diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index a99f6e9..ee8e830 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -135,6 +135,7 @@ files_etc_filetrans_etc_runtime(bootloader_t, file) files_dontaudit_search_home(bootloader_t) +init_read_state(bootloader_t) init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) init_use_script_fds(bootloader_t) diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index 17357e5..bb4a6f0 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -34,6 +34,7 @@ kernel_dontaudit_write_kernel_sysctl(dmesg_t) dev_read_sysfs(dmesg_t) dev_read_kmsg(dmesg_t) +dev_read_raw_memory(dmesg_t) fs_search_auto_mountpoints(dmesg_t) @@ -51,6 +52,8 @@ init_use_script_ptys(dmesg_t) logging_send_syslog_msg(dmesg_t) logging_write_generic_logs(dmesg_t) +miscfiles_read_hwdata(dmesg_t) + userdom_dontaudit_use_unpriv_user_fds(dmesg_t) userdom_use_inherited_user_terminals(dmesg_t) diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index fc6d1d3..612503a 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -35,6 +35,7 @@ allow sudodomain self:unix_stream_socket create_stream_socket_perms; allow sudodomain self:unix_dgram_socket sendto; allow sudodomain self:unix_stream_socket connectto; allow sudodomain self:key manage_key_perms; +allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms; kernel_getattr_core_if(sudodomain) kernel_link_key(sudodomain) @@ -97,6 +98,10 @@ userdom_search_user_home_content(sudodomain) userdom_search_admin_dir(sudodomain) userdom_manage_all_users_keys(sudodomain) +tunable_policy(`authlogin_yubikey',` + auth_manage_home_content(sudodomain) +') + optional_policy(` dbus_system_bus_client(sudodomain) ') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 72e1a41..26e21b2 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -272,7 +272,7 @@ network_port(pulseaudio, tcp,4713,s0, udp,4713,s0) network_port(puppet, tcp, 8140, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) -network_port(neutron, tcp,9696,s0) +network_port(neutron, tcp,9696,s0, tcp,9697,s0) network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) @@ -312,6 +312,7 @@ network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) network_port(svrloc, tcp,427,s0, udp,427,s0) network_port(swat, tcp,901,s0) +network_port(swift, tcp,6200-6203,s0) network_port(sype_transport, tcp,9911,s0, udp,9911,s0) network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0) network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) @@ -326,6 +327,7 @@ network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) +network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index fb27ae5..d86836b 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -5532,6 +5532,24 @@ interface(`dev_rw_xserver_misc',` ######################################## ## +## Dontaudit attempts to Read and write X server miscellaneous devices. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_leaked_xserver_misc',` + gen_require(` + type xserver_misc_device_t; + ') + + dontaudit $1 xserver_misc_device_t:chr_file { read write }; +') + +######################################## +## ## Read and write X server miscellaneous devices. ## ## diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 64d9761..269db99 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -137,9 +137,10 @@ term_use_controlling_term(domain) # list the root directory files_list_root(domain) -# allow all domains to search through default_t directory, since users sometimes -# place labels within these directories. (samba_share_t) for example. -files_search_default(domain) +# allow all domains to search through base_file_type directory, since users +# sometimes place labels within these directories. (samba_share_t) for example. +files_search_base_file_types(domain) + files_read_inherited_tmp_files(domain) files_append_inherited_tmp_files(domain) files_read_all_base_ro_files(domain) @@ -148,6 +149,10 @@ files_dontaduit_getattr_kernel_symbol_table(domain) # All executables should be able to search the directory they are in corecmd_search_bin(domain) +optional_policy(` + userdom_search_admin_dir(domain) +') + tunable_policy(`domain_kernel_load_modules',` kernel_request_load_module(domain) ') @@ -419,6 +424,7 @@ optional_policy(` optional_policy(` sysnet_filetrans_named_content(named_filetrans_domain) + sysnet_filetrans_named_content_ifconfig(named_filetrans_domain) ') optional_policy(` @@ -429,6 +435,7 @@ optional_policy(` systemd_filetrans_named_content(named_filetrans_domain) systemd_filetrans_named_hostname(named_filetrans_domain) systemd_filetrans_home_content(named_filetrans_domain) + systemd_dontaudit_write_inherited_logind_sessions_pipes(domain) ') optional_policy(` diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 2dd815a..8a14ff2 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -982,6 +982,24 @@ interface(`files_relabel_non_security_files',` ######################################## ## +## Search all base file dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_search_base_file_types',` + gen_require(` + attribute base_file_type; + ') + + allow $1 base_file_type:dir search_dir_perms; +') + +######################################## +## ## Relabel all base file types. ## ## diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc index 924f856..7b26d12 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -21,5 +21,5 @@ HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) /usr/lib/udev/devices/hugepages/.* <> /usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) /usr/lib/udev/devices/shm/.* <> -/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) -/var/run/[^/]*/gvfs/.* <> +/var/run/user/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) +/var/run/user/[^/]*/gvfs/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 3270372..170e7da 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` ######################################## ## +## Dontaudit attempts to set the priority of kernel threads. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_dontaudit_setsched',` + gen_require(` + type kernel_t; + ') + + dontaudit $1 kernel_t:process setsched; +') + +######################################## +## ## Send a SIGCHLD signal to kernel threads. ## ## @@ -180,6 +198,24 @@ interface(`kernel_signal',` ######################################## ## +## Send signull to kernel threads. