From 77f6e2cd27a34a61439d2766f775ed0ba66ede48 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Oct 13 2005 20:59:36 +0000 Subject: partial (most of it) merge of selinux-policy-strict-sources-1.27.1-15 --- diff --git a/docs/macro_conversion_guide b/docs/macro_conversion_guide index 4e0391d..cebb782 100644 --- a/docs/macro_conversion_guide +++ b/docs/macro_conversion_guide @@ -577,6 +577,15 @@ allow $1 $2:unix_stream_socket connectto; allow $1 $2:unix_dgram_socket sendto; # +# can_winbind(): +# +ifdef(`winbind.te', ` +allow $1 winbind_var_run_t:dir { getattr search }; +allow $1 winbind_t:unix_stream_socket connectto; +allow $1 winbind_var_run_t:sock_file { getattr read write }; +') + +# # can_ypbind(): complete # optional_policy(`nis.te',` diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs index c23f172..5af2fc1 100644 --- a/refpolicy/policy/mcs +++ b/refpolicy/policy/mcs @@ -147,13 +147,141 @@ category c124; category c125; category c126; category c127; +category c128; +category c129; +category c130; +category c131; +category c132; +category c133; +category c134; +category c135; +category c136; +category c137; +category c138; +category c139; +category c140; +category c141; +category c142; +category c143; +category c144; +category c145; +category c146; +category c147; +category c148; +category c149; +category c150; +category c151; +category c152; +category c153; +category c154; +category c155; +category c156; +category c157; +category c158; +category c159; +category c160; +category c161; +category c162; +category c163; +category c164; +category c165; +category c166; +category c167; +category c168; +category c169; +category c170; +category c171; +category c172; +category c173; +category c174; +category c175; +category c176; +category c177; +category c178; +category c179; +category c180; +category c181; +category c182; +category c183; +category c184; +category c185; +category c186; +category c187; +category c188; +category c189; +category c190; +category c191; +category c192; +category c193; +category c194; +category c195; +category c196; +category c197; +category c198; +category c199; +category c200; +category c201; +category c202; +category c203; +category c204; +category c205; +category c206; +category c207; +category c208; +category c209; +category c210; +category c211; +category c212; +category c213; +category c214; +category c215; +category c216; +category c217; +category c218; +category c219; +category c220; +category c221; +category c222; +category c223; +category c224; +category c225; +category c226; +category c227; +category c228; +category c229; +category c230; +category c231; +category c232; +category c233; +category c234; +category c235; +category c236; +category c237; +category c238; +category c239; +category c240; +category c241; +category c242; +category c243; +category c244; +category c245; +category c246; +category c247; +category c248; +category c249; +category c250; +category c251; +category c252; +category c253; +category c254; +category c255; # # Each MCS level specifies a sensitivity and zero or more categories which may # be associated with that sensitivity. # -level s0:c0.c127; +level s0:c0.c255; # # Define the MCS policy @@ -201,9 +329,23 @@ level s0:c0.c127; # # Only files are constrained by MCS at this stage. # -mlsconstrain file { read write setattr append unlink link rename +mlsconstrain file { write setattr append unlink link rename create ioctl lock execute } (h1 dom h2); +mlsconstrain file { read } ((h1 dom h2) or + ( t1 == mlsfileread )); + + +# new file labels must be dominated by the relabeling subject clearance +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto } + ( h1 dom h2 ); + +define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append +link unlink rename relabelfrom relabelto }') + +define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink +rename search add_name remove_name reparent write rmdir relabelfrom +relabelto }') # XXX # diff --git a/refpolicy/policy/mls b/refpolicy/policy/mls index 45b15f0..dc1ab87 100644 --- a/refpolicy/policy/mls +++ b/refpolicy/policy/mls @@ -15,12 +15,17 @@ sensitivity s6; sensitivity s7; sensitivity s8; sensitivity s9; - +sensitivity s10; +sensitivity s11; +sensitivity s12; +sensitivity s13; +sensitivity s14; +sensitivity s15; # # Define the ordering of the sensitivity levels (least to greatest) # -dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 } +dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 } # @@ -156,22 +161,156 @@ category c124; category c125; category c126; category c127; +category c128; +category c129; +category c130; +category c131; +category c132; +category c133; +category c134; +category c135; +category c136; +category c137; +category c138; +category c139; +category c140; +category c141; +category c142; +category c143; +category c144; +category c145; +category c146; +category c147; +category c148; +category c149; +category c150; +category c151; +category c152; +category c153; +category c154; +category c155; +category c156; +category c157; +category c158; +category c159; +category c160; +category c161; +category c162; +category c163; +category c164; +category c165; +category c166; +category c167; +category c168; +category c169; +category c170; +category c171; +category c172; +category c173; +category c174; +category c175; +category c176; +category c177; +category c178; +category c179; +category c180; +category c181; +category c182; +category c183; +category c184; +category c185; +category c186; +category c187; +category c188; +category c189; +category c190; +category c191; +category c192; +category c193; +category c194; +category c195; +category c196; +category c197; +category c198; +category c199; +category c200; +category c201; +category c202; +category c203; +category c204; +category c205; +category c206; +category c207; +category c208; +category c209; +category c210; +category c211; +category c212; +category c213; +category c214; +category c215; +category c216; +category c217; +category c218; +category c219; +category c220; +category c221; +category c222; +category c223; +category c224; +category c225; +category c226; +category c227; +category c228; +category c229; +category c230; +category c231; +category c232; +category c233; +category c234; +category c235; +category c236; +category c237; +category c238; +category c239; +category c240; +category c241; +category c242; +category c243; +category c244; +category c245; +category c246; +category c247; +category c248; +category c249; +category c250; +category c251; +category c252; +category c253; +category c254; +category c255; # # Each MLS level specifies a sensitivity and zero or more categories which may # be associated with that sensitivity. # -level s0:c0.c127; -level s1:c0.c127; -level s2:c0.c127; -level s3:c0.c127; -level s4:c0.c127; -level s5:c0.c127; -level s6:c0.c127; -level s7:c0.c127; -level s8:c0.c127; -level s9:c0.c127; +level s0:c0.c255; +level s1:c0.c255; +level s2:c0.c255; +level s3:c0.c255; +level s4:c0.c255; +level s5:c0.c255; +level s6:c0.c255; +level s7:c0.c255; +level s8:c0.c255; +level s9:c0.c255; +level s10:c0.c255; +level s11:c0.c255; +level s12:c0.c255; +level s13:c0.c255; +level s14:c0.c255; +level s15:c0.c255; # diff --git a/refpolicy/policy/modules/admin/anaconda.te b/refpolicy/policy/modules/admin/anaconda.te index 107b339..b988381 100644 --- a/refpolicy/policy/modules/admin/anaconda.te +++ b/refpolicy/policy/modules/admin/anaconda.te @@ -48,10 +48,6 @@ optional_policy(`usermanage.te',` ') ifdef(`TODO',` -optional_policy(`su.te',` - role system_r types sysadm_su_t; - domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t) -') optional_policy(`ssh.te',` role system_r types sysadm_ssh_agent_t; domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t) diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te index caa4615..f13f83b 100644 --- a/refpolicy/policy/modules/admin/kudzu.te +++ b/refpolicy/policy/modules/admin/kudzu.te @@ -104,6 +104,7 @@ libs_read_lib(kudzu_t) logging_send_syslog_msg(kudzu_t) +miscfiles_read_hwdata(kudzu_t) miscfiles_read_localization(kudzu_t) modutils_read_module_conf(kudzu_t) diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if index 57aa956..a97588c 100644 --- a/refpolicy/policy/modules/admin/logrotate.if +++ b/refpolicy/policy/modules/admin/logrotate.if @@ -11,9 +11,6 @@ interface(`logrotate_domtrans',` gen_require(` type logrotate_t, logrotate_exec_t; - class process sigchld; - class fd use; - class fifo_file rw_file_perms; ') domain_auto_trans($1,logrotate_exec_t,logrotate_t) @@ -42,7 +39,6 @@ interface(`logrotate_domtrans',` interface(`logrotate_run',` gen_require(` type logrotate_t; - class chr_file rw_term_perms; ') logrotate_domtrans($1) @@ -68,6 +64,22 @@ interface(`logrotate_exec',` ######################################## ## +## Inherit and use logrotate file descriptors. +## +## +## Domain allowed access. +## +# +interface(`logrotate_use_fd',` + gen_require(` + type logrotate_t; + ') + + allow $1 logrotate_t:fd use; +') + +######################################## +## ## Do not audit attempts to inherit logrotate file descriptors. ## ## @@ -77,7 +89,6 @@ interface(`logrotate_exec',` interface(`logrotate_dontaudit_use_fd',` gen_require(` type logrotate_t; - class fd use; ') dontaudit $1 logrotate_t:fd use; @@ -94,7 +105,6 @@ interface(`logrotate_dontaudit_use_fd',` interface(`logrotate_read_tmp_files',` gen_require(` type logrotate_tmp_t; - class file r_file_perms; ') files_search_tmp($1) diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index d5526ee..2b1a7c5 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -28,174 +28,170 @@ ## # template(`su_per_userdomain_template',` - # in optional since loadable modules do not natively - # support per-userdomain templates yet. - optional_policy(`su.te',` - gen_require(` - type su_exec_t; - ') - - type $1_su_t; - domain_entry_file($1_su_t,su_exec_t) - domain_type($1_su_t) - domain_role_change_exempt($1_su_t) - domain_subj_id_change_exempt($1_su_t) - domain_obj_id_change_exempt($1_su_t) - domain_wide_inherit_fd($1_su_t) - role $3 types $1_su_t; - - allow $2 $1_su_t:process signal; - - allow $1_su_t self:capability { audit_control setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; - dontaudit $1_su_t self:capability sys_tty_config; - allow $1_su_t self:process { setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - - # Transition from the user domain to this domain. - domain_auto_trans($2, su_exec_t, $1_su_t) - allow $2 $1_su_t:fd use; - allow $1_su_t $2:fd use; - allow $1_su_t $2:fifo_file rw_file_perms; - allow $1_su_t $2:process sigchld; - - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_su_t,$2) - allow $2 $1_su_t:fd use; - allow $1_su_t $2:fd use; - allow $1_su_t $2:fifo_file rw_file_perms; - allow $1_su_t $2:process sigchld; - - kernel_read_system_state($1_su_t) - kernel_read_kernel_sysctl($1_su_t) - - # for SSP - dev_read_urand($1_su_t) - - fs_search_auto_mountpoints($1_su_t) - - selinux_get_fs_mount($1_su_t) - selinux_validate_context($1_su_t) - selinux_compute_access_vector($1_su_t) - selinux_compute_create_context($1_su_t) - selinux_compute_relabel_context($1_su_t) - selinux_compute_user_contexts($1_su_t) - - # Relabel ttys and ptys. - term_relabel_all_user_ttys($1_su_t) - term_relabel_all_user_ptys($1_su_t) - # Close and re-open ttys and ptys to get the fd into the correct domain. - term_use_all_user_ttys($1_su_t) - term_use_all_user_ptys($1_su_t) - - auth_domtrans_user_chk_passwd($1_su_t,$1) - auth_dontaudit_read_shadow($1_su_t) - - domain_wide_inherit_fd($1_su_t) - - files_read_etc_files($1_su_t) - files_search_var_lib($1_su_t) - - init_dontaudit_use_fd($1_su_t) - # Write to utmp. - init_rw_script_pid($1_su_t) - - libs_use_ld_so($1_su_t) - libs_use_shared_libs($1_su_t) - - logging_send_syslog_msg($1_su_t) - - miscfiles_read_localization($1_su_t) - - seutil_read_config($1_su_t) - seutil_read_default_contexts($1_su_t) - - userdom_use_user_terminals($1,$1_su_t) - - if(secure_mode) - { - # Only allow transitions to unprivileged user domains. - userdom_spec_domtrans_unpriv_users($1_su_t) - } else { - # Allow transitions to all user domains - userdom_spec_domtrans_all_users($1_su_t) - } - - if (use_nfs_home_dirs) { - fs_search_nfs($1_su_t) - } - - if (use_samba_home_dirs) { - fs_search_cifs($1_su_t) - } - - optional_policy(`crond.te',` - cron_read_pipe($1_su_t) - ') - - optional_policy(`kerberos.te',` - kerberos_use($1_su_t) - ') - - optional_policy(`nis.te',` - nis_use_ypbind($1_su_t) - ') - - optional_policy(`nscd.te',` - nscd_use_socket($1_su_t) - ') - - ifdef(`TODO',` - - ifdef(`support_polyinstantiation', ` - mls_file_read_up($1_su_t) - mls_file_write_down($1_su_t) - mls_file_upgrade($1_su_t) - mls_file_downgrade($1_su_t) - mls_process_set_level($1_su_t) - - # Su can polyinstantiate - polyinstantiater($1_su_t) - # Su has to unmount polyinstantiated directories (like home) - # that should not be polyinstantiated under the new user - allow $1_su_t fs_t:filesystem unmount; - # Su needs additional permission to mount over a previous mount - allow $1_su_t polymember:dir mounton; - ') - - # Caused by su - init scripts - dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; - - # Inherit and use descriptors from gnome-pty-helper. - ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;') - - allow $1_su_t { home_root_t $1_home_dir_t }:dir search; - allow $1_su_t $1_home_t:file create_file_perms; - - ifdef(`user_canbe_sysadm', ` - allow $1_su_t home_dir_type:dir { search write }; - ', ` - dontaudit $1_su_t home_dir_type:dir { search write }; - ') - - # Modify .Xauthority file (via xauth program). - ifdef(`xauth.te', ` - file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) - file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file) - file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file) - domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t) - ') - - ifdef(`cyrus.te', ` - allow $1_su_t cyrus_var_lib_t:dir search; - ') - ifdef(`ssh.te', ` - # Access sshd cookie files. - allow $1_su_t sshd_tmp_t:file rw_file_perms; - file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) - ') - ') dnl end TODO + gen_require(` + type su_exec_t; + ') + + type $1_su_t; + domain_entry_file($1_su_t,su_exec_t) + domain_type($1_su_t) + domain_role_change_exempt($1_su_t) + domain_subj_id_change_exempt($1_su_t) + domain_obj_id_change_exempt($1_su_t) + domain_wide_inherit_fd($1_su_t) + role $3 types $1_su_t; + + allow $2 $1_su_t:process signal; + + allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + dontaudit $1_su_t self:capability sys_tty_config; + allow $1_su_t self:process { setexec setsched setrlimit }; + allow $1_su_t self:fifo_file rw_file_perms; + allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + + # Transition from the user domain to this domain. + domain_auto_trans($2, su_exec_t, $1_su_t) + allow $2 $1_su_t:fd use; + allow $1_su_t $2:fd use; + allow $1_su_t $2:fifo_file rw_file_perms; + allow $1_su_t $2:process sigchld; + + # By default, revert to the calling domain when a shell is executed. + corecmd_shell_domtrans($1_su_t,$2) + allow $2 $1_su_t:fd use; + allow $1_su_t $2:fd use; + allow $1_su_t $2:fifo_file rw_file_perms; + allow $1_su_t $2:process sigchld; + + kernel_read_system_state($1_su_t) + kernel_read_kernel_sysctl($1_su_t) + + # for SSP + dev_read_urand($1_su_t) + + fs_search_auto_mountpoints($1_su_t) + + selinux_get_fs_mount($1_su_t) + selinux_validate_context($1_su_t) + selinux_compute_access_vector($1_su_t) + selinux_compute_create_context($1_su_t) + selinux_compute_relabel_context($1_su_t) + selinux_compute_user_contexts($1_su_t) + + # Relabel ttys and ptys. + term_relabel_all_user_ttys($1_su_t) + term_relabel_all_user_ptys($1_su_t) + # Close and re-open ttys and ptys to get the fd into the correct domain. + term_use_all_user_ttys($1_su_t) + term_use_all_user_ptys($1_su_t) + + auth_domtrans_user_chk_passwd($1_su_t,$1) + auth_dontaudit_read_shadow($1_su_t) + + domain_wide_inherit_fd($1_su_t) + + files_read_etc_files($1_su_t) + files_search_var_lib($1_su_t) + + init_dontaudit_use_fd($1_su_t) + # Write to utmp. + init_rw_script_pid($1_su_t) + + libs_use_ld_so($1_su_t) + libs_use_shared_libs($1_su_t) + + logging_send_syslog_msg($1_su_t) + + miscfiles_read_localization($1_su_t) + + seutil_read_config($1_su_t) + seutil_read_default_contexts($1_su_t) + + userdom_use_user_terminals($1,$1_su_t) + + if(secure_mode) + { + # Only allow transitions to unprivileged user domains. + userdom_spec_domtrans_unpriv_users($1_su_t) + } else { + # Allow transitions to all user domains + userdom_spec_domtrans_all_users($1_su_t) + } + + tunable_policy(`use_nfs_home_dirs',` + fs_search_nfs($1_su_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_search_cifs($1_su_t) + ') + + optional_policy(`crond.te',` + cron_read_pipe($1_su_t) + ') + + optional_policy(`kerberos.te',` + kerberos_use($1_su_t) + ') + + optional_policy(`nis.te',` + nis_use_ypbind($1_su_t) + ') + + optional_policy(`nscd.te',` + nscd_use_socket($1_su_t) + ') + + ifdef(`TODO',` + + ifdef(`support_polyinstantiation', ` + mls_file_read_up($1_su_t) + mls_file_write_down($1_su_t) + mls_file_upgrade($1_su_t) + mls_file_downgrade($1_su_t) + mls_process_set_level($1_su_t) + + # Su