From 98a8ead4c549099d050d2a2ca6ca92a88929ce66 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sep 15 2005 21:03:29 +0000 Subject: more updates --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index b63c5fe..85c05a4 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,5 @@ +- Add equivalents for old can_resolve(), can_ldap(), and + can_portmap() to sysnetwork. - Fix base module compile issues. - Added policies: ktalk diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index c03493e..28004e2 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -4,12 +4,18 @@ # file should be used. # -## Allow execution of anonymous mappings, e.g. executable stack. +## Allow making anonymous memory executable, e.g. +## for runtime-code generation or executable stack. gen_tunable(allow_execmem,false) -## Support Share libraries with text relocations +## Allow making a modified private file +## mapping executable (text relocation). gen_tunable(allow_execmod,false) +## Allow making the stack executable via mprotect. +## Also requires allow_execmem. +gen_tunable(allow_execstack,false) + ## Allow gpg executable stack gen_tunable(allow_gpg_execstack,false) @@ -56,9 +62,6 @@ gen_tunable(ssh_sysadm_login,false) ## dir and read files (such as ~/.bashrc) gen_tunable(staff_read_sysadm_file,false) -## Allow the use of DNS for name resolution. -gen_tunable(use_dns,false) - ## Support NFS home directories gen_tunable(use_nfs_home_dirs,false) diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 060908b..d139e14 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -14,6 +14,9 @@ role system_r types logrotate_t; type logrotate_exec_t; files_type(logrotate_exec_t) +type logrotate_lock_t; +files_lock_file(logrotate_lock_t) + type logrotate_tmp_t; files_tmp_file(logrotate_tmp_t) @@ -46,6 +49,9 @@ allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; allow logrotate_t self:msg { send receive }; +allow logrotate_t logrotate_lock_t:file create_file_perms; +files_create_lock(logrotate_t,logrotate_lock_t) + can_exec(logrotate_t, logrotate_tmp_t) allow logrotate_t logrotate_tmp_t:dir create_dir_perms; @@ -82,7 +88,6 @@ domain_getattr_all_entry_files(logrotate_t) files_read_usr_files(logrotate_t) files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) -files_manage_generic_locks(logrotate_t) files_read_all_pids(logrotate_t) # Write to /var/spool/slrnpull - should be moved into its own type. files_manage_generic_spools(logrotate_t) diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index d2a0172..3579887 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -117,6 +117,7 @@ libs_use_ld_so(ping_t) libs_use_shared_libs(ping_t) sysnet_read_config(ping_t) +sysnet_dns_name_resolve(ping_t) logging_send_syslog_msg(ping_t) diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in index bdce124..c4fbafc 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.in +++ b/refpolicy/policy/modules/kernel/corenetwork.if.in @@ -620,6 +620,23 @@ interface(`corenet_udp_bind_generic_port',` ######################################## ## +## Connect TCP sockets to generic ports. +## +## +## The type of the process performing this action. +## +# +interface(`corenet_tcp_connect_generic_port',` + gen_require(` + type port_t; + class tcp_socket name_connect; + ') + + allow $1 port_t:tcp_socket name_connect; +') + +######################################## +## ## Send and receive TCP network traffic on all ports. ## ## @@ -837,6 +854,23 @@ interface(`corenet_udp_bind_reserved_port',` ######################################## ## +## Connect TCP sockets to generic reserved ports. +## +## +## The type of the process performing this action. +## +# +interface(`corenet_tcp_connect_reserved_port',` + gen_require(` + type reserved_port_t; + class tcp_socket name_connect; + ') + + allow $1 reserved_port_t:tcp_socket name_connect; +') + +######################################## +## ## Send and receive TCP network traffic on all reserved ports. ## ## @@ -973,6 +1007,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` ######################################## ## +## Do not audit attempts to connect TCP sockets +## all reserved ports. +## +## +## Domain to not audit. +## +# +interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + class tcp_socket name_connect; + ') + + dontaudit $1 reserved_port_type:tcp_socket name_connect; +') + +######################################## +## ## Read and write the TUN/TAP virtual network device. ## ## @@ -982,11 +1034,11 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` interface(`corenet_use_tun_tap_device',` gen_require(` type tun_tap_device_t; - class chr_file { read write }; + class chr_file { read write ioctl }; ') dev_list_all_dev_nodes($1) - allow $1 tun_tap_device_t:chr_file { read write }; + allow $1 tun_tap_device_t:chr_file { read write ioctl }; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 0f0904e..978c2b0 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -185,6 +185,25 @@ interface(`dev_rw_generic_file',` ######################################## ## +## Delete generic files in /dev. +## +## +## Domain allowed access. +## +# +interface(`dev_delete_generic_file',` + gen_require(` + type device_t; + class dir { search write remove_name }; + class file unlink; + ') + + allow $1 device_t:dir { search write remove_name }; + allow $1 device_t:file unlink; +') + +######################################## +## ## Dontaudit getattr on generic pipes. ## ## diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 6a57c88..a3c784f 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -1630,6 +1630,24 @@ interface(`fs_dontaudit_list_tmpfs',` ') ######################################## +## +## Create, read, write, and delete +## tmpfs directories +## +## +## Domain allowed access. +## +# +interface(`fs_manage_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + