(`su_restricted_domain_template', `
domain_use_wide_inherit_fd($1_su_t)
files_read_etc_files($1_su_t)
+ files_search_var_lib($1_su_t)
+ init_dontaudit_use_fd($1_su_t)
+ init_dontaudit_use_script_pty($1_su_t)
# Write to utmp.
init_rw_script_pid($1_su_t)
@@ -73,7 +76,7 @@ template(`su_restricted_domain_template', `
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
- optional_policy(`crond.te',`
+ optional_policy(`cron.te',`
cron_read_pipe($1_su_t)
')
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index fb77e18..b12829c 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -68,6 +68,7 @@ allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exe
allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use;
allow chfn_t self:fifo_file rw_file_perms;
+allow chfn_t self:sock_file r_file_perms;
allow chfn_t self:shm create_shm_perms;
allow chfn_t self:sem create_sem_perms;
allow chfn_t self:msgq create_msgq_perms;
@@ -102,6 +103,8 @@ auth_dontaudit_read_shadow(chfn_t)
# can exec /sbin/unix_chkpwd
corecmd_search_bin(chfn_t)
corecmd_search_sbin(chfn_t)
+# allow checking if a shell is executable
+corecmd_check_exec_shell(chfn_t)
domain_use_wide_inherit_fd(chfn_t)
@@ -134,9 +137,6 @@ optional_policy(`nis.te',`
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
-
-# allow checking if a shell is executable
-allow chfn_t shell_exec_t:file execute;
') dnl endif TODO
########################################
@@ -310,9 +310,8 @@ term_use_all_user_ptys(passwd_t)
auth_manage_shadow(passwd_t)
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it. Do not audit write denials to utmp.
-init_dontaudit_rw_script_pid(passwd_t)
+# allow checking if a shell is executable
+corecmd_check_exec_shell(passwd_t)
domain_use_wide_inherit_fd(passwd_t)
@@ -321,6 +320,10 @@ files_manage_etc_files(passwd_t)
files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it. Do not audit write denials to utmp.
+init_dontaudit_rw_script_pid(passwd_t)
+
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
@@ -346,9 +349,6 @@ allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
# Inherit and use descriptors from login.
ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
-# allow checking if a shell is executable
-allow passwd_t shell_exec_t:file execute;
-
# make sure that getcon succeeds
allow passwd_t userdomain:dir search;
allow passwd_t userdomain:file read;
@@ -365,6 +365,7 @@ allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setr
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
allow sysadm_passwd_t self:fifo_file rw_file_perms;
+allow sysadm_passwd_t self:sock_file r_file_perms;
allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow sysadm_passwd_t self:unix_dgram_socket sendto;
@@ -403,6 +404,7 @@ term_use_all_user_ptys(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
# allow vipw to exec the editor
+corecmd_search_sbin(sysadm_passwd_t)
corecmd_exec_bin(sysadm_passwd_t)
corecmd_exec_shell(sysadm_passwd_t)
files_read_usr_files(sysadm_passwd_t)
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 83e3fb6..e620283 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -164,6 +164,9 @@ interface(`bootloader_read_kernel_symbol_table',`
allow $1 boot_t:dir r_dir_perms;
allow $1 system_map_t:file r_file_perms;
+
+ # cjp: this should be dropped:
+ allow $1 boot_t:file { getattr read };
')
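Review bot: The added `allow $1 boot_t:file { getattr read };` widens bootloader_read_kernel_symbol_table from System.map to every file labeled boot_t (kernels, initrds, anything else under /boot) for every caller of this kernel-layer interface, and the `# cjp: this should be dropped:` comment names neither the caller that needs it nor a tracking reference. A broad workaround should not be parked inside a narrowly named interface; give the domain that triggered it a separate, explicitly named interface (for example `bootloader_read_boot_files`) so the extra grant is visible at the call site and can be removed independently. If it must stay here for now, extend the comment with the domain and denial that motivated it so the TODO is actionable.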
########################################
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index c1b5862..4a7ce1b 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -792,6 +792,23 @@ interface(`dev_rw_apm_bios',`
########################################
##
+## Read and write the PCMCIA card manager device.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_cardmgr',`
+ gen_require(`
+ type cardmgr_dev_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 cardmgr_dev_t:chr_file { read write };
+')
+
+########################################
+##
## Do not audit attempts to read and
## write the PCMCIA card manager device.
##
@@ -1356,7 +1373,9 @@ interface(`dev_getattr_mtrr',`
')
allow $1 device_t:dir r_dir_perms;
- allow $1 mtrr_device_t:chr_file getattr;
+
+ # proc entry is a file. added for nmbd_t
+ allow $1 mtrr_device_t:{ file chr_file } getattr;
')
########################################
@@ -1967,6 +1986,23 @@ interface(`dev_getattr_usbfs_dir',`
########################################
##
+## Do not audit attempts to get the attributes
+## of a directory in the usb filesystem.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`dev_dontaudit_getattr_usbfs_dir',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ dontaudit $1 usbfs_t:dir getattr;
+')
+
+########################################
+##
## Search the directory containing USB hardware information.
##
##
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 69a8354..f12e5d4 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -462,7 +462,7 @@ interface(`fs_getattr_cifs',`
## Search directories on a CIFS or SMB filesystem.
##
##
-## The type of the domain reading the files.
+## Domain allowed access.
##
#
interface(`fs_search_cifs',`
@@ -480,7 +480,7 @@ interface(`fs_search_cifs',`
## CIFS or SMB filesystem.
##
##
-## The type of the domain reading the files.
+## Domain allowed access.
##
#
interface(`fs_list_cifs',`
@@ -514,7 +514,7 @@ interface(`fs_dontaudit_list_cifs',`
## Read files on a CIFS or SMB filesystem.
##
##
-## The type of the domain reading the files.
+## Domain allowed access.
##
#
interface(`fs_read_cifs_files',`
@@ -1085,7 +1085,7 @@ interface(`fs_getattr_nfs',`
## Search directories on a NFS filesystem.
##
##
-## The type of the domain reading the files.
+## Domain allowed access.
##
#
interface(`fs_search_nfs',`
@@ -1119,7 +1119,7 @@ interface(`fs_dontaudit_list_nfs',`
## Read files on a NFS filesystem.
##
##
-## The type of the domain reading the files.
+## Domain allowed access.
##
#
interface(`fs_read_nfs_files',`
@@ -1152,6 +1152,23 @@ interface(`fs_dontaudit_read_nfs_files',`
########################################
##
+## Read files on a NFS filesystem.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_write_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir r_dir_perms;
+ allow $1 nfs_t:file write;
+')
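Review bot: The summary of the new fs_write_nfs_files interface says `Read files on a NFS filesystem.` but the body grants `nfs_t:file write`; it should read `Write files on a NFS filesystem.` so the generated interface documentation does not describe a write grant as a read. The rule grants only `write`, which is what a descriptor inherited from the caller needs (the consoletype TODO rule this replaces) but not enough to open or create files on its own; if inherited descriptors are the intent, the accompanying `allow $1 nfs_t:dir r_dir_perms;` is unnecessary and should be dropped, otherwise a one-line comment should state what the interface is for.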
+
+########################################
+##
## Execute files on a NFS filesystem.
##
##
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index bdd44b9..2b238ee 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -2,7 +2,7 @@
## Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
##
##
-## This policy has initial SIDs.
+## This module has initial SIDs.
##
########################################
@@ -27,9 +27,9 @@ interface(`kernel_userland_entry',`
domain_auto_trans(kernel_t, $2, $1)
- allow $1 kernel_t:fd use;
allow kernel_t $1:fd use;
- allow kernel_t $1:fifo_file rw_file_perms;
+ allow $1 kernel_t:fd use;
+ allow $1 kernel_t:fifo_file rw_file_perms;
allow $1 kernel_t:process sigchld;
')
@@ -494,6 +494,23 @@ interface(`kernel_list_proc',`
########################################
##
+## Do not audit attempts to list the
+## contents of directories in /proc.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`kernel_dontaudit_list_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:dir list_dir_perms;
+')
+
+########################################
+##
## Read symbolic links in /proc.
##
##
@@ -1502,6 +1519,23 @@ interface(`kernel_dontaudit_getattr_unlabeled_file',`
########################################
##
+## Do not audit attempts by caller to
+## read an unlabeled file.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`kernel_dontaudit_read_unlabeled_file',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:file { getattr read };
+')
+
+########################################
+##
## Do not audit attempts by caller to get attributes for
## unlabeled block devices.
##
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index fd5eced..f4c7fc6 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_create_pty',`
## ttys and all ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_all_terms',`
@@ -143,7 +143,7 @@ interface(`term_use_all_terms',`
## Write to the console.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_write_console',`
@@ -160,7 +160,7 @@ interface(`term_write_console',`
## Read from and write to the console.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_console',`
@@ -178,7 +178,7 @@ interface(`term_use_console',`
## or write to the console.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_dontaudit_use_console',`
@@ -195,7 +195,7 @@ interface(`term_dontaudit_use_console',`
## device node.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_setattr_console',`
@@ -230,7 +230,7 @@ interface(`term_dontaudit_getattr_pty_dir',`
## Search the contents of the /dev/pts directory.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_search_ptys',`
@@ -248,7 +248,7 @@ interface(`term_search_ptys',`
## list all ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_list_ptys',`
@@ -302,7 +302,7 @@ interface(`term_dontaudit_manage_pty_dir',`
## ioctl of generic pty types.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
# cjp: added for ppp
@@ -323,7 +323,7 @@ interface(`term_ioctl_generic_pty',`
## the targeted policy.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_generic_pty',`
@@ -361,7 +361,7 @@ interface(`term_dontaudit_use_generic_pty',`
## terminal (/dev/tty).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_controlling_term',`
@@ -413,7 +413,7 @@ interface(`term_dontaudit_use_ptmx',`
## pty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_getattr_all_user_ptys',`
@@ -435,7 +435,7 @@ interface(`term_getattr_all_user_ptys',`
## device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_dontaudit_getattr_all_user_ptys',`
@@ -455,7 +455,7 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
## pty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_setattr_all_user_ptys',`
@@ -475,7 +475,7 @@ interface(`term_setattr_all_user_ptys',`
## Relabel to all user ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_relabelto_all_user_ptys',`
@@ -492,7 +492,7 @@ interface(`term_relabelto_all_user_ptys',`
## Read and write all user ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_all_user_ptys',`
@@ -529,7 +529,7 @@ interface(`term_dontaudit_use_all_user_ptys',`
## user pty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_relabel_all_user_ptys',`
@@ -550,7 +550,7 @@ interface(`term_relabel_all_user_ptys',`
## tty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_getattr_unallocated_ttys',`
@@ -569,7 +569,7 @@ interface(`term_getattr_unallocated_ttys',`
## of all unallocated tty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_dontaudit_getattr_unallocated_ttys',`
@@ -587,7 +587,7 @@ interface(`term_dontaudit_getattr_unallocated_ttys',`
## tty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_setattr_unallocated_ttys',`
@@ -606,7 +606,7 @@ interface(`term_setattr_unallocated_ttys',`
## tty type.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_relabel_unallocated_ttys',`
@@ -625,7 +625,7 @@ interface(`term_relabel_unallocated_ttys',`
## the unallocated tty type.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_reset_tty_labels',`
@@ -642,10 +642,27 @@ interface(`term_reset_tty_labels',`
########################################
##
+## Do not audit attempts to get the attributes
+## of unallocated ttys.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`term_dontaudit_getattr_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dontaudit $1 tty_device_t:chr_file getattr;
+')
+
+########################################
+##
## Write to unallocated ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_write_unallocated_ttys',`
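Review bot: The interface added here, term_dontaudit_getattr_unallocated_ttys, is already defined earlier in this same file, visible as context in the `@@ -587,7 +587,7` hunk where `interface(`term_dontaudit_getattr_unallocated_ttys',` precedes term_setattr_unallocated_ttys. m4 will silently take whichever definition comes later, so the duplicate should be deleted rather than shipped twice. The new copy also documents its parameter as `Domain allowed access.` for a dontaudit rule; the kernel.if interfaces in this same commit use `Domain to not audit.`, which is the wording to keep if any of this text survives.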
@@ -663,7 +680,7 @@ interface(`term_write_unallocated_ttys',`
## Read and write unallocated ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_unallocated_tty',`
@@ -699,7 +716,7 @@ interface(`term_dontaudit_use_unallocated_tty',`
## device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_getattr_all_user_ttys',`
@@ -719,7 +736,7 @@ interface(`term_getattr_all_user_ttys',`
## device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_dontaudit_getattr_all_user_ttys',`
@@ -738,7 +755,7 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
## device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_setattr_all_user_ttys',`
@@ -757,7 +774,7 @@ interface(`term_setattr_all_user_ttys',`
## user tty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_relabel_all_user_ttys',`
@@ -775,7 +792,7 @@ interface(`term_relabel_all_user_ttys',`
## Write to all user ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_write_all_user_ttys',`
@@ -793,7 +810,7 @@ interface(`term_write_all_user_ttys',`
## Read and write all user to all user ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_all_user_ttys',`
@@ -811,7 +828,7 @@ interface(`term_use_all_user_ttys',`
## any user ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_dontaudit_use_all_user_ttys',`
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 2a61cf3..9cc5489 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -179,6 +179,8 @@ allow httpd_t httpd_squirrelmail_t:dir create_dir_perms;
allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms;
allow httpd_t httpd_squirrelmail_t:file create_file_perms;
+allow httpd_t httpd_suexec_exec_t:file { getattr read };
+
allow httpd_t httpd_sys_content_t:dir r_dir_perms;
allow httpd_t httpd_sys_content_t:file r_file_perms;
@@ -393,13 +395,6 @@ optional_policy(`mailman.te',`
mailman_read_archive(httpd_t)
')
-optional_policy(`mta.te',`
- mta_stub()
-
- # apache should set close-on-exec
- dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-')
-
optional_policy(`mysql.te',`
mysql_stream_connect(httpd_t)
mysql_rw_db_socket(httpd_t)
@@ -409,6 +404,11 @@ optional_policy(`nscd.te',`
nscd_use_socket(httpd_t)
')
+optional_policy(`postgresql.te',`
+ # Allow httpd to work with postgresql
+ postgresql_unix_connect(httpd_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(httpd_t)
')
@@ -544,6 +544,7 @@ corecmd_exec_shell(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
+files_search_home(httpd_suexec_t)
libs_use_ld_so(httpd_suexec_t)
libs_use_shared_libs(httpd_suexec_t)
@@ -619,6 +620,13 @@ optional_policy(`mount.te',`
')
')
+optional_policy(`mta.te',`
+ mta_stub(httpd_suexec_t)
+
+ # apache should set close-on-exec
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(httpd_suexec_t)
')
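Review bot: The `dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };` rule involves only apache types, yet it sits inside `optional_policy(`mta.te',` and therefore vanishes whenever mta is not built, leaving the close-on-exec leak the comment describes to generate denials again. Move the dontaudit to the unconditional httpd_suexec_t section and keep only `mta_stub(httpd_suexec_t)` under the mta guard. The removed call was `mta_stub()` with no argument; mta.if is not in this diff, so confirm the interface actually takes a domain parameter.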
diff --git a/refpolicy/policy/modules/services/apm.if b/refpolicy/policy/modules/services/apm.if
index ed346a9..4cac734 100644
--- a/refpolicy/policy/modules/services/apm.if
+++ b/refpolicy/policy/modules/services/apm.if
@@ -86,3 +86,21 @@ interface(`apm_append_log',`
logging_search_logs($1)
allow $1 apmd_log_t:file append;
')
+
+########################################
+##
+## Connect to apmd over an unix stream socket.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apm_stream_connect',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 apmd_var_run_t:sock_file write;
+ allow $1 apmd_t:unix_stream_socket connectto;
+')
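Review bot: apm_stream_connect uses apmd_var_run_t in `allow $1 apmd_var_run_t:sock_file write;` but its gen_require declares only `type apmd_t;`, so the interface is not self-contained and will fail to resolve in a loadable-module build where the caller is compiled apart from apm. Change the require block to `type apmd_t, apmd_var_run_t;`. The hal.te call site in this commit would otherwise be the first place this shows up.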
diff --git a/refpolicy/policy/modules/services/arpwatch.if b/refpolicy/policy/modules/services/arpwatch.if
index dc5b070..2e0dedd 100644
--- a/refpolicy/policy/modules/services/arpwatch.if
+++ b/refpolicy/policy/modules/services/arpwatch.if
@@ -51,6 +51,22 @@ interface(`arpwatch_rw_tmp_files',`
########################################
##
+## Read and write arpwatch temporary files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`arpwatch_manage_tmp_files',`
+ gen_require(`
+ type arpwatch_tmp_t;
+ ')
+
+ allow $1 arpwatch_tmp_t:file manage_file_perms;
+')
+
+########################################
+##
## Do not audit attempts to read and write
## arpwatch packet sockets.
##
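Review bot: The summary of arpwatch_manage_tmp_files says `Read and write arpwatch temporary files.` while the body grants `manage_file_perms`, which includes create, unlink and rename; the arpwatch_rw_tmp_files interface just above already covers the read/write case. Change it to `Create, read, write, and delete arpwatch temporary files.` so a caller such as mta.te's `arpwatch_manage_tmp_files(system_mail_t)` sees what it is granting. The interface also grants nothing on the enclosing tmp directory, so callers need their own search access to reach these files; a short comment saying so would save the next reader a denial hunt.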
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index a4db2f7..7c31188 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -148,7 +148,6 @@ ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(named_t)
term_dontaudit_use_generic_pty(named_t)
files_dontaudit_read_root_file(named_t)
- #dontaudit ndc_t unlabeled_t:file { getattr read };
')
optional_policy(`dbus.te',`
@@ -247,7 +246,9 @@ ifdef(`distro_redhat',`
allow ndc_t named_conf_t:dir search;
')
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
+ kernel_dontaudit_read_unlabeled_file(ndc_t)
+
term_use_unallocated_tty(ndc_t)
term_use_generic_pty(ndc_t)
')
@@ -270,6 +271,10 @@ optional_policy(`nscd.te',`
nscd_use_socket(ndc_t)
')
+optional_policy(`bind.te',`
+ ppp_dontaudit_use_fd(ndc_t)
+')
+
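Review bot: The new block is guarded by `optional_policy(`bind.te',` but it lives in bind.te itself, so the guard is always true and `ppp_dontaudit_use_fd(ndc_t)` is expanded even when the ppp module is absent, failing on the undefined interface. The guard was surely meant to be `optional_policy(`ppp.te',`. As written it also reads as a self-dependency that will mislead anyone auditing module coupling.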
###########################################################
#
# Partially converted rules. THESE ARE ONLY TEMPORARY
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 1ab8ded..5d6e7bb 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -206,6 +206,8 @@ logging_send_syslog_msg(bluetooth_helper_t)
miscfiles_read_localization(bluetooth_helper_t)
miscfiles_read_fonts(bluetooth_helper_t)
+userdom_search_all_users_home(bluetooth_helper_t)
+
optional_policy(`nscd.te',`
nscd_use_socket(bluetooth_helper_t)
')
@@ -213,20 +215,12 @@ optional_policy(`nscd.te',`
ifdef(`TODO',`
allow bluetooth_helper_t tmp_t:dir search;
-allow bluetooth_helper_t home_dir_type:dir search;
-
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
-ifdef(`targeted_policy', `
- allow bluetooth_helper_t tmp_t:sock_file { read write };
- allow bluetooth_helper_t tmpfs_t:file { read write };
- allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
- allow bluetooth_t unconfined_t:dbus send_msg;
- allow unconfined_t bluetooth_t:dbus send_msg;
-', `
+ifdef(`targeted_policy', `', `
ifdef(`xdm.te', `
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
')
@@ -237,6 +231,11 @@ ifdef(`targeted_policy', `
') dnl end TODO
ifdef(`targeted_policy',`
+ allow bluetooth_helper_t tmp_t:sock_file { read write };
+ allow bluetooth_helper_t tmpfs_t:file { read write };
+ allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
+ allow bluetooth_t unconfined_t:dbus send_msg;
+ allow unconfined_t bluetooth_t:dbus send_msg;
allow bluetooth_t unconfined_t:dbus send_msg;
allow unconfined_t bluetooth_t:dbus send_msg;
')
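Review bot: In the targeted_policy block the added `allow bluetooth_t unconfined_t:dbus send_msg;` and `allow unconfined_t bluetooth_t:dbus send_msg;` duplicate the identical pair already present on the two following lines; the compiler merges them, but one pair should be removed so the block reads as intended. The relocated `tmp_t:sock_file { read write }` and `tmpfs_t:file { read write }` rules reference files/filesystem types directly rather than through interfaces, which is the pattern the rest of this commit is moving away from; use the corresponding interfaces if they exist, otherwise add a comment explaining why raw types are used here.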
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index 57eb700..3f13e1c 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -75,6 +75,8 @@ miscfiles_read_localization(comsat_t)
sysnet_read_config(comsat_t)
+userdom_dontaudit_getattr_sysadm_tty(comsat_t)
+
mta_getattr_spool(comsat_t)
optional_policy(`kerberos.te',`
@@ -89,6 +91,4 @@ optional_policy(`nscd.te',`
nscd_use_socket(comsat_t)
')
-ifdef(`TODO',`
-dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
-')
+
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index c20e965..3df2e37 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -375,10 +375,9 @@ interface(`cron_sigchld',`
interface(`cron_read_pipe',`
gen_require(`
type crond_t;
- class file r_file_perms;
')
- allow $1 crond_t:file r_file_perms;
+ allow $1 crond_t:fifo_file r_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
index d1e86d0..5ef539b 100644
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@@ -2,6 +2,27 @@
########################################
##
+## Execute cups_config in the cups_config domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`cups_domtrans_config',`
+ gen_require(`
+ type cupsd_config_t, cupsd_config_exec_t;
+ ')
+
+ domain_auto_trans($1,cupsd_config_exec_t,cupsd_config_t)
+
+ allow $1 cupsd_config_t:fd use;
+ allow cupsd_config_t $1:fd use;
+ allow cupsd_config_t $1:fifo_file rw_file_perms;
+ allow cupsd_config_t $1:process sigchld;
+')
+
+########################################
+##
## Read cups-writable configuration files.
##
##
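Review bot: cups_domtrans_config documents its parameter as `The type of the process performing this action.` while this same commit rewrites dozens of interface descriptions in terminal.if and filesystem.if to `Domain allowed access.`; use the new wording here so the interface is not inconsistent the moment it lands. The rule set follows the existing domtrans pattern (compare hal_domtrans's `allow hald_t $1:fifo_file rw_file_perms;` and sigchld lines), so there is no functional concern.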
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index b3517f7..33ce8a0 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -661,7 +661,6 @@ optional_policy(`hal.te', `
')
allow hald_t cupsd_config_t:process signal;
- domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
')
# killall causes the following
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index ce2cfb9..f38f3bd 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -136,3 +136,7 @@ optional_policy(`rhgb.te',`
rhgb_domain(fingerd_t)
')
')
+
+# stop it accessing sub-directories, prevents checking a Maildir for new mail,
+# have to change this when we create a type for Maildir
+dontaudit fingerd_t user_home_t:dir search;
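Review bot: `dontaudit fingerd_t user_home_t:dir search;` references a userdomain-module type directly at the top level of finger.te, outside any interface, optional_policy or gen_require, which is exactly the coupling this commit replaces elsewhere (for example bluetooth's `userdom_search_all_users_home`). It also covers only the `user` prefix, so home directories of other per-role home types will keep producing the denials the comment wants silenced. Prefer a userdom interface that dontaudits search on all users' home content (adding one to userdomain.if if none exists) and keep the Maildir explanation as the call-site comment.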
diff --git a/refpolicy/policy/modules/services/ftp.if b/refpolicy/policy/modules/services/ftp.if
index 71042be..bf1c3dd 100644
--- a/refpolicy/policy/modules/services/ftp.if
+++ b/refpolicy/policy/modules/services/ftp.if
@@ -1,5 +1,40 @@
## File transfer protocol service
+#######################################
+##
+## The per user domain template for the ftp module.
+##
+##
+##
+## This template allows ftpd to manage files in
+## a user home directory, creating files with the
+## correct type.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+#
+template(`ftp_per_userdomain_template',`
+ gen_require(`
+ type ftpd_t;
+ ')
+
+ tunable_policy(`ftpd_is_daemon',`
+ userdom_manage_user_home_subdir_files($1,ftpd_t)
+ userdom_manage_user_home_subdir_symlinks($1,ftpd_t)
+ userdom_manage_user_home_subdir_sockets($1,ftpd_t)
+ userdom_manage_user_home_subdir_pipes($1,ftpd_t)
+ userdom_create_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ ')
+')
+
########################################
##
## Use ftp by connecting over TCP.
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 9577069..d19d772 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -97,6 +97,7 @@ auth_append_login_records(ftpd_t)
auth_write_login_records(ftpd_t)
corecmd_exec_bin(ftpd_t)
+corecmd_exec_sbin(ftpd_t)
# Execute /bin/ls (can comment this out for proftpd)
# also may need rules to allow tar etc...
corecmd_exec_ls(ftpd_t)
@@ -130,6 +131,17 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_pty(ftpd_t)
term_dontaudit_use_unallocated_tty(ftpd_t)
+
+ optional_policy(`ftp.te',`
+ tunable_policy(`ftpd_is_daemon',`
+ # cjp: fix this to use regular interfaces
+ userdom_manage_user_home_subdir_files(user,ftpd_t)
+ userdom_manage_user_home_subdir_symlinks(user,ftpd_t)
+ userdom_manage_user_home_subdir_sockets(user,ftpd_t)
+ userdom_manage_user_home_subdir_pipes(user,ftpd_t)
+ userdom_create_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ ')
+ ')
')
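Review bot: The new block wraps the home-directory rules in `optional_policy(`ftp.te',` inside ftp.te itself, where the guard is always true and only suggests a dependency that does not exist. This commit also adds ftp_per_userdomain_template in ftp.if containing exactly these five rules under the same `ftpd_is_daemon` tunable, so the targeted branch can simply call `ftp_per_userdomain_template(user)`, removing the duplicate and the `# cjp: fix this to use regular interfaces` note together. If the template cannot be invoked from the module's own .te for some reason, say so in the comment rather than leaving a self-referential optional_policy.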
tunable_policy(`allow_ftpd_anon_write',`
@@ -213,13 +225,4 @@ ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(ftpd_t)
')
-
-# cjp: this was in base user macro, but we cannot
-# use typeattribute ftpd_t privhome; interface
-# since typeattribute doesnt work in conditionals
-ifdef(`ftpd.te' , `
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')
')
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
index 68f262d..ca45cde 100644
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@@ -20,3 +20,20 @@ interface(`hal_domtrans',`
allow hald_t $1:fifo_file rw_file_perms;
allow hald_t $1:process sigchld;
')
+
+########################################
+##
+## Send to hal over a unix domain
+## datagram socket.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`hal_dgram_sendto',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:unix_dgram_socket sendto;
+')
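Review bot: hal_dgram_sendto is added without a caller in this commit; the only related rule visible, `allow udev_t hald_t:unix_dgram_socket sendto;` in hal.te, remains inside `ifdef(`TODO',` under `optional_policy(`hald.te',`, and since the module file is hal.te that guard name can never match. The rule belongs in udev.te as `optional_policy(`hal.te',` hal_dgram_sendto(udev_t) `)` with the TODO copy removed; otherwise the new interface is dead policy. udev.te is not in this diff, so I cannot confirm whether such a call already exists.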
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 6c80d20..725485c 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -125,6 +125,16 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(hald_t)
')
+optional_policy(`apm.te',`
+ # For /usr/libexec/hald-addon-acpi
+ # writes to /var/run/acpid.socket
+ apm_stream_connect(hald_t)
+')
+
+optional_policy(`cups.te',`
+ cups_domtrans_config(hald_t)
+')
+
optional_policy(`dbus.te',`
allow hald_t self:dbus send_msg;
dbus_system_bus_client_template(hald,hald_t)
@@ -181,12 +191,6 @@ allow hald_t device_t:dir create_dir_perms;
optional_policy(`hald.te',`
allow udev_t hald_t:unix_dgram_socket sendto;
')
-
-# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
-ifdef(`apmd.te', `
-allow hald_t apmd_var_run_t:sock_file write;
-allow hald_t apmd_t:unix_stream_socket connectto;
-')
') dnl end TODO
ifdef(`targeted_policy', `
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 11b1b03..83655c1 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -86,6 +86,8 @@ term_dontaudit_use_console(innd_t)
corecmd_exec_bin(innd_t)
corecmd_exec_shell(innd_t)
+corecmd_search_sbin(innd_t)
+corecmd_read_sbin_symlink(innd_t)
domain_use_wide_inherit_fd(innd_t)
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index 3e3613b..8687b89 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -51,6 +51,9 @@ optional_policy(`apache.te',`
apache_sigchld(mailman_cgi_t)
apache_use_fd(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
+
+ # FIXME:
+ allow mailman_cgi_t httpd_sys_script_t:dir search;
')
########################################
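Review bot: The new `allow mailman_cgi_t httpd_sys_script_t:dir search;` names a type owned by the apache module directly, so it bypasses the apache.if interface layer that the surrounding `apache_*` calls use, and the bare `# FIXME:` above it does not say what is pending. A later reader needs the reason spelled out, e.g. `# FIXME: replace with an apache.if interface; raw use of httpd_sys_script_t bypasses module encapsulation`. The same raw cross-module types appear elsewhere in this commit: mta.te (`sysadm_t`, `postfix_*_t`, `system_crond_tmp_t`), snmp.te (`rpc_pipefs_t`, `var_lib_nfs_t`), fstools.te (`tmpfs_t`, `ramfs_t`), libraries.te (`httpd_modules_t`), selinuxutil.te (`kernel_t`) and ppp.te (`postfix_*_t`, `initrc_t`).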
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 5334c09..d85e550 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -191,6 +191,9 @@ optional_policy(`postfix.te',`
optional_policy(`crond.te',`
cron_crw_tcp_socket(system_mail_t)
')
+
+ allow mta_user_agent sysadm_t:fifo_file { read write };
+ type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;
')
optional_policy(`sendmail.te',`
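Review bot: The added `type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;` is on object class `dir`, so only directories created by postfix_master_t under postfix_etc_t receive the aliases label; if the intent is the aliases database files, `file` is the class to transition on — confirm against what postfix actually creates there. Writing a rule for postfix's own domain and config type from mta.te also moves ownership away from where those types live; a postfix.if interface taking the target type would keep it in place. The `allow mta_user_agent sysadm_t:fifo_file { read write };` likewise reaches into the userdomain module and would normally be a `userdom_*` call. The enclosing postfix optional_policy block starts above the hunk.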
@@ -230,10 +233,13 @@ optional_policy(`qmail.te',`
allow system_mail_t qmail_etc_t:dir search;
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
')
+') dnl end TODO
+
+allow mta_user_agent system_crond_tmp_t:file { read getattr };
optional_policy(`arpwatch.te',`
# why is mail delivered to a directory of type arpwatch_data_t?
- arpwatch_search_data_dir(mta_delivery_agent)
+ arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(system_mail_t)
arpwatch_manage_tmp_files(mta_user_agent)
ifdef(`hide_broken_symptoms', `
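Review bot: `allow mta_user_agent system_crond_tmp_t:file { read getattr };` is now unconditional at file scope, outside both the TODO block it was lifted from and any `optional_policy(`crond.te',...)`, so the policy presumably no longer builds when the crond module is not included, since the type would be undefined. Wrap it in the crond optional block and prefer a cron interface for the access so mta.te does not name crond's private type. The rename to `arpwatch_search_data(mailserver_delivery)` looks fine; the arpwatch optional_policy block continues past the end of the hunk.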
@@ -241,5 +247,3 @@ optional_policy(`arpwatch.te',`
arpwatch_dontaudit_rw_packet_socket(mta_user_agent)
')
')
-
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 2451eb2..649d341 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -204,3 +204,54 @@ interface(`nis_tcp_connect_ypbind',`
allow ypbind_t $1:tcp_socket { acceptfrom recvfrom };
allow $1 kernel_t:tcp_socket recvfrom;
')
+
+########################################
+##
+## Read ypbind pid files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`nis_read_ypbind_pid',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ypbind_t:file r_file_perms;
+')
+
+########################################
+##
+## Delete ypbind pid files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`nis_delete_ypbind_pid',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ # TODO: add delete pid from dir call to files
+ allow $1 ypbind_t:file unlink;
+')
+
+########################################
+##
+## Read ypserv configuration files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`nis_read_ypserv_config',`
+ gen_require(`
+ type ypserv_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ypserv_t:file { getattr read };
+')
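Review bot: `nis_read_ypbind_pid` and `nis_delete_ypbind_pid` grant access to `ypbind_t:file`, which is the daemon's process domain rather than its pid file type; the rule these interfaces replace in sysnetwork.te (`allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };`, removed further down this page) targeted `ypbind_var_run_t`, so the new callers `nis_read_ypbind_pid(dhcpc_t)` / `nis_delete_ypbind_pid(dhcpc_t)` lose the access they had. The gen_require should declare `type ypbind_var_run_t;` and the rules become `allow $1 ypbind_var_run_t:file r_file_perms;` and `allow $1 ypbind_var_run_t:file unlink;`. `nis_read_ypserv_config` has the same shape: `allow $1 ypserv_t:file { getattr read };` reads files labelled with the process type, so the rpc.te caller `nis_read_ypserv_config(rpcd_t)` likely does not get what it needs — confirm the intended configuration type, which is not visible in this diff.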
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 559589e..afeff3e 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -90,6 +90,7 @@ selinux_compute_user_contexts(nscd_t)
domain_use_wide_inherit_fd(nscd_t)
files_read_etc_files(nscd_t)
+files_read_generic_tmp_symlinks(nscd_t)
init_use_fd(nscd_t)
init_use_script_pty(nscd_t)
@@ -126,6 +127,7 @@ optional_policy(`nis.te',`
optional_policy(`samba.te',`
samba_connect_winbind(nscd_t)
+ samba_search_var(nscd_t)
')
optional_policy(`udev.te', `
@@ -133,13 +135,7 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-optional_policy(`winbind.te', `
- allow nscd_t samba_var_t:dir search;
-')
optional_policy(`rhgb.te',`
rhgb_domain(nscd_t)
')
-
-allow nscd_t tmp_t:dir { search getattr };
-allow nscd_t tmp_t:lnk_file read;
') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 524fcc3..748c48e 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -112,6 +112,7 @@ miscfiles_read_localization(ntpd_t)
sysnet_read_config(ntpd_t)
userdom_dontaudit_use_unpriv_user_fd(ntpd_t)
+userdom_list_sysadm_home_dir(ntpd_t)
userdom_dontaudit_list_sysadm_home_dir(ntpd_t)
ifdef(`targeted_policy', `
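Review bot: `userdom_list_sysadm_home_dir(ntpd_t)` directly above `userdom_dontaudit_list_sysadm_home_dir(ntpd_t)` allows and dontaudits the same access, so the dontaudit line is now dead and a reader cannot tell which one is intended. If ntpd genuinely needs to list the sysadm home directory, drop the dontaudit and state the reason, e.g. `# ntpd lists the sysadm home dir: TODO name the invocation that needs this`; if the goal was only to silence denials, keep the dontaudit and drop the new allow. Giving a network daemon directory listing in an admin home is a widening that deserves a written justification.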
@@ -145,6 +146,12 @@ optional_policy(`nscd.te',`
nscd_use_socket(ntpd_t)
')
+optional_policy(`samba.te',`
+ # cjp: the connect was previously missing
+ # so it might be ok to drop this
+ samba_connect_winbind(ntpd_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(ntpd_t)
')
@@ -162,9 +169,4 @@ allow sysadm_t ntpd_t:udp_socket recvfrom;
allow sysadm_t ntpd_t:udp_socket sendto;
allow ntpd_t sysadm_t:udp_socket recvfrom;
-
-ifdef(`winbind.te', `
-allow ntpd_t winbind_var_run_t:dir r_dir_perms;
-allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
-')
') dnl end TODO
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index c9dcd28..1f4c4db 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -200,6 +200,11 @@ sysnet_read_config(portmap_helper_t)
userdom_dontaudit_use_all_user_fd(portmap_helper_t)
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(portmap_helper_t)
+ term_dontaudit_use_generic_pty(portmap_helper_t)
+')
+
optional_policy(`mount.te',`
mount_send_nfs_client_request(portmap_helper_t)
')
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index e7ddccc..e589926 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -93,6 +93,8 @@ allow postfix_master_t self:fifo_file rw_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t postfix_etc_t:file rw_file_perms;
+
can_exec(postfix_master_t,postfix_exec_t)
allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
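Review bot: `allow postfix_master_t postfix_etc_t:file rw_file_perms;` lets the master daemon modify its own configuration, which turns any flaw in the master into a policy-sanctioned persistent config change, and nothing says which operation needs the write. If only one file or one utility needs it, narrow the rule to that; otherwise add a why-comment above it, e.g. `# master needs write access to its config: TODO state which operation`, so the widening from read to read/write is traceable.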
@@ -333,6 +335,7 @@ allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
files_create_tmp_files(postfix_map_t, postfix_map_tmp_t, { file dir })
kernel_read_kernel_sysctl(postfix_map_t)
+kernel_dontaudit_list_proc(postfix_map_t)
corenet_tcp_sendrecv_all_if(postfix_map_t)
corenet_udp_sendrecv_all_if(postfix_map_t)
@@ -463,6 +466,11 @@ optional_policy(`crond.te',`
cron_rw_system_job_pipe(postfix_postdrop_t)
')
+optional_policy(`ppp.te',`
+ ppp_use_fd(postfix_postqueue_t)
+ ppp_sigchld(postfix_postqueue_t)
+')
+
#######################################
#
# Postfix postqueue local policy
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index 5c19d7f..fd1de40 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -212,12 +212,4 @@ ifdef(`distro_gentoo', `
postgresql_search_db_dir(initrc_su_t)
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
')
-
-# Goes to apache.te:
-# Allow httpd to work with postgresql
-optional_policy(`postgresql.te', `
- # Original policy had apache connecting to postgresql_tmp_t:sock_file
- # instead of what is assumed to be correct: postgresql_var_run_t. -Don
- postgresql_unix_connect(httpd_t)
-')
')
diff --git a/refpolicy/policy/modules/services/ppp.if b/refpolicy/policy/modules/services/ppp.if
index 88c7fba..aa5e4d9 100644
--- a/refpolicy/policy/modules/services/ppp.if
+++ b/refpolicy/policy/modules/services/ppp.if
@@ -18,6 +18,23 @@ interface(`ppp_use_fd',`
########################################
##
+## Do not audit attempts to inherit
+## and use PPP file discriptors.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`ppp_dontaudit_use_fd',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ dontaudit $1 pppd_t:fd use;
+')
+
+########################################
+##
## Allow domain to send sigchld to parent of PPP domain type.
##
##
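Review bot: The new summary text reads `## and use PPP file discriptors.`; `discriptors` should be `descriptors`, and this line is what ends up in the generated interface documentation. Otherwise `ppp_dontaudit_use_fd` follows the shape of the existing `ppp_use_fd` that precedes it.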
@@ -35,7 +52,7 @@ interface(`ppp_sigchld',`
########################################
##
-## Allow domain to send a signal to PPP domain type.
+## Send a generic signal to PPP.
##
##
## Domain allowed access.
@@ -51,6 +68,22 @@ interface(`ppp_signal',`
########################################
##
+## Send a SIGCHLD signal to PPP.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`ppp_sigchld',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process sigchld;
+')
+
+########################################
+##
## Execute domain in the ppp domain.
##
##
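Review bot: A second `interface(`ppp_sigchld',`` is added here, while the previous hunk's header (`@@ -35,7 +52,7 @@ interface(`ppp_sigchld',``) shows an interface of that name already defined earlier in this file, documented as sending sigchld to the parent of the PPP domain. Interfaces are m4 macros, so the later definition presumably replaces the earlier one silently and every existing caller changes meaning without a build error. Either rename the new one (its rule is `allow $1 pppd_t:process sigchld;`, i.e. the caller signals pppd) or merge the two into one interface with a single documented direction; the new callers in postfix.te (`ppp_sigchld(postfix_postqueue_t)`) need the direction that replaces the removed `ppp_signal_daemon` call.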
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 8734731..cb55c54 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -107,9 +107,8 @@ allow pppd_t pppd_secret_t:file r_file_perms;
# Automatically label newly created files under /etc/ppp with this type
type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
-kernel_list_proc(pppd_t)
kernel_read_kernel_sysctl(pppd_t)
-kernel_read_proc_symlinks(pppd_t)
+kernel_read_system_state(pppd_t)
kernel_read_net_sysctl(pppd_t)
kernel_read_network_state(pppd_t)
kernel_load_module(pppd_t)
@@ -318,23 +317,22 @@ optional_policy(`udev.te',`
')
ifdef(`TODO',`
-ifdef(`postfix.te', `
- allow pppd_t postfix_etc_t:dir search;
- allow pppd_t postfix_etc_t:file r_file_perms;
- allow pppd_t postfix_master_exec_t:file { getattr read };
-
- ppp_use_fd(postfix_postqueue_t)
- ppp_signal_daemon(postfix_postqueue_t)
-')
optional_policy(`rhgb.te',`
rhgb_domain(pppd_t)
')
optional_policy(`rhgb.te',`
rhgb_domain(pptp_t)
')
-ifdef(`named.te', `
- dontaudit ndc_t pppd_t:fd use;
')
-domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
+ifdef(`postfix.te', `
+ allow pppd_t postfix_etc_t:dir search;
+ allow pppd_t postfix_etc_t:file r_file_perms;
+ allow pppd_t postfix_master_exec_t:file { getattr read };
')
+
+domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
+allow pppd_t initrc_t:fd use;
+allow initrc_t pppd_t:fd use;
+allow initrc_t pppd_t:fifo_file rw_file_perms;
+allow initrc_t pppd_t:process sigchld;
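Review bot: `domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)` plus the four raw `initrc_t` rules below it hand-roll a transition into the init-script domain, while init.if (touched in this same commit) already carries `init_domtrans_script`; using that interface keeps the fd/fifo/sigchld back-channel defined in one place and avoids naming initrc_t in ppp.te — confirm it grants the same set before swapping. The postfix rules lifted out of the TODO block are still under `ifdef(`postfix.te',` with raw `postfix_etc_t` / `postfix_master_exec_t` types; `optional_policy(`postfix.te',` with postfix.if read interfaces is the form the rest of this file uses (see the udev block at the hunk header). The `ifdef(`TODO',` block starts above the hunk.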
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index b8ad337..c07e206 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -76,6 +76,7 @@ auth_read_shadow(radiusd_t)
corecmd_exec_bin(radiusd_t)
corecmd_exec_shell(radiusd_t)
+corecmd_search_sbin(radiusd_t)
domain_use_wide_inherit_fd(radiusd_t)
diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te
index 17d8e1e..abc611e 100644
--- a/refpolicy/policy/modules/services/rlogin.te
+++ b/refpolicy/policy/modules/services/rlogin.te
@@ -87,6 +87,7 @@ seutil_dontaudit_search_config(rlogind_t)
sysnet_read_config(rlogind_t)
+userdom_setattr_unpriv_user_pty(rlogind_t)
# cjp: this is egregious
userdom_read_all_user_files(rlogind_t)
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index c67e85b..b8ade12 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -62,13 +62,17 @@ files_manage_mounttab(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
-# FIXME
-dontaudit userdomain exports_t:file getattr;
-
ifdef(`distro_redhat',`
allow rpcd_t self:capability { chown dac_override setgid setuid };
')
+optional_policy(`nis.te',`
+ nis_read_ypserv_config(rpcd_t)
+')
+
+# FIXME
+dontaudit userdomain exports_t:file getattr;
+
########################################
#
# NFSD local policy
@@ -132,9 +136,9 @@ fs_read_rpc_dirs(gssd_t)
fs_read_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
-files_read_tmp(gssd_t)
-files_read_tmp_files(gssd_t)
-files_read_tmp_symlinks(gssd_t)
+files_list_tmp(gssd_t)
+files_read_generic_tmp_files(gssd_t)
+files_read_generic_tmp_symlinks(gssd_t)
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_user_tmp(gssd_t)
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
index 5ab132e..d5c5711 100644
--- a/refpolicy/policy/modules/services/rshd.te
+++ b/refpolicy/policy/modules/services/rshd.te
@@ -74,8 +74,8 @@ tunable_policy(`use_nfs_home_dirs',`
')
tunable_policy(`use_samba_home_dirs',`
- fs_read_nfs_files(rshd_t)
- fs_read_nfs_symlinks(rshd_t)
+ fs_read_cifs_files(rshd_t)
+ fs_read_cifs_symlinks(rshd_t)
')
optional_policy(`kerberos.te',`
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index d28ba60..3e9a0a5 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -197,6 +197,24 @@ interface(`samba_read_secrets',`
########################################
##
+## Allow the specified domain to search
+## samba /var directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`samba_search_var',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+')
+
+########################################
+##
## Allow the specified domain to write to smbmount tcp sockets.
##
##
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 7702c76..47e8ead 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -233,6 +233,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
+dev_dontaudit_getattr_usbfs_dir(smbd_t)
fs_getattr_all_fs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 45b81a3..b5cfae2 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -146,6 +146,15 @@ ifdef(`TODO',`
can_udp_send(sysadm_t, snmpd_t)
can_udp_send(snmpd_t, sysadm_t)
+optional_policy(`cupsd.te', `
+ allow snmpd_t cupsd_rw_etc_t:file { getattr read };
+')
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(snmpd_t)
+')
+') dnl end TODO
+
ifdef(`distro_redhat', `
optional_policy(`rpm.te', `
dontaudit snmpd_t rpm_var_lib_t:dir write;
@@ -153,20 +162,9 @@ ifdef(`distro_redhat', `
')
')
-dontaudit snmpd_t rpc_pipefs_t:dir getattr;
-allow snmpd_t rpc_pipefs_t:dir getattr;
-
optional_policy(`amanda.te', `
dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
')
-optional_policy(`cupsd.te', `
- allow snmpd_t cupsd_rw_etc_t:file { getattr read };
-')
-
+allow snmpd_t rpc_pipefs_t:dir getattr;
allow snmpd_t var_lib_nfs_t:dir search;
-
-optional_policy(`rhgb.te',`
- rhgb_domain(snmpd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index 1ec9f1a..f872211 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -37,6 +37,7 @@ dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
allow spamd_t self:fifo_file rw_file_perms;
+allow spamd_t self:sock_file r_file_perms;
allow spamd_t self:shm create_shm_perms;
allow spamd_t self:sem create_sem_perms;
allow spamd_t self:msgq create_msgq_perms;
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 6bc464a..ee6fd72 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -262,16 +262,22 @@ ifdef(`xdm.te', `
allow system_chkpwd_t self:capability setuid;
allow system_chkpwd_t self:process getattr;
+allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow system_chkpwd_t shadow_t:file { getattr read };
# is_selinux_enabled
kernel_read_system_state(system_chkpwd_t)
+dev_read_rand(system_chkpwd_t)
+dev_read_urand(system_chkpwd_t)
+
fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
term_dontaudit_use_unallocated_tty(system_chkpwd_t)
+corecmd_search_sbin(system_chkpwd_t)
+
domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)
files_read_etc_files(system_chkpwd_t)
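Review bot: `allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` gives the password-check helper the ability to emit user-space audit records (nlmsg_relay) with no comment on why; that is a sensitive permission, since whatever it sends lands in the audit trail that incident responders rely on. Add a one-line reason above it, e.g. `# nlmsg_relay: helper reports the authentication outcome to the audit subsystem (TODO confirm code path)`, and if a logging interface covering audit messages exists, prefer it over the raw self rule so the permission set stays consistent across domains. The new `dev_read_rand` / `dev_read_urand` calls likewise deserve a word on what consumes the randomness.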
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 2853222..ff622fa 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -61,7 +61,7 @@ logging_send_syslog_msg(hwclock_t)
miscfiles_read_localization(hwclock_t)
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(hwclock_t)
term_dontaudit_use_generic_pty(hwclock_t)
files_dontaudit_read_root_file(hwclock_t)
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 821170f..a1b9b4e 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -54,7 +54,7 @@ interface(`corecmd_list_bin',`
## Get the attributes of files in bin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_getattr_bin_file',`
@@ -71,7 +71,7 @@ interface(`corecmd_getattr_bin_file',`
## Read files in bin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_bin_file',`
@@ -90,7 +90,7 @@ interface(`corecmd_read_bin_file',`
## Read symbolic links in bin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_bin_symlink',`
@@ -109,7 +109,7 @@ interface(`corecmd_read_bin_symlink',`
## Read pipes in bin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_bin_pipe',`
@@ -128,7 +128,7 @@ interface(`corecmd_read_bin_pipe',`
## Read named sockets in bin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_bin_socket',`
@@ -183,7 +183,7 @@ interface(`corecmd_exec_bin',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The type of the new process.
@@ -259,7 +259,7 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
## Read files in sbin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_sbin_file',`
@@ -278,7 +278,7 @@ interface(`corecmd_read_sbin_file',`
## Read symbolic links in sbin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_sbin_symlink',`
@@ -297,7 +297,7 @@ interface(`corecmd_read_sbin_symlink',`
## Read named pipes in sbin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_sbin_pipe',`
@@ -316,7 +316,7 @@ interface(`corecmd_read_sbin_pipe',`
## Read named sockets in sbin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_sbin_socket',`
@@ -371,7 +371,7 @@ interface(`corecmd_exec_sbin',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The type of the new process.
@@ -391,6 +391,24 @@ interface(`corecmd_sbin_domtrans',`
')
########################################
+##
+## Check if a shell is executable (DAC-wise).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`corecmd_check_exec_shell',`
+ gen_require(`
+ type bin_t, shell_exec_t;
+ ')
+
+ allow $1 bin_t:dir r_dir_perms;
+ allow $1 bin_t:lnk_file r_file_perms;
+ allow $1 shell_exec_t:file execute;
+')
+
+########################################
#
# corecmd_exec_shell(domain)
#
@@ -441,7 +459,7 @@ interface(`corecmd_exec_ls',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The type of the shell process.
@@ -475,7 +493,7 @@ interface(`corecmd_shell_spec_domtrans',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The type of the shell process.
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 6bfabae..c7b547c 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -2067,13 +2067,12 @@ interface(`files_search_tmp',`
## The type of the process performing this action.
##
#
-interface(`files_read_tmp',`
+interface(`files_list_tmp',`
gen_require(`
type tmp_t;
- class dir r_dir_perms;
')
- allow $1 tmp_t:dir r_dir_perms;
+ allow $1 tmp_t:dir list_dir_perms;
')
########################################
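Review bot: `files_read_tmp` becomes `files_list_tmp` here, and the next two hunks rename `files_read_tmp_files` / `files_read_tmp_symlinks` to the `_generic_` forms, but only the gssd_t calls in rpc.te are updated on this page; any other caller of the three old names would now fail to expand, so a tree-wide search for them is worth doing before merging. The parameter text above the renamed interface still reads `## The type of the process performing this action.` while corecommands.if and init.if in this same commit normalise that to `## Domain allowed access.`, so this rewrite is the natural place to do the same. The interface's documentation header and summary line start above the hunk and are not visible here.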
@@ -2084,12 +2083,12 @@ interface(`files_read_tmp',`
## The type of the process performing this action.
##
#
-interface(`files_read_tmp_files',`
+interface(`files_read_generic_tmp_files',`
gen_require(`
type tmp_t;
- class file r_file_perms;
')
+ allow $1 tmp_t:dir search_dir_perms;
allow $1 tmp_t:file r_file_perms;
')
@@ -2101,12 +2100,12 @@ interface(`files_read_tmp_files',`
## The type of the process performing this action.
##
#
-interface(`files_read_tmp_symlinks',`
+interface(`files_read_generic_tmp_symlinks',`
gen_require(`
type tmp_t;
- class lnk_file r_file_perms;
')
+ allow $1 tmp_t:dir search_dir_perms;
allow $1 tmp_t:lnk_file r_file_perms;
')
@@ -2339,7 +2338,7 @@ interface(`files_dontaudit_search_src',`
type src_t;
')
- allow $1 src_t:dir search;
+ dontaudit $1 src_t:dir search;
')
########################################
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 8efec44..7439c4d 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -28,6 +28,7 @@ allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_file_perms;
+allow fsadm_t self:sock_file r_file_perms;
allow fsadm_t self:unix_dgram_socket create_socket_perms;
allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
allow fsadm_t self:unix_dgram_socket sendto;
@@ -133,6 +134,11 @@ seutil_read_config(fsadm_t)
userdom_use_unpriv_users_fd(fsadm_t)
+ifdef(`targeted_policy',`
+ term_use_unallocated_tty(fsadm_t)
+ term_use_generic_pty(fsadm_t)
+')
+
tunable_policy(`read_default_t',`
files_list_default(fsadm_t)
files_read_default_files(fsadm_t)
@@ -151,7 +157,8 @@ optional_policy(`nis.te',`
')
ifdef(`TODO',`
-allow fsadm_t tmpfs_t:file { read write };
-allow fsadm_t ramfs_t:fifo_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
') dnl end TODO
+
+allow fsadm_t tmpfs_t:file { read write };
+allow fsadm_t ramfs_t:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 7c2b7ea..5821b22 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -113,5 +113,5 @@ optional_policy(`ppp.te',`
')
optional_policy(`udev.te',`
- udev_read_db(system_dbusd_t)
+ udev_read_db(getty_t)
')
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 666ed22..c39d43a 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -14,7 +14,7 @@ init_daemon_domain(hotplug_t,hotplug_exec_t)
type hotplug_etc_t;
files_config_file(hotplug_etc_t)
kernel_search_from(hotplug_etc_t)
-domain_entry_file(hotplug_t,hotplug_etc_t)
+init_daemon_domain(hotplug_t,hotplug_etc_t)
type hotplug_var_run_t;
files_pid_file(hotplug_var_run_t)
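Review bot: `init_daemon_domain(hotplug_t,hotplug_etc_t)` replaces `domain_entry_file`, so the type that `files_config_file(hotplug_etc_t)` two lines up declares as configuration is now also an init-launched entry point into hotplug_t, on top of the `init_daemon_domain(hotplug_t,hotplug_exec_t)` call visible at the hunk header. If the intent is that the agent scripts kept alongside the config run as the daemon, say so, e.g. `# hotplug agent scripts live under the config dir and are entered as hotplug_t`, and consider a dedicated exec type so that write access to the config type does not also mean supplying code that init will run in the daemon domain. Whether calling `init_daemon_domain` twice for one domain is harmless depends on what the interface expands to, which is not visible here.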
@@ -150,6 +150,10 @@ optional_policy(`fstools.te',`
fstools_domtrans(hotplug_t)
')
+optional_policy(`hal.te',`
+ hal_dgram_sendto(hotplug_t)
+')
+
optional_policy(`hostname.te',`
hostname_exec(hotplug_t)
')
@@ -207,7 +211,4 @@ rhgb_domain(hotplug_t)
dontaudit hotplug_t { init_t kernel_t }:file read;
-optional_policy(`hald.te', `
- allow hotplug_t hald_t:unix_dgram_socket sendto;
-')
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 4c92dfa..3a9e940 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -346,7 +346,7 @@ interface(`init_dontaudit_use_fd',`
## Send UDP network traffic to init.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_udp_sendto',`
@@ -392,7 +392,7 @@ interface(`init_domtrans_script',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The role to be performing this action.
@@ -415,6 +415,22 @@ interface(`init_run_daemon',`
########################################
##
+## Write an init script unnamed pipe.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`init_write_script_pipe',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fifo_file write;
+')
+
+########################################
+##
## Allow the specified domain to connect to
## init scripts with a unix domain stream socket.
##
@@ -484,7 +500,7 @@ interface(`init_exec_script',`
## Read the process state (/proc/pid) of the init scripts.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_read_script_process_state',`
@@ -552,7 +568,7 @@ interface(`init_get_script_process_group',`
## Send SIGCHLD signals to init scripts.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_sigchld_script',`
@@ -568,7 +584,7 @@ interface(`init_sigchld_script',`
## Read and write init script unnamed pipes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_rw_script_pipe',`
@@ -585,7 +601,7 @@ interface(`init_rw_script_pipe',`
## Send UDP network traffic to init scripts.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_udp_sendto_script',`
@@ -629,7 +645,7 @@ interface(`init_unix_connect_script',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_use_script_pty',`
@@ -663,7 +679,7 @@ interface(`init_dontaudit_use_script_pty',`
## Read init scripts.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_read_script_file',`
@@ -681,7 +697,7 @@ interface(`init_read_script_file',`
## Read and write init script temporary data.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_rw_script_tmp_files',`
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 23cd161..44d9301 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -366,6 +366,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
modutils_read_module_conf(initrc_t)
+modutils_domtrans_insmod(initrc_t)
seutil_read_config(initrc_t)
@@ -480,7 +481,6 @@ optional_policy(`bind.te',`
# Allow init script to cp localtime to named_conf_t
bind_write_config(initrc_t)
')
-
')
optional_policy(`bluetooth.te',`
@@ -488,7 +488,7 @@ optional_policy(`bluetooth.te',`
')
optional_policy(`cpucontrol.te',`
- cpucontrol_stub()
+ cpucontrol_stub(initrc_t)
dev_getattr_cpu(initrc_t)
')
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index f226777..3ff19d7 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -95,9 +95,7 @@ ifdef(`targeted_policy',`
unconfined_domain_template(ldconfig_t)
')
-ifdef(`TODO',`
optional_policy(`apache.te',`
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
dontaudit ldconfig_t httpd_modules_t:dir search;
')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 750f9b5..075a824 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -41,6 +41,7 @@ allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrli
allow local_login_t self:process { setrlimit setexec };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_file_perms;
+allow local_login_t self:sock_file r_file_perms;
allow local_login_t self:unix_dgram_socket create_socket_perms;
allow local_login_t self:unix_stream_socket create_stream_socket_perms;
allow local_login_t self:unix_dgram_socket sendto;
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 77e6b6e..3d3f9bb 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -229,6 +229,8 @@ logging_send_syslog_msg(klogd_t)
miscfiles_read_localization(klogd_t)
+userdom_dontaudit_search_sysadm_home_dir(klogd_t)
+
optional_policy(`udev.te', `
udev_read_db(klogd_t)
')
@@ -238,6 +240,10 @@ ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(klogd_t)
')
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(klogd_t)
+')
+
########################################
#
# syslogd local policy
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index 29a53bc..11724cd 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -36,7 +36,7 @@ interface(`modutils_read_module_conf',`
files_search_etc($1)
bootloader_search_boot($1)
- allow $1 modules_conf_t:file r_file_perms;
+ allow $1 modules_conf_t:{ file lnk_file } r_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 5613a7a..e74fc19 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -16,7 +16,6 @@ files_type(modules_dep_t)
type insmod_t;
type insmod_exec_t;
-kernel_userland_entry(insmod_t,insmod_exec_t)
init_system_domain(insmod_t,insmod_exec_t)
mls_file_write_down(insmod_t)
role system_r types insmod_t;
@@ -110,6 +109,10 @@ logging_search_logs(insmod_t)
miscfiles_read_localization(insmod_t)
+if( ! secure_mode_insmod ) {
+ kernel_userland_entry(insmod_t,insmod_exec_t)
+}
+
ifdef(`hide_broken_symptoms',`
dev_dontaudit_rw_cardmgr(insmod_t)
')
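Review bot: `if( ! secure_mode_insmod ) { kernel_userland_entry(insmod_t,insmod_exec_t) }` is written as a raw policy conditional, whereas booleans elsewhere in this commit go through `tunable_policy(`...',`...')` (see the `allow_gssd_read_tmp` block in rpc.te and `read_default_t` in fstools.te); `tunable_policy(`!secure_mode_insmod',` would match the file's convention. Interface calls inside a conditional only work if everything they expand to is permitted there — the comment removed at the top of this page notes that typeattribute is not — so confirm kernel_userland_entry contains nothing of that kind. Moving the entry rule under the boolean is the right direction: with secure_mode_insmod on, the kernel can no longer enter insmod_t at all.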
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if
index c86414e..3f9ca2f 100644
--- a/refpolicy/policy/modules/system/pcmcia.if
+++ b/refpolicy/policy/modules/system/pcmcia.if
@@ -2,6 +2,20 @@
########################################
##
+## PCMCIA stub interface. No access allowed.
+##
+##
+## N/A
+##
+#
+interface(`pcmcia_stub',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+')
+
+########################################
+##
## Execute cardmgr in the cardmgr domain.
##
##
@@ -99,6 +113,7 @@ interface(`pcmcia_read_pid',`
files_search_pids($1)
allow $1 cardmgr_var_run_t:dir r_dir_perms;
allow $1 cardmgr_var_run_t:file r_file_perms;
+ allow $1 cardmgr_var_run_t:lnk_file { getattr read };
')
########################################
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 982dded..0fd52e0 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -202,6 +202,7 @@ allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
allow newrole_t self:fifo_file rw_file_perms;
+allow newrole_t self:sock_file r_file_perms;
allow newrole_t self:shm create_shm_perms;
allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms;
@@ -242,6 +243,9 @@ term_relabel_all_user_ptys(newrole_t)
auth_domtrans_chk_passwd(newrole_t)
+corecmd_list_bin(newrole_t)
+corecmd_read_bin_symlink(newrole_t)
+
domain_use_wide_inherit_fd(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_wide_inherit_fd(newrole_t)
@@ -251,6 +255,7 @@ init_rw_script_pid(newrole_t)
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
+files_read_var_symlink(newrole_t)
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
@@ -377,6 +382,8 @@ domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
')
') dnl endif TODO
+allow restorecon_t kernel_t:unix_dgram_socket { read write };
+
#################################
#
# Run_init local policy
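Review bot: `allow restorecon_t kernel_t:unix_dgram_socket { read write };` references kernel_t directly from selinuxutil.te instead of going through a kernel-module interface, and it has no comment explaining which socket is meant. The only plausible source visible here is a datagram socket inherited from an early-boot caller still running as kernel_t, but that is inference; please record the actual reason, e.g. `# inherited unix dgram socket from an early-boot (kernel_t) caller -- confirm`, and if kernel.if offers an interface for this access, use it so the rule follows the interface-based style of the neighbouring rules in this file. The restorecon policy section this rule is appended to starts outside the hunk, so I cannot see whether an equivalent rule already exists there.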
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 07b155f..507905c 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -206,6 +206,9 @@ optional_policy(`netutils.te',`
optional_policy(`nis.te',`
nis_use_ypbind(dhcpc_t)
nis_signal_ypbind(dhcpc_t)
+ nis_read_ypbind_pid(dhcpc_t)
+ nis_delete_ypbind_pid(dhcpc_t)
+
# dhclient sometimes starts ypbind
init_exec_script(dhcpc_t)
nis_domtrans_ypbind(dhcpc_t)
@@ -222,6 +225,11 @@ optional_policy(`ntp.te',`
ntp_domtrans(dhcpc_t)
')
+optional_policy(`pcmcia.te',`
+ pcmcia_stub(dhcpc_t)
+ dev_rw_cardmgr(dhcpc_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
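Review bot: `dev_rw_cardmgr(dhcpc_t)` gives the DHCP client read/write access to the cardmgr device, and nothing in the hunk says why a DHCP client needs that; the `ifdef(`cardmgr.te'` TODO block it replaces (removed further down in this file) carried the same `{ read write }` access, also without a reason. A why-comment is warranted here, and it should make clear that `pcmcia_stub(dhcpc_t)` only ties the block to the pcmcia module being present while the access itself comes from the devices module, e.g. `# <reason dhclient needs the cardmgr device>; pcmcia_stub only makes this conditional on the pcmcia module`. If the need is narrower than read and write, the devices module's read-only variant would be preferable.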
@@ -236,27 +244,6 @@ optional_policy(`userdomain.te',`
')
ifdef(`TODO',`
-ifdef(`cardmgr.te',`
-allow dhcpc_t cardmgr_dev_t:chr_file { read write };
-')
-
-ifdef(`ypbind.te',`
-allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
-')
-
-ifdef(`dbusd.te', `
-dbusd_client(system, dhcpc)
-domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
-allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow dhcpc_t self:dbus send_msg;
-allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t dhcpc_t:dbus send_msg;
-allow dhcpc_t unconfined_t:dbus send_msg;
-')dnl end ifdef unconfined.te
-')
-
optional_policy(`rhgb.te',`
rhgb_domain(dhcpc_t)
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 953d2cf..615afb0 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -992,7 +992,7 @@ template(`admin_user_template',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_search_user_home',`
@@ -1024,7 +1024,7 @@ template(`userdom_search_user_home',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_home_subdirs',`
@@ -1055,7 +1055,7 @@ template(`userdom_manage_user_home_subdirs',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_read_user_home_files',`
@@ -1087,7 +1087,7 @@ template(`userdom_read_user_home_files',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_exec_user_home_files',`
@@ -1121,7 +1121,7 @@ template(`userdom_exec_user_home_files',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_home_subdir_files',`
@@ -1155,7 +1155,7 @@ template(`userdom_manage_user_home_subdir_files',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_home_subdir_symlinks',`
@@ -1189,7 +1189,7 @@ template(`userdom_manage_user_home_subdir_symlinks',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_home_subdir_pipes',`
@@ -1223,7 +1223,7 @@ template(`userdom_manage_user_home_subdir_pipes',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_home_subdir_sockets',`
@@ -1256,7 +1256,7 @@ template(`userdom_manage_user_home_subdir_sockets',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The class of the object to be created. If not
@@ -1299,7 +1299,7 @@ template(`userdom_create_user_home',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_tmp_dirs',`
@@ -1331,7 +1331,7 @@ template(`userdom_manage_user_tmp_dirs',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_tmp_files',`
@@ -1364,7 +1364,7 @@ template(`userdom_manage_user_tmp_files',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_tmp_symlinks',`
@@ -1397,7 +1397,7 @@ template(`userdom_manage_user_tmp_symlinks',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_tmp_pipes',`
@@ -1430,7 +1430,7 @@ template(`userdom_manage_user_tmp_pipes',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_tmp_sockets',`
@@ -1461,7 +1461,7 @@ template(`userdom_manage_user_tmp_sockets',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_use_user_terminals',`
@@ -1486,7 +1486,7 @@ template(`userdom_use_user_terminals',`
## caller to use setexeccon().
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_spec_domtrans_all_users',`
@@ -1504,7 +1504,7 @@ interface(`userdom_spec_domtrans_all_users',`
## caller to use setexeccon().
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_spec_domtrans_unpriv_users',`
@@ -1520,7 +1520,7 @@ interface(`userdom_spec_domtrans_unpriv_users',`
## Execute a shell in the sysadm domain.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_shell_domtrans_sysadm',`
@@ -1580,7 +1580,7 @@ interface(`userdom_dontaudit_search_staff_home_dir',`
## Read files in the staff users home directory.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_read_staff_home_files',`
@@ -1598,7 +1598,7 @@ interface(`userdom_read_staff_home_files',`
## Send a SIGCHLD signal to sysadm users.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_sigchld_sysadm',`
@@ -1615,10 +1615,31 @@ interface(`userdom_sigchld_sysadm',`
########################################
##
+## Do not audit attepts to get the attributes
+## of sysadm ttys.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_dontaudit_getattr_sysadm_tty',`
+ ifdef(`targeted_policy',`
+ term_dontaudit_getattr_unallocated_ttys($1)
+ ',`
+ gen_require(`
+ type sysadm_tty_device_t;
+ ')
+
+ dontaudit $1 sysadm_tty_device_t:chr_file getattr;
+ ')
+')
+
+########################################
+##
## Read and write sysadm ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_sysadm_tty',`
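Review bot: The summary of the new `userdom_dontaudit_getattr_sysadm_tty` has a typo, `attepts` should read `attempts`. More substantively, the `targeted_policy` branch silently substitutes `term_dontaudit_getattr_unallocated_ttys($1)` for the sysadm tty type, which is a different (and presumably wider) set of objects than `sysadm_tty_device_t`; since this is a dontaudit it only affects logging, but the description should say so: `## In the targeted policy sysadm ttys are not distinguished, so this suppresses getattr audits on unallocated ttys instead.`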
@@ -1660,7 +1681,7 @@ interface(`userdom_dontaudit_use_sysadm_tty',`
## Read and write sysadm ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_sysadm_pty',`
@@ -1702,7 +1723,7 @@ interface(`userdom_dontaudit_use_sysadm_pty',`
## Read and write sysadm ttys and ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_sysadm_terms',`
@@ -1735,7 +1756,7 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
## Inherit and use sysadm file descriptors
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_sysadm_fd',`
@@ -1756,7 +1777,7 @@ interface(`userdom_use_sysadm_fd',`
## Read and write sysadm user unnamed pipes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_rw_sysadm_pipe',`
@@ -1842,6 +1863,22 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
########################################
##
+## List the sysadm users home directory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_list_sysadm_home_dir',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ allow $1 sysadm_home_dir_t:dir list_dir_perms;
+')
+
+########################################
+##
## Do not audit attempts to list the sysadm
## users home directory.
##
@@ -1854,7 +1891,7 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
type sysadm_home_dir_t;
')
- dontaudit $1 sysadm_home_dir_t:dir r_dir_perms;
+ dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
')
########################################
@@ -1913,7 +1950,7 @@ interface(`userdom_search_sysadm_home_subdirs',`
## Read files in the sysadm users home directory.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_read_sysadm_home_files',`
@@ -1931,7 +1968,7 @@ interface(`userdom_read_sysadm_home_files',`
## Search all users home directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_search_all_users_home',`
@@ -1964,7 +2001,7 @@ interface(`userdom_dontaudit_search_all_users_home',`
## Read all files in all users home directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_read_all_user_files',`
@@ -1983,7 +2020,7 @@ interface(`userdom_read_all_user_files',`
## in all users home directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_manage_all_user_dirs',`
@@ -2001,7 +2038,7 @@ interface(`userdom_manage_all_user_dirs',`
## in all users home directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_manage_all_user_files',`
@@ -2020,7 +2057,7 @@ interface(`userdom_manage_all_user_files',`
## in all users home directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_manage_all_user_symlinks',`
@@ -2048,7 +2085,7 @@ interface(`userdom_manage_all_user_symlinks',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_priveleged_home_dir_manager',`
@@ -2065,7 +2102,7 @@ interface(`userdom_priveleged_home_dir_manager',`
## Send general signals to unprivileged user domains.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_signal_unpriv_users',`
@@ -2081,7 +2118,7 @@ interface(`userdom_signal_unpriv_users',`
## Inherit the file descriptors from unprivileged user domains.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_unpriv_users_fd',`
@@ -2098,7 +2135,7 @@ interface(`userdom_use_unpriv_users_fd',`
## file descriptors from all user domains.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_dontaudit_use_unpriv_user_fd',`
@@ -2328,18 +2365,38 @@ interface(`userdom_read_unpriv_user_home_files',`
########################################
##
-## Read all unprivileged users temporary directories.
+## Set the attributes of user ptys.
##
##
## Domain allowed access.
##
#
-interface(`userdom_list_unpriv_user_tmp',`
+interface(`userdom_setattr_unpriv_user_pty',`
gen_require(`
- attribute user_tmpfile;
+ attribute user_ptynode;
')
- allow $1 user_tmpfile:dir list_dir_perms;
+ allow $1 user_ptynode:chr_file setattr;
+')
+
+########################################
+##
+## Read all unprivileged users temporary directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_list_unpriv_user_tmp',`
+ ifdef(`targeted_policy',`
+ files_list_tmp($1)
+ ',`
+ gen_require(`
+ attribute user_tmpfile;
+ ')
+
+ allow $1 user_tmpfile:dir list_dir_perms;
+ ')
')
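Review bot: `userdom_setattr_unpriv_user_pty` is named for unprivileged users but grants `setattr` on the whole `user_ptynode` attribute, and whether that attribute also covers sysadm ptys is not visible here, so the name or the description should state which set it really covers. `setattr` on a chr_file is effectively the chown/chmod privilege on the pty, which is worth spelling out in the summary, e.g. `## Set the attributes (ownership/mode) of user ptys.`, so callers understand what they are granting. Unlike `userdom_list_unpriv_user_tmp` in the same hunk, the new interface has no `targeted_policy` branch; please confirm `user_ptynode` exists in the targeted build, or add the equivalent fallback.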
########################################
@@ -2351,11 +2408,15 @@ interface(`userdom_list_unpriv_user_tmp',`
##
#
interface(`userdom_read_unpriv_user_tmp_files',`
- gen_require(`
- attribute user_tmpfile;
- ')
+ ifdef(`targeted_policy',`
+ files_read_generic_tmp_files($1)
+ ',`
+ gen_require(`
+ attribute user_tmpfile;
+ ')
- allow $1 user_tmpfile:file { read getattr };
+ allow $1 user_tmpfile:file { read getattr };
+ ')
')
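Review bot: In the `targeted_policy` branch, `userdom_read_unpriv_user_tmp_files` now grants `files_read_generic_tmp_files($1)`, i.e. read access to generic /tmp files, which is a different and potentially wider set than the "unprivileged users' tmp files" the interface name implies; the description (outside this hunk) should state that callers get generic tmp read in the targeted policy. A short comment on the branch would also help, e.g. `# targeted policy presumably lacks per-user tmp types; fall back to generic tmp files -- confirm`.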
########################################
@@ -2367,11 +2428,15 @@ interface(`userdom_read_unpriv_user_tmp_files',`
##
#
interface(`userdom_read_unpriv_user_tmp_symlinks',`
- gen_require(`
- attribute user_tmpfile;
- ')
+ ifdef(`targeted_policy',`
+ files_read_generic_tmp_symlinks($1)
+ ',`
+ gen_require(`
+ attribute user_tmpfile;
+ ')
- allow $1 user_tmpfile:lnk_file { getattr read };
+ allow $1 user_tmpfile:lnk_file { getattr read };
+ ')
')
########################################
@@ -2379,7 +2444,7 @@ interface(`userdom_read_unpriv_user_tmp_symlinks',`
## Write all unprivileged users files in /tmp
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_write_unpriv_user_tmp',`
@@ -2396,7 +2461,7 @@ interface(`userdom_write_unpriv_user_tmp',`
## user ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_dontaudit_use_unpriv_user_tty',`
@@ -2412,7 +2477,7 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
## Inherit the file descriptors from all user domains
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_all_user_fd',`
@@ -2445,7 +2510,7 @@ interface(`userdom_dontaudit_use_all_user_fd',`
## Send general signals to all user domains.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_signal_all_users',`