From eaed904cd5e356973a48e59d89cb4cf214ab4202 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Nov 05 2007 19:35:08 +0000 Subject: trunk: 3 patches from dan. --- diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index c72f4b9..b8dee5d 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -1,5 +1,5 @@ -policy_module(iptables,1.5.1) +policy_module(iptables,1.5.2) ######################################## # @@ -64,6 +64,7 @@ init_use_fds(iptables_t) init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) +init_rw_script_stream_sockets(iptables_t) libs_use_ld_so(iptables_t) libs_use_shared_libs(iptables_t) @@ -102,6 +103,10 @@ optional_policy(` ') optional_policy(` + rhgb_dontaudit_use_ptys(iptables_t) +') + +optional_policy(` seutil_sigchld_newrole(iptables_t) ') diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te index 409a4d9..e11c6ac 100644 --- a/policy/modules/system/iscsi.te +++ b/policy/modules/system/iscsi.te @@ -1,5 +1,5 @@ -policy_module(iscsid,1.2.2) +policy_module(iscsid,1.2.3) ######################################## # @@ -54,6 +54,8 @@ files_search_var_lib(iscsid_t) manage_files_pattern(iscsid_t,iscsi_var_run_t,iscsi_var_run_t) files_pid_filetrans(iscsid_t,iscsi_var_run_t,file) +kernel_read_system_state(iscsid_t) + corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_all_if(iscsid_t) diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 1224ba2..f931d69 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -1,5 +1,7 @@ /dev/log -s gen_context(system_u:object_r:devlog_t,s0) +/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) @@ -28,12 +30,14 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0) ifndef(`distro_gentoo',` /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) +/var/run/audispd_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 3a56695..4b702fb 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -34,6 +34,51 @@ interface(`logging_log_file',` # interface(`logging_send_audit_msgs',` allow $1 self:capability audit_write; + allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; +') + +####################################### +## +## dontaudit attempts to send audit messages. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_dontaudit_send_audit_msgs',` + dontaudit $1 self:capability audit_write; + dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; +') + +######################################## +## +## Set login uid +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_set_loginuid',` + allow $1 self:capability audit_control; + allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; +') + +######################################## +## +## Set up audit +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_set_audit_parameters',` + allow $1 self:capability { audit_write audit_control }; allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ') @@ -484,12 +529,11 @@ interface(`logging_append_all_logs',` interface(`logging_read_all_logs',` gen_require(` attribute logfile; - type var_log_t; ') files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; - read_files_pattern($1,logfile, logfile) + allow $1 logfile:dir list_dir_perms; + read_files_pattern($1, logfile, logfile) ') ######################################## @@ -616,3 +660,128 @@ interface(`logging_manage_generic_logs',` files_search_var($1) manage_files_pattern($1,var_log_t,var_log_t) ') + +######################################## +## +## All of the rules required to administrate +## the audit environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the audit domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`logging_admin_audit',` + gen_require(` + type auditd_t, auditd_etc_t, auditd_log_t; + type auditd_var_run_t; + ') + + allow $1 auditd_t:process { ptrace signal_perms }; + ps_process_pattern($1, auditd_t) + + manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) + manage_files_pattern($1, auditd_etc_t, auditd_etc_t) + + manage_dirs_pattern($1, auditd_log_t, auditd_log_t) + manage_files_pattern($1, auditd_log_t, auditd_log_t) + + manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t) + manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) +') + +######################################## +## +## All of the rules required to administrate +## the syslog environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the syslog domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`logging_admin_syslog',` + gen_require(` + type syslogd_t, klogd_t, syslog_conf_t; + type syslogd_tmp_t, syslogd_var_lib_t; + type syslogd_var_run_t, klogd_var_run_t; + type klogd_tmp_t, var_log_t; + ') + + allow $1 syslogd_t:process { ptrace signal_perms }; + allow $1 klogd_t:process { ptrace signal_perms }; + ps_process_pattern($1, syslogd_t) + ps_process_pattern($1, klogd_t) + + manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) + manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) + + manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t) + manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t) + + manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t) + manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t) + + manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t) + manage_files_pattern($1, syslog_conf_t, syslog_conf_t) + files_etc_filetrans($1, syslog_conf_t, file) + + manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) + manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) + + manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + + logging_manage_all_logs($1) +') + +######################################## +## +## All of the rules required to administrate +## the logging environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the syslog domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`logging_admin',` + logging_admin_audit($1, $2, $3) + logging_admin_syslog($1, $2, $3) +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index a2d363f..d97a0f9 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.8.1) +policy_module(logging,1.8.2) ######################################## # @@ -41,6 +41,9 @@ files_tmp_file(klogd_tmp_t) type klogd_var_run_t; files_pid_file(klogd_var_run_t) +type syslog_conf_t; +files_type(syslog_conf_t) + type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t,syslogd_exec_t) @@ -48,6 +51,9 @@ init_daemon_domain(syslogd_t,syslogd_exec_t) type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) +type syslogd_var_lib_t; +files_type(syslogd_var_lib_t) + type syslogd_var_run_t; files_pid_file(syslogd_var_run_t) @@ -64,8 +70,8 @@ ifdef(`enable_mls',` # Auditctl local policy # -allow auditctl_t self:capability { fsetid dac_read_search dac_override audit_write audit_control }; -allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; +allow auditctl_t self:capability { fsetid dac_read_search dac_override }; +allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; @@ -92,6 +98,7 @@ libs_use_shared_libs(auditctl_t) locallogin_dontaudit_use_fds(auditctl_t) +logging_set_audit_parameters(auditctl_t) logging_send_syslog_msg(auditctl_t) ######################################## @@ -99,12 +106,12 @@ logging_send_syslog_msg(auditctl_t) # Auditd local policy # -allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource }; +allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; dontaudit auditd_t self:capability sys_tty_config; allow auditd_t self:process { signal_perms setpgid setsched }; +allow auditd_t self:file { getattr read write }; allow auditd_t self:unix_dgram_socket create_socket_perms; -allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; -allow auditd_t self:fifo_file rw_fifo_file_perms; +allow auditd_t self:fifo_file rw_file_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; allow auditd_t auditd_etc_t:file read_file_perms; @@ -141,6 +148,7 @@ files_list_usr(auditd_t) init_telinit(auditd_t) +logging_set_audit_parameters(auditd_t) logging_send_syslog_msg(auditd_t) libs_use_ld_so(auditd_t) @@ -241,6 +249,8 @@ allow syslogd_t self:fifo_file rw_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; +allow syslogd_t syslog_conf_t:file read_file_perms; + # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; files_pid_filetrans(syslogd_t,devlog_t,sock_file) @@ -257,6 +267,9 @@ manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file }) +manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) +files_search_var_lib(syslogd_t) + allow syslogd_t syslogd_var_run_t:file manage_file_perms; files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)