diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 15dd368..c92a2d1 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -13,6 +13,7 @@ pegasus postfix radius + rpc spamassassin xdm diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index 933d75c..68f3292 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -23,6 +23,9 @@ gen_tunable(allow_ftpd_anon_write,false) ## Allow gpg executable stack gen_tunable(allow_gpg_execstack,false) +## Allow gssd to read temp directory. +gen_tunable(allow_gssd_read_tmp,true) + ## Allow Apache to modify public files ## used for public file transfer services. gen_tunable(allow_httpd_anon_write,false) @@ -84,6 +87,12 @@ gen_tunable(httpd_unified,false) ## Generally this is used for dynamic DNS. gen_tunable(named_write_master_zones,false) +## Allow nfs to be exported read/write. +gen_tunable(nfs_export_all_rw,false) + +## Allow nfs to be exported read only +gen_tunable(nfs_export_all_ro,false) + ## Allow pppd to load kernel modules for certain modems gen_tunable(pppd_can_insmod,false) diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index d5c32a9..3ce30eb 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -526,6 +526,58 @@ interface(`fs_read_cifs_files',` ######################################## ## +## Read all noxattrfs directories. +## +## +## Domain allowed access. +## +# +interface(`fs_list_noxattr_fs',` + gen_require(` + attribute noxattrfs; + ') + + allow $1 noxattrfs:dir r_dir_perms; + +') + +######################################## +## +## Read all noxattrfs files. +## +## +## Domain allowed access. +## +# +interface(`fs_read_noxattr_fs_files',` + gen_require(` + attribute noxattrfs; + ') + + allow $1 noxattrfs:dir search; + allow $1 noxattrfs:file r_file_perms; + +') + +######################################## +## +## Read all noxattrfs symbolic links. +## +## +## Domain allowed access. +## +# +interface(`fs_read_noxattr_fs_symlinks',` + gen_require(` + attribute noxattrfs; + ') + + allow $1 noxattrfs:dir search; + allow $1 noxattrfs:lnk_file r_file_perms; +') + +######################################## +## ## Do not audit attempts to read ## files on a CIFS or SMB filesystem. ## @@ -1152,6 +1204,78 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## +## Read directories of RPC file system pipes. +## +## +## The type of the domain reading the symbolic links. +## +# +interface(`fs_read_rpc_dirs',` + gen_require(` + type rpc_pipefs_t; + class dir { getattr read search }; + ') + + allow $1 rpc_pipefs_t:dir { getattr read search }; + +') + +######################################## +## +## Read files of RPC file system pipes. +## +## +## The type of the domain reading the symbolic links. +## +# +interface(`fs_read_rpc_files',` + gen_require(` + type rpc_pipefs_t; + class file { read getattr }; + ') + + allow $1 rpc_pipefs_t:file { read getattr }; + +') + +######################################## +## +## Read symbolic links of RPC file system pipes. +## +## +## The type of the domain reading the symbolic links. +## +# +interface(`fs_read_rpc_symlinks',` + gen_require(` + type rpc_pipefs_t; + class lnk_file { getattr read }; + ') + + allow $1 rpc_pipefs_t:lnk_file { getattr read }; + +') + +######################################## +## +## Read sockets of RPC file system pipes. +## +## +## The type of the domain reading the symbolic links. +## +# +interface(`fs_read_rpc_sockets',` + gen_require(` + type rpc_pipefs_t; + class sock_file { read write }; + ') + + allow $1 rpc_pipefs_t:sock_file { read write }; + +') + +######################################## +## ## Create, read, write, and delete directories ## on a NFS filesystem. ## @@ -1399,6 +1523,43 @@ interface(`fs_getattr_nfsd_fs',` ######################################## ## +## Search NFS