diff --git a/refpolicy/Changelog b/refpolicy/Changelog index efcf513..c10c3df 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -2,6 +2,7 @@ build phase instead of during the generation phase. - DISTRO=redhat now implies DIRECT_INITRC=y. - Added policies: + amanda canna cyrus dovecot diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 4e9b0e3..cd7d478 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -1395,6 +1395,23 @@ interface(`kernel_rw_unlabeled_dir',` ######################################## ## +## Do not audit attempts by caller to get the +## attributes of an unlabeled file. +## +## +## The process type not to audit. +## +# +interface(`kernel_dontaudit_getattr_unlabeled_file',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:file getattr; +') + +######################################## +## ## Do not audit attempts by caller to get attributes for ## unlabeled block devices. ## @@ -1408,7 +1425,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',` class blk_file getattr; ') - allow $1 unlabeled_t:blk_file getattr; + dontaudit $1 unlabeled_t:blk_file getattr; ') ######################################## diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te index d209a85..5646bb2 100644 --- a/refpolicy/policy/modules/services/bind.te +++ b/refpolicy/policy/modules/services/bind.te @@ -1,5 +1,5 @@ -policy_module(bind,1.0) +policy_module(bind,0.9) ######################################## # diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 6ec899b..12292ac 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te 
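Review bot: The gen_require of the new `kernel_dontaudit_getattr_unlabeled_file` lists only `type unlabeled_t;`, whereas the neighbouring `kernel_dontaudit_getattr_unlabeled_blk_dev` in the following hunk also requires its object class (`class blk_file getattr;`); if this file still declares classes in gen_require, add `class file getattr;` so the two interfaces match. The summary could also tell callers what the rule suppresses: getattr denials on unlabeled_t are the usual symptom of files left unlabeled after a relabel, so hiding them should be reserved for domains that walk the filesystem and would otherwise flood the audit log, e.g. `## Do not audit attempts by caller to get the attributes of an unlabeled file. Use only for domains that scan the whole filesystem; these denials otherwise reveal unlabeled files.`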
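Review bot: The `policy_module(bind,...)` version moves from 1.0 down to 0.9, and the networkmanager.te hunk makes the same 1.0 to 0.9 change. A decreasing module version is unusual; if module versions are compared at install or upgrade time this may be treated as a downgrade, and if it is a deliberate renumbering of pre-release modules a line in the Changelog hunk stating that would make the intent clear.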
@@ -71,6 +71,8 @@ corenet_udp_bind_all_nodes(inetd_t) corenet_tcp_connect_all_ports(inetd_t) # listen on service ports: +corenet_tcp_bind_amanda_port(inetd_t) +corenet_udp_bind_amanda_port(inetd_t) corenet_tcp_bind_auth_port(inetd_t) #corenet_udp_bind_comsat_port(inetd_t) corenet_tcp_bind_dbskkd_port(inetd_t) @@ -123,6 +125,10 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(inetd_t) ') +optional_policy(`amanda.te',` + amanda_search_lib(inetd_t) +') + optional_policy(`mount.te',` mount_send_nfs_client_request(inetd_t) ') diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index 5a6992b..e4d64c3 100644 --- a/refpolicy/policy/modules/services/networkmanager.te +++ b/refpolicy/policy/modules/services/networkmanager.te @@ -1,5 +1,5 @@ -policy_module(networkmanager,1.0) +policy_module(networkmanager,0.9) ######################################## # diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 90d5c0d..914fb0e 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -618,6 +618,40 @@ interface(`files_dontaudit_getattr_non_security_sockets',` ######################################## ## +## Read all block nodes with file types. +## +## +## Domain allowed access. +## +# +interface(`files_read_all_blk_nodes',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir search; + allow $1 file_type:blk_file { getattr read }; +') + +######################################## +## +## Read all character nodes with file types. +## +## +## Domain allowed access. +## +# +interface(`files_read_all_chr_nodes',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir search; + allow $1 file_type:chr_file { getattr read }; +') + +######################################## +## ## Relabel all files on the filesystem, except ## the listed exceptions. ## 
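Review bot: The summaries of `files_read_all_blk_nodes` and `files_read_all_chr_nodes` understate what the rules grant: `getattr read` on every blk_file or chr_file whose type carries the `file_type` attribute, plus `dir search` on every directory with such a type. Reading a block node gives the caller the raw contents of whatever device it backs, independent of the labels on the files stored there, so the summary should say so and steer callers, e.g. `## Read all block device nodes labeled with a file type. This exposes the raw contents of the underlying devices regardless of file labels; intended for backup and administrative domains only.` with matching wording for the character-node interface. Whether device nodes declared by the devices module also carry file_type is not visible here, so the stated scope should be checked against the attribute's declaration before the wording is finalised.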
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 1b2cbc1..0f01873 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if 
@@ -1803,6 +1803,87 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',` ######################################## ## +## Create objects in sysadm home directories +## with automatic file type transition. +## +## +## Domain allowed access. +## +## +## The class of the object to be created. +## If not specified, file is used. +## +# +interface(`userdom_create_sysadm_home',` + ifdef(`targeted_policy',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + allow $1 user_home_dir_t:dir rw_dir_perms; + ifelse(`$2',`',` + ifelse(`$3',`',` + type_transition $1 user_home_dir_t:file user_home_t; + ',` + type_transition $1 user_home_dir_t:$3 user_home_t; + ') + ',` + ifelse(`$3',`',` + type_transition $1 user_home_dir_t:file $2; + ',` + type_transition $1 user_home_dir_t:$3 $2; + ') + ') + ',` + gen_require(` + type sysadm_home_dir_t, sysadm_home_t; + ') + + allow $1 sysadm_home_dir_t:dir rw_dir_perms; + + ifelse(`$2',`',` + ifelse(`$3',`',` + type_transition $1 sysadm_home_dir_t:file sysadm_home_t; + ',` + type_transition $1 sysadm_home_dir_t:$3 sysadm_home_t; + ') + ',` + ifelse(`$3',`',` + type_transition $1 sysadm_home_dir_t:file $2; + ',` + type_transition $1 sysadm_home_dir_t:$3 $2; + ') + ') + ') +') + +######################################## +## +## Search the sysadm users home sub directories. +## +## +## Domain to not audit. +## +# +interface(`userdom_search_sysadm_home_subdirs',` + ifdef(`targeted_policy',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; + + ',` + gen_require(` + type sysadm_home_dir_t, sysadm_home_t; + ') + + allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms; + ') +') + +######################################## +## ## Read files in the sysadm users home directory. ## ## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index b14131b..87a536a 100644 
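Review bot: In `userdom_search_sysadm_home_subdirs` the parameter is documented as `Domain to not audit.` while the body is an `allow ... search_dir_perms` rule, not a dontaudit; change the description to `## Domain allowed access.`. In `userdom_create_sysadm_home` only the domain and the class parameters carry a description in this rendering; if the second parameter (the type the created object receives) is undocumented, add something like `## The type of the created object. If not specified, sysadm_home_t is used (user_home_t under targeted_policy).`. The four-way nested ifelse in each branch could be collapsed to a single type_transition per branch by substituting the defaults with inline ifelse calls for the class and for the type; the expansion is the same, there is far less to read, and the two branches then differ only in the type names.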
--- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -121,6 +121,10 @@ ifdef(`targeted_policy',` domain_ptrace_all_domains(sysadm_t) ') + optional_policy(`amanda.te',` + amanda_run_recover(sysadm_t,sysadm_r,admin_terminal) + ') + optional_policy(`apache.te',` apache_run_helper(sysadm_t,sysadm_r,admin_terminal) #apache_run_all_scripts(sysadm_t,sysadm_r)