class dir create_dir_perms; + ') + + allow $1 tmpfs_t:dir create_dir_perms; +') + +######################################## # # fs_create_tmpfs_data(domain,derivedtype,[class]) # @@ -1728,6 +1746,26 @@ interface(`fs_relabel_tmpfs_blk_dev',` ######################################## ## +## Read and write, create and delete generic +## files on tmpfs filesystems. +## +## +## The type of the process performing this action. +## +# +interface(`fs_manage_tmpfs_files',` + gen_require(` + type tmpfs_t; + class dir rw_dir_perms; + class file create_file_perms; + ') + + allow $1 tmpfs_t:dir rw_dir_perms; + allow $1 tmpfs_t:file create_file_perms; +') + +######################################## +## ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index 62a4f36..e1771a6 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -22,6 +22,7 @@ sid fs context_template(system_u:object_r:fs_t,s0) fs_use_xattr ext2 context_template(system_u:object_r:fs_t,s0); fs_use_xattr ext3 context_template(system_u:object_r:fs_t,s0); fs_use_xattr jfs context_template(system_u:object_r:fs_t,s0); +fs_use_xattr reiserfs context_template(system_u:object_r:fs_t,s0); fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem @@ -55,9 +56,11 @@ genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0) type hugetlbfs_t, filesystem_type; files_mountpoint(hugetlbfs_t) allow hugetlbfs_t self:filesystem associate; +genfscon hugetlbfs / context_template(system_u:object_r:hugetlbfs_t,s0) type inotifyfs_t, filesystem_type; allow inotifyfs_t self:filesystem associate; +genfscon inotifyfs / context_template(system_u:object_r:inotifyfs_t,s0) type mqueue_t, filesystem_type; files_mountpoint(mqueue_t) @@ -89,8 +92,8 @@ files_type(tmpfs_t) # and label the filesystem itself with the specified context. # This is appropriate for pseudo filesystems like devpts and tmpfs # where we want to label objects with a derived type. -fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0); fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0); +fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0); allow tmpfs_t self:filesystem associate; allow tmpfs_t noxattrfs:filesystem associate; @@ -119,10 +122,10 @@ genfscon smbfs / context_template(system_u:object_r:cifs_t,s0) # type dosfs_t, filesystem_type, noxattrfs; allow dosfs_t self:filesystem associate; -genfscon vfat / context_template(system_u:object_r:dosfs_t,s0) -genfscon msdos / context_template(system_u:object_r:dosfs_t,s0) genfscon fat / context_template(system_u:object_r:dosfs_t,s0) +genfscon msdos / context_template(system_u:object_r:dosfs_t,s0) genfscon ntfs / context_template(system_u:object_r:dosfs_t,s0) +genfscon vfat / context_template(system_u:object_r:dosfs_t,s0) # # iso9660_t is the type for CD filesystems diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 02d3827..6d0b9ba 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -53,6 +53,23 @@ interface(`kernel_rootfs_mountpoint',` ######################################## ## +## Set the process group of kernel threads. +## +## +## Domain allowed access. +## +# +interface(`kernel_setpgid',` + gen_require(` + type kernel_t; + class process setpgid; + ') + + allow $1 kernel_t:process setpgid; +') + +######################################## +## ## Send a SIGCHLD signal to kernel threads. ## ## @@ -65,7 +82,7 @@ interface(`kernel_sigchld',` class process sigchld; ') - allow kernel_t $1:process sigchld; + allow $1 kernel_t:process sigchld; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if index 6840d4b..0a1a072 100644 --- a/refpolicy/policy/modules/kernel/selinux.if +++ b/refpolicy/policy/modules/kernel/selinux.if @@ -276,6 +276,28 @@ interface(`selinux_compute_create_context',` ######################################## ## +## Allows caller to compute polyinstatntiated +## directory members. +## +## +## Domain allowed access. +## +# +interface(`selinux_compute_member',` + gen_require(` + type security_t; + class dir { read search getattr }; + class file { getattr read write }; + class security compute_member; + ') + + allow $1 security_t:dir { read search getattr }; + allow $1 security_t:file { getattr read write }; + allow $1 security_t:security compute_member; +') + +######################################## +## ## Calculate the context for relabeling objects. ## ## diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if index b9b181f..72c5c0e 100644 --- a/refpolicy/policy/modules/services/bind.if +++ b/refpolicy/policy/modules/services/bind.if @@ -109,6 +109,24 @@ interface(`bind_write_config',` ######################################## ## +## Create, read, write, and delete +## BIND configuration directories. +## +## +## Domain allowed access. +## +# +interface(`bind_manage_config_dir',` + gen_require(` + type named_conf_t; + class dir perms; + ') + + allow $1 named_conf_t:dir create_dir_perms; +') + +######################################## +## ## Do not audit attempts to set the attributes ## of the BIND pid directory. ## diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te index cf278f8..4a6af13 100644 --- a/refpolicy/policy/modules/services/bind.te +++ b/refpolicy/policy/modules/services/bind.te @@ -15,6 +15,9 @@ type named_exec_t; init_daemon_domain(named_t,named_exec_t) role system_r types named_t; +type named_checkconf_exec_t; +init_system_domain(named_t,named_checkconf_exec_t) + # A type for configuration files of named. type named_conf_t; files_type(named_conf_t) @@ -23,6 +26,9 @@ files_type(named_conf_t) type named_cache_t; files_type(named_cache_t) +type named_log_t; +logging_log_file(named_log_t) + type named_tmp_t; files_tmp_file(named_tmp_t) @@ -67,6 +73,10 @@ allow named_t named_cache_t:lnk_file create_lnk_perms; can_exec(named_t, named_exec_t) +allow named_t named_log_t:file create_file_perms; +allow