diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index aa2e9dd..5b0672a 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork, 1.11.6) +policy_module(corenetwork, 1.11.7) ######################################## # @@ -69,6 +69,7 @@ network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) network_port(afs_vl, udp,7003,s0) +network_port(agentx, udp,705,s0, tcp,705,s0) network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc index 6722878..589f671 100644 --- a/policy/modules/services/consolekit.fc +++ b/policy/modules/services/consolekit.fc @@ -1,3 +1,5 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if index bb4ae1c..f625dcf 100644 --- a/policy/modules/services/consolekit.if +++ b/policy/modules/services/consolekit.if @@ -38,3 +38,22 @@ interface(`consolekit_dbus_chat',` allow $1 consolekit_t:dbus send_msg; allow consolekit_t $1:dbus send_msg; ') + +######################################## +## +## Read consolekit log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`consolekit_read_log',` + gen_require(` + type consolekit_log_t; + ') + + read_files_pattern($1, consolekit_log_t, consolekit_log_t) + files_search_pids($1) +') 
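Review bot: The `--` type field on the new `/var/run/ConsoleKit(/.*)?` spec limits it to regular files, so the `/var/run/ConsoleKit` directory itself is not matched and is left with the generic /var/run label on relabel, even though consolekit.te in this same commit adds `files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })` for that directory. Dropping the type field, as the `/var/log/ConsoleKit(/.*)?` line directly above already does, makes the spec cover both the directory and its contents: `/var/run/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_var_run_t,s0)`.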
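Review bot: `consolekit_read_log` ends with `files_search_pids($1)`, but consolekit_log_t is placed under `/var/log/ConsoleKit` by the new .fc entry, so the caller needs search access on the log tree instead: `logging_search_logs($1)`, which is what `exim_manage_log` later in this commit does. The same mix-up appears in the consolekit.te hunk on the next line, where the new type is declared with `files_pid_file(consolekit_log_t)` although it is then created via `logging_log_filetrans`; it should be `logging_log_file(consolekit_log_t)` so the type carries the log-file attribute that `logging_log_filetrans` and the generic log-reading interfaces key on. The interface summary could also name the location it grants access to, e.g. `## Read ConsoleKit log files in /var/log/ConsoleKit.`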
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te index 7d2281a..abb4b9d 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -1,5 +1,5 @@ -policy_module(consolekit, 1.4.0) +policy_module(consolekit, 1.4.1) ######################################## # @@ -10,6 +10,9 @@ type consolekit_t; type consolekit_exec_t; init_daemon_domain(consolekit_t, consolekit_exec_t) +type consolekit_log_t; +files_pid_file(consolekit_log_t) + type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) 
@@ -24,36 +27,69 @@ allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket create_stream_socket_perms; allow consolekit_t self:unix_dgram_socket create_socket_perms; +manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) +logging_log_filetrans(consolekit_t, consolekit_log_t, file) + +manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -files_pid_filetrans(consolekit_t, consolekit_var_run_t, file) +files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) kernel_read_system_state(consolekit_t) corecmd_exec_bin(consolekit_t) +corecmd_exec_shell(consolekit_t) dev_read_urand(consolekit_t) dev_read_sysfs(consolekit_t) domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) +domain_dontaudit_ptrace_all_domains(consolekit_t) files_read_etc_files(consolekit_t) +files_read_usr_files(consolekit_t) # needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) fs_list_inotifyfs(consolekit_t) +mcs_ptrace_all(consolekit_t) + term_use_all_terms(consolekit_t) auth_use_nsswitch(consolekit_t) +init_telinit(consolekit_t) +init_rw_utmp(consolekit_t) + +logging_send_syslog_msg(consolekit_t) + miscfiles_read_localization(consolekit_t) +userdom_dontaudit_read_user_home_content_files(consolekit_t) + +hal_ptrace(consolekit_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_list_nfs(consolekit_t) + fs_dontaudit_rw_nfs_files(consolekit_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_list_cifs(consolekit_t) + fs_dontaudit_rw_cifs_files(consolekit_t) +') + optional_policy(` dbus_system_bus_client(consolekit_t) - dbus_connect_system_bus(consolekit_t) - hal_dbus_chat(consolekit_t) + optional_policy(` + hal_dbus_chat(consolekit_t) + ') + + optional_policy(` + rpm_dbus_chat(consolekit_t) + ') optional_policy(` unconfined_dbus_chat(consolekit_t) 
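Review bot: `hal_ptrace(consolekit_t)` is added at top level while the hal D-Bus rule in the same hunk is deliberately moved inside `optional_policy(`...')`; since this commit itself treats hal as an optional module, the unconditional call will break the build when hal is not included, so it should be wrapped the same way: `optional_policy(`` / `	hal_ptrace(consolekit_t)` / `')`. The ptrace-related grants (`domain_dontaudit_ptrace_all_domains`, `mcs_ptrace_all`, `hal_ptrace`) together with `init_telinit` and `corecmd_exec_shell` noticeably widen what a session tracker can do, and none of them carries a why-comment. A one-line comment on each in the style of the existing `# needs to read /var/lib/dbus/machine-id` would let reviewers judge whether `mcs_ptrace_all` in particular is really required rather than a narrower rule.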
@@ -64,3 +100,8 @@ optional_policy(` xserver_read_user_xauth(consolekit_t) xserver_stream_connect(consolekit_t) ') + +optional_policy(` + #reading .Xauthity + unconfined_stream_connect(consolekit_t) +') diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te index 73cbeb8..03c3dda 100644 --- a/policy/modules/services/dcc.te +++ b/policy/modules/services/dcc.te @@ -1,5 +1,5 @@ -policy_module(dcc, 1.7.1) +policy_module(dcc, 1.7.2) ######################################## # @@ -140,6 +140,7 @@ corenet_all_recvfrom_netlabel(dcc_client_t) corenet_udp_sendrecv_generic_if(dcc_client_t) corenet_udp_sendrecv_generic_node(dcc_client_t) corenet_udp_sendrecv_all_ports(dcc_client_t) +corenet_udp_bind_generic_node(dcc_client_t) files_read_etc_files(dcc_client_t) files_read_etc_runtime_files(dcc_client_t) diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if index dcec818..88c5ede 100644 --- a/policy/modules/services/exim.if +++ b/policy/modules/services/exim.if @@ -117,6 +117,46 @@ interface(`exim_append_log',` ######################################## ## +## Allow the specified domain to manage exim's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`exim_manage_log',` + gen_require(` + type exim_log_t; + ') + + manage_files_pattern($1, exim_log_t, exim_log_t) + logging_search_logs($1) +') + +######################################## +## +## Create, read, write, and delete +## exim spool dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`exim_manage_spool_dirs',` + gen_require(` + type exim_spool_t; + ') + + manage_dirs_pattern($1, exim_spool_t, exim_spool_t) + files_search_spool($1) +') + +######################################## +## ## Read exim spool files. ## ## diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index 0c03c52..d757887 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te 
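Review bot: The comment `#reading .Xauthity` above `unconfined_stream_connect(consolekit_t)` misspells the file name, and the rule it explains grants a unix stream connect to the unconfined domain rather than file read access; the context lines already have `xserver_read_user_xauth(consolekit_t)` for reading the xauth file itself, so the comment should state what the socket connection is actually needed for. If the socket connect is the real requirement, `# reading .Xauthority` alone still leaves that unexplained; something like `# connect to unconfined user sockets (needed when reading .Xauthority) — confirm` would at least record the observed need. The enclosing `optional_policy` block is fully within the hunk.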
@@ -1,5 +1,5 @@ -policy_module(exim, 1.3.2) +policy_module(exim, 1.3.3) ######################################## # @@ -8,6 +8,13 @@ policy_module(exim, 1.3.2) ## ## +## Allow exim to connect to databases (postgres, mysql) +## +## +gen_tunable(exim_can_connect_db, false) + +## +## ## Allow exim to read unprivileged user files. ## ## @@ -24,6 +31,10 @@ gen_tunable(exim_manage_user_files, false) type exim_t; type exim_exec_t; init_daemon_domain(exim_t, exim_exec_t) +mta_mailserver(exim_t, exim_exec_t) +mta_mailserver_user_agent(exim_t) +application_executable_file(exim_exec_t) +mta_agent_executable(exim_exec_t) type exim_log_t; logging_log_file(exim_log_t) @@ -42,10 +53,12 @@ files_pid_file(exim_var_run_t) # exim local policy # -allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown }; +allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; +allow exim_t self:process { setrlimit setpgid }; allow exim_t self:fifo_file rw_fifo_file_perms; allow exim_t self:unix_stream_socket create_stream_socket_perms; allow exim_t self:tcp_socket create_stream_socket_perms; +allow exim_t self:udp_socket create_socket_perms; can_exec(exim_t,exim_exec_t) @@ -66,14 +79,17 @@ manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t) files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) kernel_read_kernel_sysctls(exim_t) - +kernel_read_network_state(exim_t) kernel_dontaudit_read_system_state(exim_t) corecmd_search_bin(exim_t) corenet_all_recvfrom_unlabeled(exim_t) +corenet_all_recvfrom_netlabel(exim_t) corenet_tcp_sendrecv_generic_if(exim_t) +corenet_udp_sendrecv_generic_if(exim_t) corenet_tcp_sendrecv_generic_node(exim_t) +corenet_udp_sendrecv_generic_node(exim_t) corenet_tcp_sendrecv_all_ports(exim_t) corenet_tcp_bind_generic_node(exim_t) corenet_tcp_bind_smtp_port(exim_t) 
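Review bot: The new `corenet_udp_sendrecv_generic_if(exim_t)` and `corenet_udp_sendrecv_generic_node(exim_t)` have no matching port rule, whereas the TCP side in the context lines has `corenet_tcp_sendrecv_all_ports(exim_t)`. If the only UDP traffic is DNS, that is presumably already covered by `auth_use_nsswitch(exim_t)` (which would also be why `sysnet_dns_name_resolve` is dropped in a later hunk) and these two lines plus `allow exim_t self:udp_socket create_socket_perms;` are likely redundant; otherwise a port rule such as `corenet_udp_sendrecv_all_ports(exim_t)` is missing. The new `sys_resource` capability and `self:process { setrlimit setpgid }` look paired sensibly, but a short comment naming the exim feature that needs them would help, since `sys_resource` is a fairly broad capability.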
@@ -82,6 +98,8 @@ corenet_tcp_connect_auth_port(exim_t) corenet_tcp_connect_smtp_port(exim_t) corenet_tcp_connect_ldap_port(exim_t) corenet_tcp_connect_inetd_child_port(exim_t) +# connect to spamassassin +corenet_tcp_connect_spamd_port(exim_t) dev_read_rand(exim_t) dev_read_urand(exim_t) @@ -89,20 +107,34 @@ dev_read_urand(exim_t) # Init script handling domain_use_interactive_fds(exim_t) +files_search_usr(exim_t) +files_search_var(exim_t) files_read_etc_files(exim_t) +files_read_etc_runtime_files(exim_t) + +fs_getattr_xattr_fs(exim_t) +fs_list_inotifyfs(exim_t) auth_use_nsswitch(exim_t) logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) - -sysnet_dns_name_resolve(exim_t) +miscfiles_read_certs(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) mta_read_aliases(exim_t) -mta_rw_spool(exim_t) +mta_read_config(exim_t) +mta_manage_spool(exim_t) +mta_mailserver_delivery(exim_t) + +tunable_policy(`exim_can_connect_db',` + corenet_tcp_connect_mysqld_port(exim_t) + corenet_sendrecv_mysqld_client_packets(exim_t) + corenet_tcp_connect_postgresql_port(exim_t) + corenet_sendrecv_postgresql_client_packets(exim_t) +') tunable_policy(`exim_read_user_files',` userdom_read_user_home_content_files(exim_t) 
@@ -114,3 +146,51 @@ tunable_policy(`exim_manage_user_files',` userdom_read_user_tmp_files(exim_t) userdom_write_user_tmp_files(exim_t) ') + +optional_policy(` + clamav_domtrans_clamscan(exim_t) + clamav_stream_connect(exim_t) +') + +optional_policy(` + cron_read_pipes(exim_t) + cron_rw_system_job_pipes(exim_t) +') + +optional_policy(` + cyrus_stream_connect(exim_t) +') + +optional_policy(` + kerberos_keytab_template(exim, exim_t) +') + +optional_policy(` + mailman_read_data_files(exim_t) + mailman_domtrans(exim_t) +') + +optional_policy(` + tunable_policy(`exim_can_connect_db',` + mysql_stream_connect(exim_t) + ') +') + +optional_policy(` + tunable_policy(`exim_can_connect_db',` + postgresql_stream_connect(exim_t) + ') +') + +optional_policy(` + procmail_domtrans(exim_t) +') + +optional_policy(` + sasl_connect(exim_t) +') + +optional_policy(` + spamassassin_exec(exim_t) + spamassassin_exec_client(exim_t) +') diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc index 2bc5cb9..623c8fa 100644 --- a/policy/modules/services/snmp.fc +++ b/policy/modules/services/snmp.fc @@ -20,5 +20,5 @@ /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) -/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index 0306b0a..58e79fd 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -1,5 +1,5 @@ -policy_module(snmp, 1.9.2) +policy_module(snmp, 1.9.3) ######################################## # @@ -71,6 +71,7 @@ corenet_udp_bind_generic_node(snmpd_t) corenet_tcp_bind_snmp_port(snmpd_t) corenet_udp_bind_snmp_port(snmpd_t) corenet_sendrecv_snmp_server_packets(snmpd_t) +corenet_tcp_connect_agentx_port(snmpd_t) dev_list_sysfs(snmpd_t) dev_read_sysfs(snmpd_t)
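Review bot: `corenet_tcp_connect_agentx_port(snmpd_t)` only lets snmpd connect out to port 705, yet the new corenetwork entry defines both udp and tcp 705 and net-snmp's snmpd is normally the AgentX master that listens on that port, so a bind rule (`corenet_tcp_bind_agentx_port(snmpd_t)`, plus the udp variant if used) would be expected alongside or instead of the connect; please confirm which role produced the denial being fixed. Whichever direction is right, the adjacent `corenet_sendrecv_snmp_server_packets(snmpd_t)` shows this file's convention of pairing a port rule with its packet rule, so the agentx rule should get `corenet_sendrecv_agentx_client_packets(snmpd_t)` (or the `_server_packets` form for a bind). A one-line comment stating that the port is the AgentX subagent protocol would also help the next reader, since the name alone is not obvious.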
+## Allow exim to connect to databases (postgres, mysql) +##
## Allow exim to read unprivileged user files. ##