can polyinstantiate + polyinstantiater($1_su_t) + # Su has to unmount polyinstantiated directories (like home) + # that should not be polyinstantiated under the new user + allow $1_su_t fs_t:filesystem unmount; + # Su needs additional permission to mount over a previous mount + allow $1_su_t polymember:dir mounton; + ') + + # Caused by su - init scripts + dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; + + # Inherit and use descriptors from gnome-pty-helper. + ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;') + + allow $1_su_t { home_root_t $1_home_dir_t }:dir search; + allow $1_su_t $1_home_t:file create_file_perms; + + ifdef(`user_canbe_sysadm', ` + allow $1_su_t home_dir_type:dir { search write }; + ', ` + dontaudit $1_su_t home_dir_type:dir { search write }; + ') + + # Modify .Xauthority file (via xauth program). + ifdef(`xauth.te', ` + file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) + file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file) + file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file) + domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t) + ') + + ifdef(`cyrus.te', ` + allow $1_su_t cyrus_var_lib_t:dir search; + ') + ifdef(`ssh.te', ` + # Access sshd cookie files. + allow $1_su_t sshd_tmp_t:file rw_file_perms; + file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) ') + ') dnl end TODO ') ####################################### diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te index e01bee1..56158eb 100644 --- a/refpolicy/policy/modules/admin/su.te +++ b/refpolicy/policy/modules/admin/su.te @@ -6,7 +6,11 @@ policy_module(su,1.0) # Declarations # -type su_exec_t; +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type su_exec_t; +') files_type(su_exec_t) # Remaining policy in the per-user domain template diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index b3ed57c..612b4c5 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -68,14 +68,14 @@ allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exe allow chfn_t self:process { setrlimit setfscreate }; allow chfn_t self:fd use; allow chfn_t self:fifo_file rw_file_perms; -allow chfn_t self:unix_dgram_socket create_socket_perms; -allow chfn_t self:unix_stream_socket create_stream_socket_perms; -allow chfn_t self:unix_dgram_socket sendto; -allow chfn_t self:unix_stream_socket connectto; allow chfn_t self:shm create_shm_perms; allow chfn_t self:sem create_sem_perms; allow chfn_t self:msgq create_msgq_perms; allow chfn_t self:msg { send receive }; +allow chfn_t self:unix_dgram_socket create_socket_perms; +allow chfn_t self:unix_stream_socket create_stream_socket_perms; +allow chfn_t self:unix_dgram_socket sendto; +allow chfn_t self:unix_stream_socket connectto; kernel_read_system_state(chfn_t) kernel_read_kernel_sysctl(chfn_t) @@ -192,14 +192,15 @@ allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit allow groupadd_t self:process { setrlimit setfscreate }; allow groupadd_t self:fd use; allow groupadd_t self:fifo_file rw_file_perms; -allow groupadd_t self:unix_dgram_socket create_socket_perms; -allow groupadd_t self:unix_stream_socket create_stream_socket_perms; -allow groupadd_t self:unix_dgram_socket sendto; -allow groupadd_t self:unix_stream_socket connectto; allow groupadd_t self:shm create_shm_perms; allow groupadd_t self:sem create_sem_perms; allow groupadd_t self:msgq create_msgq_perms; allow groupadd_t self:msg { send receive }; +allow groupadd_t self:unix_dgram_socket create_socket_perms; +allow groupadd_t self:unix_stream_socket create_stream_socket_perms; +allow groupadd_t self:unix_dgram_socket sendto; +allow groupadd_t self:unix_stream_socket connectto; +allow groupadd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; fs_getattr_xattr_fs(groupadd_t) fs_search_auto_mountpoints(groupadd_t) @@ -236,6 +237,7 @@ miscfiles_read_localization(groupadd_t) auth_manage_shadow(groupadd_t) auth_rw_lastlog(groupadd_t) +auth_use_nsswitch(groupadd_t) seutil_read_config(groupadd_t) @@ -445,7 +447,6 @@ allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto }; ifdef(`targeted_policy', ` role system_r types sysadm_passwd_t; -allow sysadm_passwd_t devpts_t:chr_file rw_file_perms; ') ') dnl endif TODO @@ -459,14 +460,15 @@ allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit allow useradd_t self:process setfscreate; allow useradd_t self:fd use; allow useradd_t self:fifo_file rw_file_perms; -allow useradd_t self:unix_dgram_socket create_socket_perms; -allow useradd_t self:unix_stream_socket create_stream_socket_perms; -allow useradd_t self:unix_dgram_socket sendto; -allow useradd_t self:unix_stream_socket connectto; allow useradd_t self:shm create_shm_perms; allow useradd_t self:sem create_sem_perms; allow useradd_t self:msgq create_msgq_perms; allow useradd_t self:msg { send receive }; +allow useradd_t self:unix_dgram_socket create_socket_perms; +allow useradd_t self:unix_stream_socket create_stream_socket_perms; +allow useradd_t self:unix_dgram_socket sendto; +allow useradd_t self:unix_stream_socket connectto; +allow useradd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; # Allow access to context for shadow file selinux_get_fs_mount(useradd_t) @@ -486,6 +488,7 @@ term_use_all_user_ptys(useradd_t) auth_manage_shadow(useradd_t) auth_rw_lastlog(useradd_t) +auth_use_nsswitch(useradd_t) corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te index 2d58940..2225882 100644 --- a/refpolicy/policy/modules/apps/webalizer.te +++ b/refpolicy/policy/modules/apps/webalizer.te @@ -89,6 +89,10 @@ userdom_use_unpriv_users_fd(webalizer_t) apache_read_log(webalizer_t) apache_manage_sys_content(webalizer_t) +optional_policy(`ftp.te',` + ftp_read_log(webalizer_t) +') + optional_policy(`nis.te',` nis_use_ypbind(webalizer_t) ') diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index d13b1cd..6e37fb1 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -53,7 +53,7 @@ network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dbskkd, tcp,1178,s0) network_port(dhcpc, udp,68,s0) -network_port(dhcpd, udp,67,s0) +network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0) network_port(dict, tcp,2628,s0) network_port(dns, udp,53,s0, tcp,53,s0) network_port(fingerd, tcp,79,s0) @@ -86,6 +86,8 @@ network_port(nessus, tcp,1241,s0) network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0) network_port(ntp, udp,123,s0) network_port(openvpn, udp,5000,s0) +network_port(pegasus_http, tcp,5988,s0) +network_port(pegasus_https, tcp,5989,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index e69e2b8..7209a09 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -177,6 +177,24 @@ interface(`fs_getattr_xattr_fs',` ######################################## ## +## Get the quotas of a persistent +## filesystem which has extended +## attributes, such as ext3, JFS, or XFS. +## +## +## The type of the domain getting quotas. +## +# +interface(`fs_get_xattr_fs_quotas',` + gen_require(` + type fs_t; + ') + + allow $1 fs_t:filesystem quotaget; +') + +######################################## +## ## Do not audit attempts to ## get the attributes of a persistent ## filesystem which has extended diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index 511d864..367b176 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -44,6 +44,10 @@ type binfmt_misc_fs_t, filesystem_type; files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) +type capifs_t, filesystem_type; +allow capifs_t self:filesystem associate; +genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) + type eventpollfs_t, filesystem_type; genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0) diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 06b32a1..6e63f7a 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -709,17 +709,17 @@ interface(`kernel_read_network_state',` ######################################## ## -## Do not audit attempts by caller to search the sysctl directory. +## Do not audit attempts by caller to search +## the base directory of sysctls. ## ## ## The process type not to audit. ## ## # -interface(`kernel_dontaudit_search_sysctl_dir',` +interface(`kernel_dontaudit_search_sysctl',` gen_require(` type sysctl_t; - class dir search; ') dontaudit $1 sysctl_t:dir search; @@ -736,8 +736,6 @@ interface(`kernel_dontaudit_search_sysctl_dir',` interface(`kernel_read_device_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_dev_t; - class dir r_dir_perms; - class file r_file_perms; ') allow $1 proc_t:dir search; @@ -757,8 +755,6 @@ interface(`kernel_read_device_sysctl',` interface(`kernel_rw_device_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_dev_t; - class dir r_dir_perms; - class file rw_file_perms; ') allow $1 proc_t:dir search; @@ -778,8 +774,6 @@ interface(`kernel_rw_device_sysctl',` interface(`kernel_read_vm_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_vm_t; - class dir r_dir_perms; - class file r_file_perms; ') allow $1 proc_t:dir search; @@ -798,8 +792,6 @@ interface(`kernel_read_vm_sysctl',` interface(`kernel_rw_vm_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_vm_t; - class dir r_dir_perms; - class file rw_file_perms; ') allow $1 proc_t:dir search; @@ -809,16 +801,31 @@ interface(`kernel_rw_vm_sysctl',` ######################################## ## -## Do not audit attempts by caller to search sysctl network directories. +## Search network sysctl directories. +## +## +## Domain allowed access. +## +# +interface(`kernel_search_network_sysctl',` + gen_require(` + type proc_t, sysctl_t, sysctl_net_t; + ') + + allow $1 { proc_t sysctl_t sysctl_net_t }:dir search; +') + +######################################## +## +## Do not audit attempts by caller to search network sysctl directories. ## ## ## The process type not to audit. ## # -interface(`kernel_dontaudit_search_network_sysctl_dir',` +interface(`kernel_dontaudit_search_network_sysctl',` gen_require(` type sysctl_net_t; - class dir search; ') dontaudit $1 sysctl_net_t:dir search; diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 169fd14..d7611ba 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -220,10 +220,6 @@ ifdef(`TODO',` ifdef(`targeted_policy', ` unconfined_domain(kernel_t) ') -ifdef(`mls_policy', ` -# run init with maximum MLS range -range_transition kernel_t init_exec_t s0 - s9:c0.c127; -') ') dnl end TODO ######################################## diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te index 4f29a66..bbdabb5 100644 --- a/refpolicy/policy/modules/kernel/mls.te +++ b/refpolicy/policy/modules/kernel/mls.te @@ -43,3 +43,32 @@ attribute mlstrustedobject; attribute privrangetrans; attribute mlsrangetrans; + +######################################## +# +# THIS IS A HACK +# +# Only the base module can have range_transitions, so we +# temporarily have to break encapsulation to work around this. +# + +type getty_t; +type login_exec_t; +type init_exec_t; +type initrc_t; +type su_exec_t; +type udev_exec_t; +type unconfined_t; + +ifdef(`enable_mcs', ` +range_transition getty_t login_exec_t s0 - s0:c0.c255; +range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; +range_transition unconfined_t su_exec_t s0 - s0:c0.c255; +range_transition kernel_t udev_exec_t s0 - s0:c0.c255; +range_transition initrc_t udev_exec_t s0 - s0:c0.c255; +') + +ifdef(`enable_mls', ` +# run init with maximum MLS range +range_transition kernel_t init_exec_t s0 - s9:c0.c255; +') diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if index 0a1a072..2d39c8a 100644 --- a/refpolicy/policy/modules/kernel/selinux.if +++ b/refpolicy/policy/modules/kernel/selinux.if @@ -31,7 +31,6 @@ interface(`selinux_get_fs_mount',` interface(`selinux_dontaudit_getattr_dir',` gen_require(` type security_t; - class dir getattr; ') dontaudit $1 security_t:dir getattr; @@ -39,6 +38,22 @@ interface(`selinux_dontaudit_getattr_dir',` ######################################## ## +## Search selinuxfs. +## +## +## Domain allowed access. +## +# +interface(`selinux_search_fs',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir search; +') + +######################################## +## ## Do not audit attempts to search selinuxfs. ## ## @@ -48,7 +63,6 @@ interface(`selinux_dontaudit_getattr_dir',` interface(`selinux_dontaudit_search_fs',` gen_require(` type security_t; - class dir search; ') dontaudit $1 security_t:dir search; @@ -66,8 +80,6 @@ interface(`selinux_dontaudit_search_fs',` interface(`selinux_get_enforce_mode',` gen_require(` type security_t; - class dir { read search getattr }; - class file { getattr read }; ') allow $1 security_t:dir { read search getattr }; @@ -97,9 +109,6 @@ interface(`selinux_set_enforce_mode',` gen_require(` type security_t; attribute can_setenforce; - class dir { read search getattr }; - class file { getattr read write }; - class security setenforce; ') allow $1 security_t:dir { read search getattr }; @@ -121,9 +130,6 @@ interface(`selinux_load_policy',` gen_require(` type security_t; attribute can_load_policy; - class dir { read search getattr }; - class file { getattr read write }; - class security load_policy; ') allow $1 security_t:dir { read search getattr }; @@ -158,9 +164,6 @@ interface(`selinux_load_policy',` interface(`selinux_set_boolean',` gen_require(` type security_t; - class dir { read search getattr }; - class file { getattr read write }; - class security setbool; ') ifelse(`$2',`',` @@ -199,9 +202,6 @@ interface(`selinux_set_parameters',` gen_require(` type security_t; attribute can_setsecparam; - class dir { read search getattr }; - class file { getattr read write }; - class security setsecparam; ') allow $1 security_t:dir { read search getattr }; @@ -222,9 +222,6 @@ interface(`selinux_set_parameters',` interface(`selinux_validate_context',` gen_require(` type security_t; - class dir { read search getattr }; - class file { getattr read write }; - class security check_context; ') allow $1 security_t:dir { read search getattr }; @@ -243,9 +240,6 @@ interface(`selinux_validate_context',` interface(`selinux_compute_access_vector',` gen_require(` type security_t; - class dir { read search getattr }; - class file { getattr read write }; - class security compute_av; ') allow $1 security_t:dir { read search getattr }; @@ -264,9 +258,6 @@ interface(`selinux_compute_access_vector',` interface(`selinux_compute_create_context',` gen_require(` type security_t; - class dir { read search getattr }; - class file { getattr read write }; - class security compute_create; ') allow $1 security_t:dir { read search getattr }; @@ -286,9 +277,6 @@ interface(`selinux_compute_create_context',` interface(`selinux_compute_member',` gen_require(` type security_t; - class dir { read search getattr }; - class file { getattr read write }; - class security compute_member; ') allow $1 security_t:dir { read search getattr }; @@ -316,9 +304,6 @@ interface(`selinux_compute_member',` interface(`selinux_compute_relabel_context',` gen_require(` type security_t; - class dir { read search getattr }; - class file { getattr read write }; - class security compute_relabel; ') allow $1 security_t:dir { read search getattr }; @@ -337,9 +322,6 @@ interface(`selinux_compute_relabel_context',` interface(`selinux_compute_user_contexts',` gen_require(` type security_t; - class dir { read search getattr }; - class file { getattr read write }; - class security compute_user; ') allow $1 security_t:dir { read search getattr }; @@ -359,9 +341,6 @@ interface(`selinux_unconfined',` gen_require(` attribute can_load_policy, can_setenforce, can_setsecparam; type security_t; - class dir { getattr search read }; - class file { getattr read write }; - class security { load_policy setenforce setbool }; ') # Access the security API. diff --git a/refpolicy/policy/modules/kernel/storage.fc b/refpolicy/policy/modules/kernel/storage.fc index cb5177d..287099a 100644 --- a/refpolicy/policy/modules/kernel/storage.fc +++ b/refpolicy/policy/modules/kernel/storage.fc @@ -51,6 +51,7 @@ ifdef(`distro_redhat', ` /dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) /dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) /dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s0) diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te index 894d88d..d461ed8 100644 --- a/refpolicy/policy/modules/kernel/terminal.te +++ b/refpolicy/policy/modules/kernel/terminal.te @@ -29,6 +29,10 @@ files_mountpoint(devpts_t) fs_type(devpts_t) fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); +ifdef(`targeted_policy',` + typeattribute devpts_t ttynode; +') + # # devtty_t is the type of /dev/tty. # diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if index 34ebf10..0543cff 100644 --- a/refpolicy/policy/modules/services/apache.if +++ b/refpolicy/policy/modules/services/apache.if @@ -539,7 +539,7 @@ interface(`apache_list_modules',` # Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr interface(`apache_manage_sys_content',` gen_require(` - type httpd_log_t; + type