server directories. +## +## +## The type of the domain doing the +## search on nfsd directories. +## +# +interface(`fs_search_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + class dir search; + ') + + allow $1 nfsd_fs_t:dir search; +') + +######################################## +## +## Read and write NFS server files. +## +## +## The type of the domain doing the +## read or write on nfsd files. +## +# +interface(`fs_rw_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + class file rw_file_perms; + ') + + allow $1 nfsd_fs_t:file rw_file_perms; +') + + +######################################## +## ## Mount a RAM filesystem. ## ## diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index ad4a432..21b89ab 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -724,6 +724,23 @@ interface(`kernel_dontaudit_search_network_state',` ######################################## ## +## Allow searching of network state directory. +## +## +## The process type reading the state. +## +## +# +interface(`kernel_search_network_state',` + gen_require(` + type proc_net_t; + ') + + allow $1 proc_net_t:dir search; +') + +######################################## +## ## Allow caller to read the network state information. ## ## @@ -745,6 +762,27 @@ interface(`kernel_read_network_state',` ######################################## ## +## Allow caller to read the network state symbolic links. +## +## +## The process type reading the state. +## +## +# +interface(`kernel_read_network_state_symlinks',` + gen_require(` + type proc_t, proc_net_t; + class dir r_dir_perms; + class lnk_file r_file_perms; + ') + + allow $1 proc_t:dir search; + allow $1 proc_net_t:dir r_dir_perms; + allow $1 proc_net_t:lnk_file r_file_perms; +') + +######################################## +## ## Do not audit attempts by caller to search ## the base directory of sysctls. ## @@ -763,6 +801,24 @@ interface(`kernel_dontaudit_search_sysctl',` ######################################## ## +## Allow access to read sysctl directories. +## +## +## The process type to allow to read sysctl directories. +## +## +# +interface(`kernel_read_sysctl',` + gen_require(` + type sysctl_t; + class dir r_dir_perms; + ') + + allow $1 sysctl_t:dir r_dir_perms; +') + +######################################## +## ## Allow caller to read the device sysctls. ## ## diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 39b9e4e..87f988e 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -221,6 +221,53 @@ ifdef(`targeted_policy',` unconfined_domain_template(kernel_t) ') +optional_policy(`rpc.te',` + # nfs kernel server needs kernel UDP access. It is less risky and painful + # to just give it everything. + allow kernel_t self:tcp_socket create_stream_socket_perms; + allow kernel_t self:udp_socket { connect }; + allow kernel_t self:tcp_socket connected_socket_perms; + allow kernel_t self:udp_socket connected_socket_perms; + + # nfs kernel server needs kernel UDP access. It is less risky and painful + # to just give it everything. + corenet_udp_sendrecv_all_if(kernel_t) + corenet_udp_sendrecv_all_nodes(kernel_t) + corenet_tcp_bind_all_nodes(kernel_t) + corenet_udp_bind_all_nodes(kernel_t) + corenet_tcp_sendrecv_all_ports(kernel_t) + corenet_udp_sendrecv_all_ports(kernel_t) + + auth_dontaudit_getattr_shadow(kernel_t) + + sysnet_read_config(kernel_t) + + rpc_manage_nfs_ro_content(kernel_t) + rpc_manage_nfs_rw_content(kernel_t) + + rpc_udp_rw_nfs_sockets(kernel_t) + #rpc_udp_sendto_sockets(kernel_t) + rpc_udp_sendto_nfs(kernel_t) + + tunable_policy(`nfs_export_all_ro',` + fs_list_noxattr_fs(kernel_t) + fs_read_noxattr_fs_files(kernel_t) + fs_read_noxattr_fs_symlinks(kernel_t) + + auth_read_all_dirs_except_shadow(kernel_t) + auth_read_all_files_except_shadow(kernel_t) + auth_read_all_symlinks_except_shadow(kernel_t) + ') + + tunable_policy(`nfs_export_all_rw',` + fs_list_noxattr_fs(kernel_t) + fs_read_noxattr_fs_files(kernel_t) + fs_read_noxattr_fs_symlinks(kernel_t) + + auth_manage_all_files_except_shadow(kernel_t) + ') +') + ######################################## # # Unlabeled