diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 114bb57..861dc1b 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -2,6 +2,34 @@
 
 ########################################
 #
+# bootloader_search_bootloader_data_directory(domain)
+#
+define(`bootloader_search_bootloader_data_directory',`
+requires_block_template(`$0'_depend)
+allow $1 boot_t:dir search;
+')
+
+define(`bootloader_search_bootloader_data_directory_depend',`
+type boot_t;
+class dir search;
+')
+
+########################################
+#
+# bootloader_ignore_search_bootloader_data_directory(domain)
+#
+define(`bootloader_ignore_search_bootloader_data_directory',`
+requires_block_template(`$0'_depend)
+dontaudit $1 boot_t:dir search;
+')
+
+define(`bootloader_ignore_search_bootloader_data_directory_depend',`
+type boot_t;
+class dir search;
+')
+
+########################################
+#
 # bootloader_install_kernel(domain)
 #
 define(`bootloader_install_kernel',`
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index d9ca4b1..7194d62 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -781,3 +781,25 @@ define(`filesystem_get_all_filesystems_attributes_depend',`
 attribute fs_type;
 class filesystem getattr;
 ')
+
+########################################
+#
+# filesystem_get_all_file_attributes(type)
+#
+define(`filesystem_get_all_file_attributes',`
+requires_block_template(`$0'_depend)
+allow $1 fs_type:dir { search getattr };
+allow $1 fs_type:file getattr;
+allow $1 fs_type:lnk_file getattr;
+allow $1 fs_type:fifo_file getattr;
+allow $1 fs_type:sock_file getattr;
+')
+
+define(`filesystem_get_all_file_attributes_depend',`
+attribute fs_type;
+class dir { search getattr };
+class file getattr;
+class lnk_file getattr;
+class fifo_file getattr;
+class sock_file getattr;
+')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index da13020..8c8a3b8 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -61,6 +61,7 @@ genfscon usbdevfs / system_u:object_r:usbfs_t
 
 type proc_t;
 files_make_mountpoint(proc_t)
+filesystem_make_filesystem(proc_t)
 genfscon proc / system_u:object_r:proc_t
 genfscon proc /sysvipc system_u:object_r:proc_t
 
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index c72ccde..d104aa8 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -41,13 +41,19 @@ allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setatt
 # for this purpose.
 allow $1_crond_t $1_cron_spool_t:file entrypoint;
 
-ifdef(`fcron.te', `
-allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-')
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t $1_crond_t:process transition;
+dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
 
 kernel_read_system_state($1_crond_t)
 kernel_read_kernel_sysctl($1_crond_t)
 
+# ps does not need to access /boot when run from cron
+bootloader_ignore_search_bootloader_data_directory($1_crond_t)
+
 corenetwork_network_tcp_on_all_interfaces($1_crond_t)
 corenetwork_network_raw_on_all_interfaces($1_crond_t)
 corenetwork_network_udp_on_all_interfaces($1_crond_t)
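Review bot: The new `allow crond_t $1_crond_t:process transition;` at L97 is not bound to any executable, so the only thing that limits which files may start a `$1_crond_t` process is the `$1_cron_spool_t:file entrypoint` rule at L88; the comment block above it describes setexeccon but not this, and a line such as `# The $1_cron_spool_t entrypoint rule above is the only constraint on this transition.` would make the security boundary visible. The enclosing per-user template starts before this hunk, so the surrounding rules are not all visible here. The same two transition rules are repeated verbatim for system_crond_t in cron.te in this commit; a shared macro in cron.if would keep the two copies from drifting apart.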
@@ -67,6 +73,8 @@ domain_execute_all_entrypoint_programs($1_crond_t)
 
 files_read_general_application_resources($1_crond_t)
 files_execute_system_config_script($1_crond_t)
+# for nscd:
+files_ignore_search_runtime_data_directory($1_crond_t)
 
 corecommands_execute_general_programs($1_crond_t)
 corecommands_execute_system_programs($1_crond_t)
@@ -74,13 +82,20 @@ corecommands_execute_system_programs($1_crond_t)
 libraries_use_dynamic_loader($1_crond_t)
 libraries_read_shared_libraries($1_crond_t)
 libraries_execute_library_scripts($1_crond_t)
+libraries_execute_dynamic_loader($1_crond_t)
 
 files_read_runtime_system_config($1_crond_t)
 
+logging_search_system_log_directory($1_crond_t)
+
 selinux_read_config($1_crond_t)
 
 miscfiles_read_localization($1_crond_t)
 
+tunable_policy(`fcron_crond', `
+allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
 ifdef(`TODO',`
 # Access user files and dirs.
 allow $1_crond_t home_root_t:dir search;
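Review bot: The `fcron_crond` tunable introduced at L132 needs a boolean of that name, but no `bool fcron_crond ...;` declaration is added anywhere in this diff, and the cron.te declarations section shown in this commit only has `bool cron_can_relabel false;`; unless it already exists outside the diff the policy will not build. The same tunable is used again at L190 in this file and at L262 in cron.te. If it is new, declare it with the other cron booleans, e.g. `bool fcron_crond false;`, with a comment noting that it gives crond_t full write access to every user's crontab spool files, something the old ifdef on fcron.te only enabled at build time.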
@@ -91,12 +106,6 @@ can_exec($1_crond_t, $1_home_t)
 
 file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
 
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond 
-# via execve_secure.  There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-domain_trans(crond_t, shell_exec_t, $1_crond_t)
-
 ifdef(`mta.te', `
 domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
 allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
@@ -111,17 +120,9 @@ can_ypbind($1_crond_t)
 allow $1_crond_t var_spool_t:dir search;
 allow $1_crond_t var_t:dir r_dir_perms;
 allow $1_crond_t var_t:file { getattr read ioctl };
-allow $1_crond_t var_log_t:dir search;
 
-can_exec($1_crond_t, ld_so_t)
-
-# ps does not need to access /boot when run from cron
-dontaudit $1_crond_t boot_t:dir search;
 # quiet other ps operations
 dontaudit $1_crond_t domain:dir { getattr search };
-# for nscd
-dontaudit $1_crond_t var_run_t:dir search;
-
 ') dnl endif TODO
 
 ##############################
@@ -139,6 +140,11 @@ allow crond_t $1_cron_spool_t:file { getattr read };
 allow $1_crontab_t self:capability { setuid setgid chown dac_override };
 allow $1_crontab_t self:process { sigkill sigstop signull signal };
 
+# create files in /var/spool/cron
+allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name };
+type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
+
 # crontab signals crond by updating the mtime on the spooldir
 allow $1_crontab_t cron_spool_t:dir setattr;
 
@@ -174,10 +180,8 @@ file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
 
 # Use the type when creating files in /var/spool/cron.
 allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
-allow $1_crontab_t { var_t var_spool_t }:dir { getattr search };
-file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
 
-ifdef(`fcron.te', `
+tunable_policy(`fcron_crond', `
 # fcron wants an instant update of a crontab change for the administrator
 # also crontab does a security check for crontab -u
 ifelse(`$1', `sysadm', `
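Review bot: The removed `allow $1_crontab_t { var_t var_spool_t }:dir { getattr search };` at L186 has no replacement in this diff: none of the interface calls added for $1_crontab_t in this commit covers /var or /var/spool, so crontab may no longer be able to reach /var/spool/cron unless that search is granted earlier in the template, which starts outside this hunk. If the removal is intentional because an equivalent files_ interface call already exists above, a short comment at this point would save the next reader the same check; otherwise the equivalent interface call belongs here.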
@@ -199,7 +203,9 @@ allow $1_crontab_t $1_home_t:file r_file_perms;
 dontaudit $1_crontab_t $1_home_dir_t:dir write;
 
 # Access terminals.
-access_terminal($1_crontab_t, $1);
+allow $1_crontab_t devpts_t:dir { read search getattr };
+allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl };
+allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl };
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
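Review bot: The three replacement rules at L199–L201 reference devpts_t, $1_tty_device_t and $1_devpts_t directly, while the rest of the new code in this commit reaches other modules' types only through interfaces (cron.te uses terminal_ignore_use_general_pseudoterminal, for example). Going through a terminal-module interface for the user's tty and pty here would keep ownership of those types in one module; if no such interface exists yet, a `# TODO: replace with a terminal interface once one exists` comment marks the debt instead of hiding it.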
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index cba4cbd..7ea1ed8 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -2,9 +2,6 @@
 
 policy_module(consoletype, 1.0)
 
-# NB The constraints file has some entries for crond_t, this makes it
-# different from all other domains...
-
 ########################################
 #
 # Declarations
@@ -19,7 +16,7 @@ bool cron_can_relabel false;
 type cron_spool_t;
 files_make_file(cron_spool_t)
 
-type crond_t; #, privmail, privfd, nscd_client_domain
+type crond_t; #, privmail, nscd_client_domain
 type crond_exec_t;
 domain_make_daemon_domain(crond_t,crond_exec_t)
 domain_make_file_descriptors_widely_inheritable(crond_t)
@@ -42,6 +39,9 @@ domain_make_daemon_domain(system_crond_t,anacron_exec_t)
 corecommands_make_shell_entrypoint(system_crond_t)
 role system_r types system_crond_t;
 
+type system_crond_lock_t;
+files_make_lock_file(system_crond_lock_t)
+
 type system_crond_tmp_t;
 files_make_temporary_file(system_crond_tmp_t)
 
@@ -74,6 +74,9 @@ allow crond_t crond_tmp_t:dir { create read getattr lock setattr ioctl link unli
 allow crond_t crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 files_create_private_tmp_data(crond_t, crond_tmp_t, { file dir })
 
+allow crond_t system_cron_spool_t:dir { getattr search read };
+allow crond_t system_cron_spool_t:file { getattr read };
+
 kernel_read_kernel_sysctl(crond_t)
 kernel_read_hardware_state(crond_t)
 kernel_get_selinuxfs_mount_point(crond_t)
@@ -96,6 +99,9 @@ domain_use_widely_inheritable_file_descriptors(crond_t)
 
 files_read_general_system_config(crond_t)
 
+corecommands_execute_shell(crond_t)
+corecommands_read_system_programs_directory(crond_t)
+
 libraries_use_dynamic_loader(crond_t)
 libraries_read_shared_libraries(crond_t)
 
@@ -110,6 +116,10 @@ miscfiles_read_localization(crond_t)
 # need auth_chkpwd to check for locked accounts.
 authlogin_check_password_transition(crond_t)
 
+tunable_policy(`fcron_crond', `
+allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
 tunable_policy(`targeted_policy', `
 terminal_ignore_use_general_physical_terminal(crond_t)
 terminal_ignore_use_general_pseudoterminal(crond_t)
@@ -121,29 +131,24 @@ udev_read_database(crond_t)
 ')
 
 ifdef(`TODO',`
-allow crond_t proc_t:dir r_dir_perms;
-allow crond_t proc_t:lnk_file read;
-dontaudit crond_t unpriv_userdomain:fd use;
+# NB The constraints file has some entries for crond_t, this makes it
+# different from all other domains...
+
+allow crond_t unpriv_userdomain:fd use;
 allow crond_t autofs_t:dir { search getattr };
 dontaudit crond_t sysadm_home_dir_t:dir search;
+
 optional_policy(`rhgb.te', `
 allow crond_t rhgb_t:process sigchld;
 allow crond_t rhgb_t:fd use;
 allow crond_t rhgb_t:fifo_file { read write };
 ')
 
-
-allow crond_t unpriv_userdomain:fd use;
 can_ypbind(crond_t)
 ifdef(`automount.te', `
 allow crond_t autofs_t:dir { search getattr };
 ')
 
-
-# for finding binaries and /bin/sh
-allow crond_t { bin_t sbin_t }:dir search;
-allow crond_t { bin_t sbin_t }:lnk_file read;
-
 # Read from /var/spool/cron.
 allow crond_t var_lib_t:dir search;
 allow crond_t var_spool_t:dir r_dir_perms;
@@ -159,9 +164,6 @@ allow crond_t sysadm_home_dir_t:dir r_dir_perms;
 allow crond_t home_root_t:dir { getattr search };
 allow crond_t user_home_dir_type:dir r_dir_perms;
 
-# Run a shell.
-can_exec(crond_t, shell_exec_t)
-
 ifdef(`distro_redhat', `
 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 # via redirection of standard out.
@@ -199,10 +201,40 @@ allow system_crond_t system_cron_spool_t:file entrypoint;
 
 allow system_crond_t system_cron_spool_t:file { getattr read };
 
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_crond_t:process transition;
+dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
+
+# Write /var/lock/makewhatis.lock.
+allow system_crond_t system_crond_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_lock_file(system_crond_t,system_crond_lock_t)
+
+# write temporary files
+allow system_crond_t system_crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)
+
+# write temporary files in crond tmp dir:
+allow system_crond_t crond_tmp_t:dir { getattr search read write add_name remove_name };
+type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
+
+# Read from /var/spool/cron.
+allow system_crond_t cron_spool_t:dir { getattr search read };
+allow system_crond_t cron_spool_t:file { getattr read };
+
+# Access crond log files
+allow system_crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+logging_create_private_log(system_crond_t,crond_log_t)
+
 kernel_read_kernel_sysctl(system_crond_t)
 kernel_read_system_state(system_crond_t)
 kernel_read_software_raid_state(system_crond_t)
 
+# ps does not need to access /boot when run from cron
+bootloader_ignore_search_bootloader_data_directory(system_crond_t)
+
 corenetwork_network_tcp_on_all_interfaces(system_crond_t)
 corenetwork_network_raw_on_all_interfaces(system_crond_t)
 corenetwork_network_udp_on_all_interfaces(system_crond_t)
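Review bot: The system_crond_t tmp rules at L329–L335 cover only the `file` class: system_crond_tmp_t gets file permissions and the type_transition inside crond_tmp_t is for `file` only, whereas the removed `file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)` was written without a class argument and the crond_t equivalent at L240 passes `{ file dir }` to files_create_private_tmp_data. If the old macro covered directories, cron jobs that create a directory under /tmp lose that here; either pass `{ file dir }` and add a matching `system_crond_tmp_t:dir` rule, or say in the comment that directories are intentionally excluded. The "Permit a transition" block at L318–L323 also repeats the per-user one in cron.if verbatim; one shared macro would keep them from drifting apart.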
@@ -219,6 +251,7 @@ devices_get_all_character_device_attributes(system_crond_t)
 devices_get_pseudorandom_data(system_crond_t)
 
 filesystem_get_all_filesystems_attributes(system_crond_t)
+filesystem_get_all_file_attributes(system_crond_t)
 
 init_use_file_descriptors(system_crond_t)
 init_script_use_file_descriptors(system_crond_t)
@@ -234,6 +267,8 @@ files_read_runtime_system_config(system_crond_t)
 files_read_all_directories(system_crond_t)
 files_get_all_file_attributes(system_crond_t)
 files_read_general_application_resources(system_crond_t)
+# for nscd:
+files_ignore_search_runtime_data_directory(system_crond_t)
 
 corecommands_execute_general_programs(system_crond_t)
 corecommands_execute_system_programs(system_crond_t)
@@ -241,6 +276,7 @@ corecommands_execute_system_programs(system_crond_t)
 libraries_use_dynamic_loader(system_crond_t)
 libraries_read_shared_libraries(system_crond_t)
 libraries_execute_library_scripts(system_crond_t)
+libraries_execute_dynamic_loader(system_crond_t)
 
 logging_read_system_logs(system_crond_t)
 logging_send_system_log_message(system_crond_t)
@@ -265,16 +301,6 @@ selinux_read_file_contexts(system_crond_t)
 
 ifdef(`TODO',`
 
-ifdef(`fcron.te', `
-allow crond_t system_cron_spool_t:file create_file_perms;
-')
-
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond 
-# via execve_secure.  There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-domain_trans(crond_t, shell_exec_t, system_crond_t)
-
 ifdef(`mta.te', `
 domain_auto_trans(system_crond_t, sendmail_exec_t, system_mail_t)
 allow system_crond_t sendmail_exec_t:lnk_file { getattr read };
@@ -286,55 +312,25 @@ allow mta_user_agent system_crond_t:fd use;
 r_dir_file(system_mail_t, crond_tmp_t)
 ')
 
-# This domain is granted permissions common to most domains.
-
 can_ypbind(system_crond_t)
 allow system_crond_t var_spool_t:dir search;
 
 allow system_crond_t var_t:dir r_dir_perms;
 allow system_crond_t var_t:file { getattr read ioctl };
 
-can_exec(system_crond_t, ld_so_t)
-
-# ps does not need to access /boot when run from cron
-dontaudit system_crond_t boot_t:dir search;
 # quiet other ps operations
 dontaudit system_crond_t domain:dir { getattr search };
-# for nscd
-dontaudit system_crond_t var_run_t:dir search;
-
-allow system_crond_t proc_t:filesystem getattr;
-allow system_crond_t usbdevfs_t:filesystem getattr;
 
 allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 
-# Access log files
-file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
-
-allow crond_t system_cron_spool_t:dir r_dir_perms;
-allow crond_t system_cron_spool_t:file r_file_perms;
-
-# Read from /var/spool/cron.
-allow system_crond_t cron_spool_t:dir r_dir_perms;
-allow system_crond_t cron_spool_t:file r_file_perms;
-
 # Write to /var/lib/slocate.db.
 allow system_crond_t var_lib_t:dir rw_dir_perms;
 allow system_crond_t var_lib_t:file create_file_perms;
 
-# Write /var/lock/makewhatis.lock.
-lock_domain(system_crond)
-
 # for if /var/mail is a symlink
 allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
 allow crond_t mail_spool_t:dir search;
 
-# Stat any file and search any directory for find.
-allow system_crond_t fs_type:notdevfile_class_set getattr;
-
-# Create temporary files.
-file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
-
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
 allow system_crond_t var_spool_t:file create_file_perms;
@@ -345,14 +341,6 @@ dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
 dontaudit system_crond_t unlabeled_t:file r_file_perms;
 
 #
-# reading /var/spool/cron/mailman
-#
-allow system_crond_t devpts_t:filesystem getattr;
-allow system_crond_t sysfs_t:filesystem getattr;
-allow system_crond_t tmpfs_t:filesystem getattr;
-allow system_crond_t rpc_pipefs_t:filesystem getattr;
-
-#
 #  These rules are here to allow system cron jobs to su
 #
 ifdef(`su.te', `
@@ -366,8 +354,6 @@ allow system_crond_su_t crond_t:fifo_file ioctl;
 #
 allow system_crond_t initctl_t:fifo_file write;
 dontaudit userdomain system_crond_t:fd use;
-
-allow system_crond_t removable_t:filesystem { getattr };
 #
 # Required for webalizer
 #
@@ -375,4 +361,10 @@ ifdef(`apache.te', `
 allow system_crond_t httpd_log_t:file { getattr read };
 ')
 
+tunable_policy(`distro_redhat', `
+optional_policy(`rpm.te', `
+allow system_crond_t rpm_log_t:file create_file_perms;
+')
+')
+
 ') dnl end TODO
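Review bot: The `tunable_policy` on distro_redhat at L481 treats it as a runtime boolean, but the same file tests it as a build-time `ifdef` at L311, and a tunable_policy block requires a declared bool of that name. This sits inside the TODO region and so is not built today, but when it is resurrected it should become `ifdef` to match L311; a comment to that effect now is cheaper than rediscovering it later.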
diff --git a/refpolicy/policy/modules/services/mta.fc b/refpolicy/policy/modules/services/mta.fc
index 127ef06..c04ef76 100644
--- a/refpolicy/policy/modules/services/mta.fc
+++ b/refpolicy/policy/modules/services/mta.fc
@@ -3,9 +3,11 @@
 /etc/aliases			--	system_u:object_r:etc_aliases_t
 /etc/aliases\.db		--	system_u:object_r:etc_aliases_t
 
-/usr/lib(64)?/sendmail		--	system_u:object_r:sendmail_exec_t
+ifdef(`sendmail.te',`',`
+/usr/lib(64)?/sendmail		--	system_u:object_r:mta_exec_t
 
-/usr/sbin/sendmail(.sendmail)?	--	system_u:object_r:sendmail_exec_t
+/usr/sbin/sendmail(.sendmail)?	--	system_u:object_r:mta_exec_t
+')
 
 /var/mail(/.*)?				system_u:object_r:mail_spool_t
 
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 8ead83e..670408b 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -9,16 +9,175 @@
 define(`mta_per_userdomain_template',`
 requires_block_template(`$0'_depend)
 
-type $1_mail_t;
+type $1_mail_t; # , user_mail_domain, nscd_client_domain;
 domain_make_domain($1_mail_t)
+role $1_r types $1_mail_t;
 
 type $1_mail_tmp_t;
 files_make_temporary_file($1_mail_tmp_t)
 
+##############################
+#
+# $1_mail_t local policy
+#
+
+allow $1_mail_t self:capability { setuid setgid chown };
+allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit };
+
+# tcp networking
+allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+
+# re-exec itself
+allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
+allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
+
+# Transition from the user domain to the derived domain.
+allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
+allow $1_t sendmail_exec_t:lnk_file { getattr read };
+allow $1_t $1_mail_t:process transition;
+type_transition $1_t sendmail_exec_t:file $1_mail_t;
+
+kernel_read_kernel_sysctl($1_mail_t)
+
+corenetwork_network_tcp_on_all_interfaces($1_mail_t)
+corenetwork_network_raw_on_all_interfaces($1_mail_t)
+corenetwork_network_tcp_on_all_nodes($1_mail_t)
+corenetwork_network_raw_on_all_nodes($1_mail_t)
+corenetwork_network_tcp_on_all_ports($1_mail_t)
+corenetwork_bind_tcp_on_all_nodes($1_mail_t)
+
+domain_use_widely_inheritable_file_descriptors($1_mail_t)
+
+libraries_use_dynamic_loader($1_mail_t)
+libraries_read_shared_libraries($1_mail_t)
+
+corecommands_execute_general_programs($1_mail_t)
+
+files_read_general_system_config($1_mail_t)
+
 logging_send_system_log_message($1_mail_t)
 
+miscfiles_read_localization($1_mail_t)
+
+sysnetwork_read_network_config($1_mail_t)
+
+tunable_policy(`use_dns',`
+allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces($1_mail_t)
+corenetwork_network_udp_on_all_nodes($1_mail_t)
+corenetwork_bind_udp_on_all_nodes($1_mail_t)
+corenetwork_network_udp_on_dns_port($1_mail_t)
+')
+
+optional_policy(`procmail.te',`
+procmail_execute($1_mail_t)
+')
+
+ifdef(`TODO',`
+
+can_ypbind($1_mail_t)
+
+allow $1_mail_t device_t:dir search;
+allow $1_mail_t { var_t var_spool_t }:dir search;
+allow $1_mail_t sbin_t:dir search;
+
+# It wants to check for nscd
+dontaudit $1_mail_t var_run_t:dir search;
+
+# For when the user wants to send mail via port 25 localhost
+can_tcp_connect($1_t, mail_server_domain)
+
+# Read user temporary files.
+allow $1_mail_t $1_tmp_t:file r_file_perms;
+dontaudit $1_mail_t $1_tmp_t:file append;
+ifdef(`postfix.te', `
+# postfix seems to need write access if the file handle is opened read/write
+allow $1_mail_t $1_tmp_t:file write;
+')dnl end if postfix
+
+allow mta_user_agent $1_tmp_t:file { read getattr };
+
+# Write to the user domain tty.
+allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl };
+allow mta_user_agent devpts_t:dir { read search getattr };
+allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl };
+
+allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl };
+allow $1_mail_t devpts_t:dir { read search getattr };
+allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl };
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
+
+# Create dead.letter in user home directories.
+file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
+
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_mail_t, cifs_t)
+}
+
+# if you do not want to allow dead.letter then use the following instead
+#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
+#allow $1_mail_t $1_home_t:file r_file_perms;
+
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
+
+ifdef(`qmail.te', `
+allow $1_mail_t qmail_etc_t:dir search;
+allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
+')dnl end if qmail
+
+') dnl end TODO
 ')
 
 define(`mta_per_userdomain_template_depend',`
 
 ')
+
+#######################################
+#
+# mta_make_mailserver_domain(domain,entrypointtype)
+#
+define(`mta_execute',`
+requires_block_template(`$0'_depend)
+domain_make_daemon_domain($1,$2)
+typeattribute $1 mailserver_domain;
+')
+
+define(`mta_execute_depend',`
+attribute mailserver_domain;
+')
+
+#######################################
+#
+# mta_transition(domain)
+#
+define(`mta_transition',`
+requires_block_template(`$0'_depend)
+allow $1 sendmail_exec_t:file { getattr read execute };
+allow $1 system_mail_t:process transition;
+type_transition $1 sendmail_exec_t:file hwmta_t;
+dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`mta_transition_depend',`
+type system_mail_t, sendmail_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+#######################################
+#
+# mta_execute(domain)
+#
+define(`mta_execute',`
+requires_block_template(`$0'_depend)
+allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`mta_execute_depend',`
+type sendmail_exec_t;
+class file { getattr read execute execute_no_trans };
+')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index be458a9..ac6b391 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -2,6 +2,11 @@
 
 policy_module(mta,1.0)
 
+########################################
+#
+# Declarations
+#
+
 type etc_aliases_t;
 files_make_file(etc_aliases_t)
 
@@ -13,3 +18,180 @@ files_make_file(mqueue_spool_t)
 
 type mail_spool_t;
 files_make_file(mail_spool_t)
+
+type sendmail_exec_t;
+files_make_file(sendmail_exec_t)
+
+type system_mail_t; #, user_mail_domain, nscd_client_domain;
+domain_make_domain(system_mail_t)
+role system_r types system_mail_t;
+
+########################################
+#
+# System mail local policy
+#
+
+allow system_mail_t self:capability { setuid setgid chown };
+allow system_mail_t self:process { sigkill sigstop signull signal setrlimit };
+
+allow system_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+
+# re-exec itself
+allow system_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
+allow system_mail_t sendmail_exec_t:lnk_file { getattr read };
+
+kernel_read_kernel_sysctl(system_mail_t)
+kernel_read_system_state(system_mail_t)
+kernel_read_network_state(system_mail_t)
+
+corenetwork_network_tcp_on_all_interfaces(system_mail_t)
+corenetwork_network_raw_on_all_interfaces(system_mail_t)
+corenetwork_network_tcp_on_all_nodes(system_mail_t)
+corenetwork_network_raw_on_all_nodes(system_mail_t)
+corenetwork_bind_tcp_on_all_nodes(system_mail_t)
+corenetwork_network_tcp_on_all_ports(system_mail_t)
+
+devices_get_pseudorandom_data(system_mail_t)
+
+filesystem_get_persistent_filesystem_attributes(system_mail_t)
+
+init_script_use_pseudoterminal(system_mail_t)
+
+files_read_runtime_system_config(system_mail_t)
+files_read_general_system_config(system_mail_t)
+# It wants to check for nscd
+files_ignore_search_runtime_data_directory(system_mail_t)
+
+corecommands_execute_general_programs(system_mail_t)
+
+libraries_use_dynamic_loader(system_mail_t)
+libraries_read_shared_libraries(system_mail_t)
+
+logging_send_system_log_message(system_mail_t)
+
+miscfiles_read_localization(system_mail_t)
+
+sysnetwork_read_network_config(system_mail_t)
+
+tunable_policy(`use_dns',`
+allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces(system_mail_t)
+corenetwork_network_udp_on_all_nodes(system_mail_t)
+corenetwork_bind_udp_on_all_nodes(system_mail_t)
+corenetwork_network_udp_on_dns_port(system_mail_t)
+')
+
+optional_policy(`procmail.te',`
+procmail_execute(system_mail_t)
+')
+
+ifdef(`TODO',`
+
+
+
+can_ypbind(system_mail_t)
+
+allow system_mail_t device_t:dir search;
+allow system_mail_t { var_t var_spool_t }:dir search;
+allow system_mail_t sbin_t:dir search;
+
+# Transition from a system domain to the derived domain.
+domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
+allow privmail sendmail_exec_t:lnk_file { getattr read };
+
+ifdef(`crond.te', `
+# Read cron temporary files.
+allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
+allow mta_user_agent system_crond_tmp_t:file { read getattr };
+')
+
+ifdef(`qmail.te', `
+allow system_mail_t qmail_etc_t:dir search;
+allow system_mail_t qmail_etc_t:{ file lnk_file } read;
+')dnl end if qmail
+
+ifdef(`targeted_policy', `
+# rules are currently defined in sendmail.te, but it is not included in 
+# targeted policy.  We could move these rules permanantly here.
+
+ifdef(`postfix.te', `', `
+domain_execute_all_entrypoint_programs(system_mail_t)
+files_execute_system_config_script(system_mail_t)
+corecommands_execute_general_programs(system_mail_t)
+corecommands_execute_system_programs(system_mail_t)
+libraries_use_dynamic_loader(system_mail_t)
+libraries_read_shared_libraries(system_mail_t)
+libraries_execute_dynamic_loader(system_mail_t)
+libraries_execute_library_scripts(system_mail_t)
+')
+
+allow system_mail_t { var_t var_spool_t }:dir getattr;
+
+allow system_mail_t mqueue_spool_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow system_mail_t mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_mail_t mqueue_spool_t:lnk_file { create read getattr setattr link unlink rename };
+
+allow system_mail_t mail_spool_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow system_mail_t mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_mail_t mail_spool_t:lnk_file { create read getattr setattr link unlink rename };
+
+allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
+allow system_mail_t etc_mail_t:file { getattr read };
+', ` dnl if not targeted policy:
+ifdef(`sendmail.te', `
+# sendmail has an ugly design, the one process parses input from the user and
+# then does system things with it.
+domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
+', `
+domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
+') dnl end if sendmail.te
+
+# allow the sysadmin to do "mail someone < /home/user/whatever"
+allow sysadm_mail_t user_home_dir_type:dir search;
+r_dir_file(sysadm_mail_t, user_home_type)
+') dnl end ifdef targeted_policy
+
+# for a mail server process that does things in response to a user command
+allow mta_user_agent userdomain:process sigchld;
+allow mta_user_agent { userdomain privfd }:fd use;
+ifdef(`crond.te', `
+allow mta_user_agent crond_t:process sigchld;
+')
+allow mta_user_agent sysadm_t:fifo_file { read write };
+
+allow { system_mail_t mta_user_agent } privmail:fd use;
+allow { system_mail_t mta_user_agent } privmail:process sigchld;
+allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
+allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
+
+ifdef(`arpwatch.te', `
+# why is mail delivered to a directory of type arpwatch_data_t?
+allow mta_delivery_agent arpwatch_data_t:dir search;
+allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
+ifdef(`hide_broken_symptoms', `
+dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
+')
+')dnl end if arpwatch.te
+
+allow mta_delivery_agent home_root_t:dir { getattr search };
+
+# for /var/spool/mail
+ra_dir_create_file(mta_delivery_agent, mail_spool_t)
+
+# for piping mail to a command
+can_exec(mta_delivery_agent, shell_exec_t)
+allow mta_delivery_agent bin_t:dir search;
+allow mta_delivery_agent bin_t:lnk_file read;
+allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
+
+# Transition from a system domain to the derived domain.
+domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
+allow privmail sendmail_exec_t:lnk_file { getattr read };
+
+ifdef(`crond.te', `
+# Read cron temporary files.
+allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
+allow mta_user_agent system_crond_tmp_t:file { read getattr };
+')
+
+') dnl end TODO
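Review bot: The "Transition from a system domain to the derived domain" block and the crond.te block are present twice in the new TODO region, at L784–L792 and again at L873–L881, byte for byte; one copy should go before the region is resurrected. In the live part, system_mail_t is granted `corenetwork_network_tcp_on_all_ports` together with bind on all nodes (L737–L738); if that breadth is intentional for a sendmail that both listens and delivers, a one-line comment saying so would stop a later reviewer from narrowing it. The attributes privmail, mta_user_agent and mta_delivery_agent used throughout the TODO region are not declared in this diff either, which is worth a note next to the `ifdef` at L774.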
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 29ad653..57eb823 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -2,6 +2,38 @@
 
 #######################################
 #
+# clock_transition(domain)
+#
+define(`clock_transition',`
+requires_block_template(`$0'_depend)
+allow $1 hwclock_exec_t:file { getattr read execute };
+allow $1 hwclock_t:process transition;
+type_transition $1 hwclock_exec_t:file hwclock_t;
+dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`clock_transition_depend',`
+type hwclock_t, hwclock_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+#######################################
+#
+# clock_execute(domain)
+#
+define(`clock_execute',`
+requires_block_template(`$0'_depend)
+allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`clock_execute_depend',`
+type hwclock_exec_t;
+class file { getattr read execute execute_no_trans };
+')
+
+#######################################
+#
 # clock_modify_drift_records(domain)
 #
 define(`clock_modify_drift_records',`
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 0b3bee5..c9355bd 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -15,6 +15,34 @@ type shell_exec_t;
 
 ########################################
 #
+# corecommands_search_general_programs_directory(domain)
+#
+define(`corecommands_search_general_programs_directory',`
+requires_block_template(`$0'_depend)
+allow $1 bin_t:dir search;
+')
+
+define(`corecommands_search_general_programs_directory_depend',`
+type bin_t;
+class dir search;
+')
+
+########################################
+#
+# corecommands_read_general_programs_directory(domain)
+#
+define(`corecommands_read_general_programs_directory',`
+requires_block_template(`$0'_depend)
+allow $1 bin_t:dir { getattr search read };
+')
+
+define(`corecommands_read_general_programs_directory_depend',`
+type bin_t;
+class dir { getattr search read };
+')
+
+########################################
+#
 # corecommands_execute_general_programs(domain)
 #
 define(`corecommands_execute_general_programs',`
@@ -33,6 +61,34 @@ class file { getattr read execute execute_no_trans };
 
 ########################################
 #
+# corecommands_search_system_programs_directory(domain)
+#
+define(`corecommands_search_system_programs_directory',`
+requires_block_template(`$0'_depend)
+allow $1 sbin_t:dir search;
+')
+
+define(`corecommands_search_system_programs_directory_depend',`
+type sbin_t;
+class dir search;
+')
+
+########################################
+#
+# corecommands_read_system_programs_directory(domain)
+#
+define(`corecommands_read_system_programs_directory',`
+requires_block_template(`$0'_depend)
+allow $1 sbin_t:dir { getattr search read };
+')
+
+define(`corecommands_read_system_programs_directory_depend',`
+type sbin_t;
+class dir { getattr search read };
+')
+
+########################################
+#
 # corecommands_execute_system_programs(domain)
 #
 define(`corecommands_execute_system_programs',`
@@ -69,6 +125,24 @@ class file { getattr read execute execute_no_trans };
 
 ########################################
 #
+# corecommands_shell_transition(domain)
+#
+define(`corecommands_shell_transition',`
+requires_block_template(`$0'_depend)
+allow $1 bin_t:dir { getattr search read };
+allow $1 bin_t:lnk_file { getattr read };
+allow $1 shell_exec_t:file { getattr read execute };
+')
+
+define(`corecommands_shell_transition_depend',`
+type bin_t, shell_exec_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read execute };
+')
+
+########################################
+#
 # corecommands_chroot(domain)
 #
 define(`corecommands_chroot',`
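Review bot: `corecommands_shell_transition` contains no `process transition` or `type_transition` rule, so despite its name it only grants the execute-side permissions on `shell_exec_t` (deliberately without `execute_no_trans`) and leaves the actual domain transition to the caller; a reader seeing "transition" will expect the full rule set. The header comment above the define should state this, e.g. `# Grants the permissions needed to execute shell_exec_t across a domain transition; the caller must still add the process transition and type_transition rules for the target domain.` Consider also noting why `execute_no_trans` is omitted here while `corecommands_execute_*` include it.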
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 257e1b0..b383381 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -17,6 +17,20 @@ attribute file_type;
 
 ########################################
 #
+# files_make_lock_file(type)
+#
+define(`files_make_lock_file',`
+requires_block_template(`$0'_depend)
+files_make_file($1)
+typeattribute $1 lockfile;
+')
+
+define(`files_make_lock_file_depend',`
+attribute lockfile;
+')
+
+########################################
+#
 # files_make_mountpoint(type)
 #
 define(`files_make_mountpoint',`
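Review bot: `files_make_lock_file_depend` declares only `attribute lockfile;` although the body also expands `files_make_file($1)`, which presumably carries its own `_depend` requirements under the `$0_depend` convention used throughout this patch. If `requires_block_template` does not pull in nested interfaces' dependencies, the depend block should reference them too, e.g. `files_make_file_depend` alongside `attribute lockfile;` — worth confirming against how other composite interfaces in files.if are written.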
@@ -634,6 +648,26 @@ class file { getattr unlink };
 
 ########################################
 #
+# files_create_private_lock_file(domain,private_type,[object class(es)])
+#
+define(`files_create_private_lock_file',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 var_lock_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 var_lock_t:file $2;
+',`
+type_transition $1 var_lock_t:$3 $2;
+')
+')
+
+define(`files_create_private_lock_file_depend',`
+type var_t, var_lock_t;
+class dir { getattr search read write add_name };
+')
+
+########################################
+#
 # files_search_runtime_data_directory(domain)
 #
 define(`files_search_runtime_data_directory',`
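Review bot: The allow rule on `var_lock_t:dir` grants `{ getattr search read write add_name remove_name }`, but `files_create_private_lock_file_depend` declares only `class dir { getattr search read write add_name };`, so `remove_name` is used without being listed in the requirements. The depend line should be `class dir { getattr search read write add_name remove_name };`. The `type_transition` rules on class `file` (or `$3`) similarly have no corresponding class declaration in the depend block; if the require mechanism needs the class named for a type_transition, `class file;` (and the `$3` class when given) should be added as well.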
@@ -649,6 +683,20 @@ class dir search;
 
 ########################################
 #
+# files_ignore_search_runtime_data_directory(domain)
+#
+define(`files_ignore_search_runtime_data_directory',`
+requires_block_template(`$0'_depend)
+allow $1 var_run_t:dir search;
+')
+
+define(`files_ignore_search_runtime_data_directory_depend',`
+type var_run_t;
+class dir search;
+')
+
+########################################
+#
 # files_read_runtime_data_directory(domain)
 #
 define(`files_read_runtime_data_directory',`
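Review bot: `files_ignore_search_runtime_data_directory` uses `allow $1 var_run_t:dir search;`, which makes it identical in effect to `files_search_runtime_data_directory` rather than an audit-suppression interface; the `ignore` prefix in this interface family denotes a dontaudit rule, so a caller that only wants to silence noisy denials would instead be granted the access. The rule should read `dontaudit $1 var_run_t:dir search;`. The depend block is otherwise correct for that rule.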
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 7e02e9c..5c58f11 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -39,6 +39,25 @@ class file { execute execmod };
 
 ########################################
 #
+# libraries_execute_dynamic_loader(domain)
+#
+define(`libraries_execute_dynamic_loader',`
+requires_block_template(`$0'_depend)
+allow $1 lib_t:dir { getattr read search };
+allow $1 lib_t:lnk_file { getattr read };
+allow $1 ld_so_t:lnk_file { getattr read };
+allow $1 ld_so_t:file { getattr read execute execute_no_trans };
+')
+
+define(`libraries_execute_dynamic_loader_depend',`
+type lib_t, ld_so_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')
+
+########################################
+#
 # libraries_modify_dynamic_loader_cache(domain)
 #
 define(`libraries_modify_dynamic_loader_cache',`