httpd_sys_content_t; ') files_search_var($1) diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index 0f5b1d6..e0d79b4 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -215,6 +215,14 @@ corenet_tcp_bind_all_nodes(httpd_t) corenet_udp_bind_all_nodes(httpd_t) corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) +# allow httpd to connect to mysql/posgresql +corenet_tcp_connect_postgresql_port(httpd_t) +corenet_tcp_connect_mysqld_port(httpd_t) +# allow httpd to work as a relay +corenet_tcp_connect_gopher_port(httpd_t) +corenet_tcp_connect_ftp_port(httpd_t) +corenet_tcp_connect_http_port(httpd_t) +corenet_tcp_connect_http_cache_port(httpd_t) dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) @@ -226,6 +234,8 @@ fs_search_auto_mountpoints(httpd_t) term_dontaudit_use_console(httpd_t) +auth_use_nsswitch(httpd_t) + # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_sbin(httpd_t) @@ -261,7 +271,6 @@ miscfiles_read_certs(httpd_t) seutil_dontaudit_search_config(httpd_t) -sysnet_dns_name_resolve(httpd_t) sysnet_use_ldap(httpd_t) sysnet_read_config(httpd_t) @@ -363,10 +372,6 @@ optional_policy(`mysql.te',` mysql_rw_db_socket(httpd_t) ') -optional_policy(`nis.te',` - nis_use_ypbind(httpd_t) -') - optional_policy(`nscd.te',` nscd_use_socket(httpd_t) ') diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te index b9f3262..36c6544 100644 --- a/refpolicy/policy/modules/services/apm.te +++ b/refpolicy/policy/modules/services/apm.te @@ -20,6 +20,9 @@ domain_entry_file(apm_t,apm_exec_t) type apmd_log_t; logging_log_file(apmd_log_t) +type apmd_tmp_t; +files_tmp_file(apmd_tmp_t) + type apmd_var_run_t; files_pid_file(apmd_var_run_t) @@ -72,6 +75,10 @@ allow apmd_t self:unix_stream_socket create_stream_socket_perms; allow apmd_t apmd_log_t:file create_file_perms; logging_create_log(apmd_t,apmd_log_t) +allow apmd_t apmd_tmp_t:dir create_dir_perms; +allow apmd_t apmd_tmp_t:file create_file_perms; +files_create_tmp_files(apmd_t, apmd_tmp_t, { file dir }) + allow apmd_t apmd_var_run_t:dir rw_dir_perms; allow apmd_t apmd_var_run_t:file create_file_perms; allow apmd_t apmd_var_run_t:sock_file create_file_perms; @@ -96,6 +103,8 @@ fs_dontaudit_getattr_all_symlinks(apmd_t); # Excessive? fs_dontaudit_getattr_all_pipes(apmd_t); # Excessive? fs_dontaudit_getattr_all_sockets(apmd_t); # Excessive? +selinux_search_fs(apmd_t) + term_dontaudit_use_console(apmd_t) corecmd_exec_bin(apmd_t) @@ -144,6 +153,7 @@ ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(apmd_t) term_dontaudit_use_generic_pty(apmd_t) files_dontaudit_read_root_file(apmd_t) + unconfined_domain_template(apmd_t) ') ifdef(`distro_redhat',` @@ -165,10 +175,10 @@ ifdef(`distro_redhat',` netutils_domtrans(apmd_t) ') - ',` +',` # for ifconfig which is run all the time - kernel_dontaudit_search_sysctl_dir(apmd_t) + kernel_dontaudit_search_sysctl(apmd_t) ') ifdef(`distro_suse',` @@ -182,6 +192,10 @@ optional_policy(`clock.te',` clock_rw_adjtime(apmd_t) ') +optional_policy(`logrotate.te',` + logrotate_use_fd(apmd_t) +') + optional_policy(`mta.te',` mta_send_mail(apmd_t) ') @@ -212,6 +226,8 @@ optional_policy(`cron.te',` allow apmd_t crond_t:fifo_file { getattr read write ioctl }; ') +r_dir_file(apmd_t, hwdata_t) + optional_policy(`rhgb.te',` rhgb_domain(apmd_t) ') diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te index e8ecba6..5d0821d 100644 --- a/refpolicy/policy/modules/services/dbus.te +++ b/refpolicy/policy/modules/services/dbus.te @@ -35,8 +35,9 @@ dontaudit system_dbusd_t self:capability sys_tty_config; allow system_dbusd_t self:process getattr; allow system_dbusd_t self:fifo_file { read write }; allow system_dbusd_t self:dbus { send_msg acquire_svc }; -allow system_dbusd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; allow system_dbusd_t self:unix_dgram_socket create_socket_perms; +allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; # Receive notifications of policy reloads and enforcing status changes. allow system_dbusd_t self:netlink_selinux_socket { create bind read }; @@ -71,6 +72,9 @@ selinux_compute_user_contexts(system_dbusd_t) term_dontaudit_use_console(system_dbusd_t) +auth_use_nsswitch(system_dbusd_t) +auth_read_pam_console_data(system_dbusd_t) + corecmd_list_bin(system_dbusd_t) corecmd_read_bin_symlink(system_dbusd_t) corecmd_read_bin_file(system_dbusd_t) @@ -120,14 +124,6 @@ tunable_policy(`read_default_t',` files_read_default_pipes(system_dbusd_t) ') -optional_policy(`authlogin.te',` - auth_read_pam_console_data(system_dbusd_t) -') - -optional_policy(`nis.te',` - nis_use_ypbind(system_dbusd_t) -') - optional_policy(`nscd.te',` nscd_use_socket(system_dbusd_t) ') diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te index 62a990f..6673f76 100644 --- a/refpolicy/policy/modules/services/dhcp.te +++ b/refpolicy/policy/modules/services/dhcp.te @@ -61,6 +61,7 @@ corenet_tcp_sendrecv_all_ports(dhcpd_t) corenet_udp_sendrecv_all_ports(dhcpd_t) corenet_tcp_bind_all_nodes(dhcpd_t) corenet_udp_bind_all_nodes(dhcpd_t) +corenet_tcp_bind_dhcpd_port(dhcpd_t) corenet_udp_bind_dhcpd_port(dhcpd_t) corenet_udp_bind_pxe_port(dhcpd_t) corenet_tcp_connect_all_ports(dhcpd_t) diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index e54b4ce..32eda81 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te @@ -157,10 +157,10 @@ tunable_policy(`use_samba_home_dirs && ftp_home_dir',` fs_read_cifs_symlinks(ftpd_t) ') -optional_policy(`crond.te', ` +optional_policy(`cron.te',` corecmd_exec_shell(ftpd_t) - files_read_usr_file(ftpd_t) + files_read_usr_files(ftpd_t) cron_system_entry(ftpd_t, ftpd_exec_t) @@ -170,14 +170,16 @@ optional_policy(`crond.te', ` ') optional_policy(`inetd.te',` - if (!ftpd_is_daemon) { + tunable_policy(`! ftpd_is_daemon',` #reh: typeattributes not allowed in conditionals yet. #inetd_tcp_service_domain(ftpd_t,ftpd_exec_t) + ') - optional_policy(`tcpd.te',` + optional_policy(`tcpd.te',` + tunable_policy(`! ftpd_is_daemon',` tcpd_domtrans(tcpd_t) ') - } + ') ') optional_policy(`mount.te',` diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index b9f1934..0eff9fd 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -101,6 +101,7 @@ libs_exec_lib_files(hald_t) logging_send_syslog_msg(hald_t) miscfiles_read_localization(hald_t) +miscfiles_read_hwdata(hald_t) seutil_read_config(hald_t) seutil_read_default_contexts(hald_t) diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 2d7e33c..eb91503 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -343,7 +343,7 @@ interface(`mta_rw_aliases',` # interface(`mta_dontaudit_rw_delivery_tcp_socket',` gen_require(` - attribute mailserver_domain; + attribute mailserver_delivery; ') dontaudit $1 mailserver_delivery:tcp_socket { read write }; diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te index 0d8f7d3..49f0f9e 100644 --- a/refpolicy/policy/modules/services/mysql.te +++ b/refpolicy/policy/modules/services/mysql.te @@ -68,6 +68,7 @@ corenet_raw_sendrecv_all_nodes(mysqld_t) corenet_tcp_sendrecv_all_ports(mysqld_t) corenet_tcp_bind_all_nodes(mysqld_t) corenet_tcp_bind_mysqld_port(mysqld_t) +corenet_tcp_connect_mysqld_port(mysqld_t) dev_read_sysfs(mysqld_t) diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index 1c1d9e5..7928f96 100644 --- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te @@ -182,6 +182,8 @@ fs_search_auto_mountpoints(ypserv_t) term_dontaudit_use_console(ypserv_t) +corecmd_exec_bin(ypserv_t) + domain_use_wide_inherit_fd(ypserv_t) init_use_fd(ypserv_t) diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te index 0e5f6f7..c1c2fa0 100644 --- a/refpolicy/policy/modules/services/nscd.te +++ b/refpolicy/policy/modules/services/nscd.te @@ -34,6 +34,7 @@ allow nscd_t self:unix_stream_socket create_stream_socket_perms; allow nscd_t self:unix_dgram_socket create_socket_perms; allow nscd_t self:netlink_selinux_socket create_socket_perms; allow nscd_t self:netlink_route_socket r_netlink_socket_perms; +allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow nscd_t self:tcp_socket create_socket_perms; allow nscd_t self:udp_socket create_socket_perms; diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te index 3c1bdba..e768390 100644 --- a/refpolicy/policy/modules/services/ntp.te +++ b/refpolicy/policy/modules/services/ntp.te @@ -30,10 +30,11 @@ init_system_domain(ntpd_t,ntpdate_exec_t) # Local policy # -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot }; +# sys_resource and setrlimit is for locking memory # ntpdate wants sys_nice +allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource }; dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; -allow ntpd_t self:process { signal_perms setcap setsched }; +allow ntpd_t self:process { signal_perms setcap setsched setrlimit }; allow ntpd_t self:fifo_file { read write getattr }; allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; @@ -120,8 +121,7 @@ ifdef(`targeted_policy', ` optional_policy(`cron.te',` # for cron jobs - # system_crond_t is not right, cron is not doing what it should - cron_system_entry(ntpd_t,ntpd_exec_t) + cron_system_entry(ntpd_t,ntpdate_exec_t) ') optional_policy(`firstboot.te',` diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te index 1ad01fb..aa54016 100644 --- a/refpolicy/policy/modules/services/rsync.te +++ b/refpolicy/policy/modules/services/rsync.te @@ -26,6 +26,7 @@ files_pid_file(rsync_var_run_t) # Local policy # +allow rsync_t self:capability sys_chroot; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_file_perms; allow rsync_t self:tcp_socket { listen accept connected_socket_perms }; diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te index 5ea5745..ae2ede6 100644 --- a/refpolicy/policy/modules/services/samba.te +++ b/refpolicy/policy/modules/services/samba.te @@ -225,10 +225,12 @@ dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) fs_getattr_all_fs(smbd_t) +fs_get_xattr_fs_quotas(smbd_t) fs_search_auto_mountpoints(smbd_t) term_dontaudit_use_console(smbd_t) +auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) domain_use_wide_inherit_fd(smbd_t) @@ -238,6 +240,8 @@ files_read_etc_files(smbd_t) files_read_etc_runtime_files(smbd_t) files_read_usr_files(smbd_t) files_search_spool(smbd_t) +# Allow samba to list mnt_t for potential mounted dirs +files_list_mnt(smbd_t) init_use_fd(smbd_t) init_use_script_pty(smbd_t) @@ -268,17 +272,6 @@ optional_policy(`kerberos.te',` kerberos_use(smbd_t) ') -optional_policy(`ldap.te',` - allow smbd_t self:tcp_socket create_socket_perms; - corenet_tcp_sendrecv_all_if(smbd_t) - corenet_raw_sendrecv_all_if(smbd_t) - corenet_tcp_sendrecv_all_nodes(smbd_t) - corenet_raw_sendrecv_all_nodes(smbd_t) - corenet_tcp_sendrecv_ldap_port(smbd_t) - corenet_tcp_bind_all_nodes(smbd_t) - sysnet_read_config(smbd_t) -') - optional_policy(`nis.te',` nis_use_ypbind(smbd_t) ') @@ -300,7 +293,10 @@ optional_policy(`rhgb.te',` rhgb_domain(smbd_t) ') anonymous_domain(smbd) -can_winbind(smbd_t) +ifdef(`hide_broken_symptoms', ` +dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr; +dontaudit smbd_t devpts_t:dir getattr; +') ') ######################################## @@ -626,6 +622,8 @@ allow winbind_helper_t samba_etc_t:dir r_dir_perms; allow winbind_helper_t samba_etc_t:lnk_file { getattr read }; allow winbind_helper_t samba_etc_t:file r_file_perms; +allow winbind_helper_t samba_var_t:dir search; + allow winbind_helper_t winbind_var_run_t:dir r_dir_perms; allow winbind_helper_t winbind_var_run_t:sock_file { getattr read write }; allow winbind_helper_t winbind_t:unix_stream_socket connectto; @@ -644,3 +642,7 @@ miscfiles_read_localization(winbind_helper_t) optional_policy(`nscd.te',` nscd_use_socket(winbind_helper_t) ') + +ifdef(`TODO',` +allow winbind_helper_t squid_log_t:file ra_file_perms; +') diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te index 7892b20..10adf7d 100644 --- a/refpolicy/policy/modules/services/snmp.te +++ b/refpolicy/policy/modules/services/snmp.te @@ -26,11 +26,10 @@ files_type(snmpd_var_lib_t) # Local policy # allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config }; -allow snmpd_t self:file { getattr read }; allow snmpd_t self:fifo_file rw_file_perms; -allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; -allow snmpd_t self:unix_stream_socket create_socket_perms; +allow snmpd_t self:unix_stream_socket create_stream_socket_perms; +allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t snmpd_etc_t:file { getattr read }; @@ -38,9 +37,10 @@ allow snmpd_t snmpd_log_t:file create_file_perms; logging_create_log(snmpd_t,snmpd_log_t) allow snmpd_t snmpd_var_lib_t:file create_file_perms; +allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms; allow snmpd_t snmpd_var_lib_t:dir create_dir_perms; files_create_usr(snmpd_t,snmpd_var_lib_t) -files_create_var(snmpd_t,snmpd_var_lib_t,{ file dir }) +files_create_var(snmpd_t,snmpd_var_lib_t,{ file dir sock_file }) files_create_var_lib(snmpd_t,snmpd_var_lib_t) allow snmpd_t snmpd_var_run_t:file create_file_perms; @@ -80,6 +80,7 @@ corecmd_exec_sbin(snmpd_t) corecmd_exec_shell(snmpd_t) domain_use_wide_inherit_fd(snmpd_t) +domain_signull_all_domains(snmpd_t) domain_read_all_domains_state(snmpd_t) files_read_etc_files(snmpd_t) diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te index 5e8fcb9..a18741a 100644 --- a/refpolicy/policy/modules/services/squid.te +++ b/refpolicy/policy/modules/services/squid.te @@ -78,6 +78,10 @@ corenet_tcp_bind_all_nodes(squid_t) corenet_udp_bind_all_nodes(squid_t) corenet_tcp_bind_http_cache_port(squid_t) corenet_udp_bind_http_cache_port(squid_t) +corenet_tcp_bind_ftp_port(squid_t) +corenet_udp_bind_ftp_port(squid_t) +corenet_tcp_bind_gopher_port(squid_t) +corenet_udp_bind_gopher_port(squid_t) corenet_tcp_connect_ftp_port(squid_t) corenet_tcp_connect_gopher_port(squid_t) corenet_tcp_connect_http_port(squid_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 59469f2..a574392 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -827,6 +827,28 @@ interface(`auth_manage_login_records',` ######################################## ## +## Use nsswitch to look up uid-username mappings. +## +## +## Domain allowed access. +## +# +interface(`auth_use_nsswitch',` + + sysnet_dns_name_resolve($1) + sysnet_use_ldap($1) + + optional_policy(`nis.te',` + nis_use_ypbind($1) + ') + + ifdef(`TODO',` + can_winbind($1) + ') +') + +######################################## +## ## Unconfined access to the authlogin module. ## ## diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 88401cf..63225ee 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -19,7 +19,11 @@ logging_log_file(faillog_t) type lastlog_t; logging_log_file(lastlog_t) -type login_exec_t; +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type login_exec_t; +') files_type(login_exec_t) type pam_console_t; @@ -141,7 +145,8 @@ allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; # for /var/run/console.lock checking allow pam_console_t pam_var_console_t:dir r_dir_perms;; allow pam_console_t pam_var_console_t:file r_file_perms; -allow pam_console_t pam_var_console_t:lnk_file r_file_perms; +dontaudit pam_console_t pam_var_console_t:file write; +allow pam_console_t pam_var_console_t:lnk_file { getattr read }; kernel_read_kernel_sysctl(pam_console_t) kernel_use_fd(pam_console_t) @@ -182,6 +187,8 @@ term_setattr_console(pam_console_t) term_getattr_unallocated_ttys(pam_console_t) term_setattr_unallocated_ttys(pam_console_t) +auth_use_nsswitch(pam_console_t) + domain_use_wide_inherit_fd(pam_console_t) files_read_etc_files(pam_console_t) @@ -305,6 +312,8 @@ allow utempter_t self:unix_stream_socket create_stream_socket_perms; allow utempter_t wtmp_t:file rw_file_perms; +dev_read_urand(utempter_t) + term_getattr_all_user_ttys(utempter_t) term_getattr_all_user_ptys(utempter_t) term_dontaudit_use_all_user_ttys(utempter_t) diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index 0533433..3ac2b20 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -50,7 +50,7 @@ domain_use_wide_inherit_fd(hwclock_t) init_use_fd(hwclock_t) init_use_script_pty(hwclock_t) -files_list_etc(hwclock_t) +files_read_etc_files(hwclock_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dir(hwclock_t) diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index c403848..00586cd 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te @@ -6,7 +6,11 @@ policy_module(getty,1.0) # Declarations # -type getty_t; +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type getty_t; +') type getty_exec_t; init_domain(getty_t,getty_exec_t) domain_wide_inherit_fd(getty_t) diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index b9e3310..6e268c6 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -111,6 +111,7 @@ libs_read_lib(hotplug_t) modutils_domtrans_insmod(hotplug_t) modutils_read_mods_deps(hotplug_t) +miscfiles_read_hwdata(hotplug_t) miscfiles_read_localization(hotplug_t) seutil_dontaudit_search_config(hotplug_t) @@ -163,6 +164,10 @@ optional_policy(`nis.te',` nis_use_ypbind(hotplug_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(hotplug_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(hotplug_t) ') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 8513036..9b5f8e4 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -22,7 +22,11 @@ role system_r types init_t; # # init_exec_t is the type of the init program. # -type init_exec_t; +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type init_exec_t; +') kernel_userland_entry(init_t,init_exec_t) domain_entry_file(init_t,init_exec_t) @@ -41,7 +45,11 @@ type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) -type initrc_t; +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type initrc_t; +') domain_type(initrc_t) role system_r types initrc_t; @@ -192,7 +200,7 @@ allow initrc_t self:netlink_route_socket r_netlink_socket_perms; allow initrc_t init_t:fd use; -allow initrc_t initrc_exec_t:file { getattr read ioctl execute execute_no_trans }; +can_exec(initrc_t,initrc_exec_t) allow initrc_t initrc_state_t:dir create_dir_perms; allow initrc_t initrc_state_t:file create_file_perms; @@ -201,6 +209,7 @@ allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rena allow initrc_t initrc_var_run_t:file create_file_perms; files_create_pid(initrc_t,initrc_var_run_t) +can_exec(initrc_t,initrc_tmp_t) allow initrc_t initrc_tmp_t:file create_file_perms; allow initrc_t initrc_tmp_t:dir create_dir_perms; files_create_tmp_files(initrc_t,initrc_tmp_t, { file dir }) @@ -329,6 +338,8 @@ logging_append_all_logs(initrc_t) logging_read_auditd_config(initrc_t) miscfiles_read_localization(initrc_t) +# slapd needs to read cert files from its initscript +miscfiles_read_certs(initrc_t) mls_file_read_up(initrc_t) mls_file_write_down(initrc_t) @@ -610,6 +621,16 @@ ifdef(`distro_redhat', ` allow initrc_t self:capability sys_admin; allow initrc_t device_t:dir create; + # wants to delete /poweroff and other files + allow initrc_t root_t:file unlink; + # wants to read /.fonts directory + allow initrc_t default_t:file { getattr read }; + ifdef(`xserver.te', ` + # wants to cleanup xserver log dir + allow initrc_t xserver_log_t:dir rw_dir_perms; + allow initrc_t xserver_log_t:file unlink; + ') + optional_policy(`rpm.te',` rpm_stub() #read ahead wants to read this diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te index a954963..be5328a 100644 --- a/refpolicy/policy/modules/system/ipsec.te +++ b/refpolicy/policy/modules/system/ipsec.te @@ -89,6 +89,7 @@ corenet_raw_sendrecv_all_nodes(ipsec_t) corenet_tcp_sendrecv_all_ports(ipsec_t) corenet_tcp_bind_all_nodes(ipsec_t) corenet_udp_bind_reserved_port(ipsec_t) +corenet_udp_bind_isakmp_port(ipsec_t) dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index d23c918..36fd3bd 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -123,16 +123,19 @@ fs_search_auto_mountpoints(auditd_t) term_dontaudit_use_console(auditd_t) -init_use_fd(auditd_t) -init_exec(auditd_t) -init_write_initctl(auditd_t) -init_use_script_pty(auditd_t) +# cjp: why? +corecmd_exec_sbin(auditd_t) domain_use_wide_inherit_fd(auditd_t) files_read_etc_files(auditd_t) files_list_usr(auditd_t) +init_use_fd(auditd_t) +init_exec(auditd_t) +init_write_initctl(auditd_t) +init_use_script_pty(auditd_t) + logging_send_syslog_msg(auditd_t) libs_use_ld_so(auditd_t) @@ -292,6 +295,7 @@ init_use_script_pty(syslogd_t) domain_use_wide_inherit_fd(syslogd_t) files_read_etc_files(syslogd_t) +files_read_etc_runtime_files(syslogd_t) # /initrd is not umounted before minilog starts files_dontaudit_search_isid_type_dir(syslogd_t) @@ -325,6 +329,10 @@ optional_policy(`nis.te',` nis_use_ypbind(syslogd_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(syslogd_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(syslogd_t) ') diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc index 3443014..5327fda 100644 --- a/refpolicy/policy/modules/system/miscfiles.fc +++ b/refpolicy/policy/modules/system/miscfiles.fc @@ -12,8 +12,8 @@ # # /srv # -/srv/([^/]*/)?ftp(/.*)? gen_context(system_u:object_r:ftpd_anon_t,s0) -/srv/([^/]*/)?rsync(/.*)? gen_context(system_u:object_r:ftpd_anon_t,s0) +/srv/([^/]*/)?ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0) +/srv/([^/]*/)?rsync(/.*)? gen_context(system_u:object_r:public_content_t,s0) # # /usr @@ -44,7 +44,7 @@ # # /var # -/var/ftp(/.*)? gen_context(system_u:object_r:ftpd_anon_t,s0) +/var/ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0) ifdef(`distro_debian', ` /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index 44bac28..39c5c5b 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if @@ -5,7 +5,7 @@ ## Read system SSL certificates. ## ## -## Type type of the process performing this action. +## Domain allowed access. ## # interface(`miscfiles_read_certs',` @@ -23,7 +23,7 @@ interface(`miscfiles_read_certs',` ## Read fonts. ## ## -## Type type of the process performing this action. +## Domain allowed access. ## # interface(`miscfiles_read_fonts',` @@ -41,40 +41,20 @@ interface(`miscfiles_read_fonts',` ######################################## ## -## Read public files used for file -## transfer services. +## Read hardware identification data. ## ## ## Domain allowed access. ## # -interface(`miscfiles_read_public_files',` +interface(`miscfiles_read_hwdata',` gen_require(` - type ftpd_anon_t; + type hwdata_t; ') - allow $1 ftpd_anon_t:dir r_dir_perms; - allow $1 ftpd_anon_t:file r_file_perms; - allow $1 ftpd_anon_t:lnk_file { getattr read }; -') - -######################################## -## -## Create, read, write, and delete public files -## and directories used for file transfer services. -## -## -## Domain allowed access. -## -# -interface(`miscfiles_manage_public_files',` - gen_require(` - type ftpd_anon_rw_t; - ') - - allow $1 ftpd_anon_rw_t:dir create_dir_perms; - allow $1 ftpd_anon_rw_t:file create_file_perms; - allow $1 ftpd_anon_rw_t:lnk_file create_lnk_perms; + allow $1 hwdata_t:dir r_dir_perms; + allow $1 hwdata_t:file r_file_perms; + allow $1 hwdata_t:file { getattr read }; ') ######################################## @@ -82,7 +62,7 @@ interface(`miscfiles_manage_public_files',` ## Allow process to read localization info ## ## -## Type type of the process performing this action. +## Domain allowed access. ## # interface(`miscfiles_read_localization',` @@ -106,7 +86,7 @@ interface(`miscfiles_read_localization',` ## Allow process to read legacy time localization info ## ## -## Type type of the process performing this action. +## Domain allowed access. ## # interface(`miscfiles_legacy_read_localization',` @@ -178,10 +158,48 @@ interface(`miscfiles_manage_man_pages',` ######################################## ## +## Read public files used for file +## transfer services. +## +## +## Domain allowed access. +## +# +interface(`miscfiles_read_public_files',` + gen_require(` + type public_content_t; + ') + + allow $1 public_content_t:dir r_dir_perms; + allow $1 public_content_t:file r_file_perms; + allow $1 public_content_t:lnk_file { getattr read }; +') + +######################################## +## +## Create, read, write, and delete public files +## and directories used for file transfer services. +## +## +## Domain allowed access. +## +# +interface(`miscfiles_manage_public_files',` + gen_require(` + type public_content_rw_t; + ') + + allow $1 public_content_rw_t:dir create_dir_perms; + allow $1 public_content_rw_t:file create_file_perms; + allow $1 public_content_rw_t:lnk_file create_lnk_perms; +') + +######################################## +## ## Read TeX data ## ## -## Type type of the process performing this action. +## Domain allowed access. ## # interface(`miscfiles_read_tetex_data',` @@ -203,7 +221,7 @@ interface(`miscfiles_read_tetex_data',` ## Execute TeX data programs in the caller domain. ## ## -## Type type of the process performing this action. +## Domain allowed access. ## # interface(`miscfiles_exec_tetex_data',` diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te index 535e1af..ba7d43e 100644 --- a/refpolicy/policy/modules/system/miscfiles.te +++ b/refpolicy/policy/modules/system/miscfiles.te @@ -20,13 +20,10 @@ type fonts_t; files_type(fonts_t) # -# Type for anonymous FTP data, used by ftp and rsync +# type for /usr/share/hwdata # -type ftpd_anon_t; #, customizable; -files_type(ftpd_anon_t) - -type ftpd_anon_rw_t; #, customizable; -files_type(ftpd_anon_rw_t) +type hwdata_t; +files_type(hwdata_t) # # type for /tmp/.ICE-unix @@ -47,6 +44,15 @@ type man_t alias catman_t; files_type(man_t) # +# Types for public content +# +type public_content_t; #, customizable; +files_type(public_content_t) + +type public_content_rw_t; #, customizable; +files_type(public_content_rw_t) + +# # Base type for the tests directory. # type test_file_t; diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index ced726e..98e6397 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -19,7 +19,7 @@ files_tmp_file(mount_tmp_t) # mount local policy # -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown }; +allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config }; allow mount_t mount_tmp_t:file create_file_perms; allow mount_t mount_tmp_t:dir create_dir_perms; diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index d690a99..4afa29b 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -168,7 +168,8 @@ init_use_script_pty(load_policy_t) domain_use_wide_inherit_fd(load_policy_t) -files_search_etc(load_policy_t) +# for mcs.conf +files_read_etc_files(load_policy_t) libs_use_ld_so(load_policy_t) libs_use_shared_libs(load_policy_t) @@ -287,6 +288,11 @@ dev_rw_generic_file(restorecon_t) fs_getattr_xattr_fs(restorecon_t) +mls_file_read_up(restorecon_t) +mls_file_write_down(restorecon_t) +mls_file_upgrade(restorecon_t) +mls_file_downgrade(restorecon_t) + selinux_get_fs_mount(restorecon_t) selinux_validate_context(restorecon_t) selinux_compute_access_vector(restorecon_t) @@ -311,11 +317,6 @@ libs_use_shared_libs(restorecon_t) logging_send_syslog_msg(restorecon_t) -mls_file_read_up(restorecon_t) -mls_file_write_down(restorecon_t) -mls_file_upgrade(restorecon_t) -mls_file_downgrade(restorecon_t) - userdom_use_all_user_fd(restorecon_t) # relabeling rules @@ -430,6 +431,11 @@ kernel_list_unlabeled(setfiles_t) fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) +mls_file_read_up(setfiles_t) +mls_file_write_down(setfiles_t) +mls_file_upgrade(setfiles_t) +mls_file_downgrade(setfiles_t) + selinux_get_fs_mount(setfiles_t) selinux_validate_context(setfiles_t) selinux_compute_access_vector(setfiles_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index 5e3a4c8..656a0aa 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -395,13 +395,19 @@ interface(`sysnet_dns_name_resolve',` type net_conf_t; ') + allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; + corenet_tcp_sendrecv_all_if($1) corenet_udp_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) + corenet_tcp_sendrecv_all_nodes($1) corenet_udp_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) + corenet_tcp_sendrecv_all_ports($1) corenet_udp_sendrecv_dns_port($1) + corenet_tcp_bind_all_nodes($1) corenet_udp_bind_all_nodes($1) + corenet_tcp_connect_dns_port($1) files_search_etc($1) allow $1 net_conf_t:file r_file_perms; diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 75715b6..9cac143 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -57,6 +57,7 @@ allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms; allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans }; allow dhcpc_t dhcp_state_t:dir rw_dir_perms; +allow dhcpc_t dhcp_state_t:file { getattr read }; allow dhcpc_t dhcpc_state_t:file create_file_perms; type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t; @@ -268,8 +269,7 @@ files_read_etc_files(ifconfig_t); kernel_use_fd(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -kernel_dontaudit_search_sysctl_dir(ifconfig_t) -kernel_dontaudit_search_network_sysctl_dir(ifconfig_t) +kernel_search_network_sysctl(ifconfig_t) corenet_use_tun_tap_device(ifconfig_t) diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 4247dd3..c021f91 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -6,8 +6,13 @@ policy_module(udev,1.0) # Declarations # +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type udev_exec_t; +') + type udev_t; -type udev_exec_t; type udev_helper_exec_t; kernel_userland_entry(udev_t,udev_exec_t) domain_obj_id_change_exempt(udev_t) @@ -34,19 +39,19 @@ files_pid_file(udev_var_run_t) # Local policy # -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_nice }; allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_file_perms; -allow udev_t self:unix_stream_socket { listen accept }; -allow udev_t self:unix_dgram_socket sendto; -allow udev_t self:unix_stream_socket connectto; -allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt }; allow udev_t self:shm create_shm_perms; allow udev_t self:sem create_sem_perms; allow udev_t self:msgq create_msgq_perms; allow udev_t self:msg { send receive }; +allow udev_t self:unix_stream_socket { listen accept }; +allow udev_t self:unix_dgram_socket sendto; +allow udev_t self:unix_stream_socket connectto; +allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; allow udev_t udev_exec_t:file write; @@ -89,6 +94,8 @@ selinux_compute_create_context(udev_t) selinux_compute_relabel_context(udev_t) selinux_compute_user_contexts(udev_t) +auth_use_nsswitch(udev_t) + corecmd_exec_bin(udev_t) corecmd_exec_sbin(udev_t) corecmd_exec_shell(udev_t) diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 7def5d0..3f6f48e 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -6,7 +6,11 @@ policy_module(unconfined,1.0) # Declarations # -type unconfined_t; +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type unconfined_t; +') type unconfined_exec_t; init_system_domain(unconfined_t,unconfined_exec_t) role system_r types unconfined_t; @@ -34,5 +38,12 @@ ifdef(`targeted_policy',` ifdef(`TODO',` ifdef(`samba.te', `samba_domain(user)') + + ifdef(`use_mcs',` + domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t) + can_exec(sysadm_su_t, bin_t) + rw_dir_create_file(sysadm_su_t, home_dir_type) + ') + ') dnl end TODO ') diff --git a/strict/attrib.te b/strict/attrib.te index b5e4d8b..459e7cc 100644 --- a/strict/attrib.te +++ b/strict/attrib.te @@ -443,6 +443,9 @@ attribute serial_device; # Attribute to designate unrestricted access attribute unrestricted; +# Attribute to designate can transition to unconfined_t +attribute unconfinedtrans; + # For clients of nscd. attribute nscd_client_domain; diff --git a/strict/domains/misc/kernel.te b/strict/domains/misc/kernel.te index b2df503..c0d017c 100644 --- a/strict/domains/misc/kernel.te +++ b/strict/domains/misc/kernel.te @@ -30,7 +30,7 @@ domain_auto_trans(kernel_t, init_exec_t, init_t) ifdef(`mls_policy', ` # run init with maximum MLS range -range_transition kernel_t init_exec_t s0 - s9:c0.c127; +range_transition kernel_t init_exec_t s0 - s9:c0.c255; ') # Share state with the init process. diff --git a/strict/domains/program/anaconda.te b/strict/domains/program/anaconda.te index 3e7ef0a..175947d 100644 --- a/strict/domains/program/anaconda.te +++ b/strict/domains/program/anaconda.te @@ -17,11 +17,6 @@ unconfined_domain(anaconda_t) role system_r types ldconfig_t; domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t) -ifdef(`su.te', ` -role system_r types sysadm_su_t; -domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t) -') - # Run other rc scripts in the anaconda_t domain. domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t) diff --git a/strict/domains/program/apache.te b/strict/domains/program/apache.te index fb1fc1e..116069b 100644 --- a/strict/domains/program/apache.te +++ b/strict/domains/program/apache.te @@ -113,9 +113,12 @@ allow httpd_t bin_t:lnk_file read; can_network_server(httpd_t) can_kerberos(httpd_t) can_resolve(httpd_t) -can_ypbind(httpd_t) -can_ldap(httpd_t) +nsswitch_domain(httpd_t) allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind; +# allow httpd to connect to mysql/posgresql +allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect; +# allow httpd to work as a relay +allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect; if (httpd_can_network_connect) { can_network_client(httpd_t) @@ -222,7 +225,7 @@ tmp_domain(httpd_php) # Creation of lock files for apache2 lock_domain(httpd) -# Allow apache to used ftpd_anon_t +# Allow apache to used public_content_t anonymous_domain(httpd) # connect to mysql @@ -305,9 +308,9 @@ allow httpd_helper_t httpd_log_t:file { append }; if (httpd_tty_comm) { allow { httpd_t httpd_helper_t } devpts_t:dir search; ifdef(`targeted_policy', ` -allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write }; +allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms; ') -allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write }; +allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms; } else { dontaudit httpd_t admin_tty_type:chr_file rw_file_perms; } @@ -367,13 +370,13 @@ allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl }; allow httpd_suexec_t autofs_t:dir { search getattr }; tmp_domain(httpd_suexec) -if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { +if (httpd_enable_cgi && httpd_unified) { domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t) ') } -if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { +if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) { domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t) create_dir_file(httpd_t, httpdcontent) } diff --git a/strict/domains/program/apmd.te b/strict/domains/program/apmd.te index 6ce5958..8394e24 100644 --- a/strict/domains/program/apmd.te +++ b/strict/domains/program/apmd.te @@ -47,6 +47,7 @@ file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file) # acpid also has a logfile log_domain(apmd) +tmp_domain(apmd) ifdef(`distro_suse', ` var_lib_domain(apmd) @@ -140,3 +141,15 @@ dontaudit apmd_t selinux_config_t:dir search; allow apmd_t user_tty_type:chr_file rw_file_perms; # Access /dev/apm_bios. allow initrc_t apm_bios_t:chr_file { setattr getattr read }; + +ifdef(`logrotate.te', ` +allow apmd_t logrotate_t:fd use; +')dnl end if logrotate.te +allow apmd_t devpts_t:dir { getattr search }; +allow apmd_t security_t:dir search; +allow apmd_t usr_t:dir search; +r_dir_file(apmd_t, hwdata_t) +ifdef(`targeted_policy', ` +unconfined_domain(apmd_t) +') + diff --git a/strict/domains/program/auditd.te b/strict/domains/program/auditd.te index 84adf36..3dd15a7 100644 --- a/strict/domains/program/auditd.te +++ b/strict/domains/program/auditd.te @@ -65,3 +65,5 @@ allow auditctl_t initrc_devpts_t:chr_file { read write }; allow auditctl_t privfd:fd use; +allow auditd_t sbin_t:dir search; +can_exec(auditd_t, sbin_t) diff --git a/strict/domains/program/automount.te b/strict/domains/program/automount.te index d86e11d..d1bb20e 100644 --- a/strict/domains/program/automount.te +++ b/strict/domains/program/automount.te @@ -34,7 +34,9 @@ allow automount_t self:unix_dgram_socket create_socket_perms; can_exec(automount_t, { etc_t automount_etc_t }) can_network_server(automount_t) +can_resolve(automount_t) can_ypbind(automount_t) +can_ldap(automount_t) ifdef(`fsadm.te', ` domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t) @@ -56,6 +58,7 @@ can_exec(automount_t, bin_t)') allow automount_t { bin_t sbin_t }:dir search; can_exec(automount_t, mount_exec_t) +can_exec(automount_t, shell_exec_t) allow mount_t autofs_t:dir getattr; dontaudit automount_t var_t:dir write; @@ -73,3 +76,4 @@ file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir) allow automount_t var_lib_t:dir search; allow automount_t var_lib_nfs_t:dir search; + diff --git a/strict/domains/program/bootloader.te b/strict/domains/program/bootloader.te index 5046cd0..37e1c19 100644 --- a/strict/domains/program/bootloader.te +++ b/strict/domains/program/bootloader.te @@ -24,7 +24,9 @@ allow bootloader_t var_log_t:file write; # for nscd dontaudit bootloader_t var_run_t:dir search; +ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t) +') allow bootloader_t { initrc_t privfd }:fd use; tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file }) diff --git a/strict/domains/program/cardmgr.te b/strict/domains/program/cardmgr.te index 16a6f1f..8f78988 100644 --- a/strict/domains/program/cardmgr.te +++ b/strict/domains/program/cardmgr.te @@ -15,7 +15,9 @@ daemon_domain(cardmgr, `, privmodule') allow cardmgr_t urandom_device_t:chr_file read; type cardctl_exec_t, file_type, sysadmfile, exec_type; +ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t) +') role sysadm_r types cardmgr_t; allow cardmgr_t admin_tty_type:chr_file { read write }; @@ -85,3 +87,4 @@ ifdef(`hald.te', ` rw_dir_file(hald_t, cardmgr_var_run_t) allow hald_t cardmgr_var_run_t:chr_file create_file_perms; ') +allow cardmgr_t device_t:lnk_file { getattr read }; diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te index 536824f..ceb0a45 100644 --- a/strict/domains/program/crond.te +++ b/strict/domains/program/crond.te @@ -106,7 +106,7 @@ allow system_crond_t init_t:fd use; # Inherit and use descriptors from initrc for anacron. allow system_crond_t initrc_t:fd use; -allow system_crond_t initrc_devpts_t:chr_file { read write }; +can_access_pty(system_crond_t, initrc) # Use capabilities. allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid }; @@ -205,7 +205,7 @@ dontaudit system_crond_t removable_t:filesystem getattr; # # Required for webalizer # +dontaudit crond_t self:capability sys_tty_config; ifdef(`apache.te', ` allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read }; ') -dontaudit crond_t self:capability sys_tty_config; diff --git a/strict/domains/program/cups.te b/strict/domains/program/cups.te index c1685db..a152ac3 100644 --- a/strict/domains/program/cups.te +++ b/strict/domains/program/cups.te @@ -188,6 +188,7 @@ allow hplip_t hplip_port_t:tcp_socket name_bind; # Uses networking to talk to the daemons allow hplip_t self:unix_dgram_socket create_socket_perms; allow hplip_t self:unix_stream_socket create_socket_perms; +allow hplip_t self:rawip_socket create_socket_perms; # for python can_exec(hplip_t, bin_t) @@ -196,6 +197,9 @@ allow hplip_t self:file { getattr read }; allow hplip_t proc_t:file r_file_perms; allow hplip_t urandom_device_t:chr_file { getattr read }; allow hplip_t usr_t:{ file lnk_file } r_file_perms; +allow hplip_t devpts_t:dir search; +allow hplip_t devpts_t:chr_file { getattr ioctl }; + dontaudit cupsd_t selinux_config_t:dir search; dontaudit cupsd_t selinux_config_t:file { getattr read }; @@ -209,7 +213,7 @@ allow cupsd_t userdomain:dbus send_msg; ') # CUPS configuration daemon -daemon_domain(cupsd_config) +daemon_domain(cupsd_config, `, nscd_client_domain') allow cupsd_config_t devpts_t:dir search; allow cupsd_config_t devpts_t:chr_file { getattr ioctl }; @@ -231,12 +235,13 @@ allow cupsd_config_t cupsd_t:process { signal }; allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read }; can_ps(cupsd_config_t, cupsd_t) -allow cupsd_config_t self:capability chown; +allow cupsd_config_t self:capability { chown sys_tty_config }; rw_dir_create_file(cupsd_config_t, cupsd_etc_t) rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t) file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file) +allow cupsd_config_t var_t:lnk_file read; can_network_tcp(cupsd_config_t) can_ypbind(cupsd_config_t) @@ -245,6 +250,7 @@ can_tcp_connect(cupsd_config_t, cupsd_t) allow cupsd_config_t self:fifo_file rw_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; +allow cupsd_config_t self:unix_dgram_socket create_socket_perms; ifdef(`dbusd.te', ` dbusd_client(system, cupsd_config) allow cupsd_config_t userdomain:dbus send_msg; @@ -255,9 +261,8 @@ allow userdomain cupsd_config_t:dbus send_msg; ifdef(`hald.te', ` ifdef(`dbusd.te', ` -allow cupsd_t hald_t:dbus send_msg; -allow cupsd_config_t hald_t:dbus send_msg; -allow hald_t cupsd_t:dbus send_msg; +allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg; +allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg; ')dnl end if dbusd.te allow hald_t cupsd_config_t:process signal; @@ -310,3 +315,7 @@ allow inetd_t printer_port_t:tcp_socket name_bind; r_dir_file(cupsd_lpd_t, cupsd_etc_t) r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t) allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect; +ifdef(`use_mcs', ` +range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; +') + diff --git a/strict/domains/program/cvs.te b/strict/domains/program/cvs.te index 324ddd3..3f3e63c 100644 --- a/strict/domains/program/cvs.te +++ b/strict/domains/program/cvs.te @@ -23,6 +23,9 @@ allow cvs_t { bin_t sbin_t }:lnk_file read; allow cvs_t etc_runtime_t:file { getattr read }; allow system_mail_t cvs_data_t:file { getattr read }; dontaudit cvs_t devtty_t:chr_file { read write }; +ifdef(`kerberos.te', ` # Allow kerberos to work allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms; dontaudit cvs_t krb5_conf_t:file write; +') + diff --git a/strict/domains/program/cyrus.te b/strict/domains/program/cyrus.te index 8680035..a423235 100644 --- a/strict/domains/program/cyrus.te +++ b/strict/domains/program/cyrus.te @@ -42,7 +42,7 @@ allow system_crond_t cyrus_var_lib_t:file create_file_perms; create_dir_file(cyrus_t, mail_spool_t) allow cyrus_t var_spool_t:dir search; -ifdef(`saslaudthd.te', ` +ifdef(`saslauthd.te', ` allow cyrus_t saslauthd_var_run_t:dir search; allow cyrus_t saslauthd_var_run_t:sock_file { read write }; allow cyrus_t saslauthd_t:unix_stream_socket { connectto }; diff --git a/strict/domains/program/dbusd.te b/strict/domains/program/dbusd.te index 4c72b6b..acad4de 100644 --- a/strict/domains/program/dbusd.te +++ b/strict/domains/program/dbusd.te @@ -12,7 +12,7 @@ r_dir_file(system_dbusd_t, pam_var_console_t) # dac_override: /var/run/dbus is owned by messagebus on Debian allow system_dbusd_t self:capability { dac_override setgid setuid }; -can_ypbind(system_dbusd_t) +nsswitch_domain(system_dbusd_t) # I expect we need more than this @@ -23,3 +23,5 @@ allow initrc_t system_dbusd_var_run_t:sock_file write; can_exec(system_dbusd_t, sbin_t) allow system_dbusd_t self:fifo_file { read write }; allow system_dbusd_t self:unix_stream_socket connectto; +allow system_dbusd_t self:unix_stream_socket connectto; +allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te index 0308ed9..c12bc42 100644 --- a/strict/domains/program/dhcpc.te +++ b/strict/domains/program/dhcpc.te @@ -120,6 +120,7 @@ tmp_domain(dhcpc) allow dhcpc_t self:packet_socket create_socket_perms; allow dhcpc_t var_lib_t:dir search; file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) +allow dhcpc_t dhcp_state_t:file { getattr read }; allow dhcpc_t bin_t:dir { getattr search }; allow dhcpc_t bin_t:lnk_file read; @@ -161,5 +162,5 @@ allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg; ifdef(`unconfined.te', ` allow unconfined_t dhcpc_t:dbus send_msg; allow dhcpc_t unconfined_t:dbus send_msg; -')dnl end ifdef unconfined.te +') ') diff --git a/strict/domains/program/dhcpd.te b/strict/domains/program/dhcpd.te index 07ad4ce..e276af2 100644 --- a/strict/domains/program/dhcpd.te +++ b/strict/domains/program/dhcpd.te @@ -17,8 +17,6 @@ # daemon_domain(dhcpd, `, nscd_client_domain') -allow dhcpd_t dhcpd_port_t:udp_socket name_bind; - # for UDP port 4011 allow dhcpd_t pxe_port_t:udp_socket name_bind; @@ -27,6 +25,7 @@ type dhcp_etc_t, file_type, sysadmfile, usercanread; # Use the network. can_network(dhcpd_t) allow dhcpd_t port_type:tcp_socket name_connect; +allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind; can_ypbind(dhcpd_t) allow dhcpd_t self:unix_dgram_socket create_socket_perms; allow dhcpd_t self:unix_stream_socket create_socket_perms; diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te index 5611451..d5a6220 100644 --- a/strict/domains/program/fsadm.te +++ b/strict/domains/program/fsadm.te @@ -102,10 +102,10 @@ allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon }; allow fsadm_t kernel_t:system syslog_console; # Access terminals. -allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms; +can_access_pty(fsadm_t, initrc) +allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;') allow fsadm_t privfd:fd use; -allow fsadm_t devpts_t:dir { getattr search }; read_locale(fsadm_t) diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te index 5cd42b1..9792bee 100644 --- a/strict/domains/program/hald.te +++ b/strict/domains/program/hald.te @@ -100,4 +100,4 @@ allow hald_t unconfined_t:dbus send_msg; ifdef(`mount.te', ` domain_auto_trans(hald_t, mount_exec_t, mount_t) ') - +r_dir_file(hald_t, hwdata_t) diff --git a/strict/domains/program/hostname.te b/strict/domains/program/hostname.te index 07169c8..2138baf 100644 --- a/strict/domains/program/hostname.te +++ b/strict/domains/program/hostname.te @@ -24,5 +24,5 @@ dontaudit hostname_t file_t:dir search; ifdef(`distro_redhat', ` allow hostname_t tmpfs_t:chr_file rw_file_perms; ') -allow hostname_t initrc_devpts_t:chr_file { read write }; +can_access_pty(hostname_t, initrc) allow hostname_t initrc_t:fd use; diff --git a/strict/domains/program/hotplug.te b/strict/domains/program/hotplug.te index 38e1d52..a6d8fbe 100644 --- a/strict/domains/program/hotplug.te +++ b/strict/domains/program/hotplug.te @@ -11,9 +11,9 @@ # hotplug_exec_t is the type of the hotplug executable. # ifdef(`unlimitedUtils', ` -daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer') +daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain') ', ` -daemon_domain(hotplug, `, privmodule') +daemon_domain(hotplug, `, privmodule, nscd_client_domain') ') etcdir_domain(hotplug) @@ -132,6 +132,7 @@ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; allow hotplug_t sysfs_t:dir { getattr read search write }; allow hotplug_t sysfs_t:file rw_file_perms; allow hotplug_t sysfs_t:lnk_file { getattr read }; +r_dir_file(hotplug_t, hwdata_t) allow hotplug_t udev_runtime_t:file rw_file_perms; ifdef(`lpd.te', ` allow hotplug_t printer_device_t:chr_file setattr; diff --git a/strict/domains/program/hwclock.te b/strict/domains/program/hwclock.te index e5c5c4e..dab39ee 100644 --- a/strict/domains/program/hwclock.te +++ b/strict/domains/program/hwclock.te @@ -21,7 +21,6 @@ ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t) ') type adjtime_t, file_type, sysadmfile; - allow hwclock_t fs_t:filesystem getattr; read_locale(hwclock_t) @@ -47,3 +46,4 @@ read_locale(hwclock_t) # for when /usr is not mounted dontaudit hwclock_t file_t:dir search; allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +r_dir_file(hwclock_t, etc_t) diff --git a/strict/domains/program/ifconfig.te b/strict/domains/program/ifconfig.te index dbab5bf..6cccc32 100644 --- a/strict/domains/program/ifconfig.te +++ b/strict/domains/program/ifconfig.te @@ -52,7 +52,8 @@ allow ifconfig_t run_init_t:fd use; allow ifconfig_t self:udp_socket create_socket_perms; # Access terminals. -allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +can_access_pty(ifconfig_t, initrc) +allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;') allow ifconfig_t tun_tap_device_t:chr_file { read write }; @@ -60,7 +61,7 @@ allow ifconfig_t tun_tap_device_t:chr_file { read write }; # ifconfig attempts to search some sysctl entries. # Do not audit those attempts; comment out these rules if it is desired to # see the denials. -dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search; +allow ifconfig_t { sysctl_t sysctl_net_t }:dir search; allow ifconfig_t fs_t:filesystem getattr; diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te index 2715d03..c66d876 100644 --- a/strict/domains/program/initrc.te +++ b/strict/domains/program/initrc.te @@ -56,6 +56,10 @@ allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit ge can_create_pty(initrc) tmp_domain(initrc) +# +# Some initscripts generate scripts that they need to execute (ldap) +# +can_exec(initrc_t, initrc_tmp_t) var_run_domain(initrc) allow initrc_t var_run_t:{ file sock_file lnk_file } unlink; @@ -214,7 +218,15 @@ file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file) allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr; allow initrc_t self:capability sys_admin; allow initrc_t device_t:dir create; - +# wants to delete /poweroff and other files +allow initrc_t root_t:file unlink; +# wants to read /.fonts directory +allow initrc_t default_t:file { getattr read }; +ifdef(`xserver.te', ` +# wants to cleanup xserver log dir +allow initrc_t xserver_log_t:dir rw_dir_perms; +allow initrc_t xserver_log_t:file unlink; +') ')dnl end distro_redhat allow initrc_t system_map_t:{ file lnk_file } r_file_perms; @@ -322,3 +334,6 @@ allow initrc_t device_t:lnk_file create_file_perms; ifdef(`dbusd.te', ` allow initrc_t system_dbusd_var_run_t:sock_file write; ') + +# Slapd needs to read cert files from its initscript +r_dir_file(initrc_t, cert_t) diff --git a/strict/domains/program/ipsec.te b/strict/domains/program/ipsec.te index 36e55ac..ea45a36 100644 --- a/strict/domains/program/ipsec.te +++ b/strict/domains/program/ipsec.te @@ -219,7 +219,7 @@ can_exec(ipsec_mgmt_t, consoletype_exec_t ) dontaudit ipsec_mgmt_t selinux_config_t:dir search; dontaudit ipsec_t ttyfile:chr_file { read write }; allow ipsec_t self:capability { dac_override dac_read_search }; -allow ipsec_t reserved_port_t:udp_socket name_bind; +allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind; allow ipsec_mgmt_t dev_fs:file_class_set getattr; dontaudit ipsec_mgmt_t device_t:lnk_file read; allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms; diff --git a/strict/domains/program/kudzu.te b/strict/domains/program/kudzu.te index 803ae3d..c560dc7 100644 --- a/strict/domains/program/kudzu.te +++ b/strict/domains/program/kudzu.te @@ -64,6 +64,7 @@ can_exec(kudzu_t, { bin_t sbin_t init_exec_t }) allow kudzu_t lib_t:file { read getattr }; # Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux allow kudzu_t usr_t:file { read getattr }; +r_dir_file(kudzu_t, hwdata_t) # Communicate with rhgb-client. allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms }; diff --git a/strict/domains/program/ldconfig.te b/strict/domains/program/ldconfig.te index 2ab5c48..fbb7688 100644 --- a/strict/domains/program/ldconfig.te +++ b/strict/domains/program/ldconfig.te @@ -16,7 +16,8 @@ role system_r types ldconfig_t; domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t) dontaudit ldconfig_t device_t:dir search; -allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +can_access_pty(ldconfig_t, initrc) +allow ldconfig_t admin_tty_type:chr_file rw_file_perms; allow