diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 2cec5d3..bf155f2 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.2.20)
+policy_module(corenetwork, 1.2.21)
########################################
#
@@ -75,6 +75,7 @@ network_port(amavisd_send, tcp,10025,s0)
network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
+network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
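Review bot: The new `network_port(audit, tcp,60,s0)` declaration gives no hint of which service owns TCP 60, and corenetwork.te.in is where readers go to find that out. Judging by the `corenet_tcp_bind_audit_port(auditd_t)` and `corenet_tcp_connect_audit_port(audisp_remote_t)` rules added in logging.te in this same commit, it is presumably the audit remote-logging listener; a trailing comment such as `network_port(audit, tcp,60,s0) # auditd remote-logging listener, see logging.te` would record that without claiming more than the diff shows. Since 60 is below 1024, also confirm the declaration receives the reserved-port attribute the macro applies to low ports, because that decides which generic bind interfaces cover it.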
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index b7492cf..366f395 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -313,7 +313,7 @@ interface(`kerberos_admin',`
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
type krb5kdc_principal_t, krb5kdc_tmp_t;
type krb5kdc_var_run_t, krb5_host_rcache_t;
- type kadmind_spool_t, kadmind_var_lib_t, kpropd_t;
+ type kpropd_t;
')
allow $1 kadmind_t:process { ptrace signal_perms };
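Review bot: The `gen_require` drops `kadmind_spool_t` and `kadmind_var_lib_t`, and the second kerberos.if hunk (the one removing `files_list_spool($1)` / `admin_pattern($1, kadmind_spool_t)` and the var_lib pair) removes their admin rules, but no hunk in this diff touches kerberos.te or kerberos.fc, so the type declarations and file contexts are not visibly removed in the same change. If those types still exist, `kerberos_admin` silently loses coverage of the kadmind spool and var_lib files and the admin role will start seeing denials on them; if they were removed in an earlier commit, the commit message should say so and name it. The interface body continues above and below this hunk, so the remaining rules were not reviewed here.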
@@ -333,15 +333,9 @@ interface(`kerberos_admin',`
logging_list_logs($1)
admin_pattern($1, kadmind_log_t)
- files_list_spool($1)
- admin_pattern($1, kadmind_spool_t)
-
files_list_tmp($1)
admin_pattern($1, kadmind_tmp_t)
- files_list_var_lib($1)
- admin_pattern($1, kadmind_var_lib_t)
-
files_list_pids($1)
admin_pattern($1, kadmind_var_run_t)
diff --git a/policy/modules/services/sasl.fc b/policy/modules/services/sasl.fc
index 2bc1dd8..ff0ce69 100644
--- a/policy/modules/services/sasl.fc
+++ b/policy/modules/services/sasl.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
#
# /usr
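Review bot: The new context `/etc/rc\.d/init\.d/sasl` is an exact-match regex, so it labels only an init script literally named `sasl`; every type in this module is named after `saslauthd`, and on a distribution that installs the script as `saslauthd` the file would stay `initrc_exec_t`, leaving the new `init_labeled_script_domtrans` rule in `sasl_admin` inert. Confirm the installed script name against a real package, or cover both spellings with a second entry `/etc/rc\.d/init\.d/saslauthd -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)`.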
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index 90fb069..5a70491 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -34,14 +34,20 @@ interface(`sasl_connect',`
interface(`sasl_admin',`
gen_require(`
type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
+ type saslauthd_initrc_exec_t;
')
allow $1 saslauthd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, saslauthd_t)
-
+
+ init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 saslauthd_initrc_exec_t system_r;
+ allow $2 system_r;
+
files_list_tmp($1)
- manage_files_pattern($1, saslauthd_tmp_t, saslauthd_tmp_t)
+ admin_pattern($1, saslauthd_tmp_t)
files_list_pids($1)
- manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t)
+ admin_pattern($1, saslauthd_var_run_t)
')
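Review bot: `sasl_admin` now consumes `$2` in `role_transition $2 saslauthd_initrc_exec_t system_r;` and `allow $2 system_r;`, turning a one-argument interface into a two-argument one; any existing caller that still passes only the domain will expand to `role_transition  saslauthd_initrc_exec_t system_r;` and fail to build. Update every call site and add the matching `<param name="role">` block to the interface header (which lies above this hunk), as this same commit does for `logging_admin_syslog` in logging.if. The switch from `manage_files_pattern` to `admin_pattern` on `saslauthd_tmp_t` and `saslauthd_var_run_t` also widens the grant to the broader set of object classes and relabel permissions that macro carries, which is expected for an admin interface but worth a line in the commit message.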
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 2547e75..7ba2b17 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl, 1.9.0)
+policy_module(sasl, 1.9.1)
########################################
#
@@ -17,6 +17,9 @@ type saslauthd_t;
type saslauthd_exec_t;
init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+type saslauthd_initrc_exec_t;
+init_script_file(saslauthd_initrc_exec_t)
+
type saslauthd_tmp_t;
files_tmp_file(saslauthd_tmp_t)
@@ -99,7 +102,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
')
optional_policy(`
- kerberos_read_keytab(saslauthd_t)
+ kerberos_keytab_template(saslauthd, saslauthd_t)
')
optional_policy(`
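Review bot: `kerberos_keytab_template(saslauthd, saslauthd_t)` declares a per-domain keytab type (presumably `saslauthd_keytab_t`, following the template's naming), but nothing in this diff adds a sasl.fc entry labelling a keytab with it, so the new type is only useful if administrators relabel a file by hand. If saslauthd reads the shared `/etc/krb5.keytab`, the removed `kerberos_read_keytab(saslauthd_t)` was the right interface and this change takes that access away unless the template also grants it; if a dedicated keytab is intended, add its path to sasl.fc and state the expected location in the module summary so the change is verifiable.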
diff --git a/policy/modules/services/snort.fc b/policy/modules/services/snort.fc
index cfd80ff..7bedd2f 100644
--- a/policy/modules/services/snort.fc
+++ b/policy/modules/services/snort.fc
@@ -1,6 +1,9 @@
+/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0)
+/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
-/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
+/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
-/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
-/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
+/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
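Review bot: Most of this hunk is whitespace churn: the `/etc/snort(/.*)?`, `/usr/s?bin/snort` and `/var/log/snort(/.*)?` lines are removed and re-added with identical text, which buries the three genuinely new entries (the `snortd` init script, `/usr/sbin/snort-plain` and `/var/run/snort.*`). Separating the reformat from the functional change, or at least naming it in the commit message, would make the labelling change reviewable. `/var/run/snort.*` with `--` also labels any regular file under /var/run whose name starts with `snort`; if the pid files follow a fixed pattern, a tighter regex such as `/var/run/snort.*\.pid` (confirm against the daemon's actual pid naming) would keep unrelated files out of `snort_var_run_t`.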
diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
index a32cfc8..170da36 100644
--- a/policy/modules/services/snort.if
+++ b/policy/modules/services/snort.if
@@ -1 +1,60 @@
## Snort network intrusion detection system
+
+########################################
+##
+## Execute a domain transition to run snort.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`snort_domtrans',`
+ gen_require(`
+ type snort_t, snort_exec_t;
+ ')
+
+ domtrans_pattern($1, snort_exec_t, snort_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an snort environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the snort domain.
+##
+##
+##
+#
+interface(`snort_admin',`
+ gen_require(`
+ type snort_t, snort_var_run_t, snort_log_t;
+ type snort_initrc_exec_t;
+ ')
+
+ allow $1 snort_t:process { ptrace signal_perms };
+ ps_process_pattern($1, snort_t)
+
+ init_labeled_script_domtrans($1, snort_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 snort_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, snort_etc_t)
+ files_search_etc($1)
+
+ admin_pattern($1, snort_log_t)
+ logging_search_logs($1)
+
+ admin_pattern($1, snort_var_run_t)
+ files_search_pids($1)
+')
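Review bot: `snort_admin` calls `admin_pattern($1, snort_etc_t)` but `snort_etc_t` is not in the interface's `gen_require`, so any module that calls `snort_admin` will fail to build with the type out of scope. Change the require line to `type snort_t, snort_etc_t, snort_var_run_t, snort_log_t;`. Minor: the summary reads `an snort environment`; `a snort environment`.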
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index e3a4619..550c90b 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -1,5 +1,5 @@
-policy_module(snort, 1.5.0)
+policy_module(snort, 1.5.1)
########################################
#
@@ -11,7 +11,10 @@ type snort_exec_t;
init_daemon_domain(snort_t, snort_exec_t)
type snort_etc_t;
-files_type(snort_etc_t)
+files_config_file(snort_etc_t)
+
+type snort_initrc_exec_t;
+init_script_file(snort_initrc_exec_t)
type snort_log_t;
logging_log_file(snort_log_t)
@@ -34,6 +37,8 @@ allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read wr
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;
+# Snort IPS node. unverified.
+allow snort_t self:netlink_firewall_socket { bind create getattr };
allow snort_t snort_etc_t:dir list_dir_perms;
allow snort_t snort_etc_t:file read_file_perms;
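Review bot: The comment `# Snort IPS node. unverified.` admits that the `allow snort_t self:netlink_firewall_socket { bind create getattr };` rule below it was not checked against observed denials, and an unverified allow rule in a privileged packet-capture domain should not land unconditionally in the base policy. Either verify it (an inline/IPS deployment would presumably also need read and write on that socket, so the permission set as written looks incomplete in any case) or gate it behind a tunable or `optional_policy` block so default installs do not carry it. If it stays, make the comment state what was observed rather than flagging doubt, e.g. `# netlink_firewall_socket: inline IPS mode -- needs confirmation from audit logs`.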
@@ -67,6 +72,8 @@ corenet_tcp_sendrecv_all_ports(snort_t)
corenet_udp_sendrecv_all_ports(snort_t)
dev_read_sysfs(snort_t)
+dev_read_rand(snort_t)
+dev_read_urand(snort_t)
domain_use_interactive_fds(snort_t)
@@ -76,6 +83,8 @@ files_dontaudit_read_etc_runtime_files(snort_t)
fs_getattr_all_fs(snort_t)
fs_search_auto_mountpoints(snort_t)
+init_read_utmp(snort_t)
+
libs_use_ld_so(snort_t)
libs_use_shared_libs(snort_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 05d6d69..86b1851 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -847,6 +847,7 @@ interface(`logging_admin_audit',`
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
+ type auditd_initrc_exec_t;
')
allow $1 auditd_t:process { ptrace signal_perms };
@@ -862,6 +863,11 @@ interface(`logging_admin_audit',`
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
logging_run_auditctl($1, $2, $3)
+
+ init_labeled_script_domtrans($1, auditd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 auditd_initrc_exec_t system_r;
+ allow $2 system_r;
')
########################################
@@ -874,6 +880,11 @@ interface(`logging_admin_audit',`
## Domain allowed access.
##
##
+##
+##
+## User role allowed access.
+##
+##
##
#
interface(`logging_admin_syslog',`
@@ -882,6 +893,7 @@ interface(`logging_admin_syslog',`
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
+ type syslogd_initrc_exec_t;
')
allow $1 syslogd_t:process { ptrace signal_perms };
@@ -909,6 +921,11 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
+
+ init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 syslogd_initrc_exec_t system_r;
+ allow $2 system_r;
')
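Review bot: `logging_admin_syslog` now uses `$2` in `role_transition $2 syslogd_initrc_exec_t system_r;` and `allow $2 system_r;`, a backwards-incompatible change to the interface's arity; the `logging_admin` caller in the last hunk of this file is updated, but any other call site in the tree that still passes one argument will expand to an invalid `role_transition` and break the build. Grep for every `logging_admin_syslog(` call before merging. The same block is added to `logging_admin_audit` in the hunk after `logging_run_auditctl($1, $2, $3)`, where the interface already took a role, so that one needs no caller changes.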
########################################
@@ -935,5 +952,5 @@ interface(`logging_admin_syslog',`
#
interface(`logging_admin',`
logging_admin_audit($1, $2, $3)
- logging_admin_syslog($1)
+ logging_admin_syslog($1, $2)
')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index ab4edef..588cb95 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging, 1.11.4)
+policy_module(logging, 1.11.5)
########################################
#
@@ -130,6 +130,7 @@ allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file { getattr read write };
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:fifo_file rw_file_perms;
+allow auditd_t self:tcp_socket create_stream_socket_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;
@@ -151,9 +152,19 @@ dev_read_sysfs(auditd_t)
fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
+fs_rw_anon_inodefs_files(auditd_t)
selinux_search_fs(auditctl_t)
+corenet_all_recvfrom_unlabeled(auditd_t)
+corenet_all_recvfrom_netlabel(auditd_t)
+corenet_tcp_sendrecv_generic_if(auditd_t)
+corenet_tcp_sendrecv_all_nodes(auditd_t)
+corenet_tcp_sendrecv_all_ports(auditd_t)
+corenet_tcp_bind_all_nodes(auditd_t)
+corenet_tcp_bind_audit_port(auditd_t)
+corenet_sendrecv_audit_server_packets(auditd_t)
+
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
corecmd_exec_bin(auditd_t)
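Review bot: `corenet_tcp_sendrecv_all_ports(auditd_t)` is broader than the listener this hunk sets up: auditd binds only the audit port (`corenet_tcp_bind_audit_port`), so `corenet_tcp_sendrecv_audit_port(auditd_t)` (generated by the same `network_port(audit, ...)` declaration that supplies the bind interface) together with the generic-port sendrecv interface would cover the accepted connections without granting traffic on every labelled port. A TCP listener in a privileged domain is new attack surface and is presumably only active when remote logging is configured, so the `self:tcp_socket create_stream_socket_perms` rule in the previous hunk and these corenet rules are candidates for an `optional_policy` or tunable rather than unconditional grants. A comment above the block stating why the listener exists (`# remote audit log receiver, auditd.conf tcp_listen_port` or similar, once confirmed) would also help the next reviewer.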
@@ -236,6 +247,8 @@ logging_send_syslog_msg(audisp_t)
miscfiles_read_localization(audisp_t)
+sysnet_dns_name_resolve(audisp_t)
+
########################################
#
# Audit remote logger local policy
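Review bot: `sysnet_dns_name_resolve(audisp_t)` grants name resolution to the dispatcher domain, while the component that contacts a remote host by name is the remote logger, whose domain `audisp_remote_t` receives the `corenet_tcp_connect_audit_port` rule in the next hunk. If this was driven by a denial from audispd itself the rule is correct; otherwise it belongs on `audisp_remote_t`, and a one-line comment naming the observed need (e.g. `# dispatcher resolves the remote server name at plugin startup -- confirm`) would let a later reader tell which it is.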
@@ -247,6 +260,8 @@ corenet_all_recvfrom_unlabeled(audisp_remote_t)
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_all_if(audisp_remote_t)
corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
+corenet_tcp_connect_audit_port(audisp_remote_t)
+corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)