diff --git a/Changelog b/Changelog index 3fae533..fef189c 100644 --- a/Changelog +++ b/Changelog @@ -13,6 +13,7 @@ - Remove node definitions and change node usage to generic nodes. - Add kernel_service access vectors, from Stephen Smalley. - Added modules: + certmaster (Dan Walsh) git (Dan Walsh) guest (Dan Walsh) ifplugd (Dan Walsh) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 205b5f4..aa2e9dd 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork, 1.11.5) +policy_module(corenetwork, 1.11.6) ######################################## # @@ -79,6 +79,7 @@ network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict +network_port(certmaster, tcp,51235,s0) network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) @@ -145,6 +146,7 @@ network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tc network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) network_port(postgrey, tcp,60000,s0) +network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) diff --git a/policy/modules/services/certmaster.fc b/policy/modules/services/certmaster.fc new file mode 100644 index 0000000..914a184 --- /dev/null +++ b/policy/modules/services/certmaster.fc 
@@ -0,0 +1,7 @@
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
new file mode 100644
index 0000000..5198bc8
--- /dev/null
+++ b/policy/modules/services/certmaster.if
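Review bot: No file context is given for /var/lib/certmaster although certmaster.te declares certmaster_var_lib_t and relies on files_var_lib_filetrans to label it, so a restorecon or relabel resets that tree to var_lib_t and the daemon loses access to its own state. Add `/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0)` to this file. The `/var/run/certmaster.*` pattern has no anchoring dot and will also claim any unrelated /var/run entry sharing the prefix; once the actual pid and socket names are known it should be tightened to them.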
@@ -0,0 +1,126 @@
+## Certmaster SSL certificate distribution service
+
+########################################
+##
+## Execute a domain transition to run certmaster.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`certmaster_domtrans',`
+ gen_require(`
+ type certmaster_t, certmaster_exec_t;
+ ')
+
+ domtrans_pattern($1, certmaster_exec_t, certmaster_t)
+')
+
+#######################################
+##
+## read certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_read_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Append to certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_append_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_manage_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an snort environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the syslog domain.
+##
+##
+##
+#
+interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t;
+ type certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+ ps_process_pattern($1, certmaster_t)
+
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ miscfiles_manage_cert_dirs($1)
+ miscfiles_manage_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, certmaster_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, certmaster_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, certmaster_var_lib_t)
+')
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
new file mode 100644
index 0000000..d72a997
--- /dev/null
+++ b/policy/modules/services/certmaster.te
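Review bot: certmaster_admin grants the caller miscfiles_manage_cert_dirs and miscfiles_manage_cert_files, i.e. write access to every cert_t directory and file on the system, which is far wider than certmaster's own state and not what "administrate a certmaster environment" implies; the certificates this service owns should live in a certmaster-specific type that admin_pattern covers, and the generic cert_t management should be dropped from this interface. The documentation for certmaster_admin is a copy-paste leftover: the summary reads "an snort environment" and the role parameter "manage the syslog domain" — they should read `All of the rules required to administrate a certmaster environment` and `The role to be allowed to manage the certmaster domain`. The `read certmaster logs.` summary should also be capitalised like its siblings. No read-only interface is exposed for certmaster_etc_rw_t or certmaster_var_lib_t, which is fine if no other domain needs them, but worth confirming against the client side of certmaster.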
@@ -0,0 +1,72 @@
+
+policy_module(certmaster, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmaster_t;
+type certmaster_exec_t;
+init_daemon_domain(certmaster_t, certmaster_exec_t)
+
+type certmaster_initrc_exec_t;
+init_script_file(certmaster_initrc_exec_t)
+
+type certmaster_etc_rw_t;
+files_type(certmaster_etc_rw_t)
+
+type certmaster_var_lib_t;
+files_type(certmaster_var_lib_t)
+
+type certmaster_var_log_t;
+logging_log_file(certmaster_var_log_t)
+
+type certmaster_var_run_t;
+files_pid_file(certmaster_var_run_t)
+
+###########################################
+#
+# certmaster local policy
+#
+
+allow certmaster_t self:capability sys_tty_config;
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
+
+# config files
+list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+
+# var/lib files for certmaster
+manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+
+# log files
+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+
+# pid file
+manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+
+# read meminfo
+kernel_read_system_state(certmaster_t)
+
+corecmd_search_bin(certmaster_t)
+corecmd_getattr_bin_files(certmaster_t)
+
+corenet_tcp_bind_generic_node(certmaster_t)
+corenet_tcp_bind_certmaster_port(certmaster_t)
+
+files_search_etc(certmaster_t)
+files_list_var(certmaster_t)
+files_search_var_lib(certmaster_t)
+
+auth_use_nsswitch(certmaster_t)
+
+miscfiles_read_localization(certmaster_t) + +miscfiles_manage_cert_dirs(certmaster_t) +miscfiles_manage_cert_files(certmaster_t) diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc index 6123df5..4b567df 100644 --- a/policy/modules/services/mysql.fc +++ b/policy/modules/services/mysql.fc @@ -10,6 +10,8 @@ # # /usr # +/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) + /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if index 0ca54a8..51556e9 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -140,6 +140,63 @@ interface(`mysql_manage_db_dirs',` allow $1 mysqld_db_t:dir manage_dir_perms; ') +####################################### +## +## Append to the MySQL database directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`mysql_append_db_files',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + append_files_pattern($1, mysqld_db_t, mysqld_db_t) +') + +####################################### +## +## Read and write to the MySQL database directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`mysql_rw_db_files',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + rw_files_pattern($1, mysqld_db_t, mysqld_db_t) +') + +####################################### +## +## Create, read, write, and delete MySQL database files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mysql_manage_db_files',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, mysqld_db_t, mysqld_db_t) +') + ######################################## ## ## Read and write to the MySQL database 
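Review bot: certmaster_t listens on the network (corenet_tcp_bind_generic_node and corenet_tcp_bind_certmaster_port) and at the same time receives miscfiles_manage_cert_dirs and miscfiles_manage_cert_files, so a compromised daemon can rewrite every cert_t object on the host, including the system CA bundle; the CA key and issued certificates should be kept in a certmaster-owned type (certmaster_etc_rw_t or a new certmaster_cert_t) and the generic grant reduced to a read interface if the daemon only needs to read system certs. `allow certmaster_t self:capability sys_tty_config;` should be `dontaudit certmaster_t self:capability sys_tty_config;` — the lvm hunks in this same patch follow that convention for daemons. A certificate authority presumably generates keys, so `dev_read_urand(certmaster_t)` is likely missing; confirm from an audit run rather than waiting for a denial. Style: `logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )` and `files_pid_filetrans(certmaster_t ,certmaster_var_run_t, ...)` carry stray spaces around the arguments.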
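Review bot: The summaries of mysql_append_db_files and mysql_rw_db_files say "the MySQL database directory" while the rules they grant are append_files_pattern and rw_files_pattern on mysqld_db_t files, so a caller reading the docs would expect directory permissions that are not there. They should read `Append to MySQL database files.` and `Read and write MySQL database files.`, matching the wording already used by mysql_manage_db_files in the same hunk.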
@@ -180,6 +237,25 @@ interface(`mysql_write_log',` allow $1 mysqld_log_t:file { write_file_perms setattr }; ') +##################################### +## +## Search MySQL PID files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mysql_search_pid_files',` + gen_require(` + type mysqld_var_run_t; + ') + + search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) +') + ######################################## ## ## All of the rules required to administrate an mysql environment diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index 86fe1b7..6180428 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -1,5 +1,5 @@ -policy_module(mysql, 1.10.3) +policy_module(mysql, 1.10.4) ######################################## # @@ -10,6 +10,10 @@ type mysqld_t; type mysqld_exec_t; init_daemon_domain(mysqld_t, mysqld_exec_t) +type mysqld_safe_t; +type mysqld_safe_exec_t; +init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) + type mysqld_var_run_t; files_pid_file(mysqld_var_run_t) @@ -121,3 +125,34 @@ optional_policy(` optional_policy(` udev_read_db(mysqld_t) ') + +####################################### +# +# Local mysqld_safe policy +# + +allow mysqld_safe_t self:capability { dac_override fowner chown }; +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + +domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) + +allow mysqld_safe_t mysqld_log_t:file manage_file_perms; +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) + +kernel_read_system_state(mysqld_safe_t) + +dev_list_sysfs(mysqld_safe_t) + +files_read_etc_files(mysqld_safe_t) +files_read_usr_files(mysqld_safe_t) + +corecmd_exec_bin(mysqld_safe_t) + +hostname_exec(mysqld_safe_t) + +miscfiles_read_localization(mysqld_safe_t) + +mysql_append_db_files(mysqld_safe_t) +mysql_read_config(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) +mysql_write_log(mysqld_safe_t) 
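Review bot: `allow mysqld_safe_t mysqld_log_t:file manage_file_perms;` already subsumes everything mysql_write_log(mysqld_safe_t) grants (write and setattr), so one of the two lines is redundant, and manage gives the wrapper create/unlink on the server log where a restart wrapper normally only appends; keep mysql_write_log plus logging_log_filetrans and drop the manage rule unless the wrapper is observed creating the file. dac_override next to chown and fowner bypasses all DAC checks for the wrapper — worth confirming from audit output that the need is not just the chown it performs on the datadir. mysqld_safe is a shell script and the hunk grants corecmd_exec_bin but not corecmd_exec_shell, so sub-shells it spawns would presumably be denied; verify. Nothing here lets mysqld_safe_t signal or inspect mysqld_t, which a wrapper that restarts the server presumably needs, e.g. `allow mysqld_safe_t mysqld_t:process signal_perms;`.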
diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc index 80e894b..98c7728 100644 --- a/policy/modules/services/squid.fc +++ b/policy/modules/services/squid.fc @@ -8,5 +8,7 @@ /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) /var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) +/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) \ No newline at end of file diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if index e7ea606..0ae57d7 100644 --- a/policy/modules/services/squid.if +++ b/policy/modules/services/squid.if @@ -21,6 +21,24 @@ interface(`squid_domtrans',` ######################################## ## +## Execute squid +## +## +## +## The type of the process performing this action. +## +## +# +interface(`squid_exec',` + gen_require(` + type squid_exec_t; + ') + + can_exec($1, squid_exec_t) +') + +######################################## +## ## Send generic signals to squid. ## ## diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index 6ce86fd..f6df97e 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -1,5 +1,5 @@ -policy_module(squid, 1.8.2) +policy_module(squid, 1.8.3) ######################################## # @@ -118,6 +118,7 @@ dev_read_urand(squid_t) fs_getattr_all_fs(squid_t) fs_search_auto_mountpoints(squid_t) +fs_list_inotifyfs(squid_t) selinux_dontaudit_getattr_dir(squid_t) diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te index 6e720f7..cd2af5c 100644 --- a/policy/modules/services/tor.te +++ b/policy/modules/services/tor.te @@ -1,5 +1,5 @@ -policy_module(tor, 1.5.2) +policy_module(tor, 1.5.3) ######################################## # 
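Review bot: /var/squidGuard is labeled squid_cache_t, so squid_t and any helper that stays in that domain get full manage rights over what is presumably squidGuard's blocklist database, and a filter whose rules can be rewritten by the proxy it constrains gives little assurance; a dedicated type that squid_t only reads would be the safer shape. Labeling /var/log/squidGuard as squid_log_t is reasonable if squidGuard runs as squid_t, but that assumption should be stated in a comment above the new entries. The file also loses its trailing newline in this hunk.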
@@ -34,7 +34,7 @@ files_pid_file(tor_var_run_t) # tor local policy # -allow tor_t self:capability { setgid setuid }; +allow tor_t self:capability { setgid setuid sys_tty_config }; allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc index 0048738..879bb1e 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -55,6 +55,7 @@ ifdef(`distro_gentoo',` /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -94,6 +95,7 @@ ifdef(`distro_gentoo',` # /var # /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) +/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) -/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 8983ba6..bbe2c04 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -1,5 +1,5 @@ -policy_module(lvm, 1.10.2) +policy_module(lvm, 1.10.3) ######################################## # 
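Review bot: sys_tty_config is now allowed for tor_t, while the lvm hunks in this same patch keep it as a dontaudit for clvmd_t and lvm_t; a daemon has no reason to configure ttys and the convention is to silence the check rather than grant it. Revert the capability list to `allow tor_t self:capability { setgid setuid };` and add `dontaudit tor_t self:capability sys_tty_config;` below it.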
@@ -44,9 +44,9 @@ files_tmp_file(lvm_tmp_t) # Cluster LVM daemon local policy # -allow clvmd_t self:capability { sys_admin mknod }; +allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; dontaudit clvmd_t self:capability sys_tty_config; -allow clvmd_t self:process signal_perms; +allow clvmd_t self:process { signal_perms setsched }; dontaudit clvmd_t self:process ptrace; allow clvmd_t self:socket create_socket_perms; allow clvmd_t self:fifo_file rw_fifo_file_perms; @@ -85,10 +85,15 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t) corenet_sendrecv_generic_server_packets(clvmd_t) dev_read_sysfs(clvmd_t) +dev_manage_generic_symlinks(clvmd_t) +dev_relabel_generic_dev_dirs(clvmd_t) +dev_manage_generic_blk_files(clvmd_t) dev_manage_generic_chr_files(clvmd_t) dev_rw_lvm_control(clvmd_t) dev_dontaudit_getattr_all_blk_files(clvmd_t) dev_dontaudit_getattr_all_chr_files(clvmd_t) +dev_create_generic_dirs(clvmd_t) +dev_delete_generic_dirs(clvmd_t) files_read_etc_files(clvmd_t) files_list_usr(clvmd_t) @@ -99,19 +104,26 @@ fs_dontaudit_list_tmpfs(clvmd_t) fs_dontaudit_read_removable_files(clvmd_t) storage_dontaudit_getattr_removable_dev(clvmd_t) +storage_manage_fixed_disk(clvmd_t) +storage_dev_filetrans_fixed_disk(clvmd_t) +storage_relabel_fixed_disk(clvmd_t) +storage_raw_read_fixed_disk(clvmd_t) domain_use_interactive_fds(clvmd_t) -storage_raw_read_fixed_disk(clvmd_t) - auth_use_nsswitch(clvmd_t) +init_dontaudit_getattr_initctl(clvmd_t) + logging_send_syslog_msg(clvmd_t) miscfiles_read_localization(clvmd_t) seutil_dontaudit_search_config(clvmd_t) seutil_sigchld_newrole(clvmd_t) +seutil_read_config(clvmd_t) +seutil_read_file_contexts(clvmd_t) +seutil_search_default_contexts(clvmd_t) userdom_dontaudit_use_unpriv_user_fds(clvmd_t) userdom_dontaudit_search_user_home_dirs(clvmd_t) 
@@ -119,6 +131,12 @@ userdom_dontaudit_search_user_home_dirs(clvmd_t) lvm_domtrans(clvmd_t) lvm_read_config(clvmd_t) +ifdef(`distro_redhat',` + optional_policy(` + unconfined_domain(clvmd_t) + ') +') + optional_policy(` ccs_stream_connect(clvmd_t) ') @@ -143,17 +161,19 @@ optional_policy(` # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid -allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio }; +# net_admin for multipath +allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; allow lvm_t self:file rw_file_perms; -allow lvm_t self:fifo_file rw_file_perms; +allow lvm_t self:fifo_file rw_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; -allow lvm_t clvmd_t:unix_stream_socket connectto; +allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) @@ -185,6 +205,7 @@ read_lnk_files_pattern(lvm_t,lvm_etc_t,lvm_etc_t) manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t) filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file) files_etc_filetrans(lvm_t,lvm_metadata_t,file) +files_search_mnt(lvm_t) kernel_read_system_state(lvm_t) kernel_read_kernel_sysctls(lvm_t) @@ -192,6 +213,7 @@ kernel_read_kernel_sysctls(lvm_t) kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) +kernel_use_fds(lvm_t) selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) 
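Review bot: unconfined_domain(clvmd_t) under distro_redhat makes every fine-grained rule added for clvmd_t earlier in this patch moot on the distribution that ships it, turning a cluster daemon that talks on the network (see the corenet bind and sendrecv rules above) into a full-privilege domain there. If this is a stopgap for unresolved denials, the block needs a comment stating which denials and that it is to be removed, so the narrow rules are not silently abandoned. The enclosing clvmd_t section starts outside the hunk.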
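Review bot: net_admin is added to lvm_t for multipath, but lvm_t is the shared domain for every LVM tool entered via lvm_domtrans, so the capability is granted to all of them; multipath would be better served by its own domain, and at minimum the comment should name the operation that needs it (presumably a socket option on its uevent netlink socket — confirm). The change from rw_file_perms to rw_fifo_file_perms on the fifo_file line is a correct fix and worth keeping separately from the capability widening.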
@@ -244,7 +266,9 @@ corecmd_exec_bin(lvm_t) corecmd_exec_shell(lvm_t) domain_use_interactive_fds(lvm_t) +domain_read_all_domains_state(lvm_t) +files_read_usr_files(lvm_t) files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: @@ -268,6 +292,10 @@ userdom_use_user_terminals(lvm_t) ifdef(`distro_redhat',` # this is from the initrd: files_rw_isid_type_dirs(lvm_t) + + optional_policy(` + unconfined_domain(lvm_t) + ') ') optional_policy(` @@ -283,5 +311,24 @@ optional_policy(` ') optional_policy(` + dbus_system_bus_client(lvm_t) + + hal_dbus_chat(lvm_t) +') + +optional_policy(` + modutils_domtrans_insmod(lvm_t) +') + +optional_policy(` + rpm_manage_script_tmp_files(lvm_t) +') + +optional_policy(` udev_read_db(lvm_t) ') + +optional_policy(` + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +')
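Review bot: unconfined_domain(lvm_t) under distro_redhat is a larger exposure than the clvmd case: lvm_t is entered through lvm_domtrans from clvmd_t and, judging by the optional blocks added at the end of this file, is reached from udev, rpm scriptlets and xen paths as well, so each of those callers gains a path into an unconfined domain and the sys_admin/sys_rawio/net_admin capability set and storage_raw rules above stop meaning anything. If it must ship, add a comment naming the denials it papers over and keep it paired with the narrow rules so it can be removed later. The enclosing distro_redhat block starts outside the hunk.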
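Review bot: rpm_manage_script_tmp_files(lvm_t) lets LVM tools create and delete rpm scriptlet temporary files, which is an unusual direction of trust; if the need is only that scriptlets hand lvm an inherited temp file, a read/write interface would suffice and the manage form should be justified in a comment. modutils_domtrans_insmod(lvm_t) also lets any LVM tool load kernel modules, so a comment stating which tool triggers it (dm modules, presumably) would help the next reviewer.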