diff --git a/refpolicy/Changelog b/refpolicy/Changelog index ead8afb..275d6bc 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -14,7 +14,9 @@ alsa automount cdrecord + daemontools (Petre Rodan) ddcprobe + djbdns (Petre Rodan) fetchmail irc java @@ -22,6 +24,7 @@ logwatch (Dan Walsh) openct prelink (Dan Walsh) + publicfile (Petre Rodan) readahead roundup screen @@ -29,6 +32,7 @@ slrnpull smartmon sysstat + ucspitcp (Petre Rodan) usbmodules vbetool (Dan Walsh) diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index 0dcf3a2..a0cb9e7 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.1.2) +policy_module(apache,1.1.3) # # NOTES: @@ -395,6 +395,10 @@ tunable_policy(`httpd_tty_comm',` userdom_dontaudit_use_sysadm_terms(httpd_t) ') +optional_policy(`daemontools',` + daemontools_service_domain(httpd_t, httpd_exec_t) +') + optional_policy(`kerberos',` kerberos_use(httpd_t) ') diff --git a/refpolicy/policy/modules/services/djbdns.fc b/refpolicy/policy/modules/services/djbdns.fc new file mode 100644 index 0000000..fdb6652 --- /dev/null +++ b/refpolicy/policy/modules/services/djbdns.fc @@ -0,0 +1,9 @@ + +/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0) +/usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0) +/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0) + +/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0) +/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0) +/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0) + diff --git a/refpolicy/policy/modules/services/djbdns.if b/refpolicy/policy/modules/services/djbdns.if new file mode 100644 index 0000000..7f1bda3 --- /dev/null +++ b/refpolicy/policy/modules/services/djbdns.if 
@@ -0,0 +1,53 @@
+## small and secure DNS daemon
+
+########################################
+##
+## Create a set of derived types for djbdns
+## components that are directly supervised by daemontools.
+##
+##
+## The prefix to be used for deriving type names.
+##
+#
+template(`djbdns_daemontools_domain_template',`
+
+ type djbdns_$1_t;
+ type djbdns_$1_exec_t;
+ type djbdns_$1_conf_t;
+ files_config_file(djbdns_$1_conf_t)
+
+ domain_type(djbdns_$1_t)
+ domain_entry_file(djbdns_$1_t,djbdns_$1_exec_t)
+ role system_r types djbdns_$1_t;
+
+ daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
+ daemontools_read_svc(djbdns_$1_t)
+
+ allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
+ allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
+ allow djbdns_$1_t self:udp_socket create_socket_perms;
+ allow djbdns_$1_t port_t:udp_socket name_bind;
+
+ allow djbdns_$1_t djbdns_$1_conf_t:dir r_dir_perms;
+ allow djbdns_$1_t djbdns_$1_conf_t:file r_file_perms;
+
+ corenet_tcp_sendrecv_all_if(djbdns_$1_t)
+ corenet_udp_sendrecv_all_if(djbdns_$1_t)
+ corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
+ corenet_udp_sendrecv_all_nodes(djbdns_$1_t)
+ corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_non_ipsec_sendrecv(djbdns_$1_t)
+ corenet_tcp_bind_all_nodes(djbdns_$1_t)
+ corenet_udp_bind_all_nodes(djbdns_$1_t)
+
+ corenet_tcp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_dns_port(djbdns_$1_t)
+
+ files_search_var(djbdns_$1_t)
+
+ libs_use_ld_so(djbdns_$1_t)
+ libs_use_shared_libs(djbdns_$1_t)
+
+')
+
diff --git a/refpolicy/policy/modules/services/djbdns.te b/refpolicy/policy/modules/services/djbdns.te
new file mode 100644
index 0000000..a51e8c6
--- /dev/null
+++ b/refpolicy/policy/modules/services/djbdns.te
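Review bot: In djbdns.if the template writes `allow djbdns_$1_t port_t:udp_socket name_bind;` as a raw rule against a type owned by another module, so every domain built from it (dnscache and tinydns in djbdns.te) may bind any generically labelled UDP port on top of the DNS port. The ucspitcp policy in this same commit already uses the interface for this, so the line should be `corenet_udp_bind_generic_port(djbdns_$1_t)`. If only the resolver needs arbitrary source ports (an assumption about the daemons, not something the hunk shows), move that call out of the template into dnscache-specific policy so tinydns stays limited to the DNS port.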
@@ -0,0 +1,47 @@ + +policy_module(djbdns,1.0.0) + +######################################## +# +# Declarations +# + +type djbdns_axfrdns_t; +type djbdns_axfrdns_exec_t; +type djbdns_axfrdns_conf_t; +domain_type(djbdns_axfrdns_t) +domain_entry_file(djbdns_axfrdns_t,djbdns_axfrdns_exec_t) +role system_r types djbdns_axfrdns_t; +files_config_file(djbdns_axfrdns_conf_t) + +djbdns_daemontools_domain_template(dnscache) + +djbdns_daemontools_domain_template(tinydns) + +######################################## +# +# Local policy for axfrdns component +# + +files_config_file(djbdns_axfrdns_conf_t) + +daemontools_ipc_domain(djbdns_axfrdns_t) +daemontools_read_svc(djbdns_axfrdns_t) + +allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot }; + +allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir r_dir_perms; +allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file r_file_perms; + +allow djbdns_axfrdns_t djbdns_tinydns_t:dir r_dir_perms; +allow djbdns_axfrdns_t djbdns_tinydns_t:file r_file_perms; + +allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir r_dir_perms; +allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file r_file_perms; + +files_search_var(djbdns_axfrdns_t) + +libs_use_ld_so(djbdns_axfrdns_t) +libs_use_shared_libs(djbdns_axfrdns_t) + +ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index d83523a..b00211c 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te @@ -1,5 +1,5 @@ -policy_module(ftp,1.1.1) +policy_module(ftp,1.1.2) ######################################## # @@ -193,6 +193,10 @@ optional_policy(`cron',` ') ') +optional_policy(`daemontools',` + daemontools_service_domain(ftpd_t, ftpd_exec_t) +') + optional_policy(`inetd',` #reh: typeattributes not allowed in conditionals yet. #tunable_policy(`! ftpd_is_daemon',` 
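Review bot: In djbdns.te, `allow djbdns_axfrdns_t djbdns_tinydns_t:dir r_dir_perms;` and the matching `:file` rule target the tinydns process domain rather than a file type, which in practice means read access to the /proc entries of tinydns processes. The two rules that follow already grant read on `djbdns_tinydns_conf_t`, so these look like leftovers and should be dropped unless axfrdns is known to need them. `files_config_file(djbdns_axfrdns_conf_t)` is also stated twice, once under Declarations and again under the axfrdns local policy. The axfrdns domain is declared by hand with `domain_type`, `domain_entry_file` and `role system_r types`, and is then passed to `ucspitcp_service_domain`, which repeats the same three statements.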
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te index bbfa13d..5ac8547 100644 --- a/refpolicy/policy/modules/services/mysql.te +++ b/refpolicy/policy/modules/services/mysql.te @@ -1,5 +1,5 @@ -policy_module(mysql,1.1.0) +policy_module(mysql,1.1.1) ######################################## # @@ -121,6 +121,10 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_file(mysqld_t) ') +optional_policy(`daemontools',` + daemontools_service_domain(mysqld_t, mysqld_exec_t) +') + optional_policy(`mount',` mount_send_nfs_client_request(mysqld_t) ') @@ -140,12 +144,3 @@ optional_policy(`selinuxutil',` optional_policy(`udev',` udev_read_db(mysqld_t) ') - -ifdef(`TODO',` -optional_policy(`daemontools',` - domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t) - mysqld_signal(svc_start_t) - - svc_ipc_domain(mysqld_t) -') -') dnl end TODO diff --git a/refpolicy/policy/modules/services/publicfile.fc b/refpolicy/policy/modules/services/publicfile.fc new file mode 100644 index 0000000..5b20b68 --- /dev/null +++ b/refpolicy/policy/modules/services/publicfile.fc @@ -0,0 +1,7 @@ + +/usr/bin/ftpd -- gen_context(system_u:object_r:publicfile_exec_t,s0) +/usr/bin/httpd -- gen_context(system_u:object_r:publicfile_exec_t,s0) + +# this is the place where online content located +# set this to suit your needs +#/var/www(/.*)? gen_context(system_u:object_r:publicfile_content_t,s0) diff --git a/refpolicy/policy/modules/services/publicfile.if b/refpolicy/policy/modules/services/publicfile.if new file mode 100644 index 0000000..5b07592 --- /dev/null +++ b/refpolicy/policy/modules/services/publicfile.if @@ -0,0 +1 @@ +## publicfile supplies files to the public through HTTP and FTP diff --git a/refpolicy/policy/modules/services/publicfile.te b/refpolicy/policy/modules/services/publicfile.te new file mode 100644 index 0000000..ceab2ae --- /dev/null +++ b/refpolicy/policy/modules/services/publicfile.te 
@@ -0,0 +1,39 @@ + +policy_module(publicfile,1.0.0) + +######################################## +# +# Declarations +# + +type publicfile_t; +type publicfile_exec_t; +init_system_domain(publicfile_t,publicfile_exec_t) +role system_r types publicfile_t; + +type publicfile_content_t; +files_type(publicfile_content_t) + +######################################## +# +# Local policy +# + +allow publicfile_t self:capability { dac_override setgid setuid sys_chroot }; +allow publicfile_t publicfile_content_t:dir r_dir_perms; +allow publicfile_t publicfile_content_t:file r_file_perms; + +files_search_var(publicfile_t) + +libs_use_ld_so(publicfile_t) +libs_use_shared_libs(publicfile_t) + +optional_policy(`daemontools',` + daemontools_ipc_domain(publicfile_t) +') + +optional_policy(`ucspitcp',` + ucspitcp_service_domain(publicfile_t, publicfile_exec_t) +') + +#allow publicfile_t initrc_t:tcp_socket { read write }; diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te index d439016..cac34c8 100644 --- a/refpolicy/policy/modules/services/rsync.te +++ b/refpolicy/policy/modules/services/rsync.te @@ -1,5 +1,5 @@ -policy_module(rsync,1.1.0) +policy_module(rsync,1.1.2) ######################################## # @@ -87,6 +87,10 @@ tunable_policy(`allow_rsync_anon_write',` miscfiles_manage_public_files(rsync_t) ') +optional_policy(`daemontools',` + daemontools_service_domain(rsync_t, rsync_exec_t) +') + optional_policy(`kerberos',` kerberos_use(rsync_t) ') diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te index db4955f..9cd121c 100644 --- a/refpolicy/policy/modules/services/spamassassin.te +++ b/refpolicy/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin,1.1.1) +policy_module(spamassassin,1.1.2) ######################################## # 
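Review bot: In publicfile.te, `allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };` lets a read-only file server bypass file permission checks; setgid, setuid and sys_chroot fit a chroot-and-drop-privileges start-up, but nothing in the hunk explains `dac_override`. Drop it, or keep it with a comment naming the access that fails without it. The trailing `#allow publicfile_t initrc_t:tcp_socket { read write };` is dead policy and should be removed or replaced by a documented rule. Since publicfile.fc leaves the only `publicfile_content_t` context commented out, a header comment here should say that the administrator has to label the content tree before the daemon can read anything.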
@@ -136,6 +136,10 @@ optional_policy(`cron',` cron_system_entry(spamd_t,spamd_exec_t) ') +optional_policy(`daemontools',` + daemontools_service_domain(spamd_t,spamd_exec_t) +') + optional_policy(`nis',` nis_use_ypbind(spamd_t) ') diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index e0697b8..79a51c7 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh,1.1.1) +policy_module(ssh,1.1.2) ######################################## # @@ -113,6 +113,10 @@ ifdef(`targeted_policy',`',` userdom_signal_unpriv_users(sshd_t) ') + optional_policy(`daemontools',` + daemontools_service_domain(sshd_t, sshd_exec_t) + ') + optional_policy(`rpm',` rpm_use_script_fd(sshd_t) ') diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te index 923c05c..07f2551 100644 --- a/refpolicy/policy/modules/services/stunnel.te +++ b/refpolicy/policy/modules/services/stunnel.te @@ -103,6 +103,10 @@ ifdef(`distro_gentoo', ` files_dontaudit_read_root_file(stunnel_t) ') + optional_policy(`daemontools',` + daemontools_service_domain(stunnel_t, stunnel_exec_t) + ') + optional_policy(`mount',` mount_send_nfs_client_request(stunnel_t) ') diff --git a/refpolicy/policy/modules/services/ucspitcp.fc b/refpolicy/policy/modules/services/ucspitcp.fc new file mode 100644 index 0000000..667d0b5 --- /dev/null +++ b/refpolicy/policy/modules/services/ucspitcp.fc @@ -0,0 +1,3 @@ + +/usr/bin/rblsmtpd -- gen_context(system_u:object_r:rblsmtpd_exec_t,s0) +/usr/bin/tcpserver -- gen_context(system_u:object_r:ucspitcp_exec_t,s0) diff --git a/refpolicy/policy/modules/services/ucspitcp.if b/refpolicy/policy/modules/services/ucspitcp.if new file mode 100644 index 0000000..0d1990d --- /dev/null +++ b/refpolicy/policy/modules/services/ucspitcp.if 
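Review bot: stunnel.te gains the daemontools `optional_policy` block, but its diff has no `policy_module` version hunk, unlike apache.te, ftp.te, mysql.te, rsync.te, spamassassin.te and ssh.te in this commit. The version line is outside the visible hunk, so confirm and bump it with the others. rsync also jumps from 1.1.0 to 1.1.2, which is worth a check that 1.1.1 was not skipped by mistake. In ssh.te and stunnel.te the new block is indented under a construct that opens outside the hunk; a short comment stating which build variant it is limited to would make the difference from the other service modules deliberate rather than accidental.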
@@ -0,0 +1,36 @@
+## ucspitcp policy
+##
+##
+## Policy for DJB's ucspi-tcpd
+##
+##
+
+########################################
+##
+## Define a specified domain as a ucspitcp service.
+##
+##
+## Domain allowed access.
+##
+##
+## The type associated with the process program.
+##
+#
+interface(`ucspitcp_service_domain', `
+ gen_require(`
+ type ucspitcp_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1,$2)
+
+ role system_r types $1;
+
+ domain_auto_trans(ucspitcp_t, $2, $1)
+
+ allow $1 ucspitcp_t:fd use;
+ allow $1 ucspitcp_t:process sigchld;
+ allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
+')
+
diff --git a/refpolicy/policy/modules/services/ucspitcp.te b/refpolicy/policy/modules/services/ucspitcp.te
new file mode 100644
index 0000000..cdaa0fb
--- /dev/null
+++ b/refpolicy/policy/modules/services/ucspitcp.te
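Review bot: In ucspitcp.if, `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;` gives every service started by tcpserver more than an inherited connection needs; as far as I recall the refpolicy permission sets, `rw_stream_socket_perms` also carries bind, connect, listen and accept, which should be confirmed against the permission-set definitions. A connected socket handed over on stdin/stdout normally needs little beyond read, write, getattr and the option/shutdown permissions, so an explicit short list would be the least-privilege form. The interface also runs `domain_type($1)`, `domain_entry_file($1,$2)` and `role system_r types $1;`, which the callers in this commit have already declared (rblsmtpd through `init_system_domain`, axfrdns by hand); declaration is better left to the caller. The header text says ucspi-tcpd where the package name is ucspi-tcp.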
@@ -0,0 +1,90 @@
+
+policy_module(ucspitcp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rblsmtpd_t;
+type rblsmtpd_exec_t;
+init_system_domain(rblsmtpd_t,rblsmtpd_exec_t)
+role system_r types rblsmtpd_t;
+
+type ucspitcp_t;
+type ucspitcp_exec_t;
+init_system_domain(ucspitcp_t,ucspitcp_exec_t)
+role system_r types ucspitcp_t;
+
+########################################
+#
+# Local policy for rblsmtpd
+#
+
+ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
+
+allow rblsmtpd_t self:process { fork sigchld };
+
+corecmd_search_bin(rblsmtpd_t)
+
+corenet_tcp_sendrecv_all_if(rblsmtpd_t)
+corenet_udp_sendrecv_all_if(rblsmtpd_t)
+corenet_tcp_sendrecv_all_nodes(rblsmtpd_t)
+corenet_udp_sendrecv_all_nodes(rblsmtpd_t)
+corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
+corenet_udp_sendrecv_all_ports(rblsmtpd_t)
+corenet_non_ipsec_sendrecv(rblsmtpd_t)
+corenet_tcp_bind_all_nodes(rblsmtpd_t)
+corenet_udp_bind_generic_port(rblsmtpd_t)
+
+files_read_etc_files(rblsmtpd_t)
+files_search_var(rblsmtpd_t)
+
+libs_use_ld_so(rblsmtpd_t)
+libs_use_shared_libs(rblsmtpd_t)
+
+optional_policy(`daemontools',`
+ daemontools_ipc_domain(rblsmtpd_t)
+')
+
+########################################
+#
+# Local policy for tcpserver
+#
+
+allow ucspitcp_t self:capability { net_bind_service setgid setuid };
+allow ucspitcp_t self:fifo_file { read write };
+allow ucspitcp_t self:process { fork sigchld };
+allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
+
+corecmd_search_bin(ucspitcp_t)
+corecmd_search_sbin(ucspitcp_t)
+
+corenet_tcp_sendrecv_all_if(ucspitcp_t)
+corenet_udp_sendrecv_all_if(ucspitcp_t)
+corenet_tcp_sendrecv_all_nodes(ucspitcp_t)
+corenet_udp_sendrecv_all_nodes(ucspitcp_t)
+corenet_tcp_sendrecv_all_ports(ucspitcp_t)
+corenet_udp_sendrecv_all_ports(ucspitcp_t)
+corenet_non_ipsec_sendrecv(ucspitcp_t)
+corenet_tcp_bind_all_nodes(ucspitcp_t)
+corenet_tcp_bind_ftp_port(ucspitcp_t)
+corenet_tcp_bind_ftp_data_port(ucspitcp_t)
+corenet_tcp_bind_http_port(ucspitcp_t)
+corenet_tcp_bind_smtp_port(ucspitcp_t)
+corenet_tcp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_generic_port(ucspitcp_t)
+
+files_search_var(ucspitcp_t)
+files_read_etc_files(ucspitcp_t)
+
+libs_use_ld_so(ucspitcp_t)
+libs_use_shared_libs(ucspitcp_t)
+
+sysnet_read_config(ucspitcp_t)
+
+optional_policy(`daemontools',`
+ daemontools_service_domain(ucspitcp_t,ucspitcp_exec_t)
+ daemontools_read_svc(ucspitcp_t)
+')
diff --git a/refpolicy/policy/modules/system/daemontools.fc b/refpolicy/policy/modules/system/daemontools.fc
new file mode 100644
index 0000000..7b7968b
--- /dev/null
+++ b/refpolicy/policy/modules/system/daemontools.fc
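Review bot: In ucspitcp.te both domains receive UDP network interfaces without a matching `self:udp_socket` rule: rblsmtpd_t has no socket rule of its own at all, and ucspitcp_t has only `self:tcp_socket create_stream_socket_perms`. Unless one of the called interfaces supplies socket creation, the `corenet_udp_*` lines grant nothing usable, so the policy is either missing a rule or carrying unneeded access. If the DNS lookups these programs make are intended, add `allow rblsmtpd_t self:udp_socket create_socket_perms;` and the same for ucspitcp_t; otherwise delete the UDP lines. `corenet_udp_bind_dns_port(ucspitcp_t)` in particular looks out of place on a TCP listener.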
@@ -0,0 +1,48 @@
+#
+# /service
+#
+
+/service(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+
+#
+# /usr
+#
+
+/usr/bin/envdir -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/envuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/fghack -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/multilog -- gen_context(system_u:object_r:svc_multilog_exec_t,s0)
+/usr/bin/pgrphack -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setlock -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/softlimit -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/svc -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svok -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscan -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscanboot -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/supervise -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+
+#
+# /var
+#
+
+/var/axfrdns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/axfrdns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+
+/var/dnscache(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/dnscache/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
+/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0)
+/var/service/.*/log/run gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/tinydns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/tinydns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
diff --git a/refpolicy/policy/modules/system/daemontools.if b/refpolicy/policy/modules/system/daemontools.if
new file mode 100644
index 0000000..6bb1348
--- /dev/null
+++ b/refpolicy/policy/modules/system/daemontools.if
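Review bot: In daemontools.fc the `/var/service/.*/run.*` and `/var/service/.*/log/run` entries have no file-type field and the first has an open-ended tail, so a directory, a backup such as run.old, or any deeper path containing "/run" is labelled `svc_run_exec_t`, which daemontools.te declares as the entry point type for svc_run_t. Over-labelling an entry point type widens what can start a domain transition, so these should be anchored like the /var/axfrdns entries: `/var/service/[^/]+/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)`, and the same shape for `log/run`. If the `run.*` tail is there for a known file name, spell that name out instead. The /var/axfrdns, /var/dnscache and /var/tinydns paths are specific to djbdns and would be better owned by djbdns.fc than by this module.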
@@ -0,0 +1,147 @@
+## Collection of tools for managing UNIX services
+##
+##
+## Policy for DJB's daemontools
+##
+##
+
+########################################
+##
+## An ipc channel between the supervised domain and svc_start_t
+##
+##
+## Domain allowed access to svc_start_t.
+##
+#
+interface(`daemontools_ipc_domain',`
+ gen_require(`
+ type svc_start_t;
+ ')
+
+ allow $1 svc_start_t:process sigchld;
+ allow $1 svc_start_t:fd use;
+ allow $1 svc_start_t:fifo_file { read write getattr };
+ allow svc_start_t $1:process signal;
+')
+
+########################################
+##
+## Define a specified domain as a supervised service.
+##
+##
+## Domain allowed access.
+##
+##
+## The type associated with the process program.
+##
+#
+interface(`daemontools_service_domain',`
+ gen_require(`
+ type svc_run_t;
+ ')
+
+ domain_auto_trans(svc_run_t, $2, $1)
+ daemontools_ipc_domain($1)
+
+ allow svc_run_t $1:process signal;
+ allow $1 svc_run_t:fd use;
+')
+
+########################################
+##
+## Execute in the svc_start_t domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`daemontools_domtrans_start',`
+ gen_require(`
+ type svc_start_t, svc_start_exec_t;
+ ')
+
+ domain_auto_trans($1, svc_start_exec_t, svc_start_t)
+
+ allow $1 svc_start_t:fd use;
+ allow svc_start_t $1:fd use;
+ allow svc_start_t $1:fifo_file rw_file_perms;
+ allow svc_start_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute in the svc_run_t domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`daemontools_domtrans_run',`
+ gen_require(`
+ type svc_run_t, svc_run_exec_t;
+ ')
+
+ domain_auto_trans($1, svc_run_exec_t, svc_run_t)
+
+ allow $1 svc_run_t:fd use;
+ allow svc_run_t $1:fd use;
+ allow svc_run_t $1:fifo_file rw_file_perms;
+ allow svc_run_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute in the svc_multilog_t domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`daemontools_domtrans_multilog',`
+ gen_require(`
+ type svc_multilog_t, svc_multilog_exec_t;
+ ')
+
+ domain_auto_trans($1, svc_multilog_exec_t, svc_multilog_t)
+
+ allow $1 svc_multilog_t:fd use;
+ allow svc_multilog_t $1:fd use;
+ allow svc_multilog_t $1:fifo_file rw_file_perms;
+ allow svc_multilog_t $1:process sigchld;
+')
+
+########################################
+##
+## Allow a domain to read svc_svc_t files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`daemontools_read_svc',`
+ gen_require(`
+ type svc_svc_t;
+ ')
+
+ allow $1 svc_svc_t:dir r_dir_perms;
+ allow $1 svc_svc_t:file r_file_perms;
+')
+
+########################################
+##
+## Allow a domain to create svc_svc_t files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`daemontools_manage_svc',`
+ gen_require(`
+ type svc_svc_t;
+ ')
+
+ allow $1 svc_svc_t:dir create_dir_perms;
+ allow $1 svc_svc_t:fifo_file create_file_perms;
+ allow $1 svc_svc_t:file create_file_perms;
+ allow $1 svc_svc_t:lnk_file { read create };
+')
diff --git a/refpolicy/policy/modules/system/daemontools.te b/refpolicy/policy/modules/system/daemontools.te
new file mode 100644
index 0000000..037c993
--- /dev/null
+++ b/refpolicy/policy/modules/system/daemontools.te
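Review bot: In daemontools.if, `daemontools_ipc_domain` and `daemontools_service_domain` give the supervisor only `process signal` over the service. SELinux checks SIGKILL and SIGSTOP under the separate `sigkill` and `sigstop` permissions, so the kill and pause controls of `svc` will be denied against a confined service even though daemontools.te grants svc_start_t `capability kill`. Either extend the rule to `allow svc_start_t $1:process { signal sigkill sigstop };` or say in the interface comment that those controls are deliberately withheld. The summary of `daemontools_manage_svc` says "create", while `create_dir_perms` and `create_file_perms` (as I read the permission sets) also cover write, rename and unlink; the comment should describe the full grant because init.te hands it to initrc_t.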
@@ -0,0 +1,120 @@
+
+policy_module(daemontools,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type svc_conf_t;
+files_type(svc_conf_t)
+
+type svc_log_t;
+files_type(svc_log_t)
+
+type svc_multilog_t;
+type svc_multilog_exec_t;
+domain_type(svc_multilog_t)
+domain_entry_file(svc_multilog_t,svc_multilog_exec_t)
+role system_r types svc_multilog_t;
+
+type svc_run_t;
+type svc_run_exec_t;
+domain_type(svc_run_t)
+domain_entry_file(svc_run_t,svc_run_exec_t)
+role system_r types svc_run_t;
+
+type svc_start_t;
+type svc_start_exec_t;
+init_domain(svc_start_t,svc_start_exec_t)
+init_system_domain(svc_start_t,svc_start_exec_t)
+role system_r types svc_start_t;
+
+type svc_svc_t;
+files_type(svc_svc_t)
+
+########################################
+#
+# multilog local policy
+#
+
+# multilog creates /service/*/log/status
+allow svc_multilog_t svc_svc_t:dir rw_dir_perms;
+allow svc_multilog_t svc_svc_t:file create_file_perms;
+
+init_use_fd(svc_multilog_t)
+
+libs_use_ld_so(svc_multilog_t)
+libs_use_shared_libs(svc_multilog_t)
+
+# writes to /var/log/*/*
+logging_manage_generic_logs(svc_multilog_t)
+
+daemontools_ipc_domain(svc_multilog_t)
+
+########################################
+#
+# local policy for binaries that impose
+# a given environment to supervised daemons
+# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
+#
+
+allow svc_run_t self:capability { setgid setuid chown fsetid };
+allow svc_run_t self:process setrlimit;
+allow svc_run_t self:fifo_file rw_file_perms;
+allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+
+allow svc_run_t svc_conf_t:dir r_dir_perms;
+allow svc_run_t svc_conf_t:file r_file_perms;
+
+can_exec(svc_run_t svc_run_exec_t)
+
+kernel_read_system_state(svc_run_t)
+
+corecmd_exec_bin(svc_run_t)
+corecmd_exec_sbin(svc_run_t)
+corecmd_exec_shell(svc_run_t)
+corecmd_exec_ls(svc_run_t)
+
+files_read_etc_files(svc_run_t)
+files_read_etc_runtime_files(svc_run_t)
+files_search_pids(svc_run_t)
+files_search_var_lib(svc_run_t)
+
+init_use_script_fd(svc_run_t)
+init_use_fd(svc_run_t)
+
+libs_use_ld_so(svc_run_t)
+libs_use_shared_libs(svc_run_t)
+
+daemontools_domtrans_multilog(svc_run_t)
+daemontools_read_svc(svc_run_t)
+
+########################################
+#
+# local policy for service monitoring programs
+# ie svc, svscan, supervise ...
+#
+
+allow svc_start_t svc_run_t:process signal;
+
+allow svc_start_t self:fifo_file rw_file_perms;
+allow svc_start_t self:capability kill;
+allow svc_start_t self:unix_stream_socket create_socket_perms;
+
+can_exec(svc_start_t svc_start_exec_t)
+
+corecmd_read_sbin_symlink(svc_start_t)
+corecmd_exec_bin(svc_start_t)
+corecmd_exec_shell(svc_start_t)
+
+files_read_etc_files(svc_start_t)
+files_read_etc_runtime_files(svc_start_t)
+files_search_var(svc_start_t)
+files_search_pids(svc_start_t)
+
+libs_use_ld_so(svc_start_t)
+libs_use_shared_libs(svc_start_t)
+
+daemontools_domtrans_run(svc_start_t)
+daemontools_manage_svc(svc_start_t)
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
index 895a601..8a11fb6 100644
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
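Review bot: In daemontools.te, `can_exec(svc_run_t svc_run_exec_t)` and `can_exec(svc_start_t svc_start_exec_t)` lack the comma between their two arguments, so the macro receives one argument and an empty second one; whether that still expands to a valid rule depends on the macro body. They should read `can_exec(svc_run_t, svc_run_exec_t)` and `can_exec(svc_start_t, svc_start_exec_t)`. For svc_run_t, `capability { setgid setuid chown fsetid }` together with shell and bin execution is a wide grant for helpers such as setuidgid and softlimit, and a comment naming which helper needs `chown` and `fsetid` would make it reviewable. svc_start_t is declared with both `init_domain` and `init_system_domain`; if both start paths are intended, a one-line comment should say so.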
@@ -25,9 +25,11 @@ ifdef(`targeted_policy', `', ` /sbin/init -- gen_context(system_u:object_r:init_exec_t,s0) ifdef(`distro_gentoo', ` -/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) +/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) /sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0) /sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) +/sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) +/sbin/svcinit -- gen_context(system_u:object_r:initrc_exec_t,s0) ') # @@ -41,6 +43,7 @@ ifdef(`distro_gentoo', ` # ifdef(`distro_gentoo', ` /var/lib/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) +/var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') /var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 308a0b8..062a7b4 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.1.3) +policy_module(init,1.1.4) gen_require(` class passwd rootok; @@ -386,7 +386,7 @@ userdom_read_all_user_files(initrc_t) # started from init should be placed in their own domain. userdom_use_sysadm_terms(initrc_t) -ifdef(`distro_debian', ` +ifdef(`distro_debian',` dev_setattr_dev_dir(initrc_t) fs_filetrans_tmpfs(initrc_t,initrc_var_run_t,dir) @@ -512,6 +512,10 @@ optional_policy(`cups',` cups_read_log(initrc_t) ') +optional_policy(`daemontools',` + daemontools_manage_svc(initrc_t) +') + optional_policy(`dbus',` dbus_connect_system_bus(initrc_t) dbus_send_system_bus_msg(initrc_t) diff --git a/refpolicy/policy/modules/system/logging.fc b/refpolicy/policy/modules/system/logging.fc index 7d07518..934c86e 100644 --- a/refpolicy/policy/modules/system/logging.fc +++ b/refpolicy/policy/modules/system/logging.fc 
@@ -19,6 +19,9 @@ ifdef(`distro_suse', ` /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') +/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + /var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) /var/log/audit.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c255) @@ -29,3 +32,6 @@ ifdef(`distro_suse', ` /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) + +/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index b9cb9e8..8f1d53f 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.0.1) +policy_module(selinuxutil,1.0.2) gen_require(` bool secure_mode; @@ -449,6 +449,10 @@ ifdef(`targeted_policy',`',` miscfiles_read_localization(run_init_t) logging_send_syslog_msg(run_init_t) + + optional_policy(`daemontools',` + daemontools_domtrans_start(run_init_t) + ') ') dnl end ifdef targeted policy ifdef(`TODO',`
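Review bot: The logging.fc entries for `/var/axfrdns/log/main`, `/var/dnscache/log/main` and `/var/tinydns/log/main` label multilog output `var_log_t`, while daemontools.fc in this commit labels `/var/service/.*/log/main(/.*)?` as `svc_log_t`. The daemontools.te hunk gives svc_multilog_t only `logging_manage_generic_logs` and contains no rule on `svc_log_t`, so logs under /var/service would get a type that multilog has no visible access to. Pick one type for multilog output and grant svc_multilog_t access to it in daemontools.te. The djbdns paths would also be better owned by the djbdns or daemontools file contexts than by logging.fc, so that removing those modules removes their labels.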
+## Policy for DJB's ucspi-tcpd +##
+## Policy for DJB's daemontools +##