From ce6fee6575bd086427c2fe67eb50e40592fc7ebd Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Jul 14 2009 14:30:22 +0000
Subject: 5 patches from dan
---
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 4d8f914..82c4052 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -1,5 +1,5 @@
-policy_module(uml, 2.0.1)
+policy_module(uml, 2.0.2)
 ########################################
 #
@@ -16,14 +16,12 @@ ubac_constrained(uml_t)
 type uml_ro_t;
 typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
 typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
-files_type(uml_ro_t)
-ubac_constrained(uml_ro_t)
+userdom_user_home_content(uml_ro_t)
 type uml_rw_t;
 typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
 typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
-files_type(uml_rw_t)
-ubac_constrained(uml_rw_t)
+userdom_user_home_content(uml_rw_t)
 type uml_tmp_t;
 typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 508fee1..0de3898 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.11.9)
+policy_module(corenetwork, 1.11.10)
 ########################################
 #
@@ -131,6 +131,7 @@ network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index bb40138..59aa54f 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
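Review bot: Replacing `files_type(uml_ro_t)` and `ubac_constrained(uml_ro_t)` (and the same pair for uml_rw_t) with a single `userdom_user_home_content()` call is only equivalent if that interface applies ubac_constrained itself; userdom.if is not part of this patch, so please confirm, otherwise the UBAC constraint on these two home-directory types is silently dropped. A comment such as `# userdom_user_home_content() supplies files_type and ubac_constrained` above the first call would make the intent explicit for the next reader.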
@@ -1,17 +1,22 @@
 /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
 /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
 /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
 /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
 /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
 /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 /usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
 /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
 /var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
 ifdef(`distro_debian',`
 /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
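Review bot: Labeling `/usr/sbin/unbound` as named_exec_t (with /etc/unbound as named_conf_t and /var/run/unbound as named_var_run_t) runs unbound in the named_t domain, so every rule granted to named_t in bind.te — including the kerberos keytab and reserved-port rules changed later in this patch — now applies to unbound as well, and a compromise of either daemon yields the union of both daemons' accesses. That is acceptable as a first step if the two really need the same policy, but it deserves a comment in bind.fc stating that the sharing is deliberate, e.g. `# unbound is confined in the named_t domain`, so a later split into its own domain is not forgotten.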
@@ -40,8 +45,12 @@ ifdef(`distro_redhat',`
 /var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/proc(/.*)? <>
 /var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
 /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 728901d..0bc0189 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -38,6 +38,42 @@ interface(`bind_signal',`
 ########################################
 ##
+## Send null sigals to BIND.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_signull',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signull;
+')
+
+########################################
+##
+## Send BIND the kill signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_kill',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process sigkill;
+')
+
+########################################
+##
 ## Execute ndc in the ndc domain, and
 ## allow the specified role the ndc domain.
 ##
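Review bot: The new `/var/named/chroot/etc/named\.rfc1912.zones` entry leaves its second dot unescaped, unlike the neighbouring `named\.conf` and `named\.root\.hints` entries; an unescaped `.` still matches a literal dot so labeling works, but the pattern is wider than intended and inconsistent with the file. Suggest `/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)`. Dropping the generic `/var/named/chroot/etc(/.*)?` rule is harmless as far as this hunk shows, because the surviving `/var/named/chroot(/.*)?` rule assigns the same named_conf_t label to anything not matched more specifically; the `<>` entry for the bind-mounted proc is the right way to keep relabeling tools out of it.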
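Review bot: The summary of the new bind_signull interface has a typo, `## Send null sigals to BIND.` should read `## Send null signals to BIND.`, and the bind_kill summary `## Send BIND the kill signal` lacks the trailing period the surrounding summaries use. Both bodies otherwise follow the existing bind_signal pattern (gen_require of named_t, one allow rule) and look correct.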
@@ -269,7 +305,7 @@ interface(`bind_udp_chat_named',`
 interface(`bind_admin',`
 gen_require(`
 type named_t, named_tmp_t, named_log_t;
- type named_conf_t, named_var_run_t;
+ type named_conf_t, named_var_lib_t, named_var_run_t;
 type named_cache_t, named_zone_t;
 type dnssec_t, ndc_t;
 type named_initrc_exec_t;
@@ -283,6 +319,7 @@ interface(`bind_admin',`
 bind_run_ndc($1, $2)
+ init_labeled_script_domtrans($1, bind_initrc_exec_t)
 domain_system_change_exemption($1)
 role_transition $2 named_initrc_exec_t system_r;
 allow $2 system_r;
@@ -300,6 +337,9 @@ interface(`bind_admin',`
 admin_pattern($1, named_zone_t)
 admin_pattern($1, dnssec_t)
+ files_list_var_lib($1)
+ admin_pattern($1, named_var_lib_t)
+
 files_list_pids($1)
 admin_pattern($1, named_var_run_t)
 ')
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index f5f80a8..d047e9d 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind, 1.9.2)
+policy_module(bind, 1.9.3)
 ########################################
 #
@@ -123,6 +123,7 @@ corenet_sendrecv_dns_server_packets(named_t)
 corenet_sendrecv_dns_client_packets(named_t)
 corenet_sendrecv_rndc_server_packets(named_t)
 corenet_sendrecv_rndc_client_packets(named_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
 corenet_udp_bind_all_unreserved_ports(named_t)
 dev_read_sysfs(named_t)
@@ -169,7 +170,7 @@ optional_policy(`
 ')
 optional_policy(`
- kerberos_use(named_t)
+ kerberos_keytab_template(named, named_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
index 614e0e4..40eeebe 100644
--- a/policy/modules/services/inetd.if
+++ b/policy/modules/services/inetd.if
@@ -36,8 +36,7 @@ interface(`inetd_core_service_domain',`
 role system_r types $1;
 domtrans_pattern(inetd_t, $2, $1)
-
- allow inetd_t $1:process sigkill;
+ allow inetd_t $1:process { siginh sigkill };
 ')
 ########################################
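Review bot: The gen_require now lists `named_var_lib_t`, but the bind.te hunks in this same patch add no declaration for it and the diff does not show an existing one; if the type is not already declared in bind.te, every caller of bind_admin will fail at link time. Please confirm the declaration exists, or add `type named_var_lib_t;` with `files_type(named_var_lib_t)` and a matching bind.fc entry in the same change. bind_admin's body continues outside this hunk.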
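Review bot: `init_labeled_script_domtrans($1, bind_initrc_exec_t)` names a type that is not in bind_admin's gen_require and, as far as this patch shows, does not exist anywhere: the gen_require in the previous hunk declares `named_initrc_exec_t`, bind.fc labels both init scripts named_initrc_exec_t, and the role_transition two lines below uses named_initrc_exec_t. As written the build should fail for any policy that calls bind_admin, and if a bind_initrc_exec_t were ever declared elsewhere the administrator would be transitioned through the wrong script type. The line should be `init_labeled_script_domtrans($1, named_initrc_exec_t)`. The interface body starts and ends outside this hunk.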
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index b0d82ba..8eda765 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
-policy_module(inetd, 1.9.2)
+policy_module(inetd, 1.9.3)
 ########################################
 #
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
index 205f91b..797e903 100644
--- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc
@@ -1,4 +1,5 @@
 /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
+/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
 /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
 /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
@@ -6,6 +7,5 @@
 /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
 /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
-/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
 /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 903e39b..b94c507 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -59,8 +59,9 @@ interface(`munin_append_log',`
 type munin_log_t;
 ')
- allow $1 munin_log_t:file append_file_perms;
 logging_search_logs($1)
+ allow $1 munin_log_t:dir list_dir_perms;
+ append_files_pattern($1, munin_log_t, munin_log_t)
 ')
 #######################################
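Review bot: Removing `/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)` takes away the only file context for munin's web output directory in this file, and nothing in the patch adds a replacement for the httpd_munin_content_t type that munin.te now creates through `apache_content_template(munin)`. Unless apache.fc already labels that path (not shown here), the directory will inherit the generic /var/www label and the new manage_*_pattern rules on httpd_munin_content_t in munin.te will never match anything. Suggest adding `/var/www/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)` here or in apache.fc. Dropping the `--` on the /var/log/munin.* line is consistent with munin.te now creating log directories.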
@@ -100,3 +101,54 @@ interface(`munin_dontaudit_search_lib',`
 dontaudit $1 munin_var_lib_t:dir search_dir_perms;
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an munin environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the munin domain.
+##
+##
+##
+#
+interface(`munin_admin',`
+ gen_require(`
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+ type httpd_munin_content_t;
+ type munin_initrc_exec_t;
+ ')
+
+ allow $1 munin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, munin_t)
+
+ init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 munin_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, munin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, munin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, munin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, munin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, munin_var_run_t)
+
+ admin_pattern($1, httpd_munin_content_t)
+')
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 80afc14..0031618 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
-policy_module(munin, 1.6.2)
+policy_module(munin, 1.6.3)
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(munin_t, munin_exec_t)
 type munin_etc_t alias lrrd_etc_t;
 files_config_file(munin_etc_t)
+type munin_initrc_exec_t;
+init_script_file(munin_initrc_exec_t)
+
 type munin_log_t alias lrrd_log_t;
 logging_log_file(munin_log_t)
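Review bot: munin_admin unconditionally requires `type httpd_munin_content_t;`, yet in this same patch that type is only created by `apache_content_template(munin)` inside an optional_policy block in munin.te, so as far as the diff shows it exists only when the apache module is loaded and any policy calling munin_admin without apache will fail to link. The require and the final `admin_pattern($1, httpd_munin_content_t)` should live in their own optional_policy block so the rest of the interface stays usable; the rewrite below shows the shape. The summary text `an munin environment` should also read `a munin environment`.
```m4
interface(`munin_admin',`
	gen_require(`
		type munin_t, munin_etc_t, munin_tmp_t;
		type munin_log_t, munin_var_lib_t, munin_var_run_t;
		type munin_initrc_exec_t;
	')

	# … unchanged: process, init script, tmp/log/etc/var_lib/pids admin rules …

	optional_policy(`
		gen_require(`
			type httpd_munin_content_t;
		')

		admin_pattern($1, httpd_munin_content_t)
	')
')
```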
@@ -30,21 +33,25 @@ files_pid_file(munin_var_run_t)
 # Local policy
 #
-allow munin_t self:capability { setgid setuid };
+allow munin_t self:capability { chown dac_override setgid setuid };
 dontaudit munin_t self:capability sys_tty_config;
 allow munin_t self:process { getsched setsched signal_perms };
 allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
 allow munin_t self:tcp_socket create_stream_socket_perms;
 allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
 allow munin_t munin_etc_t:dir list_dir_perms;
 read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
 read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
 files_search_etc(munin_t)
-allow munin_t munin_log_t:file manage_file_perms;
-logging_log_filetrans(munin_t, munin_log_t, file)
+can_exec(munin_t, munin_exec_t)
+
+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
+manage_files_pattern(munin_t, munin_log_t, munin_log_t)
+logging_log_filetrans(munin_t, munin_log_t, { file dir })
 manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
 manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
@@ -61,9 +68,11 @@ manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
 files_pid_filetrans(munin_t, munin_var_run_t, file)
 kernel_read_system_state(munin_t)
-kernel_read_kernel_sysctls(munin_t)
+kernel_read_network_state(munin_t)
+kernel_read_all_sysctls(munin_t)
 corecmd_exec_bin(munin_t)
+corecmd_exec_shell(munin_t)
 corenet_all_recvfrom_unlabeled(munin_t)
 corenet_all_recvfrom_netlabel(munin_t)
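Review bot: The capability line now grants munin_t `dac_override`, which lets the daemon — and every plugin it runs, since `can_exec(munin_t, munin_exec_t)` and `corecmd_exec_shell(munin_t)` are added in the same hunks — bypass Unix permission checks on any file its type rules already reach, and nothing in the hunk says which plugin needs it. If the need is only to read root-owned files, `dac_read_search` is the narrower capability; either way a comment naming the plugin, e.g. `# dac_override: required by <plugin> to read <path>`, would keep this from surviving unquestioned. The same applies to `chown`. The log rules are consistent with the new `{ file dir }` filetrans and the `--` removal in munin.fc.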
@@ -73,30 +82,43 @@ corenet_tcp_sendrecv_generic_node(munin_t)
 corenet_udp_sendrecv_generic_node(munin_t)
 corenet_tcp_sendrecv_all_ports(munin_t)
 corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_bind_generic_node(munin_t)
+corenet_tcp_bind_munin_port(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
+corenet_tcp_connect_http_port(munin_t)
 dev_read_sysfs(munin_t)
 dev_read_urand(munin_t)
 domain_use_interactive_fds(munin_t)
+domain_read_all_domains_state(munin_t)
 files_read_etc_files(munin_t)
 files_read_etc_runtime_files(munin_t)
 files_read_usr_files(munin_t)
+files_list_spool(munin_t)
 fs_getattr_all_fs(munin_t)
 fs_search_auto_mountpoints(munin_t)
+auth_use_nsswitch(munin_t)
+
 logging_send_syslog_msg(munin_t)
+logging_read_all_logs(munin_t)
+miscfiles_read_fonts(munin_t)
 miscfiles_read_localization(munin_t)
-sysnet_read_config(munin_t)
+sysnet_exec_ifconfig(munin_t)
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
 userdom_dontaudit_search_user_home_dirs(munin_t)
 optional_policy(`
- # for accessing the output directory
+ apache_content_template(munin)
+
+ manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 apache_search_sys_content(munin_t)
 ')
@@ -105,7 +127,34 @@ optional_policy(`
 ')
 optional_policy(`
- nis_use_ypbind(munin_t)
+ fstools_domtrans(munin_t)
+')
+
+optional_policy(`
+ mta_read_config(munin_t)
+ mta_send_mail(munin_t)
+ mta_read_queue(munin_t)
+')
+
+optional_policy(`
+ mysql_read_config(munin_t)
+ mysql_stream_connect(munin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(munin_t)
+')
+
+optional_policy(`
+ postfix_list_spool(munin_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(munin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(munin_t)
 ')
 optional_policy(`
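Review bot: `logging_read_all_logs(munin_t)` and `domain_read_all_domains_state(munin_t)` give a daemon that now binds a network port (`corenet_tcp_bind_munin_port`) read access to every log type and every domain's process state, and the one explanatory comment in this block, `# for accessing the output directory`, is removed while the new broad rules carry none. These attribute-wide interfaces are presumably for log-scraping and process-monitoring plugins, but that is inference; a comment per interface naming the plugin class, e.g. `# plugins parse logs of many services` above logging_read_all_logs, would let a later reviewer narrow them. The four corenet_* lines and auth_use_nsswitch are consistent with the munin port declared in corenetwork.te.in and with the nis_use_ypbind removal in the next hunk.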
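Review bot: `fstools_domtrans(munin_t)` replaces nis_use_ypbind with a transition into fstools_t, the domain for filesystem maintenance tools with raw block-device access — a large step up for a monitoring daemon, and nothing in the hunk says which plugin needs it. If only one disk tool is required, prefer the narrowest interface that covers it and add a comment such as `# <plugin> runs <tool> via fstools_t` above the call so the grant stays reviewable. The dropped nis_use_ypbind should be covered by the auth_use_nsswitch added in the previous hunk, so that removal itself is fine; the enclosing run of optional_policy blocks continues past the hunk.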