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_signull',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:process signull; +') + +######################################## +## ## Allows the kernel to share state information with ## the caller. ## diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index d6519a1..5a9d307 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -39,6 +39,9 @@ type ssh_keygen_t; type ssh_keygen_exec_t; init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) +type ssh_keygen_tmp_t; +files_tmp_file(ssh_keygen_tmp_t) + type sshd_keygen_t; type sshd_keygen_exec_t; init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t) @@ -468,6 +471,10 @@ manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) +manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t) +manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t) +files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir }) + kernel_read_system_state(ssh_keygen_t) kernel_read_kernel_sysctls(ssh_keygen_t) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index 36fbb93..ed25543 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,7 +1,7 @@ -HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) -/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) +/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) /root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) /root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index c74d0d5..42803b7 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -2232,6 +2232,26 @@ interface(`auth_read_home_content',` read_files_pattern($1, auth_home_t, auth_home_t) ') +######################################## +## +## Read the authorization data in the user home directory +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_manage_home_content',` + + gen_require(` + type auth_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, auth_home_t, auth_home_t) + manage_dirs_pattern($1, auth_home_t, auth_home_t) +') ######################################## ## diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 9b993c6..837948b 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -14,7 +14,7 @@ gen_tunable(authlogin_radius, false) ## ##

-## Allow users to login using a yubikey server +## Allow users to login using a yubikey OTP server or challenge response mode ##

## gen_tunable(authlogin_yubikey, false) @@ -455,9 +455,29 @@ sysnet_dns_name_resolve(nsswitch_domain) systemd_hostnamed_read_config(nsswitch_domain) + +tunable_policy(`authlogin_nsswitch_use_ldap',` + allow nsswitch_domain self:tcp_socket create_socket_perms; +') + +tunable_policy(`authlogin_nsswitch_use_ldap',` + corenet_tcp_sendrecv_generic_if(nsswitch_domain) + corenet_tcp_sendrecv_generic_node(nsswitch_domain) + corenet_tcp_sendrecv_ldap_port(nsswitch_domain) + corenet_tcp_connect_ldap_port(nsswitch_domain) + corenet_sendrecv_ldap_client_packets(nsswitch_domain) +') + +tunable_policy(`authlogin_nsswitch_use_ldap',` + # Support for LDAPS + dev_read_rand(nsswitch_domain) + # LDAP Configuration using encrypted requires + dev_read_urand(nsswitch_domain) + sysnet_read_config(nsswitch_domain) +') + tunable_policy(`authlogin_nsswitch_use_ldap',` miscfiles_read_generic_certs(nsswitch_domain) - sysnet_use_ldap(nsswitch_domain) ') optional_policy(` @@ -468,6 +488,7 @@ optional_policy(` optional_policy(` tunable_policy(`authlogin_nsswitch_use_ldap',` + ldap_read_certs(nsswitch_domain) ldap_stream_connect(nsswitch_domain) ') ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index c983546..d76c572 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -324,6 +324,7 @@ optional_policy(` optional_policy(` kdump_read_crash(init_t) + kdump_read_config(init_t) ') optional_policy(` @@ -484,6 +485,11 @@ ifdef(`distro_redhat',` optional_policy(` rpc_manage_nfs_state_data(init_t) ') + + optional_policy(` + sysnet_relabelfrom_dhcpc_state(init_t) + sysnet_setattr_dhcp_state(init_t) + ') ') optional_policy(` diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 7ca1e9e..5338f4d 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -93,6 +93,7 @@ allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) +filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets") allow ipsec_t ipsec_key_file_t:dir list_dir_perms; read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) @@ -339,6 +340,7 @@ userdom_use_inherited_user_terminals(ipsec_mgmt_t) optional_policy(` bind_read_dnssec_keys(ipsec_mgmt_t) bind_read_config(ipsec_mgmt_t) + bind_read_state(ipsec_mgmt_t) ') optional_policy(` diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 821e74c..50b1c3c 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -769,6 +769,26 @@ interface(`sysnet_search_dhcp_state',` allow $1 dhcp_state_t:dir search_dir_perms; ') +####################################### +## +## Set the attributes of network config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_setattr_dhcp_state',` + gen_require(` + type dhcp_state_t; + ') + + files_search_var_lib($1) + allow $1 dhcp_state_t:file setattr_file_perms; +') + + ######################################## ## ## Create DHCP state data. @@ -881,12 +901,14 @@ interface(`sysnet_use_ldap',` # Support for LDAPS dev_read_rand($1) + # LDAP Configuration using encrypted requires dev_read_urand($1) sysnet_read_config($1) - # LDAP Configuration using encrypted requires - dev_read_urand($1) + optional_policy(` + ldap_read_certs($1) + ') ') ######################################## diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 28f16ce..f94755e 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -320,6 +320,7 @@ allow ifconfig_t self:tcp_socket { create ioctl }; can_exec(ifconfig_t, ifconfig_exec_t) manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) +manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir }) allow ifconfig_t ifconfig_var_run_t:file mounton; @@ -346,6 +347,7 @@ dev_mount_sysfs_fs(ifconfig_t) dev_unmount_sysfs_fs(ifconfig_t) domain_use_interactive_fds(ifconfig_t) +domain_read_all_domains_state(ifconfig_t) read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) @@ -384,10 +386,15 @@ logging_send_syslog_msg(ifconfig_t) seutil_use_runinit_fds(ifconfig_t) sysnet_dns_name_resolve(ifconfig_t) +sysnet_filetrans_named_content_ifconfig(ifconfig_t) userdom_use_inherited_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) +optional_policy(` + hostname_exec(ifconfig_t) +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(ifconfig_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 8bca1d7..24b2af3 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -369,6 +369,24 @@ interface(`systemd_write_inherited_logind_sessions_pipes',` ###################################### ## +## Dontaudit attempts to write inherited logind sessions pipes. +## +## +## +## Domain to not audit. +## +## +# +interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',` + gen_require(` + type systemd_logind_sessions_t; + ') + + dontaudit $1 systemd_logind_sessions_t:fifo_file write; +') + +###################################### +## ## Write systemd inhibit pipes. ## ##