diff --git a/Changelog b/Changelog
index 23fe8d4..06ef194 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add tcpd_wrapped_domain() for services that use tcp wrappers.
 - Update MLS constraints from LSPP evaluated policy.
 - Allow initrc_t file descriptors to be inherited regardless of MLS level.
   Accordingly drop MLS permissions from daemons that inherit from any level.
@@ -16,6 +17,7 @@
 - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
 - Added modules:
 	application
+	bitlbee (Devin Carraway)
 	brctl (Dan Walsh)
 
 * Fri Jun 29 2007 Chris PeBenito - 20070629
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index bf24b64..b0f5d5f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.2.10)
+policy_module(corenetwork,1.2.11)
 
 ########################################
 #
@@ -67,6 +67,7 @@ network_port(afs_vl, udp,7003,s0)
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
+network_port(aol, tcp,5190,s0, udp,5190,s0)
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
@@ -112,6 +113,8 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 network_port(mail, tcp,2000,s0)
+network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(mysqld, tcp,3306,s0)
 network_port(nessus, tcp,1241,s0)
diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
new file mode 100644
index 0000000..b9c9c53
--- /dev/null
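Review bot: Declaring aol, mmcc and msnp port types labels tcp/udp 5190, 5050 and 1863 with their own types, so any domain that previously reached those IM servers only through a generic or unreserved port permission will presumably need the new per-port corenet interfaces; which domains that affects is not visible here and is worth checking before merging. The udp halves of all three declarations are unused by this commit — bitlbee.te only takes tcp connect and sendrecv on them — which is harmless but deserves a one-line comment beside the new lines, e.g. `# udp portcons declared for completeness; no domain uses them yet`. The Changelog hunk above records the new tcpd interface and the bitlbee module but not the three new port types.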
+++ b/policy/modules/services/bitlbee.fc
@@ -0,0 +1,3 @@
+/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
+/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if
new file mode 100644
index 0000000..d2cc8ae
--- /dev/null
+++ b/policy/modules/services/bitlbee.if
@@ -0,0 +1,22 @@
+## Bitlbee service
+
+########################################
+##
+## Read bitlbee configuration files
+##
+##
+##
+## Domain allowed accesss.
+##
+##
+#
+interface(`bitlbee_read_config',`
+	gen_require(`
+		type bitlbee_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 bitlbee_conf_t:dir { getattr read search };
+	allow $1 bitlbee_conf_t:file { read getattr };
+')
+
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
new file mode 100644
index 0000000..8a4006e
--- /dev/null
+++ b/policy/modules/services/bitlbee.te
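Review bot: bitlbee_read_config spells out the directory and file permissions as raw allow rules, while the rest of this commit is converting exactly this shape in finger.te and nagios.te to list_dir_perms and the read_*_pattern helpers; for consistency the body could read `allow $1 bitlbee_conf_t:dir list_dir_perms;` and `read_files_pattern($1, bitlbee_conf_t, bitlbee_conf_t)` after the files_search_etc call (marginally wider than the literal sets — it adds lock and ioctl — in the same way the finger.te hunk's list_dir_perms change does). The parameter description also has a typo, `accesss` → `access`. It is appropriate that no interface exposes bitlbee_var_t, since bitlbee.te's own comment says it holds user account information; a short sentence in the module summary saying that type is deliberately private would stop a later contributor from adding one casually.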
@@ -0,0 +1,70 @@
+
+policy_module(bitlbee, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bitlbee_t;
+type bitlbee_exec_t;
+init_daemon_domain(bitlbee_t, bitlbee_exec_t)
+inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
+
+type bitlbee_conf_t;
+files_config_file(bitlbee_conf_t)
+
+type bitlbee_var_t;
+files_type(bitlbee_var_t)
+
+########################################
+#
+# Local policy
+#
+#
+
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+
+bitlbee_read_config(bitlbee_t)
+
+# user account information is read and edited at runtime; give the usual
+# r/w access to bitlbee_var_t
+manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+
+corenet_all_recvfrom_unlabeled(bitlbee_t)
+corenet_udp_sendrecv_generic_if(bitlbee_t)
+corenet_udp_sendrecv_generic_node(bitlbee_t)
+corenet_udp_sendrecv_lo_node(bitlbee_t)
+corenet_tcp_sendrecv_generic_if(bitlbee_t)
+corenet_tcp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_sendrecv_lo_node(bitlbee_t)
+# Allow bitlbee to connect to jabber servers
+corenet_tcp_connect_jabber_client_port(bitlbee_t)
+corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+# to AIM servers:
+corenet_tcp_connect_aol_port(bitlbee_t)
+corenet_tcp_sendrecv_aol_port(bitlbee_t)
+# and to MMCC (Yahoo IM) servers:
+corenet_tcp_connect_mmcc_port(bitlbee_t)
+corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
+# and to MSNP (MSN Messenger) servers:
+corenet_tcp_connect_msnp_port(bitlbee_t)
+corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+
+files_read_etc_files(bitlbee_t)
+files_search_pids(bitlbee_t)
+# grant read-only access to the user help files
+files_read_usr_files(bitlbee_t)
+
+libs_legacy_use_shared_libs(bitlbee_t)
+libs_use_ld_so(bitlbee_t)
+
+sysnet_dns_name_resolve(bitlbee_t)
+
+optional_policy(`
+	# normally started from inetd using tcpwrappers, so use those entry points
+	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+')
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 7f88b61..af69106 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -1,5 +1,5 @@
 
-policy_module(finger,1.4.0)
+policy_module(finger,1.4.1)
 
 ########################################
 #
@@ -8,8 +8,8 @@ policy_module(finger,1.4.0)
 
 type fingerd_t;
 type fingerd_exec_t;
-init_daemon_domain(fingerd_t,fingerd_exec_t)
-inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
+init_daemon_domain(fingerd_t, fingerd_exec_t)
+inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
 
 type fingerd_etc_t;
 files_config_file(fingerd_etc_t)
@@ -34,15 +34,15 @@ allow fingerd_t self:udp_socket create_socket_perms;
 allow fingerd_t self:unix_dgram_socket create_socket_perms;
 allow fingerd_t self:unix_stream_socket create_socket_perms;
 
-manage_files_pattern(fingerd_t,fingerd_var_run_t,fingerd_var_run_t)
-files_pid_filetrans(fingerd_t,fingerd_var_run_t,file)
+manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
+files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
 
-allow fingerd_t fingerd_etc_t:dir r_dir_perms;
-read_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t)
-read_lnk_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t)
+allow fingerd_t fingerd_etc_t:dir list_dir_perms;
+read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
+read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
 
 allow fingerd_t fingerd_log_t:file manage_file_perms;
-logging_log_filetrans(fingerd_t,fingerd_log_t,file)
+logging_log_filetrans(fingerd_t, fingerd_log_t, file)
 
 kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)
@@ -105,7 +105,7 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`
-	cron_system_entry(fingerd_t,fingerd_exec_t)
+	cron_system_entry(fingerd_t, fingerd_exec_t)
 ')
 
 optional_policy(`
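Review bot: bitlbee_t is declared with both init_daemon_domain and inetd_tcp_service_domain, but the network rules only fit the inetd path: there are outbound connects to the jabber, aol, mmcc and msnp ports plus generic sendrecv, and no node or port bind rule (`self:tcp_socket create_stream_socket_perms` covers the socket object, not binding to a labelled node/port), so a bitlbee started by init as a standalone listener would presumably be denied its listening port. Either drop init_daemon_domain if only the inetd/tcpd entry is intended, or add `corenet_tcp_bind_generic_node(bitlbee_t)` plus a bind interface for the port it listens on, which is not declared in this commit. `files_search_pids(bitlbee_t)` without any pid-file type looks like another fragment of the standalone mode; if so, a comment such as `# standalone daemon mode (bind, pid file) is not covered yet` next to it would tell the next reader what is deliberate and what is missing.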
@@ -125,5 +125,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tcpd_wrapped_domain(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
 	udev_read_db(fingerd_t)
 ')
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 174139b..64840dc 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -1,5 +1,5 @@
 
-policy_module(nagios,1.3.0)
+policy_module(nagios,1.3.1)
 
 ########################################
 #
@@ -8,11 +8,11 @@ policy_module(nagios,1.3.0)
 
 type nagios_t;
 type nagios_exec_t;
-init_daemon_domain(nagios_t,nagios_exec_t)
+init_daemon_domain(nagios_t, nagios_exec_t)
 
 type nagios_cgi_t;
 type nagios_cgi_exec_t;
-init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)
+init_system_domain(nagios_cgi_t, nagios_cgi_exec_t)
 
 type nagios_etc_t;
 files_config_file(nagios_etc_t)
@@ -28,7 +28,7 @@ files_pid_file(nagios_var_run_t)
 
 type nrpe_t;
 type nrpe_exec_t;
-init_daemon_domain(nrpe_t,nrpe_exec_t)
+init_daemon_domain(nrpe_t, nrpe_exec_t)
 
 type nrpe_etc_t;
 files_config_file(nrpe_etc_t)
@@ -45,20 +45,20 @@ allow nagios_t self:fifo_file rw_file_perms;
 allow nagios_t self:tcp_socket create_stream_socket_perms;
 allow nagios_t self:udp_socket create_socket_perms;
 
-read_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
-read_lnk_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
+read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
 allow nagios_t nagios_etc_t:dir list_dir_perms;
 
-manage_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
-manage_fifo_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
-logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })
+manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+logging_log_filetrans(nagios_t, nagios_log_t, { file dir })
 
-manage_dirs_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
-manage_files_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
+manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
+manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
 files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
 
-manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t)
-files_pid_filetrans(nagios_t,nagios_var_run_t,file)
+manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+files_pid_filetrans(nagios_t, nagios_var_run_t, file)
 
 kernel_read_system_state(nagios_t)
 kernel_read_kernel_sysctls(nagios_t)
@@ -142,16 +142,16 @@ optional_policy(`
 allow nagios_cgi_t self:process signal_perms;
 allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
 
-read_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
+read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
+read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
 
 allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
+read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
 
 allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
+read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
+read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
 
 kernel_read_system_state(nagios_cgi_t)
 
@@ -218,7 +218,7 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`
-	inetd_tcp_service_domain(nrpe_t,nrpe_exec_t)
+	inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
 ')
 
 optional_policy(`
@@ -226,5 +226,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
+')
+
+optional_policy(`
 	udev_read_db(nrpe_t)
 ')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 7978f66..3d55bc1 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(rlogin,1.4.0)
+policy_module(rlogin,1.4.1)
 
 ########################################
 #
@@ -8,7 +8,7 @@ policy_module(rlogin,1.4.0)
 
 type rlogind_t;
 type rlogind_exec_t;
-inetd_service_domain(rlogind_t,rlogind_exec_t)
+inetd_service_domain(rlogind_t, rlogind_exec_t)
 role system_r types rlogind_t;
 
 type rlogind_devpts_t; #, userpty_type;
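Review bot: `read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)` and the read_lnk_files_pattern line under it pass nagios_etc_t as the directory type while the allow rule directly above them lists nagios_log_t directories and the file type is nagios_log_t; the reformat preserves what looks like a pre-existing copy-paste slip. As written it works only because that list_dir_perms rule already grants search on nagios_log_t directories, so the nagios_etc_t search these two lines add is redundant and misleading about what the CGI domain needs. Suggested: `read_files_pattern(nagios_cgi_t, nagios_log_t, nagios_log_t)` and `read_lnk_files_pattern(nagios_cgi_t, nagios_log_t, nagios_log_t)`.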
@@ -39,12 +39,12 @@ term_create_pty(rlogind_t,rlogind_devpts_t)
 # for /usr/lib/telnetlogin
 can_exec(rlogind_t, rlogind_exec_t)
 
-manage_dirs_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t)
-manage_files_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t)
+manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
 files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
 
-manage_files_pattern(rlogind_t,rlogind_var_run_t,rlogind_var_run_t)
-files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)
+manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
+files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
 
 kernel_read_kernel_sysctls(rlogind_t)
 kernel_read_system_state(rlogind_t)
@@ -96,6 +96,10 @@ optional_policy(`
 	kerberos_read_keytab(rlogind_t)
 ')
 
+optional_policy(`
+	tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
+')
+
 ifdef(`TODO',`
 # Allow krb5 rlogind to use fork and open /dev/tty for use
 allow rlogind_t userpty_type:chr_file setattr;
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index b3b6103..0b0373a 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -1,5 +1,5 @@
 
-policy_module(rshd,1.3.1)
+policy_module(rshd,1.3.2)
 
 ########################################
 #
@@ -7,7 +7,7 @@ policy_module(rshd,1.3.1)
 #
 type rshd_t;
 type rshd_exec_t;
-inetd_tcp_service_domain(rshd_t,rshd_exec_t)
+inetd_tcp_service_domain(rshd_t, rshd_exec_t)
 domain_subj_id_change_exemption(rshd_t)
 domain_role_change_exemption(rshd_t)
 role system_r types rshd_t;
@@ -88,8 +88,6 @@ optional_policy(`
 	nscd_socket_use(rshd_t)
 ')
 
-ifdef(`TODO',`
 optional_policy(`
-	allow rshd_t rlogind_tmp_t:file rw_file_perms;
-')
+	tcpd_wrapped_domain(rshd_t,rshd_exec_t)
 ')
diff --git a/policy/modules/services/tcpd.if b/policy/modules/services/tcpd.if
index 82958cf..98dc24b 100644
--- a/policy/modules/services/tcpd.if
+++ b/policy/modules/services/tcpd.if
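Review bot: `tcpd_wrapped_domain(rshd_t,rshd_exec_t)` in the rshd.te hunk is the one new call written without the space after the comma, while the same call in finger, nagios, rlogin, uwimap and bitlbee and the whitespace reformat this commit applies everywhere else use the `(a, b)` form; make it `tcpd_wrapped_domain(rshd_t, rshd_exec_t)`. The ifdef(TODO) wrapper removed in that hunk was never compiled, so dropping the rlogind_tmp_t rule is not a behaviour change, but the TODO is silently abandoned rather than resolved; a word in the commit message or Changelog would record that.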
@@ -15,5 +15,31 @@ interface(`tcpd_domtrans',`
 		type tcpd_t, tcpd_exec_t;
 	')
 
-	domtrans_pattern($1,tcpd_exec_t,tcpd_t)
+	domtrans_pattern($1, tcpd_exec_t, tcpd_t)
+')
+
+########################################
+##
+## Create a domain for services that
+## utilize tcp wrappers.
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`tcpd_wrapped_domain',`
+	gen_require(`
+		type tcpd_t;
+		role system_r;
+	')
+
+	domtrans_pattern(tcpd_t, $2, $1)
+	role system_r types $1;
 ')
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
index 8925d48..acf506a 100644
--- a/policy/modules/services/tcpd.te
+++ b/policy/modules/services/tcpd.te
@@ -1,5 +1,5 @@
 
-policy_module(tcpd,1.2.0)
+policy_module(tcpd,1.2.1)
 
 ########################################
 #
@@ -7,7 +7,7 @@ policy_module(tcpd,1.2.0)
 #
 type tcpd_t;
 type tcpd_exec_t;
-inetd_tcp_service_domain(tcpd_t,tcpd_exec_t)
+inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
 role system_r types tcpd_t;
 
 type tcpd_tmp_t;
@@ -19,8 +19,8 @@ files_tmp_file(tcpd_tmp_t)
 #
 
 allow tcpd_t self:tcp_socket create_stream_socket_perms;
-manage_dirs_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
-manage_files_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
+manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
 files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
 
 corenet_all_recvfrom_unlabeled(tcpd_t)
@@ -50,25 +50,5 @@ sysnet_read_config(tcpd_t)
 inetd_domtrans_child(tcpd_t)
 
 optional_policy(`
-	finger_domtrans(tcpd_t)
-')
-
-optional_policy(`
 	nis_use_ypbind(tcpd_t)
 ')
-
-optional_policy(`
-	nagios_domtrans_nrpe(tcpd_t)
-')
-
-optional_policy(`
-	rlogin_domtrans(tcpd_t)
-')
-
-optional_policy(`
-	rshd_domtrans(tcpd_t)
-')
-
-optional_policy(`
-	uwimap_domtrans(tcpd_t)
-')
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index ab20a88..5ba1f99 100644
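Review bot: tcpd_wrapped_domain inverts the old dependency — tcpd.te below stops calling finger_domtrans, nagios_domtrans_nrpe, rlogin_domtrans, rshd_domtrans and uwimap_domtrans — but those five per-service interfaces are not touched by this commit; if nothing else uses them they should be removed or marked deprecated in their .if files, which is not visible here. The `role system_r types $1;` line is presumably redundant for every caller in this commit, since each of them already enters system_r through inetd_tcp_service_domain, inetd_service_domain or an explicit role line (bitlbee.te and finger.te carry no role line of their own, so this is the interface doing the work for them); harmless, but worth a comment so nobody removes it from the callers thinking it is unused. The summary would also be clearer about the trust it sets up, e.g. `## tcpd_t may execute the entry point and transition into the domain, which in turn inherits tcpd_t's descriptors (domtrans_pattern)`.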
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -1,5 +1,5 @@
 
-policy_module(uwimap,1.3.0)
+policy_module(uwimap,1.3.1)
 
 ########################################
 #
@@ -8,8 +8,8 @@ policy_module(uwimap,1.3.0)
 
 type imapd_t;
 type imapd_exec_t;
-init_daemon_domain(imapd_t,imapd_exec_t)
-inetd_tcp_service_domain(imapd_t,imapd_exec_t)
+init_daemon_domain(imapd_t, imapd_exec_t)
+inetd_tcp_service_domain(imapd_t, imapd_exec_t)
 
 type imapd_tmp_t;
 files_tmp_file(imapd_tmp_t)
@@ -28,12 +28,12 @@ allow imapd_t self:process signal_perms;
 allow imapd_t self:fifo_file rw_fifo_file_perms;
 allow imapd_t self:tcp_socket create_stream_socket_perms;
 
-manage_dirs_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
-manage_files_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
+manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
+manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
 files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
 
-manage_files_pattern(imapd_t,imapd_var_run_t,imapd_var_run_t)
-files_pid_filetrans(imapd_t,imapd_var_run_t,file)
+manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t)
+files_pid_filetrans(imapd_t, imapd_var_run_t, file)
 
 kernel_read_kernel_sysctls(imapd_t)
 kernel_list_proc(imapd_t)
@@ -93,5 +93,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tcpd_wrapped_domain(imapd_t, imapd_exec_t)
+')
+
+optional_policy(`
 	udev_read_db(imapd_t)
 ')