diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
new file mode 100644
index 0000000..fcfef78
--- /dev/null
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -0,0 +1,228 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+policy_module(devices,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type netutils_t;
+type netutils_exec_t;
+domain_make_system_domain(netutils_t,netutils_exec_t)
+role system_r types netutils_t;
+
+type netutils_tmp_t;
+files_make_file(netutils_tmp_t)
+
+type ping_t; #, nscd_client_domain;
+type ping_exec_t;
+domain_make_system_domain(ping_t,ping_exec_t)
+role system_r types ping_t;
+
+type traceroute_t; #, nscd_client_domain;
+type traceroute_exec_t;
+domain_make_system_domain(traceroute_t,traceroute_exec_t)
+role system_r types traceroute_t;
+
+#
+# Control users use of ping and traceroute
+#
+bool user_ping false;
+
+########################################
+#
+# Netutils local policy
+#
+
+# Perform network administration operations and have raw access to the network.
+allow netutils_t self:capability { net_admin net_raw setuid setgid };
+allow netutils_t self:process { sigkill sigstop signull signal };
+allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow netutils_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow netutils_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow netutils_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+
+allow netutils_t netutils_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow netutils_t netutils_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir })
+
+corenetwork_network_tcp_on_all_interfaces(netutils_t)
+corenetwork_network_raw_on_all_interfaces(netutils_t)
+corenetwork_network_udp_on_all_interfaces(netutils_t)
+corenetwork_network_tcp_on_all_nodes(netutils_t)
+corenetwork_network_raw_on_all_nodes(netutils_t)
+corenetwork_network_udp_on_all_nodes(netutils_t)
+corenetwork_network_tcp_on_all_ports(netutils_t)
+corenetwork_network_udp_on_all_ports(netutils_t)
+corenetwork_bind_tcp_on_all_nodes(netutils_t)
+corenetwork_bind_udp_on_all_nodes(netutils_t)
+
+filesystem_get_persistent_filesystem_attributes(netutils_t)
+
+init_use_file_descriptors(netutils_t)
+init_script_use_pseudoterminal(netutils_t)
+
+domain_use_widely_inheritable_file_descriptors(netutils_t)
+
+files_read_general_system_config(netutils_t)
+# for nscd
+files_ignore_search_system_state_data_directory(netutils_t)
+
+libraries_use_dynamic_loader(netutils_t)
+libraries_read_shared_libraries(netutils_t)
+
+logging_send_system_log_message(netutils_t)
+
+miscfiles_read_localization(netutils_t)
+
+ifdef(`TODO',`
+role sysadm_r types netutils_t;
+
+can_ypbind(netutils_t)
+
+domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
+
+# Inherit and use descriptors from init.
+allow netutils_t userdomain:fd use;
+
+# Access terminals.
+allow netutils_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
+allow netutils_t proc_t:dir search;
+
+') dnl end TODO
+
+########################################
+#
+# Ping local policy
+#
+
+allow ping_t self:capability setuid;
+dontaudit ping_t self:capability sys_tty_config;
+
+allow ping_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow ping_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+
+corenetwork_network_tcp_on_all_interfaces(ping_t)
+corenetwork_network_udp_on_all_interfaces(ping_t)
+corenetwork_network_raw_on_all_interfaces(ping_t)
+corenetwork_network_raw_on_all_nodes(ping_t)
+corenetwork_network_tcp_on_all_nodes(ping_t)
+corenetwork_network_udp_on_all_nodes(ping_t)
+corenetwork_network_tcp_on_all_ports(ping_t)
+corenetwork_network_udp_on_all_ports(ping_t)
+corenetwork_bind_udp_on_all_nodes(ping_t)
+corenetwork_bind_tcp_on_all_nodes(ping_t)
+
+filesystem_ignore_get_persistent_filesystem_attributes(ping_t)
+
+terminal_ignore_use_controlling_terminal(ping_t)
+
+domain_use_widely_inheritable_file_descriptors(ping_t)
+
+files_read_general_system_config(ping_t)
+
+libraries_use_dynamic_loader(ping_t)
+libraries_read_shared_libraries(ping_t)
+
+sysnetwork_read_network_config(ping_t)
+
+logging_send_system_log_message(ping_t)
+
+if (user_ping) {
+ terminal_use_all_users_physical_terminals(ping_t)
+ terminal_use_all_users_pseudoterminals(ping_t)
+}
+
+ifdef(`TODO',`
+role sysadm_r types ping_t;
+in_user_role(ping_t)
+
+if (user_ping) {
+ domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
+ ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
+}
+
+# Transition into this domain when you run this program.
+domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
+
+can_ypbind(ping_t)
+
+# Access the terminal.
+allow ping_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
+
+# it tries to access /var/run
+dontaudit ping_t var_t:dir search;
+') dnl end TODO
+
+########################################
+#
+# Traceroute local policy
+#
+
+allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+allow traceroute_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow traceroute_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+
+kernel_read_system_state(traceroute_t)
+kernel_read_network_state(traceroute_t)
+
+corenetwork_network_tcp_on_all_interfaces(traceroute_t)
+corenetwork_network_udp_on_all_interfaces(traceroute_t)
+corenetwork_network_raw_on_all_interfaces(traceroute_t)
+corenetwork_network_raw_on_all_nodes(traceroute_t)
+corenetwork_network_tcp_on_all_nodes(traceroute_t)
+corenetwork_network_udp_on_all_nodes(traceroute_t)
+corenetwork_network_tcp_on_all_ports(traceroute_t)
+corenetwork_network_udp_on_all_ports(traceroute_t)
+corenetwork_bind_udp_on_all_nodes(traceroute_t)
+corenetwork_bind_tcp_on_all_nodes(traceroute_t)
+
+filesystem_ignore_get_persistent_filesystem_attributes(traceroute_t)
+
+domain_use_widely_inheritable_file_descriptors(traceroute_t)
+
+files_read_general_system_config(traceroute_t)
+files_ignore_search_system_state_data_directory(traceroute_t)
+
+libraries_use_dynamic_loader(traceroute_t)
+libraries_read_shared_libraries(traceroute_t)
+
+logging_send_system_log_message(traceroute_t)
+
+miscfiles_read_localization(traceroute_t)
+
+#rules needed for nmap
+devices_get_random_data(traceroute_t)
+devices_get_pseudorandom_data(traceroute_t)
+files_read_general_application_resources(traceroute_t)
+
+if (user_ping) {
+ terminal_use_all_users_physical_terminals(traceroute_t)
+ terminal_use_all_users_pseudoterminals(traceroute_t)
+}
+
+ifdef(`TODO',`
+role sysadm_r types traceroute_t;
+
+can_ypbind(traceroute_t)
+
+# Transition into this domain when you run this program.
+domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
+
+# Access the terminal.
+allow traceroute_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
+
+in_user_role(traceroute_t)
+if (user_ping) {
+ domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
+}
+
+#rules needed for nmap
+dontaudit traceroute_t userdomain:dir search;
+') dnl end TODO
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
new file mode 100644
index 0000000..3948ede
--- /dev/null
+++ b/refpolicy/policy/modules/services/remotelogin.te
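Review bot: The module header `policy_module(devices,1.0)` at the top of netutils.te names a different module than the file it lives in; the declaration should match the file, `policy_module(netutils,1.0)`. The same copy-paste slip is at the top of remotelogin.te in the next hunk, which opens with `policy_module(authlogin,1.0)` instead of naming remotelogin. Separately, ping_t is allowed `rawip_socket { create ... }` but its capability line `allow ping_t self:capability setuid;` omits net_raw, whereas netutils_t and traceroute_t both receive `net_raw`; unless raw-socket privilege for ping is granted by an interface not visible here, this looks like a missing permission rather than a deliberate restriction. The `#, nscd_client_domain;` trailers on the ping_t and traceroute_t type lines appear to be fragments carried over from an older declaration form and would read better as a proper note (e.g. `# TODO: nscd client access not yet ported`) or dropped.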
@@ -0,0 +1,178 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+policy_module(authlogin,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type remote_login_t; #, privuser, privrole, privlog, auth_chkpwd, privowner, nscd_client_domain;
+domain_make_domain(remote_login_t)
+domain_make_file_descriptors_widely_inheritable(remote_login_t)
+authlogin_make_login_program_entrypoint(remote_login_t)
+role system_r types remote_login_t;
+
+type remote_login_tmp_t;
+files_make_file(remote_login_tmp_t)
+
+########################################
+#
+# Remote login remote policy
+#
+
+allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow remote_login_t self:process { setrlimit setexec };
+allow remote_login_t self:fd use;
+allow remote_login_t self:fifo_file { read getattr lock ioctl write append };
+allow remote_login_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow remote_login_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow remote_login_t self:unix_dgram_socket sendto;
+allow remote_login_t self:unix_stream_socket connectto;
+allow remote_login_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow remote_login_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow remote_login_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow remote_login_t self:msg { send receive };
+
+allow remote_login_t remote_login_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow remote_login_t remote_login_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_tmp_data(remote_login_t, remote_login_tmp_t, { file dir })
+
+kernel_read_system_state(remote_login_t)
+kernel_read_kernel_sysctl(remote_login_t)
+kernel_get_selinuxfs_mount_point(remote_login_t)
+kernel_validate_selinux_context(remote_login_t)
+kernel_compute_selinux_av(remote_login_t)
+kernel_compute_create(remote_login_t)
+kernel_compute_relabel(remote_login_t)
+kernel_compute_reachable_user_contexts(remote_login_t)
+
+# for SSP/ProPolice
+devices_get_pseudorandom_data(remote_login_t)
+
+filesystem_get_persistent_filesystem_attributes(remote_login_t)
+
+init_script_modify_runtime_data(remote_login_t)
+
+domain_read_all_entrypoint_programs(remote_login_t)
+
+files_read_general_system_config(remote_login_t)
+files_read_runtime_system_config(remote_login_t)
+files_list_home_directories(remote_login_t)
+files_read_general_application_resources(remote_login_t)
+
+libraries_use_dynamic_loader(remote_login_t)
+libraries_read_shared_libraries(remote_login_t)
+
+selinux_read_config(remote_login_t)
+selinux_read_default_contexts(remote_login_t)
+
+authlogin_ignore_read_shadow_passwords(remote_login_t)
+authlogin_modify_login_records(remote_login_t)
+authlogin_modify_last_login_log(remote_login_t)
+authlogin_pam_execute(remote_login_t)
+authlogin_pam_console_manage_runtime_data(remote_login_t)
+
+miscfiles_read_localization(remote_login_t)
+
+ifdef(`TODO',`
+allow remote_login_t unpriv_userdomain:fd use;
+can_ypbind(remote_login_t)
+ifdef(`automount.te', `
+allow remote_login_t autofs_t:dir { search getattr };
+')
+
+allow remote_login_t bin_t:dir r_dir_perms;
+allow remote_login_t bin_t:notdevfile_class_set r_file_perms;
+allow remote_login_t sbin_t:dir r_dir_perms;
+allow remote_login_t sbin_t:notdevfile_class_set r_file_perms;
+if (read_default_t) {
+allow remote_login_t default_t:dir r_dir_perms;
+allow remote_login_t default_t:notdevfile_class_set r_file_perms;
+}
+
+# Read directories and files with the readable_t type.
+# This type is a general type for "world"-readable files.
+allow remote_login_t readable_t:dir r_dir_perms;
+allow remote_login_t readable_t:notdevfile_class_set r_file_perms;
+
+# Read /var, /var/spool
+allow remote_login_t { var_t var_spool_t }:dir search;
+
+# for when /var/mail is a sym-link
+allow remote_login_t var_t:lnk_file read;
+
+# Read /dev directories and any symbolic links.
+allow remote_login_t device_t:lnk_file r_file_perms;
+
+dontaudit remote_login_t sysfs_t:dir search;
+
+allow remote_login_t autofs_t:dir { search read getattr };
+allow remote_login_t mnt_t:dir r_dir_perms;
+
+if (use_nfs_home_dirs) {
+r_dir_file(remote_login_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+r_dir_file(remote_login_t, cifs_t)
+}
+
+# FIXME: what is this for?
+ifdef(`xdm.te', `
+allow xdm_t remote_login_t:process signull;
+')
+
+ifdef(`crack.te', `
+allow remote_login_t crack_db_t:file r_file_perms;
+')
+
+# Permit login to search the user home directories.
+allow remote_login_t home_dir_type:dir search;
+
+# Write to /var/log/btmp
+allow remote_login_t faillog_t:file { append read write };
+
+# Search for mail spool file.
+allow remote_login_t mail_spool_t:dir r_dir_perms;
+allow remote_login_t mail_spool_t:file getattr;
+allow remote_login_t mail_spool_t:lnk_file read;
+
+
+allow remote_login_t mouse_device_t:chr_file { getattr setattr };
+
+ifdef(`targeted_policy',`
+unconfined_domain(remote_login_t)
+domain_auto_trans(remote_login_t, shell_exec_t, unconfined_t)
+')
+
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
+login_spawn_domain(remote_login, unpriv_userdomain)
+
+allow remote_login_t devpts_t:dir search;
+allow remote_login_t userpty_type:chr_file { setattr write };
+
+# Use the pty created by rlogind.
+ifdef(`rlogind.te', `
+allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
+
+# Relabel ptys created by rlogind.
+allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
+')
+
+# Use the pty created by telnetd.
+ifdef(`telnetd.te', `
+allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
+
+# Relabel ptys created by telnetd.
+allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
+')
+
+allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
+
+# Allow remote login to resolve host names (passed in via the -h switch)
+can_resolve(remote_login_t)
+
+') dnl endif TODO
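Review bot: The two self:process rules directly below the capability line contradict each other: the first, `allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };`, excludes setrlimit and setexec, and the next line `allow remote_login_t self:process { setrlimit setexec };` grants them straight back, so anyone reading the negated set gets the wrong picture of what this login domain is denied. Since the effective policy is the union, a single `allow remote_login_t self:process ~{ ptrace setcurrent setfscreate execmem dyntransition };` states it honestly; if the split is intentional (e.g. to make the setexec grant easy to find when reviewing context transitions), a one-line comment saying so should sit between the two rules. Note also that `login_spawn_domain(remote_login, unpriv_userdomain)`, which the adjacent comment describes as the control restricting rlogin to unprivileged user domains because of its weak authentication, is inside the TODO block and therefore not active in this version of the module; a short comment near the top of the "Remote login remote policy" section stating that user-domain transitions are not yet ported would keep the next reader from assuming that restriction is already enforced.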