diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 4b11b16..7566bba 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -10,6 +10,7 @@ apt (Erich Schubert) clamav (Erich Schubert) dpkg (Erich Schubert) + ethereal evolution mozilla mplayer diff --git a/refpolicy/policy/modules/apps/ethereal.fc b/refpolicy/policy/modules/apps/ethereal.fc new file mode 100644 index 0000000..12ae276 --- /dev/null +++ b/refpolicy/policy/modules/apps/ethereal.fc @@ -0,0 +1,7 @@ + +/usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0) +/usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0) + +ifdef(`strict_policy',` +HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0) +') diff --git a/refpolicy/policy/modules/apps/ethereal.if b/refpolicy/policy/modules/apps/ethereal.if new file mode 100644 index 0000000..87af193 --- /dev/null +++ b/refpolicy/policy/modules/apps/ethereal.if @@ -0,0 +1,303 @@ +## Ethereal packet capture tool. + +####################################### +## +## The per user domain template for the ethereal module. +## +## +##

+## This template creates a derived domains which are used +## for ethereal packet capture tool. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`ethereal_per_userdomain_template',` + + ############################## + # + # Declarations + # + + # Type for program + type $1_ethereal_t; + domain_type($1_ethereal_t) + domain_entry_file($1_ethereal_t,ethereal_exec_t) + role $3 types $1_ethereal_t; + + type $1_ethereal_home_t alias $1_ethereal_rw_t; + files_poly_member($1_ethereal_home_t) + userdom_user_home_content($1,$1_ethereal_home_t) + + type $1_ethereal_tmp_t; + files_tmp_file($1_ethereal_tmp_t) + + type $1_ethereal_tmpfs_t; + files_tmpfs_file($1_ethereal_tmpfs_t) + + ############################## + # + # Local Policy + # + + allow $1_ethereal_t self:capability { net_admin net_raw setgid }; + allow $1_ethereal_t self:process { signal getsched }; + allow $1_ethereal_t self:fifo_file { getattr read write }; + allow $1_ethereal_t self:shm destroy; + allow $1_ethereal_t self:shm create_shm_perms; + allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms }; + allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read }; + allow $1_ethereal_t self:tcp_socket create_socket_perms; + allow $1_ethereal_t self:udp_socket create_socket_perms; + + # Store temporary files + allow $1_ethereal_t $1_ethereal_tmp_t:dir create_dir_perms; + allow $1_ethereal_t $1_ethereal_tmp_t:file create_file_perms; + files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file }) + + # Re-execute itself (why?) 
+ can_exec($1_ethereal_t, ethereal_exec_t) + corecmd_search_sbin($1_ethereal_t) + + # /home/.ethereal + allow $1_ethereal_t $1_ethereal_home_t:dir manage_dir_perms; + allow $1_ethereal_t $1_ethereal_home_t:file manage_file_perms; + allow $1_ethereal_t $1_ethereal_home_t:lnk_file create_lnk_perms; + userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir) + + allow $1_ethereal_t $1_ethereal_tmpfs_t:dir manage_dir_perms; + allow $1_ethereal_t $1_ethereal_tmpfs_t:file manage_file_perms; + allow $1_ethereal_t $1_ethereal_tmpfs_t:lnk_file create_lnk_perms; + allow $1_ethereal_t $1_ethereal_tmpfs_t:sock_file manage_file_perms; + allow $1_ethereal_t $1_ethereal_tmpfs_t:fifo_file manage_file_perms; + fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + + domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t) + allow $1_ethereal_t $2:fd use; + allow $1_ethereal_t $2:process sigchld; + + allow $2 $1_ethereal_home_t:dir manage_dir_perms; + allow $2 $1_ethereal_home_t:file manage_file_perms; + allow $2 $1_ethereal_home_t:lnk_file create_lnk_perms; + allow $2 $1_ethereal_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + + kernel_read_kernel_sysctls($1_ethereal_t) + kernel_read_system_state($1_ethereal_t) + kernel_read_sysctl($1_ethereal_t) + + corecmd_search_bin($1_ethereal_t) + + corenet_tcp_connect_generic_port($1_ethereal_t) + corenet_tcp_sendrecv_generic_if($1_ethereal_t) + + dev_read_urand($1_ethereal_t) + + files_read_etc_files($1_ethereal_t) + files_read_usr_files($1_ethereal_t) + + fs_list_inotifyfs($1_ethereal_t) + fs_search_auto_mountpoints($1_ethereal_t) + + libs_read_lib_files($1_ethereal_t) + libs_use_ld_so($1_ethereal_t) + libs_use_shared_libs($1_ethereal_t) + + miscfiles_read_fonts($1_ethereal_t) + miscfiles_read_localization($1_ethereal_t) + + seutil_use_newrole_fds($1_ethereal_t) + + sysnet_read_config($1_ethereal_t) + + userdom_manage_user_home_content_files($1,$1_ethereal_t) + + 
tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs($1_ethereal_t) + fs_manage_nfs_files($1_ethereal_t) + fs_manage_nfs_symlinks($1_ethereal_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs($1_ethereal_t) + fs_manage_cifs_files($1_ethereal_t) + fs_manage_cifs_symlinks($1_ethereal_t) + ') + + optional_policy(`nscd',` + nscd_socket_use($1_ethereal_t) + ') + + # Manual transition from userhelper + optional_policy(`userhelper', ` + userhelper_use_user_fd($1,$1_ethereal_t) + userhelper_sigchld_user($1,$1_ethereal_t) + ') + + optional_policy(`xserver',` + xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t) + xserver_create_xdm_tmp_sockets($1_ethereal_t) + ') + + ifdef(`TODO',` + # Why does it write this? + optional_policy(`snmpd.te', ` + dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write; + ') + #TODO + gnome_application($1_ethereal, $1) + gnome_file_dialog($1_ethereal, $1) + # FIXME: policy is incomplete + ') + +') + +####################################### +## +## The administrative functions template for the ethereal module. +## +## +##

+## This template creates rules for administrating ethereal, +## allowing the specified user to manage ethereal files. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +# +template(`tethereal_admin_template',` + gen_require(` + type $1_ethereal_t; + ') + + # Create various types of sockets + allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms; + allow $1_ethereal_t self:udp_socket create_socket_perms; + allow $1_ethereal_t self:packet_socket create_socket_perms; + allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms; + allow $1_ethereal_t self:tcp_socket create_socket_perms; + + userdom_use_user_terminals($1,$1_ethereal_t) + # Ethereal tries to write to user terminal + userdom_dontaudit_use_user_terminals($1,$1_ethereal_t) +') + +######################################## +## +## Run ethereal in ethereal domain. +## +## +##

+## Run ethereal in ethereal domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`ethereal_domtrans_user_ethereal',` + gen_require(` + type $1_ethereal_t, ethereal_exec_t; + ') + + domain_auto_trans($2,ethereal_exec_t,$1_ethereal_t) + + allow $2 $1_ethereal_t:fd use; + allow $1_ethereal_t $2:fd use; + allow $1_ethereal_t $2:fifo_file rw_file_perms; + allow $1_ethereal_t $2:process sigchld; +') + +######################################## +## +## Run tethereal in the tethereal domain. +## +## +## +## Domain allowed access. +## +## +# +template(`ethereal_domtrans_tethereal',` + gen_require(` + type tethereal_t, tethereal_exec_t; + ') + + domain_auto_trans($1,tethereal_exec_t,tethereal_t) + + allow $1 tethereal_t:fd use; + allow tethereal_t $1:fd use; + allow tethereal_t $1:fifo_file rw_file_perms; + allow tethereal_t $1:process sigchld; +') + +######################################## +## +## Execute tethereal in the tethereal domain, and +## allow the specified role the tethereal domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the tethereal domain. +## +## +## +## +## The type of the terminal allow the tethereal domain to use. +## +## +# +interface(`ethereal_run_tethereal',` + gen_require(` + type tethereal_t; + ') + + ethereal_domtrans_tethereal($1) + role $2 types tethereal_t; + allow tethereal_t $3:chr_file rw_term_perms; +') diff --git a/refpolicy/policy/modules/apps/ethereal.te b/refpolicy/policy/modules/apps/ethereal.te new file mode 100644 index 0000000..5d9c713 --- /dev/null +++ b/refpolicy/policy/modules/apps/ethereal.te 
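Review bot: `userdom_manage_user_home_content_files($1,$1_ethereal_t)` in `ethereal_per_userdomain_template` is a broader grant than the capture domain should carry. `$1_ethereal_t` also holds `net_raw` and `net_admin` and parses packets taken off the wire, so a dissector flaw would reach every file in the user's home. The template already declares `$1_ethereal_home_t` with a home-dir filetrans for the program's own state, so I would drop the broad line, or make it conditional, and keep capture files under the dedicated type. The `use_nfs_home_dirs` and `use_samba_home_dirs` blocks carry the same breadth. Separately, `tethereal_admin_template` calls both `userdom_use_user_terminals` and `userdom_dontaudit_use_user_terminals` for `$1_ethereal_t`; the dontaudit has no effect once the allow is present, so one of the two should go.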
@@ -0,0 +1,57 @@
+
+policy_module(ethereal,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ethereal_exec_t;
+files_type(ethereal_exec_t)
+
+type tethereal_t;
+type tethereal_exec_t;
+domain_type(tethereal_t)
+domain_entry_file(tethereal_t,tethereal_exec_t)
+
+type tethereal_tmp_t;
+files_tmp_file(tethereal_tmp_t)
+
+########################################
+#
+# Tethereal policy
+#
+
+allow tethereal_t tethereal_t : capability { dac_override dac_read_search setgid setuid net_raw };
+allow tethereal_t self:unix_stream_socket create_stream_socket_perms;
+allow tethereal_t self:netlink_route_socket create_netlink_socket_perms;
+allow tethereal_t self:packet_socket create_socket_perms;
+allow tethereal_t self:tcp_socket create_socket_perms;
+allow tethereal_t self:udp_socket create_socket_perms;
+
+# Store temporary files
+allow tethereal_t tethereal_tmp_t:dir create_dir_perms;
+allow tethereal_t tethereal_tmp_t:file create_file_perms;
+files_tmp_filetrans(tethereal_t, tethereal_tmp_t, { dir file })
+
+# /proc
+kernel_read_all_sysctls(tethereal_t)
+kernel_read_system_state(tethereal_t)
+
+# Read ethereal files in /usr
+files_read_usr_files(tethereal_t)
+# /etc/nsswitch.conf
+files_read_etc_files(tethereal_t)
+
+libs_use_ld_so(tethereal_t)
+libs_use_shared_libs(tethereal_t)
+
+miscfiles_read_localization(tethereal_t)
+
+seutil_use_newrole_fds(tethereal_t)
+
+sysnet_dns_name_resolve(tethereal_t)
+
+optional_policy(`nscd',`
+ nscd_socket_use(tethereal_t)
+')
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
index e5aa700..a8bda8c 100644
--- a/refpolicy/policy/modules/apps/userhelper.if
+++ b/refpolicy/policy/modules/apps/userhelper.if
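Review bot: The first allow rule of the Tethereal policy section in ethereal.te grants `dac_override` and `dac_read_search` to `tethereal_t`, and nothing else in this file appears to need them: the domain only reads /usr, /etc and /proc and writes its own `tethereal_tmp_t`. These two capabilities let a process that parses untrusted packets bypass file ownership and mode checks wherever type enforcement permits access, so they should be added only once an AVC denial shows they are required. I would start from `allow tethereal_t self:capability { setgid setuid net_raw };`, which also matches the `self:` form used by the rules below it. `kernel_read_all_sysctls(tethereal_t)` is likewise wider than the `kernel_read_kernel_sysctls`/`kernel_read_sysctl` pair that the per-user template in ethereal.if uses.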
@@ -174,6 +174,9 @@ template(`userhelper_per_userdomain_template',` userdom_entry_spec_domtrans_sysadm($1_userhelper_t) ') + optional_policy(`ethereal',` + ethereal_domtrans_user_ethereal($1,$1_userhelper_t) + ') optional_policy(`logging',` logging_send_syslog_msg($1_userhelper_t) @@ -243,3 +246,48 @@ interface(`userhelper_dontaudit_search_config',` dontaudit $1 userhelper_conf_t:dir search_dir_perms; ') + +######################################## +## +## Allow domain to use userhelper file descriptor. +## +## +## +## The prefix of the domain, example user is the prefix of user_t. +## +## +## +## +## Domain allowed access. +## +## +# +template(`userhelper_use_user_fd',` + gen_require(` + type $1_userhelper_t; + ') + + allow $2 $1_userhelper_t:fd use; +') +######################################## +## +## Allow domain to send sigchld to userhelper. +## +## +## +## The prefix of the domain, example user is the prefix of user_t. +## +## +## +## +## Domain allowed access. +## +## +# +template(`userhelper_sigchld_user',` + gen_require(` + type $1_userhelper_t; + ') + + allow $2 $1_userhelper_t:process sigchld; +') diff --git a/refpolicy/policy/modules/apps/userhelper.te b/refpolicy/policy/modules/apps/userhelper.te index 22cae2e..af82043 100644 --- a/refpolicy/policy/modules/apps/userhelper.te +++ b/refpolicy/policy/modules/apps/userhelper.te @@ -1,5 +1,5 @@ -policy_module(userhelper,1.0.0) +policy_module(userhelper,1.0.1) ######################################## # diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 04e03b9..986dbde 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -894,6 +894,10 @@ template(`admin_user_template',` cron_admin_template($1,$1_t,$1_r) ') + optional_policy(`ethereal',` + tethereal_admin_template($1,$1_t,$1_r) + ') + optional_policy(`lpd',` lpr_admin_template($1,$1_t,$1_r) ') 
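Review bot: `userhelper_use_user_fd` and `userhelper_sigchld_user`, added in the second userhelper.if hunk, emit rules that the first hunk of this file already grants. `ethereal_domtrans_user_ethereal($1,$1_userhelper_t)` expands to `allow $1_ethereal_t $1_userhelper_t:fd use;` and `allow $1_ethereal_t $1_userhelper_t:process sigchld;`, which is exactly what the two new templates produce when ethereal.if calls them with `$1_ethereal_t`. Keeping a single path makes the userhelper-to-ethereal relationship easier to audit. A blank line is also missing between the closing `')` of `userhelper_use_user_fd` and the comment banner of `userhelper_sigchld_user`.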
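Review bot: The call `tethereal_admin_template($1,$1_t,$1_r)` added to `admin_user_template` in userdomain.if passes three arguments, but the template defined in ethereal.if in this same patch reads only `$1` and documents two parameters. m4 drops the surplus arguments silently, so the mismatch will not show up at build time; the call and the definition should be brought into agreement. The name also departs from the `ethereal_` prefix used by every other entry in ethereal.if, and the template acts on `$1_ethereal_t` rather than `tethereal_t`, so `ethereal_admin_template` would describe it better. `admin_user_template` begins and ends outside this hunk.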
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 286f55f..28a3474 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.3.3) +policy_module(userdomain,1.3.4) gen_require(` role sysadm_r, staff_r, user_r; @@ -256,6 +256,10 @@ ifdef(`targeted_policy',` dpkg_run(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`ethereal',` + ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal) + ') + optional_policy(`firstboot',` firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t) ')