named_t named_log_t:dir rw_dir_perms; +logging_create_log(named_t,named_log_t,{ file dir }) + allow named_t named_tmp_t:dir create_dir_perms; allow named_t named_tmp_t:file create_file_perms; files_create_tmp_files(named_t, named_tmp_t, { file dir }) @@ -99,7 +109,8 @@ corenet_tcp_bind_all_nodes(named_t) corenet_udp_bind_all_nodes(named_t) corenet_tcp_bind_dns_port(named_t) corenet_udp_bind_dns_port(named_t) -#corenet_tcp_bind_rndc_port(named_t) +corenet_tcp_bind_rndc_port(named_t) +corenet_tcp_connect_all_ports(named_t) dev_read_sysfs(named_t) dev_read_rand(named_t) @@ -196,6 +207,7 @@ corenet_tcp_sendrecv_all_nodes(ndc_t) corenet_raw_sendrecv_all_nodes(ndc_t) corenet_tcp_sendrecv_all_ports(ndc_t) corenet_tcp_bind_all_nodes(ndc_t) +corenet_tcp_connect_rndc_port(ndc_t) fs_getattr_xattr_fs(ndc_t) @@ -215,20 +227,13 @@ logging_send_syslog_msg(ndc_t) miscfiles_read_localization(ndc_t) sysnet_read_config(ndc_t) +sysnet_dns_name_resolve(ndc_t) # for /etc/rndc.key ifdef(`distro_redhat',` allow ndc_t named_conf_t:dir search; ') -tunable_policy(`use_dns',` - allow ndc_t self:udp_socket create_socket_perms; - corenet_udp_sendrecv_all_if(ndc_t) - corenet_udp_sendrecv_all_nodes(ndc_t) - corenet_udp_sendrecv_dns_port(ndc_t) - corenet_udp_bind_all_nodes(ndc_t) -') - tunable_policy(`named_write_master_zones',` allow named_t named_zone_t:dir create_dir_perms; allow named_t named_zone_t:file create_file_perms; diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index a20b616..f8dd882 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -288,7 +288,6 @@ logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) miscfiles_read_man_pages(system_crond_t) -miscfiles_rw_man_cache(system_crond_t) seutil_read_config(system_crond_t) diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if index f0baf8b..adfd14e 100644 --- a/refpolicy/policy/modules/services/kerberos.if +++ b/refpolicy/policy/modules/services/kerberos.if @@ -55,10 +55,7 @@ interface(`kerberos_use',` corenet_tcp_bind_all_nodes($1) corenet_udp_bind_all_nodes($1) sysnet_read_config($1) - ') - - tunable_policy(`allow_kerberos && use_dns',` - corenet_udp_sendrecv_dns_port($1) + sysnet_dns_name_resolve($1) ') ') diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index e6efcbd..06537b8 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -42,8 +42,6 @@ template(`mta_per_userdomain_template',` allow $1_mail_t self:capability { setuid setgid chown }; allow $1_mail_t self:process { signal_perms setrlimit }; - - # tcp networking allow $1_mail_t self:tcp_socket create_socket_perms; # re-exec itself @@ -91,19 +89,12 @@ template(`mta_per_userdomain_template',` miscfiles_read_localization($1_mail_t) sysnet_read_config($1_mail_t) + sysnet_dns_name_resolve($1_mail_t) userdom_use_user_terminals($1,$1_mail_t) # Write to the user domain tty. cjp: why? userdom_use_user_terminals($1,mta_user_agent) - tunable_policy(`use_dns',` - allow $1_mail_t self:udp_socket create_socket_perms; - corenet_udp_sendrecv_all_if($1_mail_t) - corenet_udp_sendrecv_all_nodes($1_mail_t) - corenet_udp_bind_all_nodes($1_mail_t) - corenet_udp_sendrecv_dns_port($1_mail_t) - ') - tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files($1_mail_t) fs_manage_cifs_symlinks($1_mail_t) diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 3a112e9..634db10 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -45,7 +45,6 @@ ifdef(`targeted_policy',`',` allow system_mail_t self:capability { setuid setgid chown }; allow system_mail_t self:process { signal_perms setrlimit }; - allow system_mail_t self:tcp_socket create_socket_perms; # re-exec itself @@ -60,9 +59,10 @@ corenet_tcp_sendrecv_all_if(system_mail_t) corenet_raw_sendrecv_all_if(system_mail_t) corenet_tcp_sendrecv_all_nodes(system_mail_t) corenet_raw_sendrecv_all_nodes(system_mail_t) -corenet_tcp_bind_all_nodes(system_mail_t) corenet_tcp_sendrecv_all_ports(system_mail_t) +corenet_tcp_bind_all_nodes(system_mail_t) +dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) fs_getattr_xattr_fs(system_mail_t) @@ -86,6 +86,7 @@ logging_send_syslog_msg(system_mail_t) miscfiles_read_localization(system_mail_t) sysnet_read_config(system_mail_t) +sysnet_dns_name_resolve(system_mail_t) userdom_use_sysadm_terms(system_mail_t) @@ -116,14 +117,6 @@ ifdef(`targeted_policy',` ') ') -tunable_policy(`use_dns',` - allow system_mail_t self:udp_socket create_socket_perms; - corenet_udp_sendrecv_all_if(system_mail_t) - corenet_udp_sendrecv_all_nodes(system_mail_t) - corenet_udp_bind_all_nodes(system_mail_t) - corenet_udp_sendrecv_dns_port(system_mail_t) -') - optional_policy(`cron.te',` cron_read_system_job_tmp_files(system_mail_t) ') @@ -174,14 +167,6 @@ allow system_mail_t privmail:fd use; allow system_mail_t privmail:process sigchld; allow system_mail_t privmail:fifo_file { read write }; -optional_policy(`arpwatch.te',` - allow system_mail_t arpwatch_tmp_t:file rw_file_perms; - - ifdef(`hide_broken_symptoms', ` - dontaudit system_mail_t arpwatch_t:packet_socket { read write }; - ') -') - optional_policy(`qmail.te',` allow system_mail_t qmail_etc_t:dir search; allow system_mail_t qmail_etc_t:{ file lnk_file } read; diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te index 4830cf0..0d8f7d3 100644 --- a/refpolicy/policy/modules/services/mysql.te +++ b/refpolicy/policy/modules/services/mysql.te @@ -32,8 +32,9 @@ files_tmp_file(mysqld_tmp_t) allow mysqld_t self:capability { dac_override setgid setuid }; dontaudit mysqld_t self:capability sys_tty_config; -allow mysqld_t self:process getsched; +allow mysqld_t self:process { setsched getsched }; allow mysqld_t self:fifo_file { read write }; +allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; allow mysqld_t self:unix_stream_socket create_stream_socket_perms; allow mysqld_t self:tcp_socket create_stream_socket_perms; allow