From 74993c4daec6b6c9225110e039bbc38e3bad01f6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Oct 13 2008 15:06:23 +0000 Subject: trunk: 8 patches from dan. --- diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index aac7ac8..7d37828 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te @@ -1,5 +1,5 @@ -policy_module(alsa, 1.5.0) +policy_module(alsa, 1.5.1) ######################################## # @@ -48,9 +48,12 @@ corecmd_exec_bin(alsa_t) files_search_home(alsa_t) files_read_etc_files(alsa_t) +files_read_usr_files(alsa_t) auth_use_nsswitch(alsa_t) +init_use_fds(alsa_t) + libs_use_ld_so(alsa_t) libs_use_shared_libs(alsa_t) diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index 06730e5..f2742b5 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te @@ -1,5 +1,5 @@ -policy_module(amanda, 1.9.2) +policy_module(amanda, 1.9.3) ####################################### # @@ -129,6 +129,8 @@ corenet_udp_sendrecv_all_ports(amanda_t) corenet_tcp_bind_all_nodes(amanda_t) corenet_udp_bind_all_nodes(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) +corenet_tcp_bind_generic_port(amanda_t) +corenet_dontaudit_tcp_bind_all_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te index df797ad..a9d92a4 100644 --- a/policy/modules/admin/mrtg.te +++ b/policy/modules/admin/mrtg.te @@ -1,5 +1,5 @@ -policy_module(mrtg, 1.4.0) +policy_module(mrtg, 1.4.1) ######################################## # @@ -78,6 +78,7 @@ dev_read_sysfs(mrtg_t) dev_read_urand(mrtg_t) domain_use_interactive_fds(mrtg_t) +domain_dontaudit_search_all_domains_state(mrtg_t) files_read_usr_files(mrtg_t) files_search_var(mrtg_t) @@ -92,6 +93,7 @@ files_read_etc_files(mrtg_t) fs_search_auto_mountpoints(mrtg_t) fs_getattr_xattr_fs(mrtg_t) +fs_list_inotifyfs(mrtg_t) term_dontaudit_use_console(mrtg_t) 
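Review bot: corenet_dontaudit_tcp_bind_all_ports(amanda_t) silences every tcp bind denial for the domain, so a later attempt by amanda_t to bind a port it should not own leaves no audit trail, and it arrives in the same hunk as corenet_tcp_bind_generic_port, which is already a wide grant for a backup daemon. If the dontaudit exists because amanda walks a port range before settling on a free one, record that so the suppression is not mistaken for an oversight, e.g. `# amanda probes a port range when binding; the refused binds are expected noise`. Sites that want the denials logged would also be served by a tunable rather than an unconditional dontaudit.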
@@ -101,6 +103,8 @@ init_use_script_ptys(mrtg_t) init_read_utmp(mrtg_t) init_dontaudit_write_utmp(mrtg_t) +auth_use_nsswitch(mrtg_t) + libs_read_lib_files(mrtg_t) libs_use_ld_so(mrtg_t) libs_use_shared_libs(mrtg_t) @@ -111,12 +115,10 @@ miscfiles_read_localization(mrtg_t) selinux_dontaudit_getattr_dir(mrtg_t) -# Use the network. -sysnet_read_config(mrtg_t) - userdom_dontaudit_use_unpriv_user_fds(mrtg_t) sysadm_use_terms(mrtg_t) +sysadm_dontaudit_read_home_content_files(mrtg_t) ifdef(`enable_mls',` corenet_udp_sendrecv_lo_if(mrtg_t) @@ -140,14 +142,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(mrtg_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(mrtg_t) -') - -optional_policy(` seutil_sigchld_newrole(mrtg_t) ') @@ -162,10 +156,3 @@ optional_policy(` optional_policy(` udev_read_db(mrtg_t) ') - -ifdef(`TODO',` - # should not need this! - dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr }; - dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; - dontaudit mrtg_t root_t:lnk_file getattr; -') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 506b222..fffc473 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,5 +1,5 @@ -policy_module(netutils, 1.6.1) +policy_module(netutils, 1.6.2) ######################################## # @@ -50,6 +50,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) kernel_search_proc(netutils_t) +kernel_read_sysctl(netutils_t) corenet_all_recvfrom_unlabeled(netutils_t) corenet_all_recvfrom_netlabel(netutils_t) @@ -78,6 +79,8 @@ files_dontaudit_search_var(netutils_t) init_use_fds(netutils_t) init_use_script_ptys(netutils_t) +auth_use_nsswitch(netutils_t) + libs_use_ld_so(netutils_t) libs_use_shared_libs(netutils_t) 
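Review bot: auth_use_nsswitch(mrtg_t) replaces sysnet_read_config plus the nis_use_ypbind and nscd_dontaudit_search_pid optional blocks removed in the two hunks that follow, but in refpolicy it also brings name-service connectivity (DNS and LDAP, plus the nscd/winbind/kerberos pieces where those modules are built), so mrtg_t ends up with more network reach than the rules it stands in for. If that widening is intended, keep a one-line reason where the old "# Use the network." comment was, e.g. `# name resolution via nsswitch; replaces the sysnet/nis/nscd rules`. The same swap is made for netutils_t, ping_t and traceroute_t in netutils.te and would benefit from the same note there.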
@@ -85,8 +88,6 @@ logging_send_syslog_msg(netutils_t) miscfiles_read_localization(netutils_t) -sysnet_read_config(netutils_t) - userdom_use_all_users_fds(netutils_t) optional_policy(` @@ -94,6 +95,10 @@ optional_policy(` ') optional_policy(` + vmware_append_log(netutils_t) +') + +optional_policy(` xen_append_log(netutils_t) ') @@ -107,12 +112,14 @@ dontaudit ping_t self:capability sys_tty_config; allow ping_t self:tcp_socket create_socket_perms; allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; +allow ping_t self:netlink_route_socket create_netlink_socket_perms; corenet_all_recvfrom_unlabeled(ping_t) corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_all_if(ping_t) corenet_raw_sendrecv_all_if(ping_t) corenet_raw_sendrecv_all_nodes(ping_t) +corenet_raw_bind_all_nodes(ping_t) corenet_tcp_sendrecv_all_nodes(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) @@ -123,6 +130,8 @@ domain_use_interactive_fds(ping_t) files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) +auth_use_nsswitch(ping_t) + libs_use_ld_so(ping_t) libs_use_shared_libs(ping_t) @@ -130,9 +139,6 @@ logging_send_syslog_msg(ping_t) miscfiles_read_localization(ping_t) -sysnet_read_config(ping_t) -sysnet_dns_name_resolve(ping_t) - ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) ') @@ -143,14 +149,6 @@ tunable_policy(`user_ping',` ') optional_policy(` - nis_use_ypbind(ping_t) -') - -optional_policy(` - nscd_socket_use(ping_t) -') - -optional_policy(` pcmcia_use_cardmgr_fds(ping_t) ') 
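Review bot: the new `allow ping_t self:netlink_route_socket create_netlink_socket_perms;` grants the read-write netlink set — if I read obj_perm_sets.spt correctly, create_netlink_socket_perms includes nlmsg_write — which lets a setuid ping modify routes and addresses, while a route lookup only needs nlmsg_read. The tighter line is `allow ping_t self:netlink_route_socket r_netlink_socket_perms;`, the same set this commit chooses for kerneloops_t in kerneloops.te. It is also possible that auth_use_nsswitch(ping_t), added two hunks below, already supplies the read side, in which case the explicit rule is redundant; worth checking against auth.if before merging.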
@@ -166,7 +164,6 @@ optional_policy(` allow traceroute_t self:capability { net_admin net_raw setuid setgid }; allow traceroute_t self:rawip_socket create_socket_perms; allow traceroute_t self:packet_socket create_socket_perms; -allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) @@ -200,6 +197,8 @@ files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) +auth_use_nsswitch(traceroute_t) + libs_use_ld_so(traceroute_t) libs_use_shared_libs(traceroute_t) @@ -212,17 +211,7 @@ dev_read_rand(traceroute_t) dev_read_urand(traceroute_t) files_read_usr_files(traceroute_t) -sysnet_read_config(traceroute_t) - tunable_policy(`user_ping',` term_use_all_user_ttys(traceroute_t) term_use_all_user_ptys(traceroute_t) ') - -optional_policy(` - nis_use_ypbind(traceroute_t) -') - -optional_policy(` - nscd_socket_use(traceroute_t) -') diff --git a/policy/modules/admin/vpn.fc b/policy/modules/admin/vpn.fc index 7409148..076dcc3 100644 --- a/policy/modules/admin/vpn.fc +++ b/policy/modules/admin/vpn.fc @@ -6,6 +6,8 @@ # # /usr # +/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0) + /usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) /var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te index 06d3ab2..7eb40c3 100644 --- a/policy/modules/admin/vpn.te +++ b/policy/modules/admin/vpn.te @@ -1,5 +1,5 @@ -policy_module(vpn, 1.8.1) +policy_module(vpn, 1.8.2) ######################################## # 
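Review bot: the removed `allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };` has no replacement visible in this hunk, and traceroute still needs route lookups to choose a source address, so the commit presumably relies on auth_use_nsswitch(traceroute_t), added in the @@ -200 hunk of this file, to provide that access. That dependency should be written down next to the auth_use_nsswitch call, e.g. `# netlink_route_socket access now comes from auth_use_nsswitch`, so a later tightening of auth_use_nsswitch does not silently break traceroute. If the inference is wrong and nothing else grants the socket, this hunk is a functional regression rather than a cleanup.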
@@ -23,7 +23,7 @@ files_pid_file(vpnc_var_run_t) # allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw }; -allow vpnc_t self:process getsched; +allow vpnc_t self:process { getsched signal }; allow vpnc_t self:fifo_file rw_fifo_file_perms; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; allow vpnc_t self:tcp_socket create_stream_socket_perms; @@ -44,7 +44,7 @@ files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir}) kernel_read_system_state(vpnc_t) kernel_read_network_state(vpnc_t) -kernel_read_kernel_sysctls(vpnc_t) +kernel_read_all_sysctls(vpnc_t) kernel_rw_net_sysctls(vpnc_t) corenet_all_recvfrom_unlabeled(vpnc_t) diff --git a/policy/modules/services/cvs.fc b/policy/modules/services/cvs.fc index 689a960..48a30de 100644 --- a/policy/modules/services/cvs.fc +++ b/policy/modules/services/cvs.fc @@ -5,3 +5,6 @@ /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) +#CVSWeb file context +/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if index 997973d..33b5d01 100644 --- a/policy/modules/services/cvs.if +++ b/policy/modules/services/cvs.if @@ -69,4 +69,12 @@ interface(`cvs_admin',` domain_system_change_exemption($1) role_transition $2 cvs_initrc_exec_t system_r; allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, cvs_tmp_t) + + admin_pattern($1, cvs_data_t) + + files_list_pids($1) + admin_pattern($1, cvs_var_run_t) ') diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te index 3930262..62be9d8 100644 --- a/policy/modules/services/cvs.te +++ b/policy/modules/services/cvs.te @@ -1,5 +1,5 @@ -policy_module(cvs, 1.6.1) +policy_module(cvs, 1.6.2) ######################################## # 
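Review bot: kernel_read_all_sysctls(vpnc_t) widens the earlier kernel_read_kernel_sysctls to every sysctl tree, and nothing in the hunk says which sysctl vpnc actually needs; with kernel_rw_net_sysctls already present on the next line, the extra reach is presumably the vm/fs/dev trees. A short comment naming the trigger, e.g. `# vpnc reads <sysctl path> at startup` with the real path filled in, would let a later reviewer narrow this back to the specific kernel_read_*_sysctls interface. The `signal` addition to self:process in the @@ -23 hunk is fine as written.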
@@ -99,7 +99,20 @@ tunable_policy(`allow_cvs_read_shadow',` ') optional_policy(` - kerberos_read_keytab(cvs_t) + kerberos_keytab_template(cvs, cvs_t) kerberos_read_config(cvs_t) kerberos_dontaudit_write_config(cvs_t) ') + +######################################## +# +# CVSWeb policy +# + +optional_policy(` + apache_content_template(cvs) + + read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) + manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) +') diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc index 86a9d7e..445d93d 100644 --- a/policy/modules/services/cyrus.fc +++ b/policy/modules/services/cyrus.fc @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) /usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if index 2d80a28..2bf2146 100644 --- a/policy/modules/services/cyrus.if +++ b/policy/modules/services/cyrus.if 
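Review bot: the new CVSWeb block lets httpd_cvs_script_t manage dirs and files of cvs_tmp_t, the same temp type the cvs_t server domain uses, so the web CGI can alter or remove the daemon's temp files; if cvsweb only needs scratch space of its own, the rw type that apache_content_template creates, or a dedicated tmp type, keeps the two domains apart. No files_tmp_filetrans rule for httpd_cvs_script_t appears here either, so files it creates under /tmp will not receive cvs_tmp_t unless a transition exists elsewhere — worth confirming before relying on the manage rules. Separately, kerberos_keytab_template(cvs, cvs_t) introduces a per-domain keytab type (presumably cvs_keytab_t), but the cvs.fc change in this commit adds only the cvsweb entries, so nothing is labeled with it; either document how administrators are expected to label the keytab or add the fc entry.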
@@ -39,3 +39,46 @@ interface(`cyrus_stream_connect',` files_search_var_lib($1) stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t) ') + +######################################## +## +## All of the rules required to administrate +## an cyrus environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the cyrus domain. +## +## +## +# +interface(`cyrus_admin',` + gen_require(` + type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t; + type cyrus_var_run_t, cyrus_initrc_exec_t; + ') + + allow $1 cyrus_t:process { ptrace signal_perms }; + ps_process_pattern($1, cyrus_t) + + init_labeled_script_domtrans($1, cyrus_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cyrus_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, cyrus_tmp_t) + + files_list_var_lib($1) + admin_pattern($1, cyrus_var_lib_t) + + files_list_pids($1) + admin_pattern($1, cyrus_var_run_t) +') + + diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te index 566944f..977143d 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -1,5 +1,5 @@ -policy_module(cyrus, 1.6.0) +policy_module(cyrus, 1.6.1) ######################################## # @@ -10,6 +10,9 @@ type cyrus_t; type cyrus_exec_t; init_daemon_domain(cyrus_t, cyrus_exec_t) +type cyrus_initrc_exec_t; +init_script_file(cyrus_initrc_exec_t) + type cyrus_tmp_t; files_tmp_file(cyrus_tmp_t) @@ -120,7 +123,7 @@ optional_policy(` ') optional_policy(` - kerberos_use(cyrus_t) + kerberos_keytab_template(cyrus, cyrus_t) ') optional_policy(` diff --git a/policy/modules/services/kerneloops.fc b/policy/modules/services/kerneloops.fc index ec01310..5ef261a 100644 --- a/policy/modules/services/kerneloops.fc +++ b/policy/modules/services/kerneloops.fc 
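Review bot: the doc block of the new cyrus_admin interface reads "an cyrus environment"; the fix is `## a cyrus environment`, and the summary/param tags look stripped in this rendering, so check the .if still validates with the doc generator. The hunk also appends two blank lines after the closing `')` at end of file, which the other .if files in this commit do not do. Otherwise the interface follows the cvs_admin shape added in the same commit, which is good for consistency.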
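Review bot: replacing kerberos_use(cyrus_t) with kerberos_keytab_template(cyrus, cyrus_t) swaps a bundle that, as far as I recall, also covered connecting to the KDC for one that only grants reading a new per-domain keytab type; unless cyrus_t gets KDC connectivity from outside this hunk (auth_use_nsswitch would be the usual source), GSSAPI logins to the IMAP server may stop working. A one-line comment recording where KDC access now comes from, e.g. `# KDC connectivity via auth_use_nsswitch; keytab read via cyrus_keytab_t`, would settle it for the next reader. As with cvs.fc, the cyrus.fc change here labels only the init script, so the new keytab type has no file context yet.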
@@ -1 +1,3 @@ +/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0) + /usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0) diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if index 096c180..fe601a6 100644 --- a/policy/modules/services/kerneloops.if +++ b/policy/modules/services/kerneloops.if @@ -71,13 +71,23 @@ interface(`kerneloops_dontaudit_dbus_chat',` ## Domain allowed access. ## ## +## +## +## The role to be allowed to manage the kerneloops domain. +## +## ## # interface(`kerneloops_admin',` gen_require(` - type kerneloops_t; + type kerneloops_t, kerneloops_initrc_exec_t; ') allow $1 kerneloops_t:process { ptrace signal_perms }; ps_process_pattern($1, kerneloops_t) + + init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 kerneloops_initrc_exec_t system_r; + allow $2 system_r; ') diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te index ef91028..9b53e9d 100644 --- a/policy/modules/services/kerneloops.te +++ b/policy/modules/services/kerneloops.te @@ -1,5 +1,5 @@ -policy_module(kerneloops, 1.0.0) +policy_module(kerneloops, 1.0.1) ######################################## # @@ -10,14 +10,18 @@ type kerneloops_t; type kerneloops_exec_t; init_daemon_domain(kerneloops_t, kerneloops_exec_t) +type kerneloops_initrc_exec_t; +init_script_file(kerneloops_initrc_exec_t) + ######################################## # # kerneloops local policy # allow kerneloops_t self:capability sys_nice; -allow kerneloops_t self:process { setsched getsched }; +allow kerneloops_t self:process { setsched getsched signal }; allow kerneloops_t self:fifo_file rw_file_perms; +allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; kernel_read_ring_buffer(kerneloops_t)
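Review bot: kerneloops_admin now reads a second parameter ($2) in the added `role_transition $2 kerneloops_initrc_exec_t system_r;` and `allow $2 system_r;` lines, so an existing caller that passes only the domain will expand $2 to nothing and the policy build will fail; no call site is touched in this commit, so confirm the admin role modules that invoke it have been updated. The new role parameter doc matches the cvs_admin and cyrus_admin interfaces, which keeps the three consistent. A line in the commit message noting the signature change would help downstream policies that call kerneloops_admin with one argument.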