process local policy diff --git a/refpolicy/policy/modules/services/portmap.if b/refpolicy/policy/modules/services/portmap.if index c2934b9..ba50160 100644 --- a/refpolicy/policy/modules/services/portmap.if +++ b/refpolicy/policy/modules/services/portmap.if @@ -77,3 +77,40 @@ interface(`portmap_udp_sendto',` allow $1 portmap_t:udp_socket sendto; allow portmap_t $1:udp_socket recvfrom; ') + +######################################## +## +## Send and receive UDP network traffic from portmap. +## +## +## Domain allowed access. +## +# +interface(`portmap_udp_sendrecv',` + gen_require(` + type portmap_t; + ') + + allow $1 portmap_t:udp_socket sendto; + allow portmap_t $1:udp_socket recvfrom; + allow portmap_t $1:udp_socket sendto; + allow $1 portmap_t:udp_socket recvfrom; +') + +######################################## +## +## Connect to portmap over a TCP socket +## +## +## The type of the process performing this action. +## +# +interface(`portmap_tcp_connect',` + gen_require(` + type portmap_t; + ') + + allow $1 portmap_t:tcp_socket { connectto recvfrom }; + allow portmap_t $1:tcp_socket { acceptfrom recvfrom }; + kernel_tcp_recvfrom($1) +') diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te index be80b85..5c4e9ce 100644 --- a/refpolicy/policy/modules/services/portmap.te +++ b/refpolicy/policy/modules/services/portmap.te @@ -45,6 +45,7 @@ kernel_read_kernel_sysctl(portmap_t) kernel_list_proc(portmap_t) kernel_read_proc_symlinks(portmap_t) kernel_udp_sendfrom(portmap_t) +kernel_tcp_recvfrom(portmap_t) corenet_tcp_sendrecv_all_if(portmap_t) corenet_udp_sendrecv_all_if(portmap_t) @@ -118,6 +119,10 @@ optional_policy(`nscd.te',` nscd_use_socket(portmap_t) ') +optional_policy(`rpc.te',` + rpc_udp_sendto_nfs(portmap_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(portmap_t) ') diff --git a/refpolicy/policy/modules/services/rpc.fc b/refpolicy/policy/modules/services/rpc.fc new file mode 100644 index 0000000..ac3475e --- /dev/null +++ b/refpolicy/policy/modules/services/rpc.fc @@ -0,0 +1,25 @@ +# +# /etc +# +/etc/exports -- gen_context(system_u:object_r:exports_t,s0) + +# +# /sbin +# +/sbin/rpc\..* -- gen_context(system_u:object_r:rpc_exec_t,s0) + +# +# /usr +# +/usr/sbin/exportfs -- gen_context(system_u:object_r:nfsd_exec_t,s0) +/usr/sbin/rpc.idmapd -- gen_context(system_u:object_r:rpc_exec_t,s0) +/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) +/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) +/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) +/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) + +# +# /var +# +/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpc_var_run_t,s0) +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpc_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if new file mode 100644 index 0000000..06e0066 --- /dev/null +++ b/refpolicy/policy/modules/services/rpc.if @@ -0,0 +1,263 @@ +## Remote Procedure Call Daemon for managment of network based process communication + +####################################### +## +## The template to define a rpc domain. +## +## +##

+## This template creates a domain to be used for +## a new rpc daemon. +##

+##
