diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index ba5e9e6..39a28ce 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -549,6 +549,13 @@ gen_tunable(xdm_sysadm_login,false) ifdef(`targeted_policy',` ## ##

+## Allow mount to mount any file +##

+##
+gen_tunable(allow_mount_anyfile,false) + +## +##

## Allow spammd to read/write user home directories. ##

##
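Review bot: The description `## Allow mount to mount any file` understates what the boolean grants: the matching mount.te hunk in this commit wires `allow_mount_anyfile` to `auth_read_all_dirs_except_shadow(mount_t)` and `auth_read_all_files_except_shadow(mount_t)`, i.e. read access for mount_t to every non-shadow file and directory while the boolean is on, not merely the ability to mount. Since the tunable text is what an administrator reads before flipping it, it should name that scope, e.g. `## Allow mount to read any non-shadow file or directory (presumably so arbitrary files can be loop-mounted).`. The surrounding summary/desc markup is not visible in this hunk, so the exact wrapper tags cannot be checked here.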
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 2e72dc4..58c545f 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -186,6 +186,7 @@ corenet_udp_bind_all_nodes(traceroute_t) corenet_tcp_bind_all_nodes(traceroute_t) # traceroute needs this but not tracepath corenet_raw_bind_all_nodes(traceroute_t) +corenet_udp_bind_traceroute_port(traceroute_t) corenet_tcp_connect_all_ports(traceroute_t) fs_dontaudit_getattr_xattr_fs(traceroute_t) @@ -195,6 +196,8 @@ domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) files_dontaudit_search_var(traceroute_t) +init_use_fds(traceroute_t) + libs_use_ld_so(traceroute_t) libs_use_shared_libs(traceroute_t) diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te index 59678e0..3ec1132 100644 --- a/refpolicy/policy/modules/admin/prelink.te +++ b/refpolicy/policy/modules/admin/prelink.te @@ -46,6 +46,7 @@ kernel_dontaudit_search_sysctl(prelink_t) corecmd_manage_all_executables(prelink_t) corecmd_relabel_all_executables(prelink_t) corecmd_mmap_all_executables(prelink_t) +corecmd_read_sbin_symlinks(prelink_t) dev_read_urand(prelink_t) diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te index a30fc76..5769ceb 100644 --- a/refpolicy/policy/modules/apps/mono.te +++ b/refpolicy/policy/modules/apps/mono.te @@ -35,4 +35,8 @@ ifdef(`targeted_policy',` optional_policy(` networkmanager_dbus_chat(mono_t) ') + + optional_policy(` + unconfined_dbus_connect(mono_t) + ') ') diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc index 44e046a..53e1db7 100644 --- a/refpolicy/policy/modules/kernel/corecommands.fc +++ b/refpolicy/policy/modules/kernel/corecommands.fc 
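Review bot: `unconfined_dbus_connect(mono_t)` in the mono.te hunk grants `acquire_svc` on unconfined_t's bus (per the unconfined.if hunk later in this commit), which is the permission to register well-known service names on that bus rather than just to talk over it, and the grant carries no comment saying which mono service needs to own a name. A one-line why-comment above the call, such as `# mono applications register their own D-Bus service names on the unconfined (session) bus`, would make the grant reviewable the next time someone audits what targeted policy lets mono_t do. The enclosing `ifdef(`targeted_policy'` block starts outside the hunk.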
@@ -76,6 +76,7 @@ ifdef(`targeted_policy',` # /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) +/lib/udev/scsi_id -- gen_context(system_u:object_r:sbin_t,s0) ifdef(`distro_gentoo',` /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index 6e26352..781e884 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -69,9 +69,9 @@ network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(giftd, tcp,1213,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0) +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) -network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,9100,s0) +network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) @@ -125,6 +125,7 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0) +network_port(traceroute, udp,64000-64010,s0) network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) 
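Review bot: The expanded `hplip` line and the `http` line in the first corenetwork.te.in hunk add a dozen ports with no note of what they are, while the adjacent `http_cache` line shows the file's convention (`# 8118 is for privoxy`). Labeling 8009 as http_port_t means every domain allowed the http port can also bind or connect to it, so the reason belongs next to the change; suggest `# 8009 is AJP13 (Tomcat connector)` after the http line and `# 9100-9102 are JetDirect raw printing; 1782/8292/92xx are HP device/discovery ports` after the hplip line, with the latter part hedged until confirmed against the hplip documentation. The second hunk's `network_port(traceroute, udp,64000-64010,s0)` would likewise benefit from a comment tying the range to whichever traceroute implementation binds it.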
diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te index 8c6ea33..c58cb7b 100644 --- a/refpolicy/policy/modules/kernel/domain.te +++ b/refpolicy/policy/modules/kernel/domain.te @@ -109,6 +109,10 @@ tunable_policy(`global_ssp',` dev_read_urand(domain) ') +optional_policy(` + setrans_translate_context(domain) +') + ######################################## # # Unconfined access to this module diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te index 947082f..6a362d6 100644 --- a/refpolicy/policy/modules/kernel/files.te +++ b/refpolicy/policy/modules/kernel/files.te @@ -181,6 +181,10 @@ allow file_type self:filesystem associate; fs_associate(file_type) fs_associate_noxattr(file_type) +ifdef(`targeted_policy', ` + fs_associate_tmpfs(file_type) +') + ######################################## # # Rules for all tmp file types diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 07df538..47edcf8 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -1409,7 +1409,7 @@ interface(`kernel_read_kernel_sysctls',` type proc_t, sysctl_t, sysctl_kernel_t; ') - allow $1 proc_t:dir search; + allow $1 proc_t:dir search_dir_perms; allow $1 sysctl_t:dir r_dir_perms; allow $1 sysctl_kernel_t:dir r_dir_perms; allow $1 sysctl_kernel_t:file r_file_perms; diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te index 7638c0c..f2ea7e1 100644 --- a/refpolicy/policy/modules/kernel/mls.te +++ b/refpolicy/policy/modules/kernel/mls.te @@ -57,9 +57,11 @@ attribute mlsrangetrans; # type lvm_exec_t; +type setrans_exec_t; ifdef(`enable_mls',` range_transition initrc_t auditd_exec_t s15:c0.c255; range_transition kernel_t init_exec_t s0 - s15:c0.c255; range_transition kernel_t lvm_exec_t s0 - s15:c0.c255; +range_transition initrc_t setrans_exec_t s15:c0.c255; ') 
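Review bot: `setrans_translate_context(domain)` in the domain.te hunk applies an interface that, per the setrans.if hunk later in this commit, also contains `allow $1 self:unix_stream_socket create_stream_socket_perms;` and `files_list_pids($1)`; invoked on the `domain` attribute those two rules are handed to every domain on the system, which is wider than the translation need and silently changes what confined domains can do. Either move the self-socket and pid-listing rules out of the interface into the callers that actually lack them, or keep the call but document the widening with `# NOTE: grants self unix_stream_socket create perms and /var/run listing to all domains` so the next reviewer does not have to rediscover it. The same concern applies to the setrans.if hunk where the interface is defined.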
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index 710c28b..3184194 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -427,11 +427,6 @@ optional_policy(` yam_read_content(httpd_t) ') -ifdef(`TODO',` -can_tcp_connect(web_client_domain, httpd_t) - -') dnl end TODO - ######################################## # # Apache helper local policy @@ -668,6 +663,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + clamav_domtrans_clamscan(httpd_sys_script_t) +') + +optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) ') diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index e6b6496..2cac58b 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -222,6 +222,8 @@ ifdef(`targeted_policy',` optional_policy(` xserver_stream_connect_xdm(bluetooth_helper_t) + xserver_use_xdm_fds(bluetooth_helper_t) + xserver_rw_xdm_pipes(bluetooth_helper_t) ') ') diff --git a/refpolicy/policy/modules/services/clamav.fc b/refpolicy/policy/modules/services/clamav.fc index c4ec71e..4640ac6 100644 --- a/refpolicy/policy/modules/services/clamav.fc +++ b/refpolicy/policy/modules/services/clamav.fc @@ -1,5 +1,8 @@ /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) + +/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) +/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) diff --git a/refpolicy/policy/modules/services/clamav.if b/refpolicy/policy/modules/services/clamav.if index aef1c03..dfb0dd0 100644 --- a/refpolicy/policy/modules/services/clamav.if +++ b/refpolicy/policy/modules/services/clamav.if 
@@ -61,3 +61,26 @@ interface(`clamav_read_config',` files_search_etc($1) allow $1 clamd_etc_t:file r_file_perms; ') + +######################################## +## +## Execute a domain transition to run clamscan. +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_domtrans_clamscan',` + gen_require(` + type clamscan_t, clamscan_exec_t; + ') + + domain_auto_trans($1,clamscan_exec_t,clamscan_t) + + allow clamscan_t $1:fd use; + allow clamscan_t $1:fifo_file rw_file_perms; + allow clamscan_t $1:process sigchld; +') + diff --git a/refpolicy/policy/modules/services/clamav.te b/refpolicy/policy/modules/services/clamav.te index 3c68646..03a916b 100644 --- a/refpolicy/policy/modules/services/clamav.te +++ b/refpolicy/policy/modules/services/clamav.te @@ -35,6 +35,10 @@ files_type(clamd_var_lib_t) type clamd_var_run_t; files_pid_file(clamd_var_run_t) +type clamscan_t; +type clamscan_exec_t; +init_daemon_domain(clamscan_t, clamscan_exec_t) + type freshclam_t; type freshclam_exec_t; init_daemon_domain(freshclam_t, freshclam_exec_t) 
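Review bot: `init_daemon_domain(clamscan_t, clamscan_exec_t)` in the clamav.te hunk declares clamscan as an init-started daemon, yet the only entry path this commit adds is `clamav_domtrans_clamscan` from httpd_sys_script_t, and clamscan/clamdscan (per the clamav.fc hunk) are command-line scanners. If clamscan is never launched by init scripts, the narrower `domain_type(clamscan_t)` plus `domain_entry_file(clamscan_t,clamscan_exec_t)` would avoid granting the daemon-style init/initrc transitions and fd/pty rules that come bundled with init_daemon_domain; confirm against how the package is actually invoked before changing it.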
@@ -193,3 +197,42 @@ clamav_stream_connect(freshclam_t) cron_use_fds(freshclam_t) cron_use_system_job_fds(freshclam_t) cron_rw_pipes(freshclam_t) + +######################################## +# +# clamscam local policy +# + +allow clamscan_t self:capability { setgid setuid dac_override }; +allow clamscan_t self:fifo_file rw_file_perms; +allow clamscan_t self:unix_stream_socket create_stream_socket_perms; +allow clamscan_t self:unix_dgram_socket create_socket_perms; +allow clamscan_t self:tcp_socket { listen accept }; + +# configuration files +allow clamscan_t clamd_etc_t:dir r_dir_perms; +allow clamscan_t clamd_etc_t:file r_file_perms; +allow clamscan_t clamd_etc_t:lnk_file { getattr read }; + +# var/lib files together with clamd +allow clamscan_t clamd_var_lib_t:file r_file_perms; +allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms; +allow clamscan_t clamd_var_lib_t:dir r_dir_perms; + +kernel_read_kernel_sysctls(clamscan_t) + +files_read_etc_files(clamscan_t) +files_read_etc_runtime_files(clamscan_t) +files_search_var_lib(clamscan_t) + +libs_use_ld_so(clamscan_t) +libs_use_shared_libs(clamscan_t) + +miscfiles_read_localization(clamscan_t) +miscfiles_read_public_files(clamscan_t) + +clamav_stream_connect(clamscan_t) + +optional_policy(` + apache_read_sys_content(clamscan_t) +') diff --git a/refpolicy/policy/modules/services/cvs.if b/refpolicy/policy/modules/services/cvs.if index bdb19b4..380a139 100644 --- a/refpolicy/policy/modules/services/cvs.if +++ b/refpolicy/policy/modules/services/cvs.if @@ -17,3 +17,23 @@ interface(`cvs_read_data',` allow $1 cvs_data_t:file { getattr read }; ') + +######################################## +## +## Allow the specified domain to execute cvs +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`cvs_exec',` + gen_require(` + type cvs_exec_t; + ') + + can_exec($1,cvs_exec_t) +') + 
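Review bot: `allow clamscan_t self:tcp_socket { listen accept };` in the clamscan local policy grants listen/accept on a TCP socket the domain is given no permission to create or bind, which only makes sense for an inherited socket and reads like an audit2allow artifact; either drop it or add a comment naming the caller that passes the socket in. In the same block `dac_override` lets the scanner bypass DAC on every file it is otherwise allowed to reach, so a why-comment (or `dac_read_search` alone, if read access to mail spools is all that is needed) would be appropriate; also the section header reads `# clamscam local policy` and should be `# clamscan local policy`. The cvs.if hunk's `cvs_exec` omits the `corecmd_search_bin($1)` that the sibling `pyzor_exec` and `inn_domtrans` interfaces in this commit call before `can_exec`, so callers may fail to reach the binary.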
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te index 9ef28df..f932ad0 100644 --- a/refpolicy/policy/modules/services/dovecot.te +++ b/refpolicy/policy/modules/services/dovecot.te @@ -98,6 +98,9 @@ files_read_etc_files(dovecot_t) files_search_spool(dovecot_t) files_search_tmp(dovecot_t) files_dontaudit_list_default(dovecot_t) +# Dovecot now has quota support and it uses getmntent() to find the mountpoints. +files_read_etc_runtime_files(dovecot_t) +files_getattr_all_mountpoints(dovecot_t) init_use_fds(dovecot_t) init_use_script_ptys(dovecot_t) diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index eb8bdee..fd59766 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te @@ -143,6 +143,8 @@ tunable_policy(`allow_ftpd_anon_write',` ') tunable_policy(`ftp_home_dir',` + allow ftpd_t self:capability { dac_override dac_read_search }; + # allow access to /home files_list_home(ftpd_t) userdom_read_all_users_home_content_files(ftpd_t) diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index dfd67d4..dc4af08 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -51,9 +51,6 @@ kernel_read_fs_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) kernel_write_proc_files(hald_t) -files_search_boot(hald_t) -files_getattr_home_dir(hald_t) - auth_read_pam_console_data(hald_t) corecmd_exec_all_executables(hald_t) @@ -95,7 +92,7 @@ files_search_var_lib(hald_t) files_read_usr_files(hald_t) # hal is now execing pm-suspend files_create_boot_flag(hald_t) -files_getattr_default_dirs(hald_t) +files_getattr_all_dirs(hald_t) fs_getattr_all_fs(hald_t) fs_search_all(hald_t) 
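Review bot: `allow ftpd_t self:capability { dac_override dac_read_search };` inside the `ftp_home_dir` tunable block of the ftp.te hunk gives ftpd_t a domain-wide DAC bypass whenever the boolean is on: the MAC rules still bound it, but within them the daemon can then read, write and traverse regardless of Unix permissions, which is broader than the home-directory access the tunable's name suggests. If the need is only to enter and read home trees that are not world-accessible, `dac_read_search` alone covers that and `dac_override` can be dropped; otherwise a comment stating which operation needs the write-side override should accompany the rule. The tunable_policy block starts outside the hunk.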
@@ -154,7 +151,6 @@ ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_ttys(hald_t) term_dontaudit_use_generic_ptys(hald_t) files_dontaudit_read_root_files(hald_t) - files_dontaudit_getattr_home_dir(hald_t) ') optional_policy(` @@ -164,10 +160,6 @@ optional_policy(` ') optional_policy(` - automount_dontaudit_getattr_tmp_dirs(hald_t) -') - -optional_policy(` bind_search_cache(hald_t) ') diff --git a/refpolicy/policy/modules/services/inn.if b/refpolicy/policy/modules/services/inn.if index 56cf211..39ce526 100644 --- a/refpolicy/policy/modules/services/inn.if +++ b/refpolicy/policy/modules/services/inn.if @@ -16,7 +16,7 @@ interface(`inn_exec',` type innd_t; ') - can_exec($1,innd_t) + can_exec($1,innd_exec_t) ') ######################################## @@ -156,3 +156,28 @@ interface(`inn_dgram_send',` allow $1 innd_t:unix_dgram_socket sendto; ') + + +######################################## +## +## Execute inn in the inn domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`inn_domtrans',` + gen_require(` + type innd_t, innd_exec_t; + ') + + corecmd_search_bin($1) + domain_auto_trans($1,innd_exec_t,innd_t) + + allow innd_t $1:fd use; + allow innd_t $1:fifo_file rw_file_perms; + allow innd_t $1:process sigchld; +') + diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index 98cbbc7..8f7938c 100644 --- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te @@ -87,6 +87,7 @@ corenet_tcp_bind_generic_port(ypbind_t) corenet_udp_bind_generic_port(ypbind_t) corenet_tcp_bind_reserved_port(ypbind_t) corenet_udp_bind_reserved_port(ypbind_t) +corenet_tcp_bind_all_rpc_ports(ypbind_t) corenet_tcp_connect_all_ports(ypbind_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te index d602f4d..760926f 100644 
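Review bot: The first inn.if hunk changes `can_exec($1,innd_t)` to `can_exec($1,innd_exec_t)` but the visible `gen_require` in `inn_exec` still declares only `type innd_t;`, so innd_exec_t is referenced without being required and the interface will fail to link from another module while innd_t is now unused. Change the require to `type innd_exec_t;`. The second hunk's `inn_domtrans` already requires both types and is fine.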
--- a/refpolicy/policy/modules/services/postgresql.te +++ b/refpolicy/policy/modules/services/postgresql.te @@ -32,6 +32,7 @@ files_pid_file(postgresql_var_run_t) # postgresql Local policy # allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin }; +dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; allow postgresql_t self:process signal_perms; allow postgresql_t self:fifo_file { getattr read write ioctl }; allow postgresql_t self:file { getattr read }; @@ -41,7 +42,7 @@ allow postgresql_t self:tcp_socket create_stream_socket_perms; allow postgresql_t self:udp_socket create_stream_socket_perms; allow postgresql_t self:unix_dgram_socket create_socket_perms; allow postgresql_t self:unix_stream_socket create_stream_socket_perms; -dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; +allow postgresql_t self:netlink_route_socket r_netlink_socket_perms; allow postgresql_t postgresql_db_t:dir create_dir_perms; allow postgresql_t postgresql_db_t:fifo_file create_file_perms; diff --git a/refpolicy/policy/modules/services/pyzor.if b/refpolicy/policy/modules/services/pyzor.if index 9d38ba1..ef23b07 100644 --- a/refpolicy/policy/modules/services/pyzor.if +++ b/refpolicy/policy/modules/services/pyzor.if @@ -44,3 +44,37 @@ interface(`pyzor_exec',` corecmd_search_bin($1) can_exec($1,pyzor_exec_t) ') + +####################################### +## +## The per user domain template for the pyzor module. +## +## +##
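Review bot: The new `dontaudit postgresql_t self:capability { sys_tty_config sys_admin };` sits directly under an `allow postgresql_t self:capability { ... sys_tty_config sys_admin };` that still grants both capabilities, so the dontaudit never fires and the hunk pair merely relocates a dead rule. If postgresql only probes these capabilities, remove them from the allow line so the dontaudit does its job and the domain loses an unneeded sys_admin; if it genuinely needs them, drop the dontaudit instead.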

+## This template allows pyzor to manage files in +## a user home directory, creating files with the +## correct type. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +# +template(`pyzor_per_userdomain_template',` + type $1_pyzor_home_t; + userdom_user_home_content($1,$1_pyzor_home_t) + + allow pyzord_t $1_pyzor_home_t:dir create_dir_perms; + allow pyzord_t $1_pyzor_home_t:file create_file_perms; + allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms; + userdom_search_user_home_dirs($1,pyzord_t) + userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file }) +') diff --git a/refpolicy/policy/modules/services/pyzor.te b/refpolicy/policy/modules/services/pyzor.te index 72f9ffa..ab12af3 100644 --- a/refpolicy/policy/modules/services/pyzor.te +++ b/refpolicy/policy/modules/services/pyzor.te @@ -99,8 +99,6 @@ libs_use_shared_libs(pyzord_t) miscfiles_read_localization(pyzord_t) -# only works until we define a different type for maildir -userdom_priveleged_home_dir_manager(pyzord_t) # Do not audit attempts to access /root. userdom_dontaudit_search_sysadm_home_dirs(pyzord_t) userdom_dontaudit_search_staff_home_dirs(pyzord_t) diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te index 1f55f3f..9c03855 100644 --- a/refpolicy/policy/modules/services/rpc.te +++ b/refpolicy/policy/modules/services/rpc.te @@ -83,7 +83,7 @@ optional_policy(` # NFSD local policy # -allow nfsd_t self:capability { sys_admin sys_resource }; +allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms; diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index fb9b239..69b76a4 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te 
@@ -73,6 +73,7 @@ ifdef(`targeted_policy',` ifdef(`strict_policy',` # so a tunnel can point to another ssh tunnel allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom }; + allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t sshd_tmp_t:dir create_dir_perms; allow sshd_t sshd_tmp_t:file create_file_perms; diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if index f8df806..f807733 100644 --- a/refpolicy/policy/modules/services/xserver.if +++ b/refpolicy/policy/modules/services/xserver.if @@ -749,6 +749,42 @@ interface(`xserver_rw_console',` ######################################## ## +## Use file descriptors for xdm. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_use_xdm_fds',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:fd use; +') + +######################################## +## +## Read and write XDM unnamed pipes. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`xserver_rw_xdm_pipes',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:fifo_file { getattr read write }; +') + +######################################## +## ## Connect to XDM over a unix domain ## stream socket. ## diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 3b83771..4bf2db6 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if 
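Review bot: The two new xserver.if interfaces describe the same `$1` parameter differently — `xserver_use_xdm_fds` says `Domain allowed access.` while `xserver_rw_xdm_pipes` says `The type of the process performing this action.` — and `xserver_rw_xdm_pipes` spells out `{ getattr read write }` where sibling interfaces in this commit (`clamav_domtrans_clamscan`, `inn_domtrans`) use `rw_file_perms` for the same fifo access. Use `Domain allowed access.` in both and either use the permission set or keep the explicit list with a comment explaining why ioctl/append are deliberately excluded.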
@@ -772,6 +772,25 @@ interface(`init_stream_connect_script',` ######################################## ## +## Allow the specified domain to read/write to +## init scripts with a unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_rw_script_stream_sockets',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:unix_stream_socket { read write }; +') + +######################################## +## ## Dont audit the specified domain connecting to ## init scripts with a unix domain stream socket. ## diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc index 55ef8f4..6b9c982 100644 --- a/refpolicy/policy/modules/system/libraries.fc +++ b/refpolicy/policy/modules/system/libraries.fc @@ -40,6 +40,8 @@ ifdef(`distro_redhat',` /opt/(.*/)?lib64/.*\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0) /opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ifdef(`distro_gentoo',` /opt/netscape/plugins/libflashplayer.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -55,6 +57,7 @@ ifdef(`distro_gentoo',` # /usr # /usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(.*/)?/RealPlayer/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.*\.jar -- gen_context(system_u:object_r:shlib_t,s0) 
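Review bot: The summary of `init_rw_script_stream_sockets` reads `Allow the specified domain to read/write to init scripts with a unix domain stream sockets.`, which is ungrammatical and does not say what the rule grants; suggest `Read and write unix domain stream sockets owned by init scripts.`, matching the terse style of the neighbouring `init_stream_connect_script` summary.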
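Review bot: In the first libraries.fc hunk the new `/opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)*` leaves the dot in `.so` unescaped, unlike every neighbouring entry (`\.so`), so the regex also matches names such as `libfoo_so` or `barXso`; since it assigns textrel_shlib_t, which permits execmod, the pattern should be as tight as the others: `/opt/netbeans(.*/)?jdk.*/linux/.*\.so(\.[^/]*)*`.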
@@ -73,6 +76,7 @@ ifdef(`distro_gentoo',` /usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libxul.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ati-fglrx/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -81,9 +85,9 @@ ifdef(`distro_gentoo',` /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) /usr/(local/)?lib(64)?/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -121,6 +125,7 @@ ifdef(`distro_redhat',` /usr/lib(64)?/helix/codecs/colorcvt\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/cvt1\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/modules/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -172,9 +177,9 @@ ifdef(`distro_redhat',` # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libavformat-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libavcodec-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libavutil-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xine/plugins/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -183,6 +188,7 @@ ifdef(`distro_redhat',` # Flash plugin, Macromedia HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -197,8 +203,11 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 05f05b1..32bf657 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if 
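Review bot: The new `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(...textrel_shlib_t...)` uses shell-glob syntax in what is a regex anchored at both ends: `/*` means "zero or more slashes", so the entry matches only a regular file literally named `sidecars` and never the libraries inside that directory, which is presumably what was meant. Use `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/[^/]*\.so(\.[^/]*)*` (or `sidecars/.*` if everything there needs execmod) so the textrel_shlib_t label lands on the intended files and nothing broader.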
@@ -98,6 +98,98 @@ interface(`logging_run_auditctl',` ######################################## ## +## Execute auditd in the auditd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_domtrans_auditd',` + gen_require(` + type auditd_t, auditd_exec_t; + ') + + domain_auto_trans($1,auditd_exec_t,auditd_t) + + allow auditd_t $1:fd use; + allow auditd_t $1:fifo_file rw_file_perms; + allow auditd_t $1:process sigchld; +') + +######################################## +## +## Execute auditd in the auditd domain, and +## allow the specified role the auditd domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the auditd domain. +## +## +## +## +## The type of the terminal allow the auditd domain to use. +## +## +# +interface(`logging_run_auditd',` + gen_require(` + type auditd_t; + ') + + logging_domtrans_auditd($1) + role $2 types auditd_t; + allow auditd_t $3:chr_file rw_term_perms; +') + +######################################## +## +## Manage the auditd configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_manage_audit_config',` + gen_require(` + type auditd_etc_t; + ') + + files_search_etc($1) + allow $1 auditd_etc_t:file create_file_perms; +') + +######################################## +## +## Manage the audit log. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_manage_audit_log',` + gen_require(` + type auditd_log_t; + ') + + files_search_var($1) + allow $1 auditd_log_t:dir create_dir_perms; + allow $1 auditd_log_t:file create_file_perms; +') + +######################################## +## ## Execute syslogd in the syslog domain. ## ## diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 367a4bd..1d4060d 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te 
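Review bot: `logging_manage_audit_log` pairs `files_search_var($1)` with `create_dir_perms`/`create_file_perms` on auditd_log_t, but the audit log lives below /var/log, so callers still lack search on the intermediate log directory unless they obtain it elsewhere; `logging_search_logs($1)` in place of (or in addition to) `files_search_var($1)` would make the interface self-sufficient — confirm against this tree's file contexts. Both `logging_manage_audit_config` and `logging_manage_audit_log` hand out full write/unlink on audit rules and audit records, so their summaries should say so explicitly, e.g. `Create, read, write and delete the auditd configuration (allows changing audit rules).` and `Create, read, write and delete audit log files (allows removing audit records).`, so a caller cannot mistake them for read interfaces.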
@@ -72,6 +72,10 @@ allow auditctl_t etc_t:file { getattr read }; allow auditctl_t auditd_etc_t:file r_file_perms; +# Needed for adding watches +files_getattr_all_dirs(auditctl_t) +files_read_etc_files(auditctl_t) + kernel_read_kernel_sysctls(auditctl_t) kernel_read_proc_symlinks(auditctl_t) diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 779b2e6..e430ceb 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -110,6 +110,13 @@ ifdef(`distro_redhat',` ') ') +ifdef(`targeted_policy',` + tunable_policy(`allow_mount_anyfile',` + auth_read_all_dirs_except_shadow(mount_t) + auth_read_all_files_except_shadow(mount_t) + ') +') + optional_policy(` # for nfs corenet_non_ipsec_sendrecv(mount_t) diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 84fe30e..cd2d18a 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -551,6 +551,8 @@ libs_use_ld_so(semanage_t) libs_use_shared_libs(semanage_t) libs_use_lib_files(semanage_t) +miscfiles_read_localization(semanage_t) + seutil_search_default_contexts(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_selinux_config(semanage_t) @@ -563,6 +565,12 @@ seutil_manage_module_store(semanage_t) seutil_get_semanage_trans_lock(semanage_t) seutil_get_semanage_read_lock(semanage_t) +ifdef(`targeted_policy',` +# Handle pp files created in homedir and /tmp + files_read_generic_tmp_files(semanage_t) + userdom_read_generic_user_home_content_files(semanage_t) +') + optional_policy(` nscd_socket_use(semanage_t) ') diff --git a/refpolicy/policy/modules/system/setrans.fc b/refpolicy/policy/modules/system/setrans.fc new file mode 100644 index 0000000..71c374f --- /dev/null +++ b/refpolicy/policy/modules/system/setrans.fc 
@@ -0,0 +1,3 @@ +/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) + +/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255) diff --git a/refpolicy/policy/modules/system/setrans.if b/refpolicy/policy/modules/system/setrans.if new file mode 100644 index 0000000..9547503 --- /dev/null +++ b/refpolicy/policy/modules/system/setrans.if @@ -0,0 +1,25 @@ +## SELinux MLS/MCS label translation service. + +####################################### +## +## Allow a domain to translate contexts. +## +## +## +## Domain allowed access. +## +## +# +interface(`setrans_translate_context',` + gen_require(` + type setrans_t, setrans_var_run_t; + ') + + allow $1 self:unix_stream_socket create_stream_socket_perms; + + allow $1 setrans_t:unix_stream_socket connectto; + allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms; + allow $1 setrans_var_run_t:sock_file rw_file_perms; + allow $1 setrans_var_run_t:dir search_dir_perms; + files_list_pids($1) +') diff --git a/refpolicy/policy/modules/system/setrans.te b/refpolicy/policy/modules/system/setrans.te new file mode 100644 index 0000000..3a7700f --- /dev/null +++ b/refpolicy/policy/modules/system/setrans.te 
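Review bot: `allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;` in `setrans_translate_context` targets a socket object with a file type; unix stream sockets take the creating process's domain (setrans_t, which the preceding `connectto` rule already covers), and the on-disk socket node is the `setrans_var_run_t:sock_file` rule, so this line appears to be dead unless a socket is explicitly relabeled to that type — drop it or add a comment explaining the case it serves. Also, `files_list_pids($1)` grants listing of all of /var/run where `setrans_var_run_t:dir search_dir_perms` plus a search on the pid directory would suffice; `files_search_pids($1)` is the narrower choice if it exists in this tree.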
@@ -0,0 +1,68 @@
+
+policy_module(setrans,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type setrans_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type setrans_exec_t;
+')
+init_daemon_domain(setrans_t, setrans_exec_t)
+
+type setrans_var_run_t;
+files_pid_file(setrans_var_run_t)
+mls_trusted_object(setrans_var_run_t)
+
+########################################
+#
+# setrans local policy
+#
+
+allow setrans_t self:process { setcap signal_perms };
+allow setrans_t self:unix_stream_socket create_stream_socket_perms;
+allow setrans_t self:unix_dgram_socket create_socket_perms;
+allow setrans_t self:netlink_selinux_socket create_socket_perms;
+
+can_exec(setrans_t, setrans_exec_t)
+corecmd_search_sbin(setrans_t)
+
+# create unix domain socket in /var
+allow setrans_t setrans_var_run_t:sock_file manage_file_perms;
+allow setrans_t setrans_var_run_t:file manage_file_perms;
+allow setrans_t setrans_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(setrans_t,setrans_var_run_t,file)
+
+kernel_read_kernel_sysctls(setrans_t)
+kernel_read_proc_symlinks(setrans_t)
+
+# allow performing getpidcon() on all processes
+domain_read_all_domains_state(setrans_t)
+domain_getattr_all_domains(setrans_t)
+domain_getsession_all_domains(setrans_t)
+
+files_read_etc_runtime_files(setrans_t)
+
+mls_file_read_up(setrans_t)
+mls_file_write_down(setrans_t)
+mls_net_receive_all_levels(setrans_t)
+mls_rangetrans_target(setrans_t)
+
+selinux_compute_access_vector(setrans_t)
+
+term_dontaudit_use_generic_ptys(setrans_t)
+
+init_use_fds(setrans_t)
+
+libs_use_ld_so(setrans_t)
+libs_use_shared_libs(setrans_t)
+
+logging_send_syslog_msg(setrans_t)
+
+miscfiles_read_localization(setrans_t)
+
+seutil_read_config(setrans_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 757d842..4260837 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
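Review bot: `files_pid_filetrans(setrans_t,setrans_var_run_t,file)` only labels files created directly under /var/run, while the fc entry for this module labels the whole `/var/run/setrans` directory tree; if mcstransd creates that directory at runtime it will inherit the generic pid type and the socket placed inside it will not match `setrans_var_run_t`, silently breaking the translate interface that depends on that type. If the daemon does create the directory, add `files_pid_filetrans(setrans_t,setrans_var_run_t,dir)` and add `create` to the `setrans_var_run_t:dir` permissions; if the directory is shipped by the package instead, a comment next to `# create unix domain socket in /var` saying so would settle the question. The `mls_file_read_up`/`mls_file_write_down`/`mls_net_receive_all_levels` overrides also deserve a one-line comment tying them to the translation daemon's need to serve clients at every level.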
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -291,6 +291,8 @@ kernel_rw_net_sysctls(ifconfig_t)
 corenet_rw_tun_tap_dev(ifconfig_t)
 dev_read_sysfs(ifconfig_t)
+# for IPSEC setup:
+dev_read_urand(ifconfig_t)
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index ded1e2d..97e99db 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -431,3 +431,23 @@ interface(`unconfined_alias_domain',`
 		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
 	')
 ')
+
+########################################
+## 
+## Connect to the the unconfined DBUS
+## for service (acquire_svc).
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`unconfined_dbus_connect',`
+	gen_require(`
+		type unconfined_t;
+		class dbus acquire_svc;
+	')
+
+	allow $1 unconfined_t:dbus acquire_svc;
+')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index f522e14..ca1438f 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -99,6 +99,10 @@ ifdef(`targeted_policy',`
 	')
 	optional_policy(`
+		inn_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
 		java_domtrans(unconfined_t)
 	')
@@ -115,6 +119,10 @@ ifdef(`targeted_policy',`
 	')
 	optional_policy(`
+		prelink_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
 		portmap_domtrans_helper(unconfined_t)
 	')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 0924795..41b44eb 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
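Review bot: The new `unconfined_dbus_connect` interface grants `acquire_svc` on `unconfined_t:dbus`, i.e. the right to claim a service name on a bus daemon running as unconfined_t, not to connect to it or exchange messages, so neither the name nor the summary `Connect to the the unconfined DBUS for service (acquire_svc).` (note the doubled `the`) describes what is allowed. Reword the summary to `Acquire a service name on a DBUS running as unconfined_t.` and consider a name that reflects the permission, since a caller reading `connect` will expect message delivery and get a different denial. Any domain given this interface can register arbitrary well-known names on that bus; that is presumably acceptable in the targeted configuration, but the interface description should say so.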
@@ -4264,6 +4264,27 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
 ########################################
 ## 
+## Read files in generic user home directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`userdom_read_generic_user_home_content_files',`
+	gen_require(`
+		type user_home_t, user_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_t:dir r_dir_perms;
+	allow $1 user_home_t:file r_file_perms;
+')
+
+########################################
+## 
 ## Create, read, write, and delete files
 ## in generic user home directories.
 ## 
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 1829821..5cda678 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -106,7 +106,6 @@ ifdef(`targeted_policy',`
 ifdef(`enable_mls',`
 	allow secadm_r system_r;
 	allow secadm_r user_r;
-	allow user_r secadm_r;
 	allow staff_r secadm_r;
 ')
@@ -130,6 +129,7 @@ ifdef(`targeted_policy',`
 	admin_user_template(secadm)
 	role_change(staff,secadm)
 	role_change(sysadm,secadm)
+	role_change(secadm,sysadm)
 ')
 # this should be tunable_policy, but
@@ -240,6 +240,10 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`
+	cvs_exec(sysadm_t)
+')
+
+optional_policy(`
 	consoletype_exec(sysadm_t)
 	ifdef(`enable_mls',`
@@ -385,6 +389,10 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`
+	rsync_exec(sysadm_t)
+')
+
+optional_policy(`
 	samba_run_net(sysadm_t,sysadm_r,admin_terminal)
 	samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
 ')
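Review bot: `userdom_read_generic_user_home_content_files` grants `r_dir_perms` (which includes listing) on `user_home_t` although the interface is named and documented as reading files; if callers such as semanage_t only need to open a file by a path they already know, `search_dir_perms` on the content directories matches the name and keeps enumeration of user home contents out of the grant. If listing is intentional because the caller does not know the paths in advance, the description should say so rather than leaving the wider permission implicit.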
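Review bot: `role_change(secadm,sysadm)`, together with the existing `role_change(sysadm,secadm)` immediately above it, makes the two administrative roles mutually reachable, which undoes much of the separation between security administration and system administration that a distinct secadm role exists to provide, even as the first hunk of this file tightens the MLS role allows by dropping `allow user_r secadm_r;`. If letting a security administrator drop back into sysadm_r is intended for the non-MLS configuration, a comment such as `# secadm may return to sysadm_r; not appropriate where the two roles are meant to be separated` keeps the decision visible, and the MLS-enabled configuration may want only the one-way transition. The enclosing block begins outside the hunk.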