mysqld_t self:tcp_socket connected_socket_perms; @@ -112,6 +113,10 @@ optional_policy(`nis.te',` nis_use_ypbind(mysqld_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(mysqld_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(mysqld_t) ') diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if index 9ad95f8..1f5a0c5 100644 --- a/refpolicy/policy/modules/services/nis.if +++ b/refpolicy/policy/modules/services/nis.if @@ -35,17 +35,20 @@ interface(`nis_use_ypbind',` corenet_tcp_sendrecv_all_nodes($1) corenet_udp_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) - corenet_tcp_bind_all_nodes($1) - corenet_udp_bind_all_nodes($1) corenet_tcp_sendrecv_all_ports($1) corenet_udp_sendrecv_all_ports($1) + corenet_tcp_bind_all_nodes($1) + corenet_udp_bind_all_nodes($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) corenet_tcp_bind_reserved_port($1) corenet_udp_bind_reserved_port($1) corenet_dontaudit_tcp_bind_all_reserved_ports($1) corenet_dontaudit_udp_bind_all_reserved_ports($1) - + corenet_tcp_connect_portmap_port($1) + corenet_tcp_connect_reserved_port($1) + corenet_tcp_connect_generic_port($1) + corenet_dontaudit_tcp_connect_all_reserved_ports($1) ',` dontaudit $1 var_yp_t:dir search; ') diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te index 6ed8241..0cb99bd 100644 --- a/refpolicy/policy/modules/services/nscd.te +++ b/refpolicy/policy/modules/services/nscd.te @@ -11,6 +11,9 @@ type nscd_t; type nscd_exec_t; init_daemon_domain(nscd_t,nscd_exec_t) +type nscd_log_t; +logging_log_file(nscd_log_t) + type nscd_var_run_t; files_pid_file(nscd_var_run_t) @@ -35,6 +38,9 @@ allow nscd_t self:udp_socket create_socket_perms; # cjp: this should probably be in a direct_sysadm_daemon tunable allow nscd_t self:nscd { admin getstat }; +allow nscd_t nscd_log_t:file create_file_perms; +logging_create_log(nscd_t,nscd_log_t) + allow nscd_t nscd_var_run_t:file create_file_perms; allow nscd_t nscd_var_run_t:sock_file create_file_perms; files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file }) @@ -66,6 +72,7 @@ corenet_udp_sendrecv_all_ports(nscd_t) corenet_tcp_bind_all_nodes(nscd_t) corenet_udp_bind_all_nodes(nscd_t) corenet_tcp_connect_all_ports(nscd_t) +corenet_use_tun_tap_device(nscd_t) selinux_get_fs_mount(nscd_t) selinux_validate_context(nscd_t) @@ -111,8 +118,6 @@ optional_policy(`udev.te', ` ') ifdef(`TODO',` -nscd_socket_domain(daemon) - optional_policy(`winbind.te', ` # Handle winbind for samba, Might only be needed for targeted policy @@ -124,6 +129,7 @@ optional_policy(`winbind.te', ` optional_policy(`rhgb.te',` rhgb_domain(nscd_t) ') +r_dir_file(nscd_t, cert_t) allow nscd_t tmp_t:dir { search getattr }; allow nscd_t tmp_t:lnk_file read; ') dnl end TODO diff --git a/refpolicy/policy/modules/services/ntp.if b/refpolicy/policy/modules/services/ntp.if index 9c43145..8527e7e 100644 --- a/refpolicy/policy/modules/services/ntp.if +++ b/refpolicy/policy/modules/services/ntp.if @@ -2,6 +2,20 @@ ######################################## ## +## NTP stub interface. No access allowed. +## +## +## N/A +## +# +interface(`ntp_stub',` + gen_require(`ntp.te',` + type ntpd_t; + ') +') + +######################################## +## ## Execute ntp server in the ntpd domain. ## ## diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index 8f6084c..1256da6 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -1,12 +1,12 @@ -policy_module(authlogin,1.0) +policy_module(remotelogin,1.0) ######################################## # # Declarations # -type remote_login_t; +type remote_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade; domain_obj_id_change_exempt(remote_login_t) domain_subj_id_change_exempt(remote_login_t) domain_role_change_exempt(remote_login_t) @@ -107,6 +107,8 @@ logging_send_syslog_msg(remote_login_t) seutil_read_config(remote_login_t) seutil_read_default_contexts(remote_login_t) +sysnet_dns_name_resolve(remote_login_t) + miscfiles_read_localization(remote_login_t) userdom_use_unpriv_users_fd(remote_login_t) @@ -132,18 +134,6 @@ tunable_policy(`read_default_t',` files_read_default_pipes(remote_login_t) ') -# Allow remote login to resolve host names (passed in via the -h switch) -tunable_policy(`use_dns',` - allow remote_login_t self:udp_socket create_socket_perms; - corenet_udp_sendrecv_all_if(remote_login_t) - corenet_raw_sendrecv_all_if(remote_login_t) - corenet_udp_sendrecv_all_nodes(remote_login_t) - corenet_raw_sendrecv_all_nodes(remote_login_t) - corenet_udp_sendrecv_dns_port(remote_login_t) - corenet_udp_bind_all_nodes(remote_login_t) - sysnet_read_config(remote_login_t) -') - tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(remote_login_t) fs_read_nfs_symlinks(remote_login_t) @@ -172,6 +162,8 @@ optional_policy(`remotelogin.te',` # FIXME: what is this for? remotelogin_signull(xdm_t) ') +# Login can polyinstantiate +polyinstantiater(remote_login_t) allow remote_login_t userpty_type:chr_file { setattr write }; allow remote_login_t ptyfile:chr_file { getattr ioctl }; diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 0b1d97e..61e6238 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -129,11 +129,6 @@ optional_policy(`rhgb.te', ` rhgb_domain(sendmail_t) ') -optional_policy(`arpwatch.te',` - # why is mail delivered to a directory of type arpwatch_data_t? - allow mta_delivery_agent arpwatch_data_t:dir search; -') - # # Need this transition to create /etc/aliases.db # diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index e1c29eb..1b4b1d4 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -144,6 +144,7 @@ template(`ssh_per_userdomain_template',` seutil_read_config($1_ssh_t) sysnet_read_config($1_ssh_t) + sysnet_dns_name_resolve($1_ssh_t) userdom_use_unpriv_users_fd($1_ssh_t) @@ -155,14 +156,6 @@ template(`ssh_per_userdomain_template',` files_read_default_pipes($1_ssh_t) ') - tunable_policy(`use_dns',` - allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; - corenet_udp_sendrecv_all_if($1_ssh_t) - corenet_udp_sendrecv_all_nodes($1_ssh_t) - corenet_udp_sendrecv_dns_port($1_ssh_t) - corenet_udp_bind_all_nodes($1_ssh_t) - ') - tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_ssh_t) fs_manage_nfs_files($1_ssh_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index e05857b..7a126cc 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -53,6 +53,14 @@ template(`authlogin_per_userdomain_template',` files_list_etc($1_chkpwd_t) allow $1_chkpwd_t shadow_t:file { getattr read }; + # Transition from the user domain to this domain. + domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t) + + allow $1_chkpwd_t $2:fd use; + allow $2 $1_chkpwd_t:fd use; + allow $1_chkpwd_t $2:fifo_file rw_file_perms; + allow $1_chkpwd_t $2:process sigchld; + # is_selinux_enabled kernel_read_system_state($1_chkpwd_t) @@ -73,13 +81,7 @@ template(`authlogin_per_userdomain_template',` seutil_read_config($1_chkpwd_t) - # Transition from the user domain to this domain. - domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t) - - allow $1_chkpwd_t $2:fd use; - allow $2 $1_chkpwd_t:fd use; - allow $1_chkpwd_t $2:fifo_file rw_file_perms; - allow $1_chkpwd_t $2:process sigchld; + sysnet_dns_name_resolve($1_chkpwd_t) # Write to the user domain tty. userdom_use_user_terminals($1,$1_chkpwd_t) @@ -87,17 +89,6 @@ template(`authlogin_per_userdomain_template',` # Inherit and use descriptors from gnome-pty-helper. #ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;') - tunable_policy(`use_dns',` - allow $1_chkpwd_t self:udp_socket create_socket_perms; - corenet_udp_sendrecv_all_if($1_chkpwd_t) - corenet_raw_sendrecv_all_if($1_chkpwd_t) - corenet_udp_sendrecv_all_nodes($1_chkpwd_t) - corenet_raw_sendrecv_all_nodes($1_chkpwd_t) - corenet_udp_bind_all_nodes($1_chkpwd_t) - corenet_udp_sendrecv_dns_port($1_chkpwd_t) - sysnet_read_config($1_chkpwd_t) - ') - optional_policy(`kerberos.te',` kerberos_use($1_chkpwd_t) ') @@ -237,16 +228,7 @@ interface(`auth_domtrans_chk_passwd',` dontaudit $1 shadow_t:file { getattr read }; - tunable_policy(`use_dns',` - allow $1 self:udp_socket create_socket_perms; - corenet_udp_sendrecv_all_if($1) - corenet_raw_sendrecv_all_if($1) - corenet_udp_sendrecv_all_nodes($1) - corenet_raw_sendrecv_all_nodes($1) - corenet_udp_bind_all_nodes($1) - corenet_udp_sendrecv_dns_port($1) - sysnet_read_config($1) - ') + sysnet_dns_name_resolve($1) optional_policy(`kerberos.te',` kerberos_use($1) diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 21620db..0769638 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -124,6 +124,10 @@ optional_policy(`nscd.te',` ifdef(`TODO',` ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;') +# Supress xdm denial +ifdef(`xdm.te', ` +dontaudit pam_t xdm_t:fd use; +') dnl ifdef ') dnl endif TODO ######################################## @@ -272,34 +276,15 @@ miscfiles_read_localization(system_chkpwd_t) seutil_read_config(system_chkpwd_t) -userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t) +sysnet_dns_name_resolve(system_chkpwd_t) +sysnet_use_ldap(system_chkpwd_t) -tunable_policy(`use_dns',` - allow system_chkpwd_t self:udp_socket create_socket_perms; - corenet_udp_sendrecv_all_if(system_chkpwd_t) - corenet_raw_sendrecv_all_if(system_chkpwd_t) - corenet_udp_sendrecv_all_nodes(system_chkpwd_t) - corenet_raw_sendrecv_all_nodes(system_chkpwd_t) - corenet_udp_bind_all_nodes(system_chkpwd_t) - corenet_udp_sendrecv_dns_port(system_chkpwd_t) - sysnet_read_config(system_chkpwd_t) -') +userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t) optional_policy(`kerberos.te',` kerberos_use(system_chkpwd_t) ') -optional_policy(`ldap.te',` - allow system_chkpwd_t self:tcp_socket create_socket_perms; - corenet_tcp_sendrecv_all_if(system_chkpwd_t) - corenet_raw_sendrecv_all_if(system_chkpwd_t) - corenet_tcp_sendrecv_all_nodes(system_chkpwd_t) - corenet_raw_sendrecv_all_nodes(system_chkpwd_t) - corenet_tcp_sendrecv_ldap_port(system_chkpwd_t) - corenet_tcp_bind_all_nodes(system_chkpwd_t) - sysnet_read_config(system_chkpwd_t) -') - optional_policy(`nis.te',` nis_use_ypbind(system_chkpwd_t) ') diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 73db9df..61dbd27 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -18,12 +18,9 @@ role system_r types hostname_t; # for setting the hostname allow hostname_t self:process { sigchld sigkill sigstop signull signal }; - allow hostname_t self:capability sys_admin; dontaudit hostname_t self:capability sys_tty_config; -sysnet_read_config(hostname_t) - kernel_read_kernel_sysctl(hostname_t) kernel_dontaudit_use_fd(hostname_t) kernel_list_proc(hostname_t) @@ -55,6 +52,9 @@ logging_send_syslog_msg(hostname_t) miscfiles_read_localization(hostname_t) +sysnet_read_config(hostname_t) +sysnet_dns_name_resolve(hostname_t) + userdom_use_all_user_fd(hostname_t) ifdef(`distro_redhat', ` @@ -67,17 +67,6 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(hostname_t) ') -tunable_policy(`use_dns',` - allow hostname_t self:udp_socket create_socket_perms; - corenet_udp_sendrecv_all_if(hostname_t) - corenet_raw_sendrecv_all_if(hostname_t) - corenet_udp_sendrecv_all_nodes(hostname_t) - corenet_raw_sendrecv_all_nodes(hostname_t) - corenet_udp_bind_all_nodes(hostname_t) - corenet_udp_sendrecv_dns_port(hostname_t) - sysnet_read_config(hostname_t) -') - optional_policy(`firstboot.te',` firstboot_use_fd(hostname_t) ') @@ -90,7 +79,8 @@ optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(hostname_t) ') -optional_policy(`udev.te', ` +optional_policy(`udev.te',` + udev_dontaudit_use_fd(hostname_t) udev_read_db(hostname_t) ') diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index 19c0e63..7e10b6a 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if @@ -104,10 +104,10 @@ interface(`hotplug_getattr_config_dir',` interface(`hotplug_search_config',` gen_require(` type hotplug_etc_t; - class dir search; + class dir { getattr search }; ') - allow $1 hotplug_etc_t:dir search; + allow $1 hotplug_etc_t:dir { getattr search }; ') ######################################## diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index b6c33db..514724b 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -23,14 +23,13 @@ files_pid_file(hotplug_var_run_t) # Local policy # -allow hotplug_t self:capability { net_admin sys_tty_config mknod }; +allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit hotplug_t self:capability { dac_override dac_read_search }; - allow hotplug_t self:process { getsession getattr }; - allow hotplug_t self:fifo_file rw_file_perms; +allow hotplug_t self:netlink_route_socket r_netlink_socket_perms; allow hotplug_t self:udp_socket create_socket_perms; allow hotplug_t self:tcp_socket connected_stream_socket_perms; @@ -45,6 +44,7 @@ allow hotplug_t hotplug_var_run_t:file { getattr create read write append setatt files_create_pid(hotplug_t,hotplug_var_run_t) kernel_sigchld(hotplug_t) +kernel_setpgid(hotplug_t) kernel_read_system_state(hotplug_t) kernel_read_kernel_sysctl(hotplug_t) kernel_read_net_sysctl(hotplug_t) @@ -58,7 +58,7 @@ corenet_raw_sendrecv_all_nodes(hotplug_t) corenet_tcp_sendrecv_all_ports(hotplug_t) corenet_tcp_bind_all_nodes(hotplug_t) -dev_read_sysfs(hotplug_t) +dev_rw_sysfs(hotplug_t) dev_read_usbfs(hotplug_t) dev_setattr_printer(hotplug_t) dev_setattr_snd_dev(hotplug_t) @@ -107,6 +107,8 @@ modutils_read_mods_deps(hotplug_t) miscfiles_read_localization(hotplug_t) +seutil_dontaudit_search_config(hotplug_t) + sysnet_read_config(hotplug_t) userdom_dontaudit_use_unpriv_user_fd(hotplug_t) @@ -122,8 +124,6 @@ ifdef(`distro_redhat', ` ') ifdef(`targeted_policy', ` - unconfined_domain_template(hotplug_t) - optional_policy(`consoletype.te',` consoletype_domtrans(hotplug_t) ') diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 5e702c9..f4d943d 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -90,10 +90,14 @@ interface(`init_daemon_domain',` # Red Hat systems seem to have a stray # fd open from the initrd - optional_policy(`distro_redhat',` + ifdef(`distro_redhat',` kernel_dontaudit_use_fd($1) files_dontaudit_read_root_file($1) ') + + optional_policy(`nscd.te',` + nscd_use_socket($1) + ') ') ######################################## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index b105b6e..5d03d77 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -385,6 +385,10 @@ ifdef(`distro_redhat',` # readahead asks for these mta_read_aliases(initrc_t) + + optional_policy(`bind.te',` + bind_manage_config_dir(initrc_t) + ') ') ifdef(`targeted_policy',` @@ -546,6 +550,12 @@ ifdef(`distro_redhat', ` allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr; allow initrc_t self:capability sys_admin; allow initrc_t device_t:dir create; + + optional_policy(`rpm.te',` + rpm_stub() + #read ahead wants to read this + allow initrc_t system_cron_spool_t:file { getattr read }; + ') ') ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te index a30a314..25e0b0a 100644 --- a/refpolicy/policy/modules/system/ipsec.te +++ b/refpolicy/policy/modules/system/ipsec.te @@ -28,6 +28,9 @@ type ipsec_mgmt_exec_t; init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t) role system_r types ipsec_mgmt_t; +type ipsec_mgmt_lock_t; +files_lock_file(ipsec_mgmt_lock_t) + type ipsec_mgmt_var_run_t; files_pid_file(ipsec_mgmt_var_run_t) @@ -155,6 +158,9 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket { create setopt }; allow ipsec_mgmt_t self:fifo_file rw_file_perms; +allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms; +files_create_lock(ipsec_mgmt_t,ipsec_mgmt_lock_t) + allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms; files_create_pid(ipsec_mgmt_t,ipsec_mgmt_var_run_t) @@ -235,9 +241,6 @@ files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dir(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) -# Allow scripts to use /var/locl/subsys/ipsec -# cjp: need a lock type -files_manage_generic_locks(ipsec_mgmt_t) init_use_script_pty(ipsec_mgmt_t) init_exec_script(ipsec_mgmt_t) diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 509ba51..98f777b 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -69,6 +69,7 @@ logging_send_syslog_msg(iptables_t) miscfiles_read_localization(iptables_t) sysnet_domtrans_ifconfig(iptables_t) +sysnet_dns_name_resolve(iptables_t) userdom_use_all_user_fd(iptables_t) @@ -79,19 +80,6 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(iptables_t) ') -tunable_policy(`use_dns',` - allow iptables_t self:udp_socket create_socket_perms; - - corenet_udp_sendrecv_all_if(iptables_t) - corenet_raw_sendrecv_all_if(iptables_t) - corenet_udp_sendrecv_all_nodes(iptables_t) - corenet_raw_sendrecv_all_nodes(iptables_t) - corenet_udp_bind_all_nodes(iptables_t) - corenet_udp_sendrecv_dns_port(iptables_t) - - sysnet_read_config(iptables_t) -') - optional_policy(`firstboot.te',` firstboot_use_fd(iptables_t) firstboot_write_pipe(iptables_t) diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index b59c850..9a09e42 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -225,7 +225,7 @@ interface(`libs_use_shared_libs',` type lib_t, shlib_t, texrel_shlib_t; class dir r_dir_perms; class lnk_file r_file_perms; - class file rx_file_perms; + class file { rx_file_perms execmod }; ') files_search_usr($1) @@ -233,6 +233,7 @@ interface(`libs_use_shared_libs',` allow $1 lib_t:lnk_file r_file_perms; allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms; allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms; + allow $1 texrel_shlib_t:file execmod; ') ######################################## diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 