+## +## The type of daemon to be used. +## +# +template(`rpc_domain_template', ` + ######################################## + # + # Declarations + # + + type $1_t; + type $1_exec_t; + init_daemon_domain($1_t,$1_exec_t) + domain_use_wide_inherit_fd($1_t) + + #################################### + # + # Local Policy + # + + dontaudit $1_t self:capability { net_admin sys_tty_config }; + allow $1_t self:capability net_bind_service; + allow $1_t self:process signal_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:netlink_route_socket r_netlink_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + + allow $1_t var_lib_nfs_t:dir create_dir_perms; + allow $1_t var_lib_nfs_t:file create_file_perms; + + kernel_list_proc($1_t) + kernel_read_proc_symlinks($1_t) + kernel_read_kernel_sysctl($1_t) + # bind to arbitary unused ports + kernel_rw_rpc_sysctl($1_t) + + dev_read_sysfs($1_t) + + corenet_tcp_sendrecv_all_if($1_t) + corenet_udp_sendrecv_all_if($1_t) + corenet_raw_sendrecv_all_if($1_t) + corenet_tcp_sendrecv_all_nodes($1_t) + corenet_udp_sendrecv_all_nodes($1_t) + corenet_raw_sendrecv_all_nodes($1_t) + corenet_tcp_sendrecv_all_ports($1_t) + corenet_udp_sendrecv_all_ports($1_t) + corenet_tcp_bind_all_nodes($1_t) + corenet_udp_bind_all_nodes($1_t) + corenet_tcp_bind_reserved_port($1_t) + corenet_tcp_bind_reserved_port($1_t) + corenet_tcp_connect_all_ports($1_t) + # do not log when it tries to bind to a port belonging to another domain + corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) + corenet_dontaudit_udp_bind_all_reserved_ports($1_t) + # bind to arbitary unused ports + corenet_tcp_bind_generic_port($1_t) + + fs_search_auto_mountpoints($1_t) + + term_dontaudit_use_console($1_t) + + files_read_etc_files($1_t) + files_read_etc_runtime_files($1_t) + files_search_var($1_t) + files_search_var_lib_dir($1_t) + + init_use_fd($1_t) + init_use_script_pty($1_t) + + libs_use_ld_so($1_t) + libs_use_shared_libs($1_t) + + logging_send_syslog_msg($1_t) + + miscfiles_read_localization($1_t) + + sysnet_read_config($1_t) + + userdom_dontaudit_use_unpriv_user_fd($1_t) + + ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty($1_t) + term_dontaudit_use_generic_pty($1_t) + files_dontaudit_read_root_file($1_t) + ') + + optional_policy(`mount.te',` + mount_send_nfs_client_request($1_t) + ') + + optional_policy(`nis.te',` + nis_use_ypbind($1_t) + ') + + optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole($1_t) + ') + + optional_policy(`udev.te', ` + udev_read_db($1_t) + ') + + ifdef(`TODO',` + optional_policy(`rhgb.te',` + rhgb_domain($1_t) + ') + ') +') + +######################################## +## +## Send UDP network traffic to rpc and recieve UDP traffic from rpc. +## +## +## The type of the process performing this action. +## +# +interface(`rpc_udp_sendto',` + gen_require(` + type rpc_t; + ') + + allow $1 rpc_t:udp_socket sendto; + allow rpc_t $1:udp_socket recvfrom; +') + +######################################## +## +## Allow read access to exports. +## +## +## The type of the process performing this action. +## +# +interface(`rpc_read_exports',` + gen_require(` + type exports_t; + ') + + allow $1 exports_t:file r_file_perms; +') + +######################################## +## +## Allow write access to exports. +## +## +## The type of the process performing this action. +## +# +interface(`rpc_write_exports',` + gen_require(` + type exports_t; + ') + + allow $1 exports_t:file write; +') + +######################################## +## +## Execute domain in nfsd domain. +## +## +## The type of the process performing this action. +## +# +interface(`rpc_domtrans_nfsd',` + gen_require(` + type nfsd_t, nfsd_exec_t; + ') + + domain_auto_trans($1,nfsd_exec_t,nfsd_t) + + allow $1 nfsd_t:fd use; + allow nfsd_t $1:fd use; + allow nfsd_t $1:fifo_file rw_file_perms; + allow nfsd_t $1:process sigchld; +') + +######################################## +## +## Allow domain to create read and write NFS directories. +## +## +## Domain allowed access. +## +# +interface(`rpc_manage_nfs_rw_content',` + gen_require(` + type