ldconfig_t privfd:fd use; uses_shlib(ldconfig_t) diff --git a/strict/domains/program/load_policy.te b/strict/domains/program/load_policy.te index e10a6e2..7ff7a61 100644 --- a/strict/domains/program/load_policy.te +++ b/strict/domains/program/load_policy.te @@ -45,11 +45,12 @@ r_dir_file(load_policy_t, selinux_config_t) allow load_policy_t root_t:dir search; allow load_policy_t etc_t:dir search; -# Read the devpts root directory (needed?) -allow load_policy_t devpts_t:dir r_dir_perms; +# for mcs.conf +allow load_policy_t etc_t:file { getattr read }; # Other access -allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr }; +can_access_pty(load_policy_t, initrc) +allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr }; uses_shlib(load_policy_t) allow load_policy_t self:capability dac_override; diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te index 887aa58..f0fb1cb 100644 --- a/strict/domains/program/login.te +++ b/strict/domains/program/login.te @@ -200,23 +200,20 @@ login_domain(remote) # since very weak authentication is used. login_spawn_domain(remote_login, unpriv_userdomain) -allow remote_login_t devpts_t:dir search; allow remote_login_t userpty_type:chr_file { setattr write }; # Use the pty created by rlogind. ifdef(`rlogind.te', ` -allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms }; - +can_access_pty(remote_login_t, rlogind) # Relabel ptys created by rlogind. -allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto }; +allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto }; ') # Use the pty created by telnetd. ifdef(`telnetd.te', ` -allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms }; - +can_access_pty(remote_login_t, telnetd) # Relabel ptys created by telnetd. -allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto }; +allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto }; ') allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl }; @@ -225,3 +222,8 @@ allow remote_login_t fs_t:filesystem { getattr }; # Allow remote login to resolve host names (passed in via the -h switch) can_resolve(remote_login_t) +ifdef(`use_mcs', ` +ifdef(`getty.te', ` +range_transition getty_t login_exec_t s0 - s0:c0.c255; +') +') diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te index 0af4cf5..27d960a 100644 --- a/strict/domains/program/modutil.te +++ b/strict/domains/program/modutil.te @@ -59,7 +59,8 @@ allow depmod_t modules_object_t:{ file lnk_file } r_file_perms; allow depmod_t modules_object_t:file unlink; # Access terminals. -allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +can_access_pty(depmod_t, initrc) +allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') # Read System.map from home directories. @@ -97,7 +98,8 @@ allow insmod_t self:lnk_file read; allow insmod_t usr_t:file { getattr read }; allow insmod_t privfd:fd use; -allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +can_access_pty(insmod_t, initrc) +allow insmod_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;') allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write }; @@ -162,7 +164,6 @@ type insmod_exec_t, file_type, exec_type, sysadmfile; domain_auto_trans(privmodule, insmod_exec_t, insmod_t) can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t }) allow insmod_t devtty_t:chr_file rw_file_perms; -allow update_modules_t devpts_t:dir search; allow insmod_t privmodule:process sigchld; dontaudit sysadm_t self:capability sys_module; @@ -197,8 +198,8 @@ allow update_modules_t init_t:fd use; allow update_modules_t device_t:dir { getattr search }; allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms; -allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; -allow update_modules_t devpts_t:dir search; +can_access_pty(update_modules_t, initrc) +allow update_modules_t admin_tty_type:chr_file rw_file_perms; can_exec(update_modules_t, insmod_exec_t) allow update_modules_t urandom_device_t:chr_file { getattr read }; diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te index ab6c359..e78f7fe 100644 --- a/strict/domains/program/mount.te +++ b/strict/domains/program/mount.te @@ -16,13 +16,14 @@ mount_loopback_privs(sysadm, mount) role sysadm_r types mount_t; role system_r types mount_t; -allow mount_t { initrc_devpts_t console_device_t }:chr_file { read write }; +can_access_pty(mount_t, initrc) +allow mount_t console_device_t:chr_file { read write }; domain_auto_trans(initrc_t, mount_exec_t, mount_t) allow mount_t init_t:fd use; allow mount_t privfd:fd use; -allow mount_t self:capability { ipc_lock dac_override }; +allow mount_t self:capability { dac_override ipc_lock sys_tty_config }; allow mount_t self:process { fork signal_perms }; allow mount_t file_type:dir search; diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te index ea0315b..8a96d2a 100644 --- a/strict/domains/program/mysqld.te +++ b/strict/domains/program/mysqld.te @@ -12,7 +12,7 @@ # daemon_domain(mysqld, `, nscd_client_domain') -allow mysqld_t mysqld_port_t:tcp_socket name_bind; +allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect }; allow mysqld_t mysqld_var_run_t:sock_file create_file_perms; @@ -88,7 +88,7 @@ allow userdomain mysqld_var_run_t:sock_file write; } ') +allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; ifdef(`crond.te', ` allow system_crond_t mysqld_etc_t:file { getattr read }; ') -allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/strict/domains/program/named.te b/strict/domains/program/named.te index 39924d7..04c0712 100644 --- a/strict/domains/program/named.te +++ b/strict/domains/program/named.te @@ -113,8 +113,8 @@ can_resolve(ndc_t) read_locale(ndc_t) can_tcp_connect(ndc_t, named_t) -# for /etc/rndc.key ifdef(`distro_redhat', ` +# for /etc/rndc.key allow { ndc_t initrc_t } named_conf_t:dir search; # Allow init script to cp localtime to named_conf_t allow initrc_t named_conf_t:file { setattr write }; diff --git a/strict/domains/program/netutils.te b/strict/domains/program/netutils.te index 9b13fd4..8dcbdf1 100644 --- a/strict/domains/program/netutils.te +++ b/strict/domains/program/netutils.te @@ -55,7 +55,8 @@ allow netutils_t fs_t:filesystem getattr; # Access terminals. allow netutils_t privfd:fd use; -allow netutils_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +can_access_pty(netutils_t, initrc) +allow netutils_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;') allow netutils_t proc_t:dir search; diff --git a/strict/domains/program/newrole.te b/strict/domains/program/newrole.te index 8d66e4b..207274d 100644 --- a/strict/domains/program/newrole.te +++ b/strict/domains/program/newrole.te @@ -18,3 +18,7 @@ allow newrole_t var_run_t:dir r_dir_perms; allow newrole_t initrc_var_run_t:file rw_file_perms; role secadm_r types newrole_t; + +ifdef(`targeted_policy', ` +typeattribute newrole_t unconfinedtrans; +') diff --git a/strict/domains/program/nscd.te b/strict/domains/program/nscd.te index 77e2eb7..8e899c7 100644 --- a/strict/domains/program/nscd.te +++ b/strict/domains/program/nscd.te @@ -76,3 +76,4 @@ allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read }; log_domain(nscd) r_dir_file(nscd_t, cert_t) allow nscd_t tun_tap_device_t:chr_file { read write }; +allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te index db49c23..9916a6a 100644 --- a/strict/domains/program/ntpd.te +++ b/strict/domains/program/ntpd.te @@ -26,11 +26,11 @@ allow ntpd_t ntp_drift_t:file create_file_perms; # for SSP allow ntpd_t urandom_device_t:chr_file { getattr read }; -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot }; -dontaudit ntpd_t self:capability { net_admin }; -allow ntpd_t self:process { setcap setsched }; +# sys_resource and setrlimit is for locking memory +allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource }; +dontaudit ntpd_t self:capability { fsetid net_admin }; +allow ntpd_t self:process { setcap setsched setrlimit }; # ntpdate wants sys_nice -dontaudit ntpd_t self:capability { fsetid sys_nice }; # for some reason it creates a file in /tmp tmp_domain(ntpd) @@ -54,7 +54,7 @@ allow initrc_t net_conf_t:file { getattr read ioctl }; # for cron jobs # system_crond_t is not right, cron is not doing what it should ifdef(`crond.te', ` -system_crond_entry(ntpd_exec_t, ntpd_t) +system_crond_entry(ntpdate_exec_t, ntpd_t) ') can_exec(ntpd_t, initrc_exec_t) diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te index 488bed3..11c1994 100644 --- a/strict/domains/program/pamconsole.te +++ b/strict/domains/program/pamconsole.te @@ -25,6 +25,7 @@ allow pam_console_t { kernel_t init_t }:fd use; # for /var/run/console.lock checking allow pam_console_t { var_t var_run_t }:dir search; r_dir_file(pam_console_t, pam_var_console_t) +dontaudit pam_console_t pam_var_console_t:file write; # Allow to set attributes on /dev entries allow pam_console_t device_t:dir { getattr read }; @@ -48,3 +49,4 @@ allow pam_console_t xdm_var_run_t:file { getattr read }; allow initrc_t pam_var_console_t:dir rw_dir_perms; allow initrc_t pam_var_console_t:file unlink; allow pam_console_t file_context_t:file { getattr read }; +nsswitch_domain(pam_console_t) diff --git a/strict/domains/program/passwd.te b/strict/domains/program/passwd.te index d7dff6c..30d7f86 100644 --- a/strict/domains/program/passwd.te +++ b/strict/domains/program/passwd.te @@ -153,5 +153,4 @@ allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_rel ifdef(`targeted_policy', ` role system_r types sysadm_passwd_t; -allow sysadm_passwd_t devpts_t:chr_file rw_file_perms; ') diff --git a/strict/domains/program/pegasus.te b/strict/domains/program/pegasus.te new file mode 100644 index 0000000..e2b557e --- /dev/null +++ b/strict/domains/program/pegasus.te @@ -0,0 +1,37 @@ +#DESC pegasus - The Open Group Pegasus CIM/WBEM Server +# +# Author: Jason Vas Dias +# Package: tog-pegasus +# +################################# +# +# Rules for the pegasus domain +# +daemon_domain(pegasus, `, nscd_client_domain, auth') +type pegasus_data_t, file_type, sysadmfile; +type pegasus_conf_t, file_type, sysadmfile; +type pegasus_mof_t, file_type, sysadmfile; +type pegasus_conf_exec_t, file_type, exec_type, sysadmfile; +allow pegasus_t self:capability { dac_override net_bind_service audit_write }; +can_network_tcp(pegasus_t); +nsswitch_domain(pegasus_t); +allow pegasus_t pegasus_var_run_t:sock_file { create setattr }; +allow pegasus_t self:unix_dgram_socket create_socket_perms; +allow pegasus_t self:unix_stream_socket create_stream_socket_perms; +allow pegasus_t self:file { read getattr }; +allow pegasus_t self:fifo_file rw_file_perms; +allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect }; +allow pegasus_t proc_t:file { getattr read }; +allow pegasus_t sysctl_vm_t:dir search; +allow pegasus_t initrc_var_run_t:file { read write lock }; +allow pegasus_t urandom_device_t:chr_file { getattr read }; +r_dir_file(pegasus_t, etc_t) +r_dir_file(pegasus_t, var_lib_t) +r_dir_file(pegasus_t, pegasus_mof_t) +rw_dir_create_file(pegasus_t, pegasus_conf_t) +rw_dir_create_file(pegasus_t, pegasus_data_t) +rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t) +allow pegasus_t shadow_t:file { getattr read }; +dontaudit pegasus_t selinux_config_t:dir search; + diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te index c0c664f..6461c51 100644 --- a/strict/domains/program/ping.te +++ b/strict/domains/program/ping.te @@ -37,6 +37,7 @@ domain_auto_trans(initrc_t, ping_exec_t, ping_t) uses_shlib(ping_t) can_network_client(ping_t) can_resolve(ping_t) +allow ping_t dns_port_t:tcp_socket name_connect; can_ypbind(ping_t) allow ping_t etc_t:file { getattr read }; allow ping_t self:unix_stream_socket create_socket_perms; @@ -58,6 +59,6 @@ dontaudit ping_t var_t:dir search; dontaudit ping_t devtty_t:chr_file { read write }; dontaudit ping_t self:capability sys_tty_config; ifdef(`hide_broken_symptoms', ` -allow ping_t init_t:fd use; +dontaudit ping_t init_t:fd use; ') diff --git a/strict/domains/program/postfix.te b/strict/domains/program/postfix.te index 26ac65b..5d24e5f 100644 --- a/strict/domains/program/postfix.te +++ b/strict/domains/program/postfix.te @@ -54,6 +54,8 @@ allow postfix_$1_t fs_t:filesystem getattr; allow postfix_$1_t proc_net_t:dir search; allow postfix_$1_t proc_net_t:file { getattr read }; can_exec(postfix_$1_t, postfix_$1_exec_t) +r_dir_file(postfix_$1_t, cert_t) +allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr }; allow postfix_$1_t tmp_t:dir getattr; @@ -69,6 +71,9 @@ ifdef(`crond.te', postfix_domain(master, `, mail_server_domain') rhgb_domain(postfix_master_t) +# for a find command +dontaudit postfix_master_t security_t:dir search; + read_sysctl(postfix_master_t) domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t) @@ -97,10 +102,12 @@ allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms; dontaudit postfix_master_t selinux_config_t:dir search; can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t) ifdef(`distro_redhat', ` +# compatability for old default main.cf file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t) -', ` -file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t) +# for newer main.cf that uses /etc/aliases +file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t) ') +file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t) allow postfix_master_t sendmail_exec_t:file r_file_perms; allow postfix_master_t sbin_t:lnk_file { getattr read }; ifdef(`pppd.te', ` @@ -121,7 +128,7 @@ allow postfix_master_t postfix_private_t:fifo_file create_file_perms; can_network(postfix_master_t) allow postfix_master_t port_type:tcp_socket name_connect; can_ypbind(postfix_master_t) -allow postfix_master_t smtp_port_t:tcp_socket name_bind; +allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind; allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms; allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr }; allow postfix_master_t postfix_prng_t:file getattr; @@ -135,14 +142,10 @@ can_unix_connect(postfix_smtpd_t,saslauthd_t) ') create_dir_file(postfix_master_t, postfix_spool_flush_t) -allow postfix_master_t random_device_t:chr_file { read getattr }; allow postfix_master_t postfix_prng_t:file rw_file_perms; # for ls to get the current context allow postfix_master_t self:file { getattr read }; -# for SSP -allow postfix_master_t urandom_device_t:chr_file read; - # allow access to deferred queue and allow removing bogus incoming entries allow postfix_master_t postfix_spool_t:dir create_dir_perms; allow postfix_master_t postfix_spool_t:file create_file_perms; @@ -163,7 +166,6 @@ postfix_server_domain(smtp, `, mail_server_sender') allow postfix_smtp_t postfix_spool_t:file rw_file_perms; allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search; allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write; -allow postfix_smtp_t urandom_device_t:chr_file { getattr read }; allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto; # if you have two different mail servers on the same host let them talk via # SMTP, also if one mail server wants to talk to itself then allow it and let @@ -172,7 +174,6 @@ allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto; can_tcp_connect(postfix_smtp_t, mail_server_domain) postfix_server_domain(smtpd) -allow postfix_smtpd_t urandom_device_t:chr_file { getattr read }; allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search; allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms; @@ -184,7 +185,6 @@ allow postfix_smtpd_t self:file { getattr read }; # for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; - allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms; postfix_server_domain(local, `, mta_delivery_agent') @@ -196,7 +196,7 @@ dontaudit procmail_t postfix_master_t:fd use; ') allow postfix_local_t etc_aliases_t:file r_file_perms; allow postfix_local_t self:fifo_file rw_file_perms; -allow postfix_local_t self:process setrlimit; +allow postfix_local_t self:process { setsched setrlimit }; allow postfix_local_t postfix_spool_t:file rw_file_perms; # for .forward - maybe we need a new type for it? allow postfix_local_t postfix_private_t:dir search; @@ -241,6 +241,7 @@ postfix_user_domain(postqueue) allow postfix_postqueue_t postfix_public_t:dir search; allow postfix_postqueue_t postfix_public_t:fifo_file getattr; allow postfix_postqueue_t self:udp_socket { create ioctl }; +allow postfix_postqueue_t self:tcp_socket create; allow postfix_master_t postfix_postqueue_exec_t:file getattr; domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) allow postfix_postqueue_t initrc_t:process sigchld; @@ -260,7 +261,7 @@ dontaudit postfix_postqueue_t net_conf_t:file r_file_perms; postfix_user_domain(showq) # the following auto_trans is usually in postfix server domain domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -allow postfix_showq_t self:udp_socket { create ioctl }; +can_resolve(postfix_showq_t) r_dir_file(postfix_showq_t, postfix_spool_maildrop_t) domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) allow postfix_showq_t self:capability { setuid setgid }; @@ -284,6 +285,7 @@ ifdef(`crond.te', allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;') # usually it does not need a UDP socket allow