diff --git a/refpolicy/policy/modules/admin/amanda.fc b/refpolicy/policy/modules/admin/amanda.fc
new file mode 100644
index 0000000..2780ecb
--- /dev/null
+++ b/refpolicy/policy/modules/admin/amanda.fc
@@ -0,0 +1,72 @@
+
+/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
+/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
+/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+
+/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+
+/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0)
+
+/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amcat\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amcleanupdisk -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amlogroll -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.g -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.gp -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amtrmidx -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amtrmlog -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/calcsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-chio -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-chs -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-manual -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-multi -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-rth -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-scsi -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-zd-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/driver -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/dumper -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/killpgrp -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/patch-system -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/planner -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/rundump -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/runtar -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/selfcheck -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/sendbackup -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/sendsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/taper -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/versionsuffix -- gen_context(system_u:object_r:amanda_exec_t,s0)
+
+/usr/sbin/amadmin -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcheck -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcheckdb -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcleanup -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amdump -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amflush -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amgetconf -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amlabel -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amoverview -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amplot -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+/usr/sbin/amreport -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrestore -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrmtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amstatus -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amtoc -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amverify -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
+
+/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
+/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
+/var/lib/amanda/\.bashrc -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
+/var/lib/amanda/\.profile -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
+/var/lib/amanda/disklist -- gen_context(system_u:object_r:amanda_data_t,s0)
+/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
+/var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0)
+
+/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
diff --git a/refpolicy/policy/modules/admin/amanda.if b/refpolicy/policy/modules/admin/amanda.if
new file mode 100644
index 0000000..ca3b683
--- /dev/null
+++ b/refpolicy/policy/modules/admin/amanda.if
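Review bot: `/var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0)` carries neither a file-type flag nor a `(/.*)?` suffix, so only the `index` entry itself is labelled `amanda_data_t`; if it is a directory, its contents fall back to whatever more generic entry matches on relabel, and the `amanda_data_t:dir { read search write }` rules in amanda.te would not reach them. If it is a directory the entry should read `/var/lib/amanda/index(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)`, matching the `tapelist(/.*)?` entry above. The same question applies to `/root/restore -d`, which labels the directory but not content already restored into it; whether either is intended cannot be confirmed from this diff.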
@@ -0,0 +1,64 @@
+## Automated backup program.
+
+########################################
+##
+## Execute amrecover in the amanda_recover domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`amanda_domtrans_recover',`
+ gen_require(`
+ type amanda_recover_t, amanda_recover_exec_t;
+ ')
+
+ domain_auto_trans($1,amanda_recover_exec_t,amanda_recover_t)
+
+ allow $1 amanda_recover_t:fd use;
+ allow amanda_recover_t $1:fd use;
+ allow amanda_recover_t $1:fifo_file rw_file_perms;
+ allow amanda_recover_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute amrecover in the amanda_recover domain, and
+## allow the specified role the amanda_recover domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the amanda_recover domain.
+##
+##
+## The type of the terminal allow the amanda_recover domain to use.
+##
+#
+interface(`amanda_run_recover',`
+ gen_require(`
+ type amanda_recover_t;
+ ')
+
+ amanda_domtrans_recover($1)
+ role $2 types amanda_recover_t;
+ allow amanda_recover_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Search amanda library directories.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`amanda_search_lib',`
+ gen_require(`
+ type amanda_usr_lib_t;
+ ')
+
+ allow $1 amanda_usr_lib_t:dir search;
+ files_search_usr($1)
+')
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
new file mode 100644
index 0000000..7c18402
--- /dev/null
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -0,0 +1,247 @@
+
+policy_module(amanda,1.0)
+
+#######################################
+#
+# Declarations
+#
+
+type amanda_t;
+type amanda_inetd_exec_t;
+inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
+role system_r types amanda_t;
+
+type amanda_exec_t;
+domain_entry_file(amanda_t,amanda_exec_t)
+
+type amanda_log_t;
+logging_log_file(amanda_log_t)
+
+# type for amanda configurations files
+type amanda_config_t;
+files_type(amanda_config_t)
+
+# type for files in /usr/lib/amanda
+type amanda_usr_lib_t;
+files_type(amanda_usr_lib_t)
+
+# type for all files in /var/lib/amanda
+type amanda_var_lib_t;
+files_type(amanda_var_lib_t)
+
+# type for all files in /var/lib/amanda/gnutar-lists/
+type amanda_gnutarlists_t;
+files_type(amanda_gnutarlists_t)
+
+# type for user startable files
+type amanda_user_exec_t;
+files_type(amanda_user_exec_t)
+
+# type for same awk and other scripts
+type amanda_script_exec_t;
+files_type(amanda_script_exec_t)
+
+# type for the shell configuration files
+type amanda_shellconfig_t;
+files_type(amanda_shellconfig_t)
+
+type amanda_tmp_t;
+files_tmp_file(amanda_tmp_t)
+
+# type for /etc/amandates
+type amanda_amandates_t;
+files_type(amanda_amandates_t)
+
+# type for /etc/dumpdates
+type amanda_dumpdates_t;
+files_type(amanda_dumpdates_t)
+
+# type for amanda data
+type amanda_data_t;
+files_type(amanda_data_t)
+
+# type for amrecover
+type amanda_recover_t;
+type amanda_recover_exec_t;
+domain_type(amanda_recover_t)
+domain_entry_file(amanda_recover_t,amanda_recover_exec_t)
+role system_r types amanda_recover_t;
+
+# type for recover files ( restored data )
+type amanda_recover_dir_t;
+files_type(amanda_recover_dir_t)
+
+########################################
+#
+# Amanda local policy
+#
+
+allow amanda_t self:capability { chown dac_override setuid };
+allow amanda_t self:process { setpgid signal };
+allow amanda_t self:fifo_file { getattr read write ioctl lock };
+allow amanda_t self:unix_stream_socket
create_stream_socket_perms;
+allow amanda_t self:unix_dgram_socket create_socket_perms;
+allow amanda_t self:tcp_socket create_stream_socket_perms;
+allow amanda_t self:udp_socket create_socket_perms;
+
+# access to amanda_amandates_t
+allow amanda_t amanda_amandates_t:file { getattr lock read write };
+
+# configuration files -> read only
+allow amanda_t amanda_config_t:file { getattr read };
+
+# access to amandas data structure
+allow amanda_t amanda_data_t:dir { read search write };
+allow amanda_t amanda_data_t:file { read write };
+
+# access to amanda_dumpdates_t
+allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
+
+can_exec(amanda_t,amanda_exec_t)
+
+# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
+allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
+allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
+allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
+
+allow amanda_t amanda_log_t:file create_file_perms;
+allow amanda_t amanda_log_t:dir rw_dir_perms;
+logging_create_log(amanda_t,amanda_log_t,{ file dir })
+
+allow amanda_t amanda_tmp_t:dir create_dir_perms;
+allow amanda_t amanda_tmp_t:file create_file_perms;
+files_create_tmp_files(amanda_t, amanda_tmp_t, { file dir })
+
+kernel_read_system_state(amanda_t)
+kernel_read_kernel_sysctl(amanda_t)
+kernel_dontaudit_getattr_unlabeled_file(amanda_t)
+
+corenet_tcp_sendrecv_all_if(amanda_t)
+corenet_udp_sendrecv_all_if(amanda_t)
+corenet_raw_sendrecv_all_if(amanda_t)
+corenet_tcp_sendrecv_all_nodes(amanda_t)
+corenet_udp_sendrecv_all_nodes(amanda_t)
+corenet_raw_sendrecv_all_nodes(amanda_t)
+corenet_tcp_bind_all_nodes(amanda_t)
+corenet_udp_bind_all_nodes(amanda_t)
+corenet_tcp_sendrecv_all_ports(amanda_t)
+corenet_udp_sendrecv_all_ports(amanda_t)
+
+dev_getattr_all_blk_files(amanda_t)
+dev_getattr_all_blk_files(amanda_t)
+
+fs_getattr_xattr_fs(amanda_t)
+fs_list_all(amanda_t)
+
+storage_raw_read_fixed_disk(amanda_t)
+
+files_read_etc_files(amanda_t)
+files_read_etc_runtime_files(amanda_t)
+files_list_all_dirs(amanda_t)
+files_read_all_files(amanda_t)
+files_read_all_symlinks(amanda_t)
+files_read_all_blk_nodes(amanda_t)
+files_read_all_chr_nodes(amanda_t)
+files_getattr_all_pipes(amanda_t)
+files_getattr_all_sockets(amanda_t)
+
+corecmd_exec_shell(amanda_t)
+corecmd_exec_sbin(amanda_t)
+corecmd_exec_bin(amanda_t)
+
+libs_use_ld_so(amanda_t)
+libs_use_shared_libs(amanda_t)
+
+sysnet_read_config(amanda_t)
+
+optional_policy(`authlogin.te',`
+ auth_read_shadow(amanda_t)
+')
+
+optional_policy(`logging.te',`
+ logging_send_syslog_msg(amanda_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(amanda_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(amanda_t)
+')
+
+########################################
+#
+# Amanda recover local policy
+
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:process { sigkill sigstop signal };
+allow amanda_recover_t self:fifo_file { getattr ioctl read write };
+allow amanda_recover_t self:unix_stream_socket { connect create read write };
+allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
+allow amanda_recover_t self:udp_socket create_socket_perms;
+
+allow amanda_recover_t amanda_log_t:dir rw_dir_perms;
+allow amanda_recover_t amanda_log_t:file manage_file_perms;
+allow amanda_recover_t amanda_log_t:lnk_file create_lnk_perms;
+
+# access to amanda_recover_dir_t
+allow amanda_recover_t amanda_recover_dir_t:dir create_dir_perms;
+allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
+allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
+allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
+allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
+userdom_create_sysadm_home(amanda_recover_t,amanda_recover_dir_t,{ file lnk_file sock_file fifo_file })
+
+allow amanda_recover_t amanda_tmp_t:dir
create_dir_perms;
+allow amanda_recover_t amanda_tmp_t:file create_file_perms;
+allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
+allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
+allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
+files_create_tmp_files(amanda_recover_t,amanda_tmp_t,{ file lnk_file sock_file fifo_file })
+
+kernel_read_system_state(amanda_recover_t)
+kernel_read_kernel_sysctl(amanda_recover_t)
+
+corenet_tcp_sendrecv_all_if(amanda_recover_t)
+corenet_udp_sendrecv_all_if(amanda_recover_t)
+corenet_raw_sendrecv_all_if(amanda_recover_t)
+corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
+corenet_udp_sendrecv_all_nodes(amanda_recover_t)
+corenet_raw_sendrecv_all_nodes(amanda_recover_t)
+corenet_tcp_sendrecv_all_ports(amanda_recover_t)
+corenet_udp_sendrecv_all_ports(amanda_recover_t)
+corenet_tcp_bind_all_nodes(amanda_recover_t)
+corenet_udp_bind_all_nodes(amanda_recover_t)
+corenet_tcp_connect_amanda_port(amanda_recover_t)
+
+corecmd_exec_shell(amanda_recover_t)
+corecmd_exec_bin(amanda_recover_t)
+
+domain_use_wide_inherit_fd(amanda_recover_t)
+
+files_read_etc_files(amanda_recover_t)
+files_read_etc_runtime_files(amanda_recover_t)
+files_search_tmp(amanda_recover_t)
+files_search_pids(amanda_recover_t)
+
+fstools_domtrans(amanda_t)
+
+libs_use_ld_so(amanda_recover_t)
+libs_use_shared_libs(amanda_recover_t)
+
+logging_search_logs(amanda_recover_t)
+
+miscfiles_read_localization(amanda_recover_t)
+
+sysnet_read_config(amanda_recover_t)
+
+userdom_search_sysadm_home_subdirs(amanda_recover_t)
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(amanda_recover_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(amanda_recover_t)
+')
diff --git a/refpolicy/policy/modules/services/radius.fc b/refpolicy/policy/modules/services/radius.fc
new file mode 100644
index 0000000..576f54f
--- /dev/null
+++ b/refpolicy/policy/modules/services/radius.fc
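Review bot: `fstools_domtrans(amanda_t)` sits under the "Amanda recover local policy" heading but grants the transition to the backup server domain `amanda_t`, not `amanda_recover_t`; either it belongs in the amanda_t section above or the argument should be `amanda_recover_t`, and as written the server domain gains a transition into fstools that the section heading hides. `dev_getattr_all_blk_files(amanda_t)` appears twice in a row and one copy can go. `allow amanda_t amanda_data_t:dir { read search write };` grants dir `write` without `add_name`/`remove_name`, which by itself cannot create or unlink entries, so if the intent is to manage files under the data directories the usual `rw_dir_perms` macro is clearer. `amanda_user_exec_t`, `amanda_script_exec_t`, `amanda_shellconfig_t` and `amanda_var_lib_t` are declared here and labelled in amanda.fc, but no rule in this file references them, so nothing confined appears able to run the `/usr/sbin/am*` tools; a comment stating whether that is deliberate would help the next reader.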
@@ -0,0 +1,19 @@
+
+/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
+
+/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+
+/var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
+/var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/radius.if b/refpolicy/policy/modules/services/radius.if
new file mode 100644
index 0000000..c3b31d7
--- /dev/null
+++ b/refpolicy/policy/modules/services/radius.if
@@ -0,0 +1,21 @@
+## RADIUS authentication and accounting server.
+
+########################################
+##
+## Use radius over a UDP connection.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`radius_use',`
+ gen_require(`
+ type radius_t;
+ ')
+
+ allow $1 radiusd_t:udp_socket sendto;
+ allow radiusd_t $1:udp_socket recvfrom;
+
+ allow radiusd_t $1:udp_socket sendto;
+ allow $1 radiusd_t:udp_socket recvfrom;
+')
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
new file mode 100644
index 0000000..4e165b6
--- /dev/null
+++ b/refpolicy/policy/modules/services/radius.te
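Review bot: The `gen_require` in `radius_use` lists `type radius_t;`, but every rule in the body uses `radiusd_t`, which is the type radius.te in this commit actually declares; `radius_t` is declared nowhere, so in a modular build the require cannot be satisfied and the interface fails for any caller (userdomain.te calls it in this same commit). It should read `type radiusd_t;`. A short comment on the two rule pairs noting that these are peer-socket rules only, and that the caller still needs its own `udp_socket` and port permissions, would also make the "Use radius over a UDP connection" summary match what is granted.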
@@ -0,0 +1,137 @@
+
+policy_module(radius,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type radiusd_t;
+type radiusd_exec_t;
+init_daemon_domain(radiusd_t,radiusd_exec_t)
+
+type radiusd_etc_t; #, usercanread;
+files_type(radiusd_etc_t)
+
+type radiusd_log_t;
+logging_log_file(radiusd_log_t)
+
+type radiusd_var_run_t;
+files_pid_file(radiusd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# fsetid is for gzip which needs it when run from scripts
+# gzip also needs chown access to preserve GID for radwtmp files
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+dontaudit radiusd_t self:capability sys_tty_config;
+allow radiusd_t self:process setsched;
+allow radiusd_t self:fifo_file rw_file_perms;
+allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
+allow radiusd_t self:tcp_socket create_stream_socket_perms;
+allow radiusd_t self:udp_socket create_socket_perms;
+
+allow radiusd_t radiusd_etc_t:file r_file_perms;
+allow radiusd_t radiusd_etc_t:dir r_dir_perms;
+allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
+files_search_etc(radiusd_t)
+
+allow radiusd_t radiusd_log_t:file create_file_perms;
+allow radiusd_t radiusd_log_t:dir { create rw_dir_perms };
+logging_create_log(radiusd_t,radiusd_log_t,{ file dir })
+
+allow radiusd_t radiusd_var_run_t:file create_file_perms;
+allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
+files_create_pid(radiusd_t,radiusd_var_run_t)
+
+kernel_read_kernel_sysctl(radiusd_t)
+kernel_read_system_state(radiusd_t)
+
+corenet_tcp_sendrecv_all_if(radiusd_t)
+corenet_udp_sendrecv_all_if(radiusd_t)
+corenet_raw_sendrecv_all_if(radiusd_t)
+corenet_tcp_sendrecv_all_nodes(radiusd_t)
+corenet_udp_sendrecv_all_nodes(radiusd_t)
+corenet_raw_sendrecv_all_nodes(radiusd_t)
+corenet_tcp_bind_all_nodes(radiusd_t)
+corenet_udp_bind_all_nodes(radiusd_t)
+corenet_tcp_sendrecv_all_ports(radiusd_t)
+corenet_udp_sendrecv_all_ports(radiusd_t)
+corenet_udp_bind_radacct_port(radiusd_t)
+corenet_udp_bind_radius_port(radiusd_t)
+# for RADIUS proxy port
+corenet_udp_bind_generic_port(radiusd_t)
+
+dev_read_sysfs(radiusd_t)
+
+fs_getattr_all_fs(radiusd_t)
+fs_search_auto_mountpoints(radiusd_t)
+
+term_dontaudit_use_console(radiusd_t)
+
+auth_read_shadow(radiusd_t)
+
+corecmd_exec_bin(radiusd_t)
+corecmd_exec_shell(radiusd_t)
+
+domain_use_wide_inherit_fd(radiusd_t)
+
+files_read_usr_files(radiusd_t)
+files_read_etc_files(radiusd_t)
+files_read_etc_runtime_files(radiusd_t)
+
+init_use_fd(radiusd_t)
+init_use_script_pty(radiusd_t)
+
+libs_use_ld_so(radiusd_t)
+libs_use_shared_libs(radiusd_t)
+libs_exec_lib_files(radiusd_t)
+
+logging_send_syslog_msg(radiusd_t)
+
+miscfiles_read_localization(radiusd_t)
+
+sysnet_read_config(radiusd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(radiusd_t)
+userdom_dontaudit_search_sysadm_home_dir(radiusd_t)
+userdom_dontaudit_getattr_sysadm_home_dir(radiusd_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(radiusd_t)
+ term_dontaudit_use_generic_pty(radiusd_t)
+ files_dontaudit_read_root_file(radiusd_t)
+')
+
+optional_policy(`cron.te',`
+ cron_system_entry(radiusd_t,radiusd_exec_t)
+')
+
+optional_policy(`logrotate.te', `
+ logrotate_exec(radiusd_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(radiusd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(radiusd_t)
+')
+
+optional_policy(`snmp.te',`
+ snmp_use(radiusd_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(radiusd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(radiusd_t)
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/services/snmp.if b/refpolicy/policy/modules/services/snmp.if
index cf9b87a..0da887b
--- a/refpolicy/policy/modules/services/snmp.if
+++ b/refpolicy/policy/modules/services/snmp.if
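Review bot: `allow radiusd_t self:capability { ... sys_tty_config };` grants `sys_tty_config`, and the very next line `dontaudit radiusd_t self:capability sys_tty_config;` suppresses denials of a permission that is already allowed, so the dontaudit is dead; the least-privilege form is to drop `sys_tty_config` from the allow set and keep the dontaudit, which silences the probe without granting it. `type radiusd_etc_t; #, usercanread;` carries a stale trailing comment from the old policy format, and the closing `ifdef(`TODO',` ... `') dnl end TODO` block is dead text; both should be removed or explained. `corenet_udp_bind_generic_port(radiusd_t)` is justified only as "for RADIUS proxy port", but it permits binding any generic port, so a comment naming the proxy behaviour that needs it, or a dedicated port type, would make the grant reviewable.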
@@ -1 +1,19 @@
 ## Simple network management protocol services
+
+########################################
+##
+## Use snmp over a TCP connection.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`snmp_use',`
+ gen_require(`
+ type snmpd_t;
+ ')
+
+ allow $1 snmpd_t:tcp_socket { connectto recvfrom };
+ allow snmpd_t $1:tcp_socket { acceptfrom recvfrom };
+ kernel_tcp_recvfrom($1)
+')
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 10adf7d..9505b71
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -52,6 +52,7 @@ kernel_read_net_sysctl(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
 kernel_read_system_state(snmpd_t)
 kernel_read_network_state(snmpd_t)
+kernel_tcp_recvfrom(snmpd_t)
 corenet_tcp_sendrecv_all_if(snmpd_t)
 corenet_raw_sendrecv_all_if(snmpd_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index b6284ff..a8c077d
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1740,7 +1740,7 @@ interface(`userdom_rw_sysadm_pipe',`
 ## home directory.
 ##
 ##
-## Domain to not audit.
+## Domain allowed access.
 ##
 #
 interface(`userdom_getattr_sysadm_home_dir',`
@@ -1753,6 +1753,24 @@ interface(`userdom_getattr_sysadm_home_dir',`
 ########################################
 ##
+## Do not audit attempts to get the
+## attributes of the sysadm users
+## home directory.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`userdom_dontaudit_getattr_sysadm_home_dir',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ dontaudit $1 sysadm_home_dir_t:dir getattr;
+')
+
+########################################
+##
 ## Search the sysadm users home directory.
 ##
 ##
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 5c3d0cd..cda95a5
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -235,6 +235,10 @@ ifdef(`targeted_policy',`
 quota_run(sysadm_t,sysadm_r,admin_terminal)
 ')
+ optional_policy(`radius.te',`
+ radius_use(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
 optional_policy(`rpm.te',`
 rpm_run(sysadm_t,sysadm_r,admin_terminal)
 ')
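Review bot: `radius_use(sysadm_t,sysadm_r,admin_terminal)` passes role and terminal arguments to an interface that radius.if in this commit defines with a single `$1`; m4 silently discards `$2` and `$3`, so the call works by accident but reads like a `_run` interface that transitions into a domain. It should be `radius_use(sysadm_t)`. The block is placed among the `*_run(sysadm_t,sysadm_r,admin_terminal)` entries, which is what invites the mistake; a one-line comment that this only grants peer UDP socket access to radiusd would help. The enclosing section of userdomain.te starts and ends outside the hunk.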