nfsd_rw_t; + ') + + allow $1 nfsd_rw_t:dir manage_dir_perms; + allow $1 nfsd_rw_t:file manage_file_perms; + allow $1 nfsd_rw_t:lnk_file create_lnk_perms; +') + +######################################## +## +## Allow domain to create read and write NFS directories. +## +## +## Domain allowed access. +## +# +interface(`rpc_manage_nfs_ro_content',` + gen_require(` + type nfsd_ro_t; + ') + + allow $1 nfsd_ro_t:dir manage_dir_perms; + allow $1 nfsd_ro_t:file manage_file_perms; + allow $1 nfsd_ro_t:lnk_file create_lnk_perms; +') + +######################################## +## +## Allow domain to read and write to an NFS UDP socket. +## +## +## Domain allowed access. +## +# +interface(`rpc_udp_rw_nfs_sockets',` + gen_require(` + type nfsd_t; + ') + + allow $1 nfsd_t:udp_socket rw_socket_perms; + +') + +######################################## +## +## Allow NFS to send UDP network traffic +## the specified domain and recieve from it. +## +## +## The type of the receiving domain. +## +# +interface(`rpc_udp_sendto_nfs',` + gen_require(` + type nfsd_t; + ') + + allow nfsd_t $1:udp_socket sendto; + allow $1 nfsd_t:udp_socket recvfrom; +') diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te new file mode 100644 index 0000000..19e8aab --- /dev/null +++ b/refpolicy/policy/modules/services/rpc.te @@ -0,0 +1,143 @@ + +policy_module(rpc,1.0) + +######################################## +# +# Declarations +# + +type exports_t; +files_type(exports_t) + +rpc_domain_template(gssd) + +type gssd_tmp_t; +files_tmp_file(gssd_tmp_t) + +type rpc_var_run_t; +files_pid_file(rpc_var_run_t) + +# rpc_t is the domain of rpc daemons. +# rpc_exec_t is the type of rpc daemon programs. +rpc_domain_template(rpc) + +rpc_domain_template(nfsd) + +type nfsd_rw_t; +files_type(nfsd_rw_t) + +type nfsd_ro_t; +files_type(nfsd_ro_t) + +type var_lib_nfs_t; +files_type(var_lib_nfs_t) + +######################################## +# +# RPC local policy +# + +allow rpc_t self:fifo_file rw_file_perms; +allow rpc_t self:file { getattr read }; + +dontaudit userdomain exports_t:file getattr; +allow rpc_t rpc_var_run_t:file create_file_perms; +allow rpc_t rpc_var_run_t:dir create_dir_perms; +allow rpc_t rpc_var_run_t:dir setattr; +files_create_pid(rpc_t,rpc_var_run_t) + +kernel_search_network_state(rpc_t) +# for rpc.rquotad +kernel_read_sysctl(rpc_t) + +fs_read_rpc_dirs(rpc_t) +fs_read_rpc_files(rpc_t) +fs_read_rpc_symlinks(rpc_t) +fs_read_rpc_sockets(rpc_t) +term_use_controlling_term(rpc_t) + +seutil_dontaudit_search_config(rpc_t) + +# rpc_t needs to talk to the portmap_t domain +portmap_udp_sendrecv(rpc_t) + +ifdef(`distro_redhat', ` + allow rpc_t self:capability { chown dac_override setgid setuid }; +') + +######################################## +# +# NFSD local policy +# + +allow nfsd_t self:capability { sys_admin sys_resource }; + +allow nfsd_t exports_t:file { getattr read }; +allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms; + +# for /proc/fs/nfs/exports - should we have a new type? +kernel_read_system_state(nfsd_t) +kernel_read_network_state(nfsd_t) +kernel_udp_sendfrom(nfsd_t) +kernel_tcp_recvfrom(nfsd_t) + +fs_mount_nfsd_fs(nfsd_t) +fs_search_nfsd_fs(nfsd_t) +fs_getattr_all_fs(nfsd_t) +fs_rw_nfsd_fs(nfsd_t) + +term_use_controlling_term(nfsd_t) + +# does not really need this, but it is easier to just allow it +files_search_pids(nfsd_t) +# for exportfs and rpc.mountd +files_getattr_tmp_dir(nfsd_t) + +portmap_tcp_connect(nfsd_t) +portmap_udp_sendrecv(nfsd_t) + +tunable_policy(`nfs_export_all_rw',` + auth_read_all_dirs_except_shadow(nfsd_t) + fs_read_noxattr_fs_files(nfsd_t) +') + +tunable_policy(`nfs_export_all_ro',` + auth_read_all_dirs_except_shadow(nfsd_t) + fs_read_noxattr_fs_files(nfsd_t) +') + +######################################## +# +# GSSD