diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index 61f46ad..016682c 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -67,6 +67,7 @@ optional_policy(`authlogin.te', ` optional_policy(`cron.te',` cron_read_pipe(consoletype_t) + cron_use_system_job_fd(consoletype_t) ') optional_policy(`firstboot.te',` @@ -95,8 +96,6 @@ optional_policy(`userdomain.te',` ifdef(`TODO',` allow consoletype_t nfs_t:file write; -allow consoletype_t system_crond_t:fd use; - optional_policy(`xdm.te', ` allow consoletype_t xdm_tmp_t:file rw_file_perms; ') diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te index f39a053..7ad75c4 100644 --- a/refpolicy/policy/modules/admin/firstboot.te +++ b/refpolicy/policy/modules/admin/firstboot.te @@ -120,8 +120,10 @@ optional_policy(`samba.te',` ') optional_policy(`usermanage.te',` - usermanage_domtrans_useradd(firstboot_t) + usermanage_domtrans_chfn(firstboot_t) usermanage_domtrans_groupadd(firstboot_t) + usermanage_domtrans_passwd(firstboot_t) + usermanage_domtrans_useradd(firstboot_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 1a1e714..5ddfe4b 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -85,6 +85,8 @@ corecmd_exec_ls(logrotate_t) domain_signal_all_domains(logrotate_t) domain_use_wide_inherit_fd(logrotate_t) domain_getattr_all_entry_files(logrotate_t) +# Read /proc/PID directories for all domains. +domain_read_all_domains_state(logrotate_t) files_read_usr_files(logrotate_t) files_read_etc_files(logrotate_t) 
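Review bot: `domain_read_all_domains_state(logrotate_t)` is an allow rule over every domain's /proc/PID state (the TODO rule it replaces was `r_file_perms` on `domain:notdevfile_class_set`, i.e. cmdline/environ/maps of every process), whereas the cron and hotplug hunks in this same change cover the equivalent "ps" need with `domain_dontaudit_read_all_domains_state`. If logrotate only hits this from `killall`-style postrotate scripts the comment should say so; if it is only to silence ps noise, the dontaudit form is the least-privilege choice, since the domain already has `domain_signal_all_domains` for the kill itself. I would at least extend the comment to `# Read /proc/PID directories for all domains; needed by postrotate scripts that locate daemon PIDs via ps/killall.` and confirm the allow against a real denial before keeping it.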
@@ -163,21 +165,11 @@ optional_policy(`squid.te',` ') ifdef(`TODO',` - -#from privmail this needs more work: -allow mta_user_agent logrotate_t:fd use; -allow mta_user_agent logrotate_t:process sigchld; -allow mta_user_agent logrotate_t:fifo_file { read write }; - ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;') # it should not require this allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search }; -# Read /proc/PID directories for all domains. -allow logrotate_t domain:notdevfile_class_set r_file_perms; -allow logrotate_t domain:dir r_dir_perms; - # for /var/backups on Debian ifdef(`backup.te', ` rw_dir_create_file(logrotate_t, backup_store_t) diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 01b3216..b6ce0ea 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -1,5 +1,5 @@ -policy_module(devices,1.0) +policy_module(netutils,1.0) ######################################## # diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index bb43066..1da113f 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -6,11 +6,12 @@ policy_module(rpm,1.0) # Declarations # -type rpm_t; #, priv_system_role; +type rpm_t; type rpm_exec_t; init_system_domain(rpm_t,rpm_exec_t) domain_obj_id_change_exempt(rpm_t) domain_role_change_exempt(rpm_t) +domain_system_change_exempt(rpm_t) domain_wide_inherit_fd(rpm_t) role system_r types rpm_t; @@ -30,9 +31,10 @@ type rpm_var_lib_t; files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; -type rpm_script_t; #, admin, privmem, priv_system_role; +type rpm_script_t; type rpm_script_exec_t; domain_obj_id_change_exempt(rpm_script_t) +domain_system_change_exempt(rpm_script_t) corecmd_shell_entry_type(rpm_script_t) domain_type(rpm_script_t) domain_entry_file(rpm_t,rpm_script_exec_t) 
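Review bot: `domain_system_change_exempt(rpm_t)` and `domain_system_change_exempt(rpm_script_t)` widen the system identity/role constraint exemption to both rpm domains without a comment saying why, and the two end up asymmetric: rpm_t carries the obj_id, role and system exemptions while rpm_script_t carries obj_id and system only. Presumably scriptlets (re)start daemons that must end up as system_u:system_r; if so a one-liner such as `# rpm and its scriptlets start daemons that must run as system_u:system_r` above each exemption would record the intent. Whether rpm_script_t also needs `domain_role_change_exempt` depends on how its initrc transitions are handled, which is outside these hunks.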
@@ -92,7 +94,7 @@ fs_create_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file } # Access /var/lib/rpm files allow rpm_t rpm_var_lib_t:file create_file_perms; allow rpm_t rpm_var_lib_t:dir rw_dir_perms; -#files_create_private_libraries(rpm_t,rpm_var_lib_t,dir) +files_create_var_lib(rpm_t,rpm_var_lib_t,dir) kernel_read_system_state(rpm_t) kernel_read_kernel_sysctl(rpm_t) @@ -114,7 +116,7 @@ dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) #devices_manage_all_device_types(rpm_t) -#fs_manage_nfs_dir(rpm_t) +fs_manage_nfs_dirs(rpm_t) fs_manage_nfs_files(rpm_t) fs_manage_nfs_symlinks(rpm_t) fs_getattr_all_fs(rpm_t) @@ -183,10 +185,6 @@ ifdef(`TODO',` # cjp: this seems way out of place role sysadm_r types initrc_t; -type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t; - -dontaudit rpm_t domain:process ptrace; - # read/write/create any files in the system dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; allow rpm_t ttyfile:chr_file unlink; @@ -312,10 +310,6 @@ seutil_domtrans_restorecon(rpm_script_t) userdom_use_all_user_fd(rpm_script_t) -if (allow_execmem) { - allow rpm_script_t self:process execmem; -} - # this should be tunable_policy, but # typeattribute does not work in conditionals ifdef(`unlimitedRPM',` @@ -323,6 +317,10 @@ ifdef(`unlimitedRPM',` unconfined_domain_template(rpm_script_t) ') +tunable_policy(`allow_execmem',` + allow rpm_script_t self:process execmem; +') + optional_policy(`bootloader.te',` bootloader_domtrans(rpm_script_t) ') diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 4452dee..b3ed57c 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te 
@@ -96,6 +96,9 @@ fs_search_auto_mountpoints(chfn_t) # for SSP dev_read_urand(chfn_t) +auth_domtrans_chk_passwd(chfn_t) +auth_dontaudit_read_shadow(chfn_t) + # can exec /sbin/unix_chkpwd corecmd_search_bin(chfn_t) corecmd_search_sbin(chfn_t) @@ -117,31 +120,23 @@ miscfiles_read_localization(chfn_t) logging_send_syslog_msg(chfn_t) -auth_domtrans_chk_passwd(chfn_t) -auth_dontaudit_read_shadow(chfn_t) +# uses unix_chkpwd for checking passwords +seutil_dontaudit_search_config(chfn_t) userdom_use_unpriv_users_fd(chfn_t) +# user generally runs this from their home directory, so do not audit a search +# on user home dir +userdom_dontaudit_search_all_users_home(chfn_t) optional_policy(`nis.te',` nis_use_ypbind(chfn_t) ') ifdef(`TODO',` -ifdef(`firstboot.te',` -domain_auto_trans(firstboot_t, chfn_exec_t, chfn_t) -') - ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;') # allow checking if a shell is executable allow chfn_t shell_exec_t:file execute; - -# user generally runs this from their home directory, so do not audit a search -# on user home dir -dontaudit chfn_t { user_home_dir_type user_home_type }:dir search; - -# uses unix_chkpwd for checking passwords -dontaudit chfn_t selinux_config_t:dir search; ') dnl endif TODO ######################################## @@ -180,16 +175,11 @@ libs_use_shared_libs(crack_t) logging_send_syslog_msg(crack_t) -ifdef(`TODO',` -ifdef(`crond.te', ` -domain_auto_trans(system_crond_t, crack_exec_t, crack_t) -allow crack_t crond_t:fifo_file rw_file_perms; -allow crack_t crond_t:fd use; -allow crack_t crond_t:process sigchld; -') +userdom_dontaudit_search_sysadm_home_dir(crack_t) -dontaudit crack_t sysadm_home_dir_t:dir { getattr search }; -') dnl endif TODO +optional_policy(`cron.te',` + cron_system_entry(crack_t,crack_exec_t) +') ######################################## # 
@@ -250,6 +240,8 @@ auth_rw_lastlog(groupadd_t) seutil_read_config(groupadd_t) userdom_use_unpriv_users_fd(groupadd_t) +# for when /root is the cwd +userdom_dontaudit_search_sysadm_home_dir(groupadd_t) optional_policy(`nis.te',` nis_use_ypbind(groupadd_t) @@ -265,15 +257,11 @@ optional_policy(`rpm.te',` ') ifdef(`TODO',` - # Update /etc/shadow and /etc/passwd allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto }; # Access terminals. ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;') - -# for when /root is the cwd -dontaudit groupadd_t sysadm_home_dir_t:dir search; ') dnl end TODO ######################################## @@ -314,6 +302,8 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) +auth_manage_shadow(passwd_t) + # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_script_pid(passwd_t) @@ -323,6 +313,7 @@ domain_use_wide_inherit_fd(passwd_t) files_read_etc_runtime_files(passwd_t) files_manage_etc_files(passwd_t) files_search_var(passwd_t) +files_dontaudit_search_pids(passwd_t) libs_use_ld_so(passwd_t) libs_use_shared_libs(passwd_t) @@ -331,20 +322,18 @@ logging_send_syslog_msg(passwd_t) miscfiles_read_localization(passwd_t) -auth_manage_shadow(passwd_t) +seutil_dontaudit_search_config(passwd_t) userdom_use_unpriv_users_fd(passwd_t) +# user generally runs this from their home directory, so do not audit a search +# on user home dir +userdom_dontaudit_search_all_users_home(passwd_t) optional_policy(`nis.te',` nis_use_ypbind(passwd_t) ') ifdef(`TODO',` - -ifdef(`firstboot.te',` -domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t) -') - # Update /etc/shadow and /etc/passwd allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto }; 
@@ -354,18 +343,10 @@ ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;') # allow checking if a shell is executable allow passwd_t shell_exec_t:file execute; -# user generally runs this from their home directory, so do not audit a search -# on user home dir -dontaudit passwd_t { user_home_dir_type user_home_type }:dir search; - # make sure that getcon succeeds allow passwd_t userdomain:dir search; allow passwd_t userdomain:file read; allow passwd_t userdomain:process getattr; - -dontaudit passwd_t selinux_config_t:dir search; - -dontaudit passwd_t var_run_t:dir search; ') dnl endif TODO ######################################## @@ -424,6 +405,8 @@ domain_use_wide_inherit_fd(sysadm_passwd_t) files_manage_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) +# for nscd lookups +files_dontaudit_search_pids(sysadm_passwd_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. @@ -436,7 +419,12 @@ miscfiles_read_localization(sysadm_passwd_t) logging_send_syslog_msg(sysadm_passwd_t) +seutil_dontaudit_search_config(sysadm_passwd_t) + userdom_use_unpriv_users_fd(sysadm_passwd_t) +# user generally runs this from their home directory, so do not audit a search +# on user home dir +userdom_dontaudit_search_all_users_home(sysadm_passwd_t) optional_policy(`nis.te',` nis_use_ypbind(sysadm_passwd_t) 
@@ -452,20 +440,9 @@ ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;') # allow checking if a shell is executable allow sysadm_passwd_t shell_exec_t:file execute; -# user generally runs this from their home directory, so do not audit a search -# on user home dir -dontaudit sysadm_passwd_t { user_home_dir_type user_home_type }:dir search; - # Update /etc/shadow and /etc/passwd allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto }; -# for vipw - vi looks in the root home directory for config -dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search }; - -# for nscd lookups -dontaudit sysadm_passwd_t var_run_t:dir search; - -dontaudit sysadm_passwd_t selinux_config_t:dir search; ifdef(`targeted_policy', ` role system_r types sysadm_passwd_t; allow sysadm_passwd_t devpts_t:chr_file rw_file_perms; @@ -534,6 +511,12 @@ seutil_read_config(useradd_t) seutil_read_file_contexts(useradd_t) userdom_use_unpriv_users_fd(useradd_t) +# for when /root is the cwd +userdom_dontaudit_search_sysadm_home_dir(useradd_t) +# Add/remove user home directories +userdom_create_user_home_dir(useradd_t) +userdom_manage_user_home_dir(useradd_t) +userdom_create_user_home(useradd_t,notdevfile_class_set) mta_manage_spool(useradd_t) @@ -551,21 +534,12 @@ optional_policy(`rpm.te',` ') ifdef(`TODO',` - # Update /etc/shadow and /etc/passwd allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto }; # Access terminals. ifdef(`gnome-pty-helper.te', `allow useradd_t gphdomain:fd use;') -# for when /root is the cwd -dontaudit useradd_t sysadm_home_dir_t:dir search; - -# Add/remove user home directories -file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir) -file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t) - # /var/mail is a link to /var/spool/mail allow useradd_t mail_spool_t:lnk_file read; - ') dnl end TODO diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te index 0eba8d1..b95df4e 100644 
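Review bot: The rules added under `# Add/remove user home directories` read as creation only: `userdom_create_user_home_dir` and `userdom_manage_user_home_dir` cover the home directory object itself and `userdom_create_user_home(useradd_t,notdevfile_class_set)` its create-with-transition, but nothing here grants delete on existing `user_home_t` content, which `userdel -r` needs. Either confirm in userdomain.if that `userdom_manage_user_home_dir` already covers the subtree, or add the corresponding manage interface for home contents; otherwise narrow the comment to `# Create user home directories (removal of home contents by userdel -r is not covered here)`. The removed TODO `file_type_auto_trans` pair had the same gap, so this is a pre-existing limitation that the new comment should not overstate.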
--- a/refpolicy/policy/modules/admin/vpn.te +++ b/refpolicy/policy/modules/admin/vpn.te @@ -96,6 +96,7 @@ sysnet_create_config(vpnc_t) sysnet_manage_config(vpnc_t) userdom_use_all_user_fd(vpnc_t) +userdom_dontaudit_search_all_users_home(vpnc_t) optional_policy(`mount.te',` mount_send_nfs_client_request(vpnc_t) @@ -108,7 +109,3 @@ optional_policy(`nis.te',` optional_policy(`nscd.te',` nscd_use_socket(vpnc_t) ') - -ifdef(`TODO',` -dontaudit vpnc_t user_home_dir_type:dir search; -') diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index e642b2a..6689e65 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -98,6 +98,8 @@ template(`cron_per_userdomain_template',` fs_getattr_all_fs($1_crond_t) domain_exec_all_entry_files($1_crond_t) + # quiet other ps operations + domain_dontaudit_read_all_domains_state($1_crond_t) files_read_usr_files($1_crond_t) files_exec_etc_files($1_crond_t) @@ -113,6 +115,8 @@ template(`cron_per_userdomain_template',` libs_exec_ld_so($1_crond_t) files_read_etc_runtime_files($1_crond_t) + files_read_var_files($1_crond_t) + files_search_spool($1_crond_t) logging_search_logs($1_crond_t) @@ -126,6 +130,13 @@ template(`cron_per_userdomain_template',` userdom_manage_user_tmp_sockets($1,$1_crond_t) # Run scripts in user home directory and access shared libs. userdom_exec_user_home_files($1,$1_crond_t) + # Access user files and dirs. +# userdom_manage_user_home_subdir_dirs($1,$1_crond_t) + userdom_manage_user_home_subdir_files($1,$1_crond_t) + userdom_manage_user_home_subdir_symlinks($1,$1_crond_t) + userdom_manage_user_home_subdir_pipes($1,$1_crond_t) + userdom_manage_user_home_subdir_sockets($1,$1_crond_t) +# userdom_create_user_home($1,$1_crond_t,notdevfile_class_set) tunable_policy(`fcron_crond', ` allow crond_t $1_cron_spool_t:file create_file_perms; 
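Review bot: The comment `# Access user files and dirs.` is followed by `userdom_manage_user_home_subdir_dirs` and `userdom_create_user_home` commented out, so the template as written lets `$1_crond_t` manage existing files, symlinks, pipes and sockets under the home but create no directories and get no type transition for new objects, which is narrower than the `file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)` TODO rule it replaces. If the two interfaces are intentionally disabled, say why inline (`# dirs/create disabled: <reason>`); if they were meant to be active, uncomment them so user cron jobs can create correctly labeled files in their home. Disabled interfaces with no stated reason make the policy's intent unrecoverable later.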
@@ -136,9 +147,6 @@ template(`cron_per_userdomain_template',` ') ifdef(`TODO',` - # Access user files and dirs. - file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t) - allow $1_crond_t tmp_t:dir rw_dir_perms; type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t; @@ -150,13 +158,6 @@ template(`cron_per_userdomain_template',` dontaudit $1_mail_t crond_t:fifo_file write; allow mta_user_agent $1_crond_t:fd use; ') - - allow $1_crond_t var_spool_t:dir search; - allow $1_crond_t var_t:dir r_dir_perms; - allow $1_crond_t var_t:file r_file_perms; - - # quiet other ps operations - dontaudit $1_crond_t domain:dir { getattr search }; ') dnl endif TODO ############################## @@ -171,6 +172,12 @@ template(`cron_per_userdomain_template',` allow $1_crontab_t $2:fifo_file rw_file_perms; allow $1_crontab_t $2:process sigchld; + # crontab shows up in user ps + allow $2 $1_crontab_t:dir { search getattr read }; + allow $2 $1_crontab_t:{ file lnk_file } { read getattr }; + allow $2 $1_crontab_t:process getattr; + dontaudit $2 $1_crontab_t:process ptrace; + # for ^Z allow $2 $1_crontab_t:process signal; @@ -229,15 +236,10 @@ template(`cron_per_userdomain_template',` ') ifdef(`TODO',` - can_ps($1_t, $1_crontab_t) - - dontaudit $1_crontab_t proc_t:dir search; - allow $1_crond_t tmp_t:dir rw_dir_perms; type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t; # Read user crontabs - allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms; dontaudit $1_crontab_t $1_home_dir_t:dir write; # Inherit and use descriptors from gnome-pty-helper. diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index c8f3573..214eb03 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te 
@@ -13,7 +13,7 @@ files_type(anacron_exec_t) type cron_spool_t; files_type(cron_spool_t) -type crond_t; #, privmail +type crond_t; type crond_exec_t; init_daemon_domain(crond_t,crond_exec_t) domain_wide_inherit_fd(crond_t) @@ -31,7 +31,7 @@ files_type(crontab_exec_t) type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) -type system_crond_t; #, privmail +type system_crond_t; init_daemon_domain(system_crond_t,anacron_exec_t) corecmd_shell_entry_type(system_crond_t) role system_r types system_crond_t; @@ -100,6 +100,9 @@ domain_use_wide_inherit_fd(crond_t) files_read_etc_files(crond_t) files_read_generic_spools(crond_t) +# Read from /var/spool/cron. +files_search_var_lib(crond_t) +files_search_default(crond_t) init_use_fd(crond_t) init_use_script_pty(crond_t) @@ -117,6 +120,8 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fd(crond_t) +mta_send_mail(crond_t) + ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. @@ -169,10 +174,6 @@ optional_policy(`rhgb.te', ` rhgb_domain(crond_t) ') -# Read from /var/spool/cron. -allow crond_t var_lib_t:dir search; -allow crond_t default_t:dir search; - # crond tries to search /root. Not sure why. allow crond_t sysadm_home_dir_t:dir r_dir_perms; @@ -257,6 +258,8 @@ corecmd_exec_bin(system_crond_t) corecmd_exec_sbin(system_crond_t) domain_exec_all_entry_files(system_crond_t) +# quiet other ps operations +domain_dontaudit_read_all_domains_state(system_crond_t) files_exec_etc_files(system_crond_t) files_read_etc_files(system_crond_t) @@ -296,6 +299,8 @@ miscfiles_manage_man_pages(system_crond_t) seutil_read_config(system_crond_t) +mta_send_mail(system_crond_t) + ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. 
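Review bot: `files_search_default(crond_t)` under the comment `# Read from /var/spool/cron.` grants search on `default_t`, the fallback label for paths with no file-context entry, and `files_search_var_lib` covers /var/lib, which is not on the path to /var/spool/cron; `files_read_generic_spools(crond_t)` a few lines above already covers the spool tree. Needing `default_t` search usually means a directory on the real path is mislabeled, so the durable fix is a file-context entry rather than a permanent allow. If the rules are kept, the comment should name the path actually being traversed, e.g. `# crond searches /var/lib and an unlabeled (default_t) directory on the way to its spool; TODO fix labeling.`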
@@ -342,9 +347,6 @@ optional_policy(`squid.te',` ifdef(`TODO',` dontaudit userdomain system_crond_t:fd use; -# quiet other ps operations -dontaudit system_crond_t domain:dir { getattr search }; - # Do not audit attempts to search unlabeled directories (e.g. slocate). dontaudit system_crond_t unlabeled_t:dir r_dir_perms; dontaudit system_crond_t unlabeled_t:file r_file_perms; diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 12869b9..25db7d4 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -6,7 +6,7 @@ policy_module(inetd,1.0) # Declarations # -type inetd_t; # ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem') +type inetd_t; type inetd_exec_t; init_daemon_domain(inetd_t,inetd_exec_t) @@ -127,6 +127,11 @@ optional_policy(`mount.te',` mount_send_nfs_client_request(inetd_t) ') +# Communicate with the portmapper. +optional_policy(`portmap.te',` + portmap_udp_sendto(inetd_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(inetd_t) ') @@ -146,13 +151,9 @@ ifdef(`unlimitedInetd', ` ') ifdef(`TODO',` - optional_policy(`rhgb.te',` rhgb_domain(inetd_t) ') - -# Communicate with the portmapper. -ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)') ') dnl TODO ######################################## diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te index da1ded3..27fac58 100644 --- a/refpolicy/policy/modules/services/kerberos.te +++ b/refpolicy/policy/modules/services/kerberos.te @@ -145,9 +145,6 @@ ifdef(`TODO',` optional_policy(`rhgb.te',` rhgb_domain(kadmind_t) ') - -# cjp: not sure, but I think this has no effect -can_tcp_connect(kerberos_admin_port_t, kadmind_t) ') dnl end TODO ######################################## 
@@ -250,9 +247,4 @@ optional_policy(`rhgb.te',` # Allow user programs to talk to KDC allow krb5kdc_t userdomain:udp_socket recvfrom; allow userdomain krb5kdc_t:udp_socket recvfrom; - -# cjp: not sure, but I think these have no effect -can_udp_send(kerberos_port_t, krb5kdc_t) -can_udp_send(krb5kdc_t, kerberos_port_t) -can_tcp_connect(kerberos_port_t, krb5kdc_t) ') dnl end TODO diff --git a/refpolicy/policy/modules/services/ldap.if b/refpolicy/policy/modules/services/ldap.if index 833e02c..2f3b0ea 100644 --- a/refpolicy/policy/modules/services/ldap.if +++ b/refpolicy/policy/modules/services/ldap.if @@ -35,3 +35,21 @@ interface(`ldap_read_config',` files_search_etc($1) allow $1 slapd_etc_t:file { getattr read }; ') + +######################################## +## +## Use LDAP over TCP connection. +## +## +## Domain allowed access. +## +# +interface(`ldap_use',` + gen_require(` + type slapd_t; + ') + + allow $1 slapd_t:tcp_socket { connectto recvfrom }; + allow slapd_t $1:tcp_socket { acceptfrom recvfrom }; + kernel_tcp_recvfrom($1) +') diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te index e55e70d..18ec509 100644 --- a/refpolicy/policy/modules/services/ldap.te +++ b/refpolicy/policy/modules/services/ldap.te @@ -59,6 +59,7 @@ files_create_pid(slapd_t,slapd_var_run_t) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctl(slapd_t) +kernel_tcp_recvfrom(slapd_t) corenet_tcp_sendrecv_all_if(slapd_t) corenet_udp_sendrecv_all_if(slapd_t) @@ -124,7 +125,4 @@ r_dir_file(slapd_t, cert_t) optional_policy(`rhgb.te',` rhgb_domain(slapd_t) ') -# allow any domain to connect to the LDAP server -# cjp: how does this relate to the old can_ldap() macro? -can_tcp_connect(domain, slapd_t) ') dnl end TODO diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te index abb9b6e..0e5f6f7 100644 --- a/refpolicy/policy/modules/services/nscd.te +++ b/refpolicy/policy/modules/services/nscd.te 
@@ -2,7 +2,7 @@ policy_module(nscd,1.0) gen_require(` - class nscd { admin getstat }; + class nscd all_nscd_perms; ') ######################################## diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te index 717ac4a..ba7c21b 100644 --- a/refpolicy/policy/modules/services/rshd.te +++ b/refpolicy/policy/modules/services/rshd.te @@ -86,7 +86,4 @@ ifdef(`TODO',` optional_policy(`rlogind.te', ` allow rshd_t rlogind_tmp_t:file rw_file_perms; ') - -allow rshd_t selinux_config_t:lnk_file { getattr read }; -allow rshd_t default_context_t:lnk_file { getattr read }; ') diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te index 03bc86d..b73bd1d 100644 --- a/refpolicy/policy/modules/services/samba.te +++ b/refpolicy/policy/modules/services/samba.te @@ -21,6 +21,7 @@ files_type(samba_log_t) type samba_net_t; domain_type(samba_net_t) +role system_r types samba_net_t; type samba_net_exec_t; domain_entry_file(samba_net_t,samba_net_exec_t) @@ -126,7 +127,6 @@ optional_policy(`nscd.te',` ') ifdef(`TODO',` -role system_r types samba_net_t; in_user_role(samba_net_t) ') diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 1e34ffc..5afaeea 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -32,13 +32,6 @@ template(`authlogin_per_userdomain_template',` gen_require(` attribute can_read_shadow_passwords; type chkpwd_exec_t, system_chkpwd_t, shadow_t; - class file rx_file_perms; - class process { getattr transition sigchld }; - class capability setuid; - class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; - class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; - class fd use; - class fifo_file rw_file_perms; ') type $1_chkpwd_t, can_read_shadow_passwords; 
@@ -63,6 +56,8 @@ template(`authlogin_per_userdomain_template',` allow $1_chkpwd_t $2:fifo_file rw_file_perms; allow $1_chkpwd_t $2:process sigchld; + dontaudit $2 shadow_t:file { getattr read }; + # is_selinux_enabled kernel_read_system_state($1_chkpwd_t) @@ -114,7 +109,6 @@ template(`authlogin_per_userdomain_template',` ifdef(`TODO',` can_winbind($1) r_dir_file($1, cert_t) - dontaudit $1 shadow_t:file { getattr read }; ') ') diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 6e5af0f..5da415f 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -71,6 +71,11 @@ interface(`domain_type',` unconfined_sigchld($1) ') + # allow any domain to connect to the LDAP server + optional_policy(`ldap.te',` + ldap_use($1) + ') + # this seems highly questionable: optional_policy(`rpm.te',` rpm_use_fd($1) @@ -131,6 +136,24 @@ interface(`domain_dyntrans_type',` ######################################## ## +## Makes caller and execption to the constraint +## preventing changing to the system user +## identity and system role. +## +## +## Domain allowed access. +## +# +interface(`domain_system_change_exempt',` + gen_require(` + attribute can_system_change; + ') + + typeattribute $1 can_system_change; +') + +######################################## +## ## Makes caller an exception to the constraint preventing ## changing of user identity. ## diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 514724b..10118fe 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -78,6 +78,8 @@ corecmd_exec_shell(hotplug_t) corecmd_exec_sbin(hotplug_t) domain_use_wide_inherit_fd(hotplug_t) +# for ps +domain_dontaudit_read_all_domains_state(hotplug_t) files_read_etc_files(hotplug_t) files_manage_etc_runtime_files(hotplug_t) 
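Review bot: Calling `ldap_use($1)` from `domain_type()` makes every domain in the policy able to `connectto` slapd_t, lets slapd_t `acceptfrom` every domain's TCP sockets, and hands every domain `kernel_tcp_recvfrom`, which is the same blanket grant as the removed `can_tcp_connect(domain, slapd_t)` TODO but now baked into the generic domain constructor. If a blanket grant is really intended it belongs in ldap.te as a rule on the `domain` attribute, and better still only in the domains that actually use nss_ldap/pam_ldap, so a compromised unrelated service gains no path to the directory. At minimum the comment `# allow any domain to connect to the LDAP server` should say why this is unconditional rather than tunable, and `ldap_use` itself documents only `Use LDAP over TCP connection.` without mentioning the slapd-side rules it adds.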
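Review bot: The new `domain_system_change_exempt` header has a typo, `execption` should be `exception`, and the sentence reads more clearly as `Makes the caller an exception to the constraint preventing a change to the system user identity and system role.` It would also help to say where the exemption takes effect, since the interface only attaches the `can_system_change` attribute and the constraint is presumably in the constraints file; a line such as `## The constraint is defined in policy/constraints via can_system_change.` (confirm the location) tells readers where to look.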
@@ -187,16 +189,9 @@ optional_policy(`rhgb.te',` rhgb_domain(hotplug_t) ') -# for ps -dontaudit hotplug_t domain:dir { getattr search }; dontaudit hotplug_t { init_t kernel_t }:file read; optional_policy(`hald.te', ` allow hotplug_t hald_t:unix_dgram_socket sendto; ') - -# this block goes to hald: -optional_policy(`hotplug.te',` - hotplug_read_config(hald_t) -') ') dnl end TODO diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te index 5a0665c..f65de87 100644 --- a/refpolicy/policy/modules/system/raid.te +++ b/refpolicy/policy/modules/system/raid.te @@ -6,7 +6,7 @@ policy_module(raid,1.0) # Declarations # -type mdadm_t; # privmail +type mdadm_t; type mdadm_exec_t; init_daemon_domain(mdadm_t,mdadm_exec_t) role system_r types mdadm_t; @@ -67,6 +67,8 @@ miscfiles_read_localization(mdadm_t) userdom_dontaudit_use_unpriv_user_fd(mdadm_t) userdom_dontaudit_use_sysadm_tty(mdadm_t) +mta_send_mail(mdadm_t) + ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(mdadm_t) term_dontaudit_use_generic_pty(mdadm_t)