447829e..0c5d65e 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -6,7 +6,7 @@ policy_module(locallogin,1.0) # Declarations # -type local_login_t; +type local_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade; auth_login_entry_type(local_login_t) domain_type(local_login_t) domain_obj_id_change_exempt(local_login_t) @@ -15,6 +15,9 @@ domain_role_change_exempt(local_login_t) domain_wide_inherit_fd(local_login_t) role system_r types local_login_t; +type local_login_lock_t; +files_lock_file(local_login_lock_t) + type local_login_tmp_t; files_type(local_login_tmp_t) @@ -47,6 +50,9 @@ allow local_login_t self:sem create_sem_perms; allow local_login_t self:msgq create_msgq_perms; allow local_login_t self:msg { send receive }; +allow local_login_t local_login_lock_t:file create_file_perms; +files_create_lock(local_login_t,local_login_lock_t) + allow local_login_t local_login_tmp_t:dir create_dir_perms; allow local_login_t local_login_tmp_t:file create_file_perms; files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir }) @@ -125,7 +131,6 @@ domain_read_all_entry_files(local_login_t) files_read_etc_files(local_login_t) files_read_etc_runtime_files(local_login_t) files_read_usr_files(local_login_t) -files_manage_generic_locks(var_lock_t) files_list_mnt(local_login_t) files_list_world_readable(local_login_t) files_read_world_readable_files(local_login_t) @@ -209,6 +214,8 @@ optional_policy(`locallogin.te',` # FIXME: what is this for? locallogin_signull(xdm_t) ') +# Login can polyinstantiate +polyinstantiater(local_login_t) ') dnl endif TODO ################################# diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 4dabd10..1af5ed5 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -200,6 +200,12 @@ logging_send_syslog_msg(klogd_t) miscfiles_read_localization(klogd_t) +ifdef(`TODO',` +ifdef(`targeted_policy', ` +allow klogd_t unconfined_t:system syslog_mod; +') +') + ######################################## # # syslogd local policy diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index 399d502..b86b245 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if @@ -2,27 +2,6 @@ ######################################## ## -## Allow process to create files and dirs in /var/cache/man -## and /var/catman/ -## -## -## Type type of the process performing this action. -## -# -interface(`miscfiles_rw_man_cache',` - gen_require(` - type catman_t; - class dir create_dir_perms; - class file create_file_perms; - ') - - files_search_var($1) - allow $1 catman_t:dir create_dir_perms; - allow $1 catman_t:file create_file_perms; -') - -######################################## -## ## Read fonts ## ## diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 731cb7d..ae357bf 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -14,7 +14,7 @@ files_type(modules_conf_t) type modules_dep_t; files_type(modules_dep_t) -type insmod_t; +type insmod_t; #, mlsfilewrite type insmod_exec_t; kernel_userland_entry(insmod_t,insmod_exec_t) init_system_domain(insmod_t,insmod_exec_t) @@ -111,10 +111,18 @@ ifdef(`targeted_policy',` unconfined_domain_template(insmod_t) ') +optional_policy(`hotplug.te',` + hotplug_search_config(insmod_t) +') + optional_policy(`mount.te',` mount_domtrans(insmod_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(insmod_t) +') + optional_policy(`rpm.te',` rpm_rw_pipe(insmod_t) ') diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index d7ecfc7..4e5d709 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -6,7 +6,7 @@ policy_module(mount,1.0) # Declarations # -type mount_t; +type mount_t; #, mlsfileread, mlsfilewrite type mount_exec_t; init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -45,6 +45,7 @@ fs_unmount_all_fs(mount_t) fs_remount_all_fs(mount_t) fs_relabelfrom_xattr_fs(mount_t) fs_search_auto_mountpoints(mount_t) +fs_use_tmpfs_chr_dev(mount_t) term_use_console(mount_t) @@ -77,12 +78,11 @@ logging_send_syslog_msg(mount_t) miscfiles_read_localization(mount_t) +sysnet_use_portmap(mount_t) + userdom_use_all_user_fd(mount_t) ifdef(`distro_redhat',` - fs_use_tmpfs_chr_dev(mount_t) - allow mount_t tmpfs_t:dir mounton; - optional_policy(`authlogin.te',` auth_read_pam_console_data(mount_t) # mount config by default sets fscontext=removable_t @@ -109,6 +109,7 @@ optional_policy(`portmap.te', ` corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) corenet_udp_bind_reserved_port(mount_t) + corenet_tcp_connect_all_ports(mount_t) optional_policy(`nis.te',` nis_use_ypbind(mount_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index f0d486d..e4053ca 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -345,3 +345,91 @@ interface(`sysnet_create_dhcp_state',` type_transition $1 dhcp_state_t:$3 $2; ') ') + +######################################## +## +## Perform a DNS name resolution. +## +## +## Domain allowed access. +## +# +interface(`sysnet_dns_name_resolve',` + gen_require(` + type net_conf_t; + class udp_socket create_socket_perms; + ') + + allow $1 self:udp_socket create_socket_perms; + corenet_udp_sendrecv_all_if($1) + corenet_raw_sendrecv_all_if($1) + corenet_udp_sendrecv_all_nodes($1) + corenet_raw_sendrecv_all_nodes($1) + corenet_udp_sendrecv_dns_port($1) + corenet_udp_bind_all_nodes($1) + + files_search_etc($1) + allow $1 net_conf_t:file r_file_perms; +') + +######################################## +## +## Connect and use a LDAP server. +## +## +## Domain allowed access. +## +# +interface(`sysnet_use_ldap',` + gen_require(` + type net_conf_t; + class tcp_socket create_socket_perms; + ') + + allow $1 self:tcp_socket create_socket_perms; + + corenet_tcp_sendrecv_all_if($1) + corenet_raw_sendrecv_all_if($1) + corenet_tcp_sendrecv_all_nodes($1) + corenet_raw_sendrecv_all_nodes($1) + corenet_tcp_sendrecv_ldap_port($1) + corenet_tcp_bind_all_nodes($1) + corenet_tcp_connect_ldap_port($1) + + files_search_etc($1) + allow $1 net_conf_t:file r_file_perms; +') + +######################################## +## +## Connect and use remote port mappers. +## +## +## Domain allowed access. +## +# +interface(`sysnet_use_portmap',` + gen_require(` + type net_conf_t; + class tcp_socket create_socket_perms; + class udp_socket create_socket_perms; + ') + + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; + + corenet_tcp_sendrecv_all_if($1) + corenet_udp_sendrecv_all_if($1) + corenet_raw_sendrecv_all_if($1) + corenet_tcp_sendrecv_all_nodes($1) + corenet_udp_sendrecv_all_nodes($1) + corenet_raw_sendrecv_all_nodes($1) + corenet_tcp_sendrecv_portmap_port($1) + corenet_udp_sendrecv_portmap_port($1) + corenet_tcp_bind_all_nodes($1) + corenet_udp_bind_all_nodes($1) + corenet_tcp_connect_portmap_port($1) + + files_search_etc($1) + allow $1 net_conf_t:file r_file_perms; +') diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 2842c25..7a0554f 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -172,6 +172,9 @@ optional_policy(`hotplug.te',` # for the dhcp client to run ping to check IP addresses optional_policy(`netutils.te',` netutils_domtrans_ping(dhcpc_t) +',` + allow dhcpc_t self:capability setuid; + allow dhcpc_t self:rawip_socket create_socket_perms; ') optional_policy(`nis.te',` diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if index 6dedd30..340f528 100644 --- a/refpolicy/policy/modules/system/udev.if +++ b/refpolicy/policy/modules/system/udev.if @@ -26,6 +26,24 @@ interface(`udev_domtrans',` ######################################## ## +## Do not audit attempts to inherit a +## udev file descriptor. +## +## +## Domain to not audit. +## +# +interface(`udev_dontaudit_use_fd',` + gen_require(` + type udev_t; + class fd use; + ') + + dontaudit $1 udev_t:fd use; +') + +######################################## +## ## Do not audit attempts to read or write ## to a udev unix datagram socket. ## @@ -33,7 +51,7 @@ interface(`udev_domtrans',` ## Domain to not audit. ## # -interface(`udev_donaudit_rw_unix_dgram_socket',` +interface(`udev_dontaudit_rw_unix_dgram_socket',` gen_require(` type udev_t; class unix_dgram_socket { read write }; diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 81071aa..0829712 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -34,7 +34,7 @@ files_pid_file(udev_var_run_t) # Local policy # -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio }; allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; @@ -75,8 +75,10 @@ kernel_rw_unix_dgram_socket(udev_t) kernel_sendto_unix_dgram_socket(udev_t) kernel_signal(udev_t) -dev_read_sysfs(udev_t) +dev_rw_sysfs(udev_t) dev_manage_dev_nodes(udev_t) +dev_rw_generic_file(udev_t) +dev_delete_generic_file(udev_t) fs_getattr_all_fs(udev_t) @@ -125,6 +127,8 @@ sysnet_domtrans_ifconfig(udev_t) userdom_use_sysadm_tty(udev_t) ifdef(`distro_redhat',` + fs_manage_tmpfs_dirs(udev_t) + fs_manage_tmpfs_files(udev_t) fs_manage_tmpfs_symlinks(udev_t) fs_manage_tmpfs_sockets(udev_t) fs_manage_tmpfs_blk_dev(udev_t) diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 97d701d..59eb383 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -34,10 +34,16 @@ template(`unconfined_domain_template',` files_unconfined($1) tunable_policy(`allow_execmem',` - # Allow loading DSOs that require executable stack. + # Allow making anonymous memory executable, e.g. + # for runtime-code generation or executable stack. allow $1 self:process execmem; ') + tunable_policy(`allow_execmem && allow_execstack',` + # Allow making the stack executable via mprotect. + allow $1 self:process execstack; + ') + optional_policy(`authlogin.te',` auth_unconfined($1) ') @@ -61,8 +67,13 @@ template(`unconfined_domain_template',` ifdef(`TODO',` if (allow_execmod) { - # Allow text relocations on system shared libraries, e.g. libGL. - allow $1 texrel_shlib_t:file execmod; + ifdef(`targeted_policy', ` + allow $1 file_type:file execmod; + ', ` + # Allow text relocations on system shared libraries, e.g. libGL. + allow $1 texrel_shlib_t:file execmod; + allow $1 home_type:file execmod; + ') } ifdef(`dbusd.te', ` diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 0e91736..d105ae8 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -139,8 +139,8 @@ template(`base_user_template',` corenet_udp_sendrecv_all_ports($1_t) corenet_tcp_bind_all_nodes($1_t) corenet_udp_bind_all_nodes($1_t) - # allow port_t name binding for UDP because it is not very usable otherwise corenet_udp_bind_generic_port($1_t) + corenet_tcp_connect_all_ports($1_t) dev_read_input($1_t) dev_read_misc($1_t) @@ -194,7 +194,6 @@ template(`base_user_template',` logging_dontaudit_getattr_all_logs($1_t) miscfiles_read_localization($1_t) - miscfiles_rw_man_cache($1_t) # for running TeX programs miscfiles_read_tetex_data($1_t) miscfiles_exec_tetex_data($1_t) @@ -301,6 +300,8 @@ template(`base_user_template',` ifdef(`TODO',` + can_winbind($1_t) + # # Cups daemon running as user tries to write /etc/printcap # @@ -324,8 +325,6 @@ template(`base_user_template',` # dontaudit $1_t sysctl_net_t:dir search; - dontaudit $1_t default_context_t:dir search; - r_dir_file($1_t, usercanread) tunable_policy(`allow_execmod',` @@ -1481,7 +1480,7 @@ interface(`userdom_dontaudit_use_sysadm_tty',` term_dontaudit_use_unallocated_tty($1) ',` gen_require(` - attribute sysadm_tty_device_t; + type sysadm_tty_device_t; class chr_file { read write }; ') diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 8438dd5..6f89062 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -186,6 +186,11 @@ ifdef(`targeted_policy',` netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`ntp.te',` + ntp_stub() + corenet_udp_bind_ntp_port(sysadm_t) + ') + optional_policy(`pcmcia.te',` pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) ')