local policy +# + +allow gssd_t self:capability { dac_override dac_read_search setuid }; +allow gssd_t self:fifo_file { read write }; + +allow gssd_t gssd_tmp_t:dir create_dir_perms; +allow gssd_t gssd_tmp_t:file create_file_perms; +files_create_tmp_files(gssd_t, gssd_tmp_t, { file dir }) + +kernel_read_network_state(gssd_t) +kernel_read_network_state_symlinks(gssd_t) + +dev_read_urand(gssd_t) + +fs_read_rpc_dirs(gssd_t) +fs_read_rpc_sockets(gssd_t) +fs_read_rpc_files(gssd_t) + +files_read_tmp(gssd_t) +files_read_tmp_files(gssd_t) +files_read_tmp_symlinks(gssd_t) + +tunable_policy(`allow_gssd_read_tmp',` + userdom_list_unpriv_user_tmp(gssd_t) + userdom_read_unpriv_user_tmp_files(gssd_t) + userdom_read_unpriv_user_tmp_symlinks(gssd_t) +') + +optional_policy(`kerberos.te',` + kerberos_use(gssd_t) + kerberos_read_keytab(gssd_t) +') diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 5dc7695..1829987 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -650,6 +650,69 @@ interface(`auth_delete_pam_console_data',` ######################################## ## +## Read all directories on the filesystem, except +## the shadow passwords and listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +# +interface(`auth_read_all_dirs_except_shadow',` + gen_require(` + type shadow_t; + ') + + files_read_all_dirs_except($1,$2 -shadow_t) +') + +######################################## +## +## Read all files on the filesystem, except +## the shadow passwords and listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +# +interface(`auth_read_all_files_except_shadow',` + gen_require(` + type shadow_t; + ') + + files_read_all_files_except($1,$2 -shadow_t) +') + +######################################## +## +## Read all symbolic links on the filesystem, except +## the shadow passwords and listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +# +interface(`auth_read_all_symlinks_except_shadow',` + gen_require(` + type shadow_t; + ') + + files_read_all_symlinks_except($1,$2 -shadow_t) +') + +######################################## +## ## Relabel all files on the filesystem, except ## the shadow passwords and listed exceptions. ## diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index a306ffe..59d562a 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -403,6 +403,73 @@ interface(`files_read_all_files',` ######################################## ## +## Read all directories on the filesystem, except +## the listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +# +interface(`files_read_all_dirs_except',` + gen_require(` + attribute file_type; + ') + + allow $1 { file_type $2 }:dir r_dir_perms; +') + +######################################## +## +## Read all files on the filesystem, except +## the listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +# +interface(`files_read_all_files_except',` + gen_require(` + attribute file_type; + ') + + allow $1 { file_type $2 }:dir search; + allow $1 { file_type $2 }:file r_file_perms; + +') + +######################################## +## +## Read all symbloic links on the filesystem, except +## the listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +# +interface(`files_read_all_symlinks_except',` + gen_require(` + attribute file_type; + ') + + allow $1 { file_type $2 }:dir search; + allow $1 { file_type $2 }:lnk_file r_file_perms; + +') + +######################################## +## ## Get the attributes of all symbolic links. ## ## @@ -1941,6 +2008,23 @@ interface(`files_dontaudit_getattr_tmp_dir',` ######################################## ## +## Allow domain to getattr on /tmp directory. +## +## +## The type of the process performing this action. +## +# +interface(`files_getattr_tmp_dir',` + gen_require(` + type