postfix_postdrop_t self:udp_socket create_socket_perms; +allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:capability sys_resource; postfix_public_domain(pickup) @@ -329,7 +331,8 @@ ifdef(`procmail.te', ` domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t) ') ifdef(`sendmail.te', ` -allow sendmail_t postfix_etc_t:dir search; +r_dir_file(sendmail_t, postfix_etc_t) +allow sendmail_t postfix_spool_t:dir search; ') # Program for creating database files @@ -350,3 +353,4 @@ can_network_server(postfix_map_t) allow postfix_map_t port_type:tcp_socket name_connect; allow postfix_local_t mail_spool_t:dir { remove_name }; allow postfix_local_t mail_spool_t:file { unlink }; +can_exec(postfix_local_t, bin_t) diff --git a/strict/domains/program/procmail.te b/strict/domains/program/procmail.te index 347587b..fbf044d 100644 --- a/strict/domains/program/procmail.te +++ b/strict/domains/program/procmail.te @@ -19,8 +19,7 @@ role system_r types procmail_t; uses_shlib(procmail_t) allow procmail_t device_t:dir search; can_network_server(procmail_t) -can_ypbind(procmail_t) -can_winbind(procmail_t) +nsswitch_domain(procmail_t) allow procmail_t self:capability { sys_nice chown setuid setgid dac_override }; @@ -60,6 +59,14 @@ allow procmail_t { self proc_t }:lnk_file read; allow procmail_t usr_t:file { getattr ioctl read }; ifdef(`spamassassin.te', ` can_exec(procmail_t, spamassassin_exec_t) +can_resolve(procmail_t) +allow procmail_t port_t:udp_socket name_bind; +allow procmail_t tmp_t:dir getattr; +') +ifdef(`targeted_policy', ` +can_resolve(procmail_t) +allow procmail_t port_t:udp_socket name_bind; +allow procmail_t tmp_t:dir getattr; ') # Search /var/run. diff --git a/strict/domains/program/readahead.te b/strict/domains/program/readahead.te new file mode 100644 index 0000000..dde8e37 --- /dev/null +++ b/strict/domains/program/readahead.te @@ -0,0 +1,21 @@ +#DESC readahead - read files in page cache +# +# Author: Dan Walsh (dwalsh@redhat.com) +# + +################################# +# +# Declarations for readahead +# + +daemon_domain(readahead) +# +# readahead asks for these +# +allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read }; +allow readahead_t { file_type -secure_file_type }:dir r_dir_perms; +dontaudit readahead_t shadow_t:file { getattr read }; +allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr; +dontaudit readahead_t file_type:sock_file getattr; +allow readahead_t proc_t:file { getattr read }; +dontaudit readahead_t device_type:blk_file read; diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te index 0e3a278..dc58221 100644 --- a/strict/domains/program/restorecon.te +++ b/strict/domains/program/restorecon.te @@ -19,7 +19,7 @@ role system_r types restorecon_t; role sysadm_r types restorecon_t; role secadm_r types restorecon_t; -allow restorecon_t initrc_devpts_t:chr_file { read write ioctl }; +can_access_pty(restorecon_t, initrc) allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl }; domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t) diff --git a/strict/domains/program/rlogind.te b/strict/domains/program/rlogind.te index b0ac4f0..88af4e4 100644 --- a/strict/domains/program/rlogind.te +++ b/strict/domains/program/rlogind.te @@ -35,4 +35,6 @@ allow rlogind_t self:file { getattr read }; allow rlogind_t default_t:dir search; typealias rlogind_port_t alias rlogin_port_t; read_sysctl(rlogind_t); -allow rlogind_t krb5_keytab_t:file r_file_perms; +ifdef(`kerberos.te', ` +allow rlogind_t krb5_keytab_t:file { getattr read }; +') diff --git a/strict/domains/program/roundup.te b/strict/domains/program/roundup.te new file mode 100644 index 0000000..4c3e97a --- /dev/null +++ b/strict/domains/program/roundup.te @@ -0,0 +1,29 @@ +# Roundup Issue Tracking System +# +# Authors: W. Michael Petullo +# Depends: portmap.te +# + +################################# +# +# Rules for the yppasswdd_t domain. +# +daemon_domain(yppasswdd, `, auth_write, privowner') + +# Use capabilities. +allow yppasswdd_t self:capability { net_bind_service }; + +# Use the network. +can_network_server(yppasswdd_t) + +read_sysctl(yppasswdd_t) + +# Send to portmap and initrc. +can_udp_send(yppasswdd_t, portmap_t) +can_udp_send(yppasswdd_t, initrc_t) + +allow yppasswdd_t reserved_port_t:{ udp_socket tcp_socket } name_bind; +dontaudit yppasswdd_t reserved_port_type:{ tcp_socket udp_socket } name_bind; +allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; + +allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read }; +allow yppasswdd_t self:unix_dgram_socket create_socket_perms; +allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; +file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file) +allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto }; +can_setfscreate(yppasswdd_t) +allow yppasswdd_t proc_t:file getattr; +allow yppasswdd_t { bin_t sbin_t }:dir search; +allow yppasswdd_t bin_t:lnk_file read; +can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t }) +allow yppasswdd_t self:fifo_file rw_file_perms; +rw_dir_create_file(yppasswdd_t, var_yp_t) diff --git a/strict/domains/program/ypserv.te b/strict/domains/program/ypserv.te index 656c15d..1ecc731 100644 --- a/strict/domains/program/ypserv.te +++ b/strict/domains/program/ypserv.te @@ -39,3 +39,4 @@ allow rpcd_t ypserv_conf_t:file { getattr read }; ') allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind; dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind; +can_exec(ypserv_t, bin_t) diff --git a/strict/file_contexts/distros.fc b/strict/file_contexts/distros.fc index 6df147c..33c7f5e 100644 --- a/strict/file_contexts/distros.fc +++ b/strict/file_contexts/distros.fc @@ -1,67 +1,67 @@ ifdef(`distro_redhat', ` -/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t -/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t -/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t -/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t -/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t -/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t -/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t -/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t -/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t -/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t -/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t -/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t -/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t -/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t -/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t -/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t -/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t -/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t -/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t -/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t -/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t -/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t -/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t -/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t -/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t -/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t -/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t -/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t -/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t -/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t -/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t -/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t -/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t -/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t -/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t -/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t -/etc/rhgb(/.*)? -d system_u:object_r:mnt_t -/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t +/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0 +/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0 +/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0 +/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0 +/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0 +/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t:s0 +/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0 +/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0 +/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0 +/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0 +/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0 +/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0 +/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0 +/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0 +/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0 +/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0 +/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0 +/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t:s0 +/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t:s0 +/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t:s0 +/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t:s0 +/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t:s0 +/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t:s0 +/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t:s0 +/etc/rhgb(/.*)? -d system_u:object_r:mnt_t:s0 +/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t:s0 # # /emul/ia32-linux/usr # -/emul(/.*)? system_u:object_r:usr_t -/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t -/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t -/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t -/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t -/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t -/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t -/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t -/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t -/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t -/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t +/emul(/.*)? system_u:object_r:usr_t:s0 +/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t:s0 +/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t:s0 +/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t:s0 +/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0 +/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0 +/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t:s0 +/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0 +/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t:s0 # /emul/ia32-linux/lib -/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t -/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t -/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t +/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t:s0 +/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0 # /emul/ia32-linux/bin -/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t +/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t:s0 # /emul/ia32-linux/sbin -/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t +/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t:s0 ifdef(`dbusd.te', `', ` -/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t +/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t:s0 ') # The following are libraries with text relocations in need of execmod permissions @@ -69,94 +69,96 @@ ifdef(`dbusd.te', `', ` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php -/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t -/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t -/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t -/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t -/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t -/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t -/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t -/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t -/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t -/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t -/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t -/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t -/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/.*/program(/.*)? system_u:object_r:bin_t -/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t -/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t -/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t -/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t -/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t -/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/program(/.*)? system_u:object_r:bin_t:s0 +/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t:s0 +/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t:s0 # Fedora Extras packages: ladspa, imlib2, ocaml -/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t -/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t:s0 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame -/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t -/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t -/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t -/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t:s0 # Flash plugin, Macromedia -HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t -/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t +HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0 # Jai, Sun Microsystems (Jpackage SPRM) -/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t -/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t -/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t +/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t:s0 # Java, Sun Microsystems (JPackage SRPM) -/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t +/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t:s0 -/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t -/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t -/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t -/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t +/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t:s0 +/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t:s0 +/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t:s0 +/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t:s0 ') ifdef(`distro_suse', ` -/var/lib/samba/bin/.+ system_u:object_r:bin_t -/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t -/usr/lib/samba/classic/.* -- system_u:object_r:bin_t -/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t -/success -- system_u:object_r:etc_runtime_t -/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t +/var/lib/samba/bin/.+ system_u:object_r:bin_t:s0 +/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t:s0 +/usr/lib/samba/classic/.* -- system_u:object_r:bin_t:s0 +/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/success -- system_u:object_r:etc_runtime_t:s0 +/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t:s0 ') diff --git a/strict/file_contexts/program/cyrus.fc b/strict/file_contexts/program/cyrus.fc index 04b78be..71a9026 100644 --- a/strict/file_contexts/program/cyrus.fc +++ b/strict/file_contexts/program/cyrus.fc @@ -1,5 +1,5 @@ # cyrus /var/lib/imap(/.*)? system_u:object_r:cyrus_var_lib_t /usr/lib(64)?/cyrus-imapd/.* -- system_u:object_r:bin_t -/usr/lib(64)?/cyrus-imapd/cyrus-master -- system_u:object_r:cyrus_exec_t +/usr/lib(64)?/cyrus-imapd/cyrus-master -- system_u:object_r:cyrus_exec_t /var/spool/imap(/.*)? system_u:object_r:mail_spool_t diff --git a/strict/file_contexts/program/ethereal.fc b/strict/file_contexts/program/ethereal.fc index abe9b02..ba1af85 100644 --- a/strict/file_contexts/program/ethereal.fc +++ b/strict/file_contexts/program/ethereal.fc @@ -1,3 +1,3 @@ /usr/sbin/tethereal.* -- system_u:object_r:tethereal_exec_t -/usr/sbin/ethereal.* -- system_u:object_r:ethereal_exec_t -HOME_DIR/\.ethereal(/.*)? system_u:object_r:ROLE_ethereal_home_t +/usr/sbin/ethereal.* -- system_u:object_r:ethereal_exec_t +HOME_DIR/\.ethereal(/.*)? system_u:object_r:ROLE_ethereal_home_t diff --git a/strict/file_contexts/program/games.fc b/strict/file_contexts/program/games.fc index a4ab933..3465eee 100644 --- a/strict/file_contexts/program/games.fc +++ b/strict/file_contexts/program/games.fc @@ -1,8 +1,10 @@ # games -/usr/lib(64)?/games/.* -- system_u:object_r:games_exec_t -/var/games(/.*)? system_u:object_r:games_data_t -/usr/games/.* -- system_u:object_r:games_exec_t +/usr/lib/games(/.*)? system_u:object_r:games_exec_t /var/lib/games(/.*)? system_u:object_r:games_data_t +ifdef(`distro_debian', ` +/usr/games/.* -- system_u:object_r:games_exec_t +/var/games(/.*)? system_u:object_r:games_data_t +', ` /usr/bin/micq -- system_u:object_r:games_exec_t /usr/bin/blackjack -- system_u:object_r:games_exec_t /usr/bin/gataxx -- system_u:object_r:games_exec_t @@ -53,4 +55,7 @@ /usr/bin/lskat -- system_u:object_r:games_exec_t /usr/bin/lskatproc -- system_u:object_r:games_exec_t /usr/bin/Maelstrom -- system_u:object_r:games_exec_t +/usr/bin/civclient.* -- system_u:object_r:games_exec_t +/usr/bin/civserver.