diff --git a/policy/modules/services/prelude.fc b/policy/modules/services/prelude.fc
index e590273..3bd847a 100644
--- a/policy/modules/services/prelude.fc
+++ b/policy/modules/services/prelude.fc
@@ -1,11 +1,18 @@
+/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0)
+/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+
 /sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
 /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
 /usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
 /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
-
+/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)
+/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
 /var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
-
 /var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
 /var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
index f2f66b9..737be4f 100644
--- a/policy/modules/services/prelude.if
+++ b/policy/modules/services/prelude.if
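Review bot: `/var/run/prelude-lml.pid` leaves the dot unescaped, so as a regex it also matches any single character in that position; the rest of this file escapes literal dots (`/etc/rc\.d/init\.d/...`), so the entry should read `/var/run/prelude-lml\.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)`. The new `/var/log/prelude.*` entry has no file-class field and an unanchored `.*`, so it labels every object whose path starts with `/var/log/prelude`, directories and their contents included; if only files directly in `/var/log` are meant, `/var/log/prelude[^/]* -- gen_context(system_u:object_r:prelude_log_t,s0)` would be tighter, though I cannot tell from the hunk which layout prelude-manager actually uses. The spacing inside `gen_context(..., s0)` also differs between the new entries (`, s0` on the correlator lines, `,s0` elsewhere); the existing lines use `,s0`.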
@@ -56,6 +56,45 @@ interface(`prelude_signal_audisp',`
 ########################################
 ##
+## Read the prelude spool files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelude_read_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+##
+## Manage to prelude-manager spool files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`prelude_manage_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
+ manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+##
 ## All of the rules required to administrate
 ## an prelude environment
 ##
@@ -64,6 +103,11 @@ interface(`prelude_signal_audisp',`
 ## Domain allowed access.
 ##
 ##
+##
+##
+## Role allowed access.
+##
+##
 ##
 #
 interface(`prelude_admin',`
@@ -71,6 +115,10 @@ interface(`prelude_admin',`
 type prelude_t, prelude_spool_t;
 type prelude_var_run_t, prelude_var_lib_t;
 type prelude_audisp_t, prelude_audisp_var_run_t;
+ type prelude_initrc_exec_t;
+
+ type prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_lml_var_run_t;
 ')
 allow $1 prelude_t:process { ptrace signal_perms };
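Review bot: The parameter description in the new `prelude_manage_spool` interface says `Domain allowed to transition.`, but nothing in it sets up a domain transition; it should read `Domain allowed access.` as `prelude_read_spool` above it does. The summary `Manage to prelude-manager spool files.` is also garbled and undersells the grant, which includes manage_dirs_pattern; something like `Create, read, write, and delete prelude-manager spool files and directories.` would be accurate. A smaller point on `prelude_read_spool`: read_files_pattern lets the caller open spool files whose names it already knows but not enumerate the spool directory, so if listing is intended add `allow $1 prelude_spool_t:dir list_dir_perms;` next to the read rule.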
@@ -79,11 +127,18 @@ interface(`prelude_admin',`
 allow $1 prelude_audisp_t:process { ptrace signal_perms };
 ps_process_pattern($1, prelude_audisp_t)
- manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
-
- manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t)
+ allow $1 prelude_lml_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_lml_t)
- manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t)
+ init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 prelude_initrc_exec_t system_r;
+ allow $2 system_r;
- manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
+ admin_pattern($1, prelude_spool_t)
+ admin_pattern($1, prelude_var_lib_t)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
+ admin_pattern($1, prelude_lml_tmp_t)
+ admin_pattern($1, prelude_lml_var_run_t)
 ')
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index aa31eca..cc4a00e 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@@ -1,5 +1,5 @@
-policy_module(prelude, 1.0.2)
+policy_module(prelude, 1.0.3)
 ########################################
 #
@@ -10,9 +10,15 @@ type prelude_t;
 type prelude_exec_t;
 init_daemon_domain(prelude_t, prelude_exec_t)
+type prelude_initrc_exec_t;
+init_script_file(prelude_initrc_exec_t)
+
 type prelude_spool_t;
 files_type(prelude_spool_t)
+type prelude_log_t;
+logging_log_file(prelude_log_t)
+
 type prelude_var_run_t;
 files_pid_file(prelude_var_run_t)
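Review bot: `prelude_admin` now requires a second argument (`role_transition $2 prelude_initrc_exec_t system_r;` and `allow $2 system_r;`), so any existing caller that passes only a domain will expand to a `role_transition` with an empty role and fail at policy build time; the callers are not in this diff, so they need updating in the same change, and the interface summary (which starts outside this hunk) should state that the role parameter is mandatory. `allow $2 system_r;` gives the admin role system_r membership outright rather than only the transition through the init script, which is the usual refpolicy admin pattern but deserves a one-line comment such as `# the admin role needs system_r to run the init script`. Replacing the `manage_files_pattern` lines with `admin_pattern` also widens the admin domain's access on those types beyond plain files (directories, links, sockets, fifos and relabeling, if I recall refpolicy's definition of the pattern correctly); that is the expected scope for an admin interface, but the widening should be reflected in the documentation block.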
@@ -22,21 +28,43 @@ files_type(prelude_var_lib_t)
 type prelude_audisp_t;
 type prelude_audisp_exec_t;
 init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
+logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t)
 type prelude_audisp_var_run_t;
 files_pid_file(prelude_audisp_var_run_t)
+type prelude_correlator_t;
+type prelude_correlator_exec_t;
+init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
+role system_r types prelude_correlator_t;
+
+type prelude_correlator_config_t;
+files_config_file(prelude_correlator_config_t)
+
+type prelude_lml_t;
+type prelude_lml_exec_t;
+init_daemon_domain(prelude_lml_t, prelude_lml_exec_t)
+
+type prelude_lml_tmp_t;
+files_tmp_file(prelude_lml_tmp_t)
+
+type prelude_lml_var_run_t;
+files_pid_file(prelude_lml_var_run_t)
+
 ########################################
 #
 # prelude local policy
 #
-allow prelude_t self:capability sys_tty_config;
+allow prelude_t self:capability { dac_override sys_tty_config };
 allow prelude_t self:fifo_file rw_file_perms;
 allow prelude_t self:unix_stream_socket create_stream_socket_perms;
 allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
 allow prelude_t self:tcp_socket create_stream_socket_perms;
+manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
+logging_log_filetrans(prelude_t, prelude_log_t, file)
+
 manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
 manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
 files_search_spool(prelude_t)
@@ -49,6 +77,9 @@ manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
 manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
 files_pid_filetrans(prelude_t, prelude_var_run_t, file)
+kernel_read_system_state(prelude_t)
+kernel_read_sysctl(prelude_t)
+
 corecmd_search_bin(prelude_t)
 corenet_all_recvfrom_unlabeled(prelude_t)
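Review bot: `allow prelude_t self:capability { dac_override sys_tty_config };` adds dac_override with no comment saying which file access needs it; dac_override lets the daemon bypass owner/mode checks on every object its SELinux rules already reach, so if it is only needed because some config, spool or log file is owned by root, fixing ownership or mode is the tighter fix, and if it is genuinely required a why-comment above the rule (e.g. `# dac_override: needed for <file, TODO confirm>`) should record that. The same unexplained capability is granted to prelude_audisp_t in hunk `@@ -86,7 +122,7` and to prelude_correlator_t and prelude_lml_t in hunk `@@ -115,11 +155,120`. Separately, `role system_r types prelude_correlator_t;` looks redundant: unless this tree's `init_daemon_domain` differs from refpolicy's, that call already associates the domain with system_r, and the other daemon domains declared in this hunk (prelude_lml_t, prelude_audisp_t) do not repeat it.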
@@ -56,15 +87,20 @@ corenet_all_recvfrom_netlabel(prelude_t)
 corenet_tcp_sendrecv_generic_if(prelude_t)
 corenet_tcp_sendrecv_generic_node(prelude_t)
 corenet_tcp_bind_generic_node(prelude_t)
+corenet_tcp_bind_prelude_port(prelude_t)
+corenet_tcp_connect_prelude_port(prelude_t)
+corenet_tcp_connect_postgresql_port(prelude_t)
 dev_read_rand(prelude_t)
 dev_read_urand(prelude_t)
-# Init script handling
-domain_use_interactive_fds(prelude_t)
-
 files_read_etc_files(prelude_t)
+files_read_etc_runtime_files(prelude_t)
 files_read_usr_files(prelude_t)
+files_search_tmp(prelude_t)
+files_search_tmp(prelude_t)
+
+fs_rw_anon_inodefs_files(prelude_t)
 auth_use_nsswitch(prelude_t)
@@ -86,7 +122,7 @@ optional_policy(`
 #
 # prelude_audisp local policy
 #
-
+allow prelude_audisp_t self:capability dac_override;
 allow prelude_audisp_t self:fifo_file rw_file_perms;
 allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
 allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
@@ -100,6 +136,9 @@ files_search_spool(prelude_audisp_t)
 manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
 files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file)
+kernel_read_sysctl(prelude_audisp_t)
+kernel_read_system_state(prelude_audisp_t)
+
 corecmd_search_bin(prelude_audisp_t)
 corenet_all_recvfrom_unlabeled(prelude_audisp_t)
@@ -107,6 +146,7 @@ corenet_all_recvfrom_netlabel(prelude_audisp_t)
 corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
 corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
 corenet_tcp_bind_generic_node(prelude_audisp_t)
+corenet_tcp_connect_prelude_port(prelude_audisp_t)
 dev_read_rand(prelude_audisp_t)
 dev_read_urand(prelude_audisp_t)
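Review bot: `files_search_tmp(prelude_t)` appears twice in the hunk beginning `@@ -56,15 +87,20`; the duplicate is harmless to the compiler but should be dropped. `corenet_tcp_connect_postgresql_port(prelude_t)` is granted unconditionally; if the database backend is configurable, gating the connect behind a tunable would keep deployments on a different backend from carrying a network permission they do not use. I cannot tell from the diff whether prelude-manager is always a postgresql client, so treat that as a question for the author rather than a defect.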
@@ -115,11 +155,120 @@ dev_read_urand(prelude_audisp_t)
 domain_use_interactive_fds(prelude_audisp_t)
 files_read_etc_files(prelude_audisp_t)
+files_read_etc_runtime_files(prelude_audisp_t)
+files_search_tmp(prelude_audisp_t)
 logging_send_syslog_msg(prelude_audisp_t)
 miscfiles_read_localization(prelude_audisp_t)
+sysnet_dns_name_resolve(prelude_audisp_t)
+
+########################################
+#
+# prelude_correlator local policy
+#
+
+allow prelude_correlator_t self:capability dac_override;
+allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
+
+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
+
+kernel_read_sysctl(prelude_correlator_t)
+
+corecmd_search_bin(prelude_correlator_t)
+
+corenet_all_recvfrom_unlabeled(prelude_correlator_t)
+corenet_all_recvfrom_netlabel(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
+corenet_tcp_connect_prelude_port(prelude_correlator_t)
+
+dev_read_rand(prelude_correlator_t)
+dev_read_urand(prelude_correlator_t)
+
+files_read_etc_files(prelude_correlator_t)
+files_read_usr_files(prelude_correlator_t)
+files_search_spool(prelude_correlator_t)
+
+logging_send_syslog_msg(prelude_correlator_t)
+
+miscfiles_read_localization(prelude_correlator_t)
+
+sysnet_dns_name_resolve(prelude_correlator_t)
+
+prelude_manage_spool(prelude_correlator_t)
+
+########################################
+#
+# prelude_lml local declarations
+#
+
+allow prelude_lml_t self:capability dac_override;
+allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
+allow prelude_lml_t self:unix_dgram_socket { write create connect };
+allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
+allow prelude_lml_t self:unix_stream_socket connectto;
+
+manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir })
+files_list_tmp(prelude_lml_t)
+
+manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+files_search_spool(prelude_lml_t)
+
+manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+files_search_var_lib(prelude_lml_t)
+
+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
+
+kernel_read_system_state(prelude_lml_t)
+kernel_read_sysctl(prelude_lml_t)
+
+corecmd_exec_bin(prelude_lml_t)
+
+corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+corenet_tcp_sendrecv_generic_node(prelude_lml_t)
+corenet_tcp_recvfrom_netlabel(prelude_lml_t)
+corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
+corenet_sendrecv_unlabeled_packets(prelude_lml_t)
+corenet_tcp_connect_prelude_port(prelude_lml_t)
+
+dev_read_rand(prelude_lml_t)
+dev_read_urand(prelude_lml_t)
+
+files_list_etc(prelude_lml_t)
+files_read_etc_files(prelude_lml_t)
+files_read_etc_runtime_files(prelude_lml_t)
+
+fs_rw_anon_inodefs_files(prelude_lml_t)
+
+auth_use_nsswitch(prelude_lml_t)
+
+libs_exec_lib_files(prelude_lml_t)
+libs_read_lib_files(prelude_lml_t)
+
+logging_send_syslog_msg(prelude_lml_t)
+logging_read_generic_logs(prelude_lml_t)
+
+miscfiles_read_localization(prelude_lml_t)
+
+sysnet_dns_name_resolve(prelude_lml_t)
+
+userdom_read_all_users_state(prelude_lml_t)
+
+optional_policy(`
+ apache_search_sys_content(prelude_lml_t)
+ apache_read_log(prelude_lml_t)
+')
+
 ########################################
 #
 # prewikka_cgi Declarations
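Review bot: The section header `# prelude_lml local declarations` introduces access rules, not declarations (the prelude_lml_t type declarations live in the earlier hunk), so it should read `# prelude_lml local policy`, matching the prelude_correlator section directly above it. The grants for prelude_lml_t are noticeably broader than for the other new daemon: `corecmd_exec_bin`, `libs_exec_lib_files` and `userdom_read_all_users_state` each deserve a why-comment naming the plugin or feature that needs them, since executing bin_t programs and reading every user domain's process state go well beyond watching log files, whereas `logging_read_generic_logs` is the expected need for a log monitor. `allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };` and the `unix_dgram_socket` line spell out permission sets by hand while the rest of the module uses the `create_stream_socket_perms`/`create_socket_perms` macros; either use the macros or add a comment explaining why the narrower set is intended, so the inconsistency does not read as an oversight.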
@@ -127,7 +276,22 @@ miscfiles_read_localization(prelude_audisp_t)
 optional_policy(`
 apache_content_template(prewikka)
+
+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+ files_read_etc_files(httpd_prewikka_script_t)
+ files_search_tmp(httpd_prewikka_script_t)
+
+ kernel_read_sysctl(httpd_prewikka_script_t)
+ kernel_search_network_sysctl(httpd_prewikka_script_t)
+
+ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
+
+ auth_use_nsswitch(httpd_prewikka_script_t)
+
+ logging_send_syslog_msg(httpd_prewikka_script_t)
+
+ apache_search_sys_content(httpd_prewikka_script_t)
 optional_policy(`
 mysql_search_db(httpd_prewikka_script_t)