tmp_t; + class dir getattr; + ') + + allow $1 tmp_t:dir getattr; +') + +######################################## +## ## Search the tmp directory (/tmp). ## ## @@ -1958,6 +2042,57 @@ interface(`files_search_tmp',` ######################################## ## +## Read the tmp directory (/tmp). +## +## +## The type of the process performing this action. +## +# +interface(`files_read_tmp',` + gen_require(` + type tmp_t; + class dir r_dir_perms; + ') + + allow $1 tmp_t:dir r_dir_perms; +') + +######################################## +## +## Read files in the tmp directory (/tmp). +## +## +## The type of the process performing this action. +## +# +interface(`files_read_tmp_files',` + gen_require(` + type tmp_t; + class file r_file_perms; + ') + + allow $1 tmp_t:file r_file_perms; +') + +######################################## +## +## Read symbolic links in the tmp directory (/tmp). +## +## +## The type of the process performing this action. +## +# +interface(`files_read_tmp_symlinks',` + gen_require(` + type tmp_t; + class lnk_file r_file_perms; + ') + + allow $1 tmp_t:lnk_file r_file_perms; +') + +######################################## +## ## Set the attributes of all tmp directories. ## ## @@ -2371,6 +2506,24 @@ interface(`files_create_var',` ######################################## ## +## Search directories in /var/lib. +## +## +## The type of the process performing this action. +## +# +interface(`files_search_var_lib_dir',` + gen_require(` + type var_t, var_lib_t; + class dir search; + ') + + allow $1 var_t:dir search; + allow $1 var_lib_t:dir search; +') + +######################################## +## ## Get the attributes of the /var/lib directory. ## ## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index ae6c889..70c9cd6 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -426,6 +426,11 @@ ifdef(`distro_redhat',` optional_policy(`bind.te',` bind_manage_config_dir(initrc_t) ') + + optional_policy(`rpc.te',` + #for /etc/rc.d/init.d/nfs to create /etc/exports + rpc_write_exports(initrc_t) + ') ') ifdef(`targeted_policy',` @@ -551,6 +556,10 @@ optional_policy(`raid.te',` raid_manage_mdadm_pid(initrc_t) ') +optional_policy(`rpc.te',` + rpc_read_exports(initrc_t) +') + optional_policy(`postgresql.te',` postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 541f199..5cef4cc 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -2247,6 +2247,54 @@ interface(`userdom_read_unpriv_user_home_files',` ######################################## ## +## Read all unprivileged users temporary directories. +## +## +## Domain allowed access. +## +# +interface(`userdom_list_unpriv_user_tmp',` + gen_require(` + attribute user_tmpfile; + ') + + allow $1 user_tmpfile:dir list_dir_perms; +') + +######################################## +## +## Read all unprivileged users temporary files. +## +## +## Domain allowed access. +## +# +interface(`userdom_read_unpriv_user_tmp_files',` + gen_require(` + attribute user_tmpfile; + ') + + allow $1 user_tmpfile:file { read getattr }; +') + +######################################## +## +## Read all unprivileged users temporary symbolic links. +## +## +## Domain allowed access. +## +# +interface(`userdom_read_unpriv_user_tmp_symlinks',` + gen_require(` + attribute user_tmpfile; + ') + + allow $1 user_tmpfile:lnk_file { getattr read }; +') + +######################################## +## ## Write all unprivileged users files in /tmp ## ## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index cda95a5..e23c94d 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -218,6 +218,10 @@ ifdef(`targeted_policy',` netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`rpc.te',` + rpc_domtrans_nfsd(sysadm_t) + ') + optional_policy(`ntp.te',` ntp_stub() corenet_udp_bind_ntp_port(sysadm_t)