diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 6f9abaf..cb547a7 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -4,6 +4,7 @@ comsat dbus dhcpd + squid * Fri Aug 26 2005 Chris PeBenito - 20050826 - Add Makefile support for building loadable modules. diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 911bca8..d52097b 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -138,6 +138,11 @@ optional_policy(`nscd.te',` nscd_use_socket(logrotate_t) ') +optional_policy(`squid.te',` + # cjp: why? + squid_domtrans(logrotate_t) +') + ifdef(`TODO',` #from privmail this needs more work: @@ -155,14 +160,6 @@ allow logrotate_t domain:notdevfile_class_set r_file_perms; allow logrotate_t domain:dir r_dir_perms; allow logrotate_t exec_type:file getattr; -#this should go to squid: -optional_policy(`logrotate.te', ` - allow squid_t { system_crond_t crond_t }:fd use; - allow squid_t crond_t:fifo_file { read write }; - allow squid_t system_crond_t:fifo_file write; - allow squid_t self:capability kill; -') - # for /var/lib/logrotate.status and /var/lib/logcheck file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file) diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index 2e8def0..472a313 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -53,6 +53,24 @@ interface(`bootloader_run',` ######################################## ## +## Do not audit attempts to get attributes +## of the /boot directory. +## +## +## Domain to not audit. +## +# +interface(`bootloader_dontaudit_getattr_boot_dir',` + gen_require(` + type boot_t; + class dir getattr; + ') + + dontaudit $1 boot_t:dir getattr; +') + +######################################## +## ## Search the /boot directory. ## ## 
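Review bot: The `# cjp: why?` placeholder above `squid_domtrans(logrotate_t)` in the first logrotate.te hunk leaves a new domain transition into a network daemon domain unexplained, and the cron.te hunk carries the same open question over `squid_domtrans(system_crond_t)`. The block removed further down this file (fd use on crond_t and system_crond_t, fifo_file read/write, `capability kill` for squid_t) suggests squid is being launched from logrotate and system cron jobs so it can signal the running proxy after its logs are rotated — that is inferred from the removed rules, so confirm it before writing it down. Replace the placeholder in both files with the actual reason, e.g. `# logrotate runs squid to have the running proxy reopen its logs`, or drop the transition until it is justified; a domtrans should not be carried on a question mark.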
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if index 837a94a..6840d4b 100644 --- a/refpolicy/policy/modules/kernel/selinux.if +++ b/refpolicy/policy/modules/kernel/selinux.if @@ -21,6 +21,24 @@ interface(`selinux_get_fs_mount',` ######################################## ## +## Do not audit attempts to get the +## attributes of the selinuxfs directory. +## +## +## Domain to not audit. +## +# +interface(`selinux_dontaudit_getattr_dir',` + gen_require(` + type security_t; + class dir getattr; + ') + + dontaudit $1 security_t:dir getattr; +') + +######################################## +## ## Do not audit attempts to search selinuxfs. ## ## diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index c183b0b..2ba6b92 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -216,6 +216,24 @@ interface(`term_setattr_console',` ######################################## ## +## Do not audit attempts to get the +## attributes of the /dev/pts directory. +## +## +## The type of the process to not audit. +## +# +interface(`term_dontaudit_getattr_pty_dir',` + gen_require(` + type devpts_t; + class dir getattr; + ') + + dontaudit $1 devpts_t:dir getattr; +') + +######################################## +## ## Read the /dev/pts directory to ## list all ptys. ## diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index ec5f5ae..e418325 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if 
@@ -316,6 +316,24 @@ interface(`cron_system_entry',` ######################################## ## +## Inherit and use a file descriptor +## from the cron daemon. +## +## +## Domain allowed access. +## +# +interface(`cron_use_fd',` + gen_require(` + type crond_t; + class fd use; + ') + + allow $1 crond_t:fd use; +') + +######################################## +## ## Send a SIGCHLD signal to the cron daemon. ## ## @@ -333,10 +351,10 @@ interface(`cron_sigchld',` ######################################## ## -## Read a cron daemon unnamed pipe +## Read a cron daemon unnamed pipe. ## ## -## The type of the process to performing this action. +## Domain allowed access. ## # interface(`cron_read_pipe',` @@ -350,6 +368,23 @@ interface(`cron_read_pipe',` ######################################## ## +## Read and write a cron daemon unnamed pipe. +## +## +## Domain allowed access. +## +# +interface(`cron_rw_pipe',` + gen_require(` + type crond_t; + class file { read write }; + ') + + allow $1 crond_t:file { read write }; +') + +######################################## +## ## Read and write the cron daemon log files. ## ## @@ -386,6 +421,41 @@ interface(`cron_search_spool',` ######################################## ## +## Inherit and use a file descriptor +## from system cron jobs. +## +## +## Domain allowed access. +## +# +interface(`cron_use_system_job_fd',` + gen_require(` + type system_crond_t; + class fd use; + ') + + allow $1 system_crond_t:fd use; +') + +######################################## +## +## Wrate a system cron job unnamed pipe. +## +## +## Domain allowed access. +## +# +interface(`cron_write_system_job_pipe',` + gen_require(` + type system_crond_t; + class file write; + ') + + allow $1 system_crond_t:file write; +') + +######################################## +## ## Read temporary files from the system cron jobs. ## ## diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index cba03ea..d0ddc63 100644 
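Review bot: `cron_rw_pipe` in the @@ -350 hunk grants `allow $1 crond_t:file { read write };` although its summary says an unnamed pipe, and the rules it replaces in logrotate.te (`allow squid_t crond_t:fifo_file { read write };`, `allow squid_t system_crond_t:fifo_file write;`) were on the fifo_file class; `cron_write_system_job_pipe` in the @@ -386 hunk has the same problem with `system_crond_t:file write`. As written the two interfaces do not cover the pipes at all and instead permit read/write on file objects carrying the daemon's domain type, a different and broader object than intended. Change both to fifo_file in gen_require and in the allow: `class fifo_file { read write };` with `allow $1 crond_t:fifo_file { read write };`, and `class fifo_file write;` with `allow $1 system_crond_t:fifo_file write;`. The summary of `cron_write_system_job_pipe` also reads `Wrate` for `Write`.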
--- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -322,6 +322,11 @@ optional_policy(`nscd.te',` nscd_use_socket(system_crond_t) ') +optional_policy(`squid.te',` + # cjp: why? + squid_domtrans(system_crond_t) +') + ifdef(`TODO',` dontaudit userdomain system_crond_t:fd use; diff --git a/refpolicy/policy/modules/services/squid.fc b/refpolicy/policy/modules/services/squid.fc new file mode 100644 index 0000000..944b7e6 --- /dev/null +++ b/refpolicy/policy/modules/services/squid.fc @@ -0,0 +1,14 @@ + +/etc/squid(/.*)? context_template(system_u:object_r:squid_conf_t,s0) + +/usr/sbin/squid -- context_template(system_u:object_r:squid_exec_t,s0) + +/usr/share/squid(/.*)? context_template(system_u:object_r:squid_conf_t,s0) + +/var/cache/squid(/.*)? context_template(system_u:object_r:squid_cache_t,s0) + +/var/log/squid(/.*)? context_template(system_u:object_r:squid_log_t,s0) + +/var/run/squid\.pid -- context_template(system_u:object_r:squid_var_run_t,s0) + +/var/spool/squid(/.*)? context_template(system_u:object_r:squid_cache_t,s0) diff --git a/refpolicy/policy/modules/services/squid.if b/refpolicy/policy/modules/services/squid.if new file mode 100644 index 0000000..a5bdc54 --- /dev/null +++ b/refpolicy/policy/modules/services/squid.if 
@@ -0,0 +1,84 @@ +## Squid caching http proxy server + +######################################## +## +## Execute squid in the squid domain. +## +## +## The type of the process performing this action. +## +# +interface(`squid_domtrans',` + gen_require(` + type squid_t, squid_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + corecmd_search_sbin($1) + domain_auto_trans($1,squid_exec_t,squid_t) + + allow $1 squid_t:fd use; + allow squid_t $1:fd use; + allow squid_t $1:fifo_file rw_file_perms; + allow squid_t $1:process sigchld; +') + +######################################## +## +## Read squid configuration file. +## +## +## Domain allowed access. +## +# +interface(`squid_read_config',` + gen_require(` + type squid_conf_t; + class file r_file_perms; + ') + + files_search_etc($1) + allow $1 squid_conf_t:file r_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## squid logs. +## +## +## Domain allowed access. +## +# +interface(`squid_manage_logs',` + gen_require(` + type squid_log_t; + class dir rw_dir_perms; + class file create_file_perms; + ') + + logging_search_logs($1) + allow $1 squid_log_t:dir rw_dir_perms; + allow $1 squid_log_t:file create_file_perms; +') + +######################################## +## +## Use squid services by connecting over TCP. +## +## +## Domain allowed access. +## +# +interface(`squid_use',` + gen_require(` + type squid_t; + class tcp_socket { connectto acceptfrom recvfrom }; + ') + + allow $1 squid_t:tcp_socket { connectto recvfrom }; + allow squid_t $1:tcp_socket { acceptfrom recvfrom }; + kernel_tcp_recvfrom($1) +') diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te new file mode 100644 index 0000000..ddba18a --- /dev/null +++ b/refpolicy/policy/modules/services/squid.te 
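Review bot: `squid_read_config` grants only `allow $1 squid_conf_t:file r_file_perms;`, but squid.fc labels the /etc/squid directory itself squid_conf_t (`/etc/squid(/.*)?`), so a caller such as initrc_t (init.te hunk) is denied search on that directory before it ever reaches the files; squid.te's own local policy includes `allow squid_t squid_conf_t:dir r_dir_perms;` for exactly this. Add `class dir r_dir_perms;` to the gen_require and `allow $1 squid_conf_t:dir r_dir_perms;` beside the file rule. /usr/share/squid is labeled squid_conf_t as well, while the interface only calls `files_search_etc($1)`; if callers are expected to read there too, a `files_search_usr($1)` call is needed — confirm against actual usage before adding it.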
@@ -0,0 +1,166 @@ + +policy_module(squid,1.0) + +######################################## +# +# Declarations +# + +type squid_t; +type squid_exec_t; +init_daemon_domain(squid_t,squid_exec_t) + +# type for /var/cache/squid +type squid_cache_t; +files_type(squid_cache_t) + +type squid_conf_t; +files_type(squid_conf_t) + +type squid_log_t; +logging_log_file(squid_log_t) + +type squid_var_run_t; +files_pid_file(squid_var_run_t) + +######################################## +# +# Local policy +# + +allow squid_t self:capability { setgid setuid }; +dontaudit squid_t self:capability sys_tty_config; +allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow squid_t self:unix_stream_socket create_stream_socket_perms; +allow squid_t self:unix_dgram_socket create_socket_perms; +allow squid_t self:unix_dgram_socket sendto; +allow squid_t self:unix_stream_socket connectto; +allow squid_t self:fifo_file rw_file_perms; +allow squid_t self:fd use; +allow squid_t self:shm create_shm_perms; +allow squid_t self:sem create_sem_perms; +allow squid_t self:msgq create_msgq_perms; +allow squid_t self:msg { send receive }; + +# Grant permissions to create, access, and delete cache files. 
+allow squid_t squid_cache_t:dir create_dir_perms; +allow squid_t squid_cache_t:file create_file_perms; +allow squid_t squid_cache_t:lnk_file create_lnk_perms; + +allow squid_t squid_conf_t:file r_file_perms; +allow squid_t squid_conf_t:dir r_dir_perms; +allow squid_t squid_conf_t:lnk_file read; + +can_exec(squid_t,squid_exec_t) + +allow squid_t squid_log_t:file create_file_perms; +allow squid_t squid_log_t:dir rw_dir_perms; +logging_create_log(squid_t,squid_log_t,{ file dir }) + +allow squid_t squid_var_run_t:file create_file_perms; +files_create_pid(squid_t,squid_var_run_t) + +kernel_read_kernel_sysctl(squid_t) +kernel_read_system_state(squid_t) +kernel_tcp_recvfrom(squid_t) + +bootloader_dontaudit_getattr_boot_dir(squid_t) + +corenet_tcp_sendrecv_all_if(squid_t) +corenet_raw_sendrecv_all_if(squid_t) +corenet_udp_sendrecv_all_if(squid_t) +corenet_tcp_sendrecv_all_nodes(squid_t) +corenet_udp_sendrecv_all_nodes(squid_t) +corenet_raw_sendrecv_all_nodes(squid_t) +corenet_tcp_sendrecv_all_ports(squid_t) +corenet_udp_sendrecv_all_ports(squid_t) +corenet_tcp_bind_all_nodes(squid_t) +corenet_udp_bind_all_nodes(squid_t) +corenet_tcp_bind_http_cache_port(squid_t) +corenet_udp_bind_http_cache_port(squid_t) + +dev_read_sysfs(squid_t) +dev_read_urand(squid_t) + +fs_getattr_all_fs(squid_t) +fs_search_auto_mountpoints(squid_t) + +selinux_dontaudit_getattr_dir(squid_t) + +term_dontaudit_use_console(squid_t) +term_dontaudit_getattr_pty_dir(squid_t) + +# to allow running programs from /usr/lib/squid (IE unlinkd) +corecmd_exec_bin(squid_t) +corecmd_exec_sbin(squid_t) +corecmd_exec_shell(squid_t) + +domain_use_wide_inherit_fd(squid_t) + +files_read_etc_files(squid_t) +files_read_etc_runtime_files(squid_t) +files_read_usr_files(squid_t) +files_search_spool(squid_t) +files_dontaudit_getattr_tmp_dir(squid_t) +files_getattr_home_dir(squid_t) + +init_use_fd(squid_t) +init_use_script_pty(squid_t) + +libs_use_ld_so(squid_t) +libs_use_shared_libs(squid_t) +# to allow running programs from 
/usr/lib/squid (IE unlinkd) +libs_exec_lib_files(squid_t) + +logging_send_syslog_msg(squid_t) + +miscfiles_read_localization(squid_t) + +userdom_use_unpriv_users_fd(squid_t) +userdom_dontaudit_use_unpriv_user_fd(squid_t) +userdom_dontaudit_search_sysadm_home_dir(squid_t) + +ifdef(`targeted_policy', ` + term_dontaudit_use_unallocated_tty(squid_t) + term_dontaudit_use_generic_pty(squid_t) + files_dontaudit_read_root_file(squid_t) +') + +optional_policy(`logrotate.te',` + allow squid_t self:capability kill; + cron_use_fd(squid_t) + cron_use_system_job_fd(squid_t) + cron_rw_pipe(squid_t) + cron_write_system_job_pipe(squid_t) +') + +optional_policy(`mount.te',` + mount_send_nfs_client_request(squid_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(squid_t) +') + +optional_policy(`nscd.te',` + nscd_use_socket(squid_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(squid_t) +') + +optional_policy(`udev.te', ` + udev_read_db(squid_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(squid_t) +') +ifdef(`apache.te',` +can_tcp_connect(squid_t, httpd_t) +') +#squid requires the following when run in diskd mode, the recommended setting +allow squid_t tmpfs_t:file { read write }; +') dnl end TODO diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 0d1e406..bf0e5b4 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if 
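Review bot: The `optional_policy(`logrotate.te',` block near the end of squid.te calls only cron interfaces (`cron_use_fd`, `cron_use_system_job_fd`, `cron_rw_pipe`, `cron_write_system_job_pipe`), so the rules are gated on the wrong module: with logrotate present and cron absent the build would likely fail on undefined interfaces, and with cron present but logrotate absent squid presumably loses the fd and pipe access it needs when run from system cron jobs. Condition the block on the module that provides the interfaces, `optional_policy(`cron.te',`, and give `allow squid_t self:capability kill;` a one-line comment saying why it belongs there. Separately, `allow squid_t self:process ~{ ... };` is a negated set that silently grants any process permission added to the policy later, so an explicit positive list is easier to review. `corenet_raw_sendrecv_all_if(squid_t)` and `corenet_raw_sendrecv_all_nodes(squid_t)` are paired with neither a `self:rawip_socket` rule nor a `net_raw` capability anywhere in this file (its capability set is `{ setgid setuid }`), so they look like dead rules unless a raw-socket helper is intended — confirm and either complete or drop them.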
@@ -1207,7 +1207,26 @@ interface(`files_manage_isid_type_chr_node',` ######################################## ## -## Search home directories root. +## Do not audit attempts to get the +## attributes of the home directories root +## (/home). +## +## +## The type of the process performing this action. +## +# +interface(`files_getattr_home_dir',` + gen_require(` + type home_root_t; + class dir search; + ') + + allow $1 home_root_t:dir search; +') + +######################################## +## +## Search home directories root (/home). ## ## ## The type of the process performing this action. @@ -1224,7 +1243,8 @@ interface(`files_search_home',` ######################################## ## -## Do not audit attempts to search home directories root. +## Do not audit attempts to search +## home directories root (/home). ## ## ## Domain to not audit. @@ -1471,6 +1491,24 @@ interface(`files_read_world_readable_sockets',` ######################################## ## +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). +## +## +## The type of the process performing this action. +## +# +interface(`files_dontaudit_getattr_tmp_dir',` + gen_require(` + type tmp_t; + class dir getattr; + ') + + dontaudit $1 tmp_t:dir getattr; +') + +######################################## +## ## Search the tmp directory (/tmp). ## ## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index c5d37a5..a55cd76 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -466,6 +466,11 @@ optional_policy(`rpm.te',` rpm_manage_db(initrc_t) ') +optional_policy(`squid.te',` + squid_read_config(initrc_t) + squid_manage_logs(initrc_t) +') + optional_policy(`ssh.te',` optional_policy(`inetd.te',` tunable_policy(`run_ssh_inetd',`',` diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 3c42fed..4615eef 100644 
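Review bot: `files_getattr_home_dir` in the @@ -1207 hunk is inconsistent three ways: its name and its caller in squid.te (`files_getattr_home_dir(squid_t)`) ask for getattr, the summary describes a dontaudit, and the body grants `allow $1 home_root_t:dir search;` with `class dir search;` in gen_require. Search on the home root is a broader permission than getattr and is already provided by `files_search_home`, so the body should be `class dir getattr;` and `allow $1 home_root_t:dir getattr;`. The summary should then read `Get the attributes of the home directories root (/home).`, matching the wording pattern of `files_dontaudit_getattr_tmp_dir` further down in this section.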
--- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -278,6 +278,10 @@ template(`base_user_template',` files_search_var_lib($1_t) ') + optional_policy(`squid.te',` + squid_use($1_t) + ') + optional_policy(`usermanage.te',` usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) @@ -446,7 +450,7 @@ template(`unpriv_user_template', ` # Inherit rules for ordinary users. base_user_template($1) - typeattribute $1_t unpriv_userdomain; #, web_client_domain + typeattribute $1_t unpriv_userdomain; domain_wide_inherit_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -673,7 +677,7 @@ template(`admin_user_template',` # Inherit rules for ordinary users. base_user_template($1) - typeattribute $1_t privhome; #, admin, web_client_domain + typeattribute $1_t privhome; domain_obj_id_change_exempt($1_t) role system_r types $1_t;