* -- system_u:object_r:games_exec_t +')dnl end non-Debian section diff --git a/strict/genfs_contexts b/strict/genfs_contexts index 6686d2e..11c16d4 100644 --- a/strict/genfs_contexts +++ b/strict/genfs_contexts @@ -94,7 +94,7 @@ genfscon afs / system_u:object_r:nfs_t genfscon debugfs / system_u:object_r:debugfs_t genfscon inotifyfs / system_u:object_r:inotifyfs_t genfscon hugetlbfs / system_u:object_r:hugetlbfs_t -genfscon mqueue / system_u:object_r:mqueue_t +genfscon capifs / system_u:object_r:capifs_t # needs more work genfscon eventpollfs / system_u:object_r:eventpollfs_t diff --git a/strict/macros/core_macros.te b/strict/macros/core_macros.te index 4ff37c7..4a5900a 100644 --- a/strict/macros/core_macros.te +++ b/strict/macros/core_macros.te @@ -620,6 +620,9 @@ allow $1_devpts_t devpts_t:filesystem associate; # Label pty files with a derived type. type_transition $1_t devpts_t:chr_file $1_devpts_t; +# allow searching /dev/pts +allow $1_t devpts_t:dir { getattr read search }; + # Read and write my pty files. allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms }; ') diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te index 8bd5d7b..54dce1d 100644 --- a/strict/macros/global_macros.te +++ b/strict/macros/global_macros.te @@ -157,6 +157,11 @@ allow $1 lib_t:file r_file_perms; r_dir_file($1, locale_t) ') +define(`can_access_pty', ` +allow $1 devpts_t:dir r_dir_perms; +allow $1 $2_devpts_t:chr_file rw_file_perms; +') + ################################### # # access_terminal(domain, typeprefix) @@ -166,8 +171,7 @@ r_dir_file($1, locale_t) define(`access_terminal', ` allow $1 $2_tty_device_t:chr_file { read write getattr ioctl }; allow $1 devtty_t:chr_file { read write getattr ioctl }; -allow $1 devpts_t:dir { read search getattr }; -allow $1 $2_devpts_t:chr_file { read write getattr ioctl }; +can_access_pty($1, $2) ') # @@ -514,6 +518,9 @@ define(`application_domain', ` type $1_t, domain, privlog $2; type $1_exec_t, file_type, sysadmfile, exec_type; role sysadm_r types $1_t; +ifdef(`targeted_policy', ` +role system_r types $1_t; +') domain_auto_trans(sysadm_t, $1_exec_t, $1_t) uses_shlib($1_t) ') @@ -600,10 +607,10 @@ allow $1 self:capability sys_admin; # Also define boolean to allow anonymous writing # define(`anonymous_domain', ` -r_dir_file($1_t, ftpd_anon_t) +r_dir_file($1_t, { public_content_t public_content_rw_t } ) bool allow_$1_anon_write false; if (allow_$1_anon_write) { -create_dir_file($1_t,ftpd_anon_rw_t) +create_dir_file($1_t,public_content_rw_t) } ') # @@ -618,6 +625,7 @@ create_dir_file($1_t,ftpd_anon_rw_t) define(`unconfined_domain', ` typeattribute $1 unrestricted; +typeattribute $1 privuser; # Mount/unmount any filesystem. allow $1 fs_type:filesystem *; diff --git a/strict/macros/network_macros.te b/strict/macros/network_macros.te index 0c8817a..8e8b05a 100644 --- a/strict/macros/network_macros.te +++ b/strict/macros/network_macros.te @@ -153,7 +153,8 @@ allow $1 mount_t:udp_socket rw_socket_perms; ')dnl end can_network definition define(`can_resolve',` -can_network_udp($1, `dns_port_t') +can_network_client($1, `dns_port_t') +allow $1 dns_port_t:tcp_socket name_connect; ') define(`can_portmap',` @@ -173,3 +174,17 @@ allow $1 winbind_t:unix_stream_socket connectto; allow $1 winbind_var_run_t:sock_file { getattr read write }; ') ') + + +################################# +# +# nsswitch_domain(domain) +# +# Permissions for looking up uid/username mapping via nsswitch +# +define(`nsswitch_domain', ` +can_resolve($1) +can_ypbind($1) +can_ldap($1) +can_winbind($1) +') diff --git a/strict/macros/program/i18n_input_macros.te b/strict/macros/program/i18n_input_macros.te new file mode 100644 index 0000000..58699fc --- /dev/null +++ b/strict/macros/program/i18n_input_macros.te @@ -0,0 +1,21 @@ +# +# Macros for i18n_input +# + +# +# Authors: Dan Walsh +# + +# +# i18n_input_domain(domain) +# +ifdef(`i18n_input.te', ` +define(`i18n_input_domain', ` +allow i18n_input_t $1_home_dir_t:dir { getattr search }; +r_dir_file(i18n_input_t, $1_home_t) +if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) } +if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) } +') +') + + diff --git a/strict/macros/program/pyzor_macros.te b/strict/macros/program/pyzor_macros.te index 36b4c54..af67d30 100644 --- a/strict/macros/program/pyzor_macros.te +++ b/strict/macros/program/pyzor_macros.te @@ -64,6 +64,6 @@ allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms; # Allow pyzor to be run by hand. Needed by any action other than # invocation from a spam filter. -allow $1_pyzor_t $1_devpts_t:chr_file rw_file_perms; +can_access_pty($1_pyzor_t, $1) allow $1_pyzor_t sshd_t:fd use; ') diff --git a/strict/macros/program/razor_macros.te b/strict/macros/program/razor_macros.te index ca681f7..e4c7c55 100644 --- a/strict/macros/program/razor_macros.te +++ b/strict/macros/program/razor_macros.te @@ -70,6 +70,6 @@ allow $1_razor_t self:unix_stream_socket create_stream_socket_perms; # Allow razor to be run by hand. Needed by any action other than # invocation from a spam filter. -allow $1_razor_t $1_devpts_t:chr_file rw_file_perms; +can_access_pty($1_razor_t, $1) allow $1_razor_t sshd_t:fd use; ') diff --git a/strict/macros/program/su_macros.te b/strict/macros/program/su_macros.te index 055e08a..ca2f2be 100644 --- a/strict/macros/program/su_macros.te +++ b/strict/macros/program/su_macros.te @@ -68,7 +68,7 @@ allow $1_su_t crond_t:fifo_file read; ') # Use capabilities. -allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control }; +allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control audit_write }; dontaudit $1_su_t self:capability sys_tty_config; # # Caused by su - init scripts diff --git a/strict/macros/program/uml_macros.te b/strict/macros/program/uml_macros.te index 9b87775..bc635f8 100644 --- a/strict/macros/program/uml_macros.te +++ b/strict/macros/program/uml_macros.te @@ -81,7 +81,7 @@ domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t) allow uml_net_t $1_uml_t:unix_stream_socket { read write }; allow uml_net_t $1_uml_t:unix_dgram_socket { read write }; dontaudit uml_net_t privfd:fd use; -allow uml_net_t $1_uml_devpts_t:chr_file { read write }; +can_access_pty(uml_net_t, $1_uml) dontaudit uml_net_t $1_uml_rw_t:dir { getattr search }; ')dnl end ifdef uml_net.te diff --git a/strict/macros/user_macros.te b/strict/macros/user_macros.te index dfc6c17..2c76665 100644 --- a/strict/macros/user_macros.te +++ b/strict/macros/user_macros.te @@ -121,6 +121,7 @@ allow $1_t system_map_t:file { getattr read }; # user domains. ifelse($1, sysadm, `',` ifdef(`apache.te', `apache_user_domain($1)') +ifdef(`i18n_input.te', `i18n_input_domain($1)') ') ifdef(`slocate.te', `locate_domain($1)') ifdef(`lockdev.te', `lockdev_domain($1)') diff --git a/strict/mcs b/strict/mcs index 20ec239..d67b134 100644 --- a/strict/mcs +++ b/strict/mcs @@ -146,13 +146,141 @@ category c124; category c125; category c126; category c127; +category c128; +category c129; +category c130; +category c131; +category c132; +category c133; +category c134; +category c135; +category c136; +category c137; +category c138; +category c139; +category c140; +category c141; +category c142; +category c143; +category c144; +category c145; +category c146; +category c147; +category c148; +category c149; +category c150; +category c151; +category c152; +category c153; +category c154; +category c155; +category c156; +category c157; +category c158; +category c159; +category c160; +category c161; +category c162; +category c163; +category c164; +category c165; +category c166; +category c167; +category c168; +category c169; +category c170; +category c171; +category c172; +category c173; +category c174; +category c175; +category c176; +category c177; +category c178; +category c179; +category c180; +category c181; +category c182; +category c183; +category c184; +category c185; +category c186; +category c187; +category c188; +category c189; +category c190; +category c191; +category c192; +category c193; +category c194; +category c195; +category c196; +category c197; +category c198; +category c199; +category c200; +category c201; +category c202; +category c203; +category c204; +category c205; +category c206; +category c207; +category c208; +category c209; +category c210; +category c211; +category c212; +category c213; +category c214; +category c215; +category c216; +category c217; +category c218; +category c219; +category c220; +category c221; +category c222; +category c223; +category c224; +category c225; +category c226; +category c227; +category c228; +category c229; +category c230; +category c231; +category c232; +category c233; +category c234; +category c235; +category c236; +category c237; +category c238; +category c239; +category c240; +category c241; +category c242; +category c243; +category c244; +category c245; +category c246; +category c247; +category c248; +category c249; +category c250; +category c251; +category c252; +category c253; +category c254; +category c255; # # Each MCS level specifies a sensitivity and zero or more categories which may # be associated with that sensitivity. # -level s0:c0.c127; +level s0:c0.c255; # # Define the MCS policy @@ -200,9 +328,23 @@ level s0:c0.c127; # # Only files are constrained by MCS at this stage. # -mlsconstrain file { read write setattr append unlink link rename +mlsconstrain file { write setattr append unlink link rename create ioctl lock execute } (h1 dom h2); +mlsconstrain file { read } ((h1 dom h2) or + ( t1 == mlsfileread )); + + +# new file labels must be dominated by the relabeling subject's clearance +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto } + ( h1 dom h2 ); + +define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append +link unlink rename relabelfrom relabelto }') + +define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink +rename search add_name remove_name reparent write rmdir relabelfrom +relabelto }') # XXX # diff --git a/strict/mls b/strict/mls index 01a652a..b3e9b5a 100644 --- a/strict/mls +++ b/strict/mls @@ -13,12 +13,17 @@ sensitivity s6; sensitivity s7; sensitivity s8; sensitivity s9; - +sensitivity s10; +sensitivity s11; +sensitivity s12; +sensitivity s13; +sensitivity s14; +sensitivity s15; # # Define the ordering of the sensitivity levels (least to greatest) # -dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 } +dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 } # @@ -154,22 +159,156 @@ category c124; category c125; category c126; category c127; +category c128; +category c129; +category c130; +category c131; +category c132; +category c133; +category c134; +category c135; +category c136; +category c137; +category c138; +category c139; +category c140; +category c141; +category c142; +category c143; +category c144; +category c145; +category c146; +category c147; +category c148; +category c149; +category c150; +category c151; +category c152; +category c153; +category c154; +category c155; +category c156; +category c157; +category c158; +category c159; +category c160; +category c161; +category c162; +category c163; +category c164; +category c165; +category c166; +category c167; +category c168; +category c169; +category c170; +category c171; +category c172; +category c173; +category c174; +category c175; +category c176; +category c177; +category c178; +category c179; +category c180; +category c181; +category c182; +category c183; +category c184; +category c185; +category c186; +category c187; +category c188; +category c189; +category c190; +category c191; +category c192; +category c193; +category c194; +category c195; +category c196; +category c197; +category c198; +category c199; +category c200; +category c201; +category c202; +category c203; +category c204; +category c205; +category c206; +category c207; +category c208; +category c209; +category c210; +category c211; +category c212; +category c213; +category c214; +category c215; +category c216; +category c217; +category c218; +category c219; +category c220; +category c221; +category c222; +category c223; +category c224; +category c225; +category c226; +category c227; +category c228; +category c229; +category c230; +category c231; +category c232; +category c233; +category c234; +category c235; +category c236; +category c237; +category c238; +category c239; +category c240; +category c241; +category c242; +category c243; +category c244; +category c245; +category c246; +category c247; +category c248; +category c249; +category c250; +category c251; +category c252; +category c253; +category c254; +category c255; # # Each MLS level specifies a sensitivity and zero or more categories which may # be associated with that sensitivity. # -level s0:c0.c127; -level s1:c0.c127; -level s2:c0.c127; -level s3:c0.c127; -level s4:c0.c127; -level s5:c0.c127; -level s6:c0.c127; -level s7:c0.c127; -level s8:c0.c127; -level s9:c0.c127; +level s0:c0.c255; +level s1:c0.c255; +level s2:c0.c255; +level s3:c0.c255; +level s4:c0.c255; +level s5:c0.c255; +level s6:c0.c255; +level s7:c0.c255; +level s8:c0.c255; +level s9:c0.c255; +level s10:c0.c255; +level s11:c0.c255; +level s12:c0.c255; +level s13:c0.c255; +level s14:c0.c255; +level s15:c0.c255; # diff --git a/strict/net_contexts b/strict/net_contexts index f38e613..8ab1118 100644 --- a/strict/net_contexts +++ b/strict/net_contexts @@ -50,6 +50,10 @@ portcon udp 53 system_u:object_r:dns_port_t portcon tcp 53 system_u:object_r:dns_port_t portcon udp 67 system_u:object_r:dhcpd_port_t +portcon udp 647 system_u:object_r:dhcpd_port_t +portcon tcp 647 system_u:object_r:dhcpd_port_t +portcon udp 847 system_u:object_r:dhcpd_port_t +portcon tcp 847 system_u:object_r:dhcpd_port_t portcon udp 68 system_u:object_r:dhcpc_port_t portcon udp 70 system_u:object_r:gopher_port_t portcon tcp 70 system_u:object_r:gopher_port_t @@ -164,6 +168,8 @@ portcon tcp 5703 system_u:object_r:ptal_port_t portcon tcp 50000 system_u:object_r:hplip_port_t portcon tcp 50002 system_u:object_r:hplip_port_t portcon tcp 5900 system_u:object_r:vnc_port_t +portcon tcp 5988 system_u:object_r:pegasus_http_port_t +portcon tcp 5989 system_u:object_r:pegasus_https_port_t portcon tcp 6000 system_u:object_r:xserver_port_t portcon tcp 6001 system_u:object_r:xserver_port_t portcon tcp 6002 system_u:object_r:xserver_port_t diff --git a/strict/types/devpts.te b/strict/types/devpts.te index 56b8dde..291ec53 100644 --- a/strict/types/devpts.te +++ b/strict/types/devpts.te @@ -18,4 +18,7 @@ type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject; # type devpts_t, mount_point, fs_type; +ifdef(`targeted_policy', ` +typeattribute devpts_t ttyfile; +') diff --git a/strict/types/file.te b/strict/types/file.te index 24d0023..7b6fa9e 100644 --- a/strict/types/file.te +++ b/strict/types/file.te @@ -307,8 +307,7 @@ allow dosfs_t self:filesystem associate; type hugetlbfs_t, mount_point, fs_type, sysadmfile; allow hugetlbfs_t self:filesystem associate; -type mqueue_t, mount_point, fs_type, sysadmfile; -allow mqueue_t self:filesystem associate; +typealias file_t alias mqueue_t; # udev_runtime_t is the type of the udev table file type udev_runtime_t, file_type, sysadmfile; @@ -325,6 +324,9 @@ allow debugfs_t self:filesystem associate; type inotifyfs_t, fs_type, sysadmfile; allow inotifyfs_t self:filesystem associate; +type capifs_t, fs_type, sysadmfile; +allow capifs_t self:filesystem associate; + # removable_t is the default type of all removable media type removable_t, file_type, sysadmfile, usercanread; allow removable_t self:filesystem associate; @@ -332,11 +334,16 @@ allow file_type removable_t:filesystem associate; allow file_type noexattrfile:filesystem associate; # Type for anonymous FTP data, used by ftp and rsync -type ftpd_anon_t, file_type, sysadmfile, customizable; -type ftpd_anon_rw_t, file_type, sysadmfile, customizable; +type public_content_t, file_type, sysadmfile, customizable; +type public_content_rw_t, file_type, sysadmfile, customizable; +typealias public_content_t alias ftpd_anon_t; +typealias public_content_rw_t alias ftpd_anon_rw_t; allow customizable self:filesystem associate; # type for /tmp/.ICE-unix type ice_tmp_t, file_type, sysadmfile, tmpfile; +# type for /usr/share/hwdata +type hwdata_t, file_type, sysadmfile; + diff --git a/strict/types/network.te b/strict/types/network.te index aaf10d9..eb8bdcb 100644 --- a/strict/types/network.te +++ b/strict/types/network.te @@ -120,6 +120,8 @@ type stunnel_port_t, port_type; type zebra_port_t, port_type; type i18n_input_port_t, port_type; type vnc_port_t, port_type; +type pegasus_http_port_t, port_type; +type pegasus_https_port_t, port_type; type openvpn_port_t, port_type; type clamd_port_t, port_type; type transproxy_port_t, port_type; diff --git a/strict/users b/strict/users index c0269c4..acf0292 100644 --- a/strict/users +++ b/strict/users @@ -9,7 +9,7 @@ # Each user has a set of roles that may be entered by processes # with the users identity. The syntax of a user declaration is: # -# user username roles role_set [ level default_level range allowed_range ]; +# user username roles role_set [ level default_level range allowed_range ] level s0 range s0; # # The MLS default level and allowed range should only be specified if # MLS was enabled in the policy.