diff --git a/cinder.te b/cinder.te index 488a7a659..a05691d8f 100644 --- a/cinder.te +++ b/cinder.te @@ -159,6 +159,8 @@ kernel_read_kernel_sysctls(cinder_volume_t) logging_send_syslog_msg(cinder_volume_t) +systemd_dbus_chat_logind(cinder_volume_t) + optional_policy(` lvm_domtrans(cinder_volume_t) ') diff --git a/ganesha.fc b/ganesha.fc new file mode 100644 index 000000000..c723bfb97 --- /dev/null +++ b/ganesha.fc @@ -0,0 +1,12 @@ +/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0) + +/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) + +/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) + +/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) + +/var/log/ganesha.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) +/var/log/ganesha-gfapi.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) + +/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0) diff --git a/ganesha.if b/ganesha.if new file mode 100644 index 000000000..4c347e5cc --- /dev/null +++ b/ganesha.if @@ -0,0 +1,146 @@ +## policy for ganesha + +######################################## +## +## Execute ganesha_exec_t in the ganesha domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ganesha_domtrans',` + gen_require(` + type ganesha_t, ganesha_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ganesha_exec_t, ganesha_t) +') + +###################################### +## +## Execute ganesha in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ganesha_exec',` + gen_require(` + type ganesha_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, ganesha_exec_t) +') +######################################## +## +## Read ganesha PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ganesha_read_pid_files',` + gen_require(` + type ganesha_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t) +') + +######################################## +## +## Execute ganesha server in the ganesha domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ganesha_systemctl',` + gen_require(` + type ganesha_t; + type ganesha_unit_file_t; + ') + + systemd_exec_systemctl($1) + systemd_read_fifo_file_passwd_run($1) + allow $1 ganesha_unit_file_t:file read_file_perms; + allow $1 ganesha_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, ganesha_t) +') + + +######################################## +## +## Send and receive messages from +## ganesha over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`ganesha_dbus_chat',` + gen_require(` + type ganesha_t; + class dbus send_msg; + ') + + allow $1 ganesha_t:dbus send_msg; + allow ganesha_t $1:dbus send_msg; +') + +######################################## +## +## All of the rules required to administrate +## an ganesha environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`ganesha_admin',` + gen_require(` + type ganesha_t; + type ganesha_var_run_t; + type ganesha_unit_file_t; + ') + + allow $1 ganesha_t:process { signal_perms }; + ps_process_pattern($1, ganesha_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 ganesha_t:process ptrace; + ') + + files_search_pids($1) + admin_pattern($1, ganesha_var_run_t) + + ganesha_systemctl($1) + admin_pattern($1, ganesha_unit_file_t) + allow $1 ganesha_unit_file_t:service all_service_perms; + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') diff --git a/ganesha.te b/ganesha.te new file mode 100644 index 000000000..f25a3f34d --- /dev/null +++ b/ganesha.te @@ -0,0 +1,111 @@ +policy_module(ganesha, 1.0.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow ganesha to read/write fuse files +##

+##
+gen_tunable(ganesha_use_fusefs, false) + +type ganesha_t; +type ganesha_exec_t; +init_daemon_domain(ganesha_t, ganesha_exec_t) + +type ganesha_var_log_t; +logging_log_file(ganesha_var_log_t) + +type ganesha_var_run_t; +files_pid_file(ganesha_var_run_t) + +type ganesha_tmp_t; +files_tmp_file(ganesha_tmp_t) + +type ganesha_unit_file_t; +systemd_unit_file(ganesha_unit_file_t) + +######################################## +# +# ganesha local policy +# +dontaudit ganesha_t self:capability net_admin; + +allow ganesha_t self:capability { dac_read_search dac_override }; +allow ganesha_t self:capability2 block_suspend; +allow ganesha_t self:process { setcap setrlimit }; +allow ganesha_t self:fifo_file rw_fifo_file_perms; +allow ganesha_t self:unix_stream_socket create_stream_socket_perms; +allow ganesha_t self:tcp_socket { accept listen }; + +manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) +manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) +manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) +files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file }) + +manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t) +manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t) +logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir }) + +manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t) +manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t) +files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir }) + +kernel_read_system_state(ganesha_t) +kernel_search_network_sysctl(ganesha_t) +kernel_read_net_sysctls(ganesha_t) + +auth_use_nsswitch(ganesha_t) + +corenet_tcp_bind_nfs_port(ganesha_t) +corenet_tcp_connect_generic_port(ganesha_t) +corenet_tcp_connect_gluster_port(ganesha_t) +corenet_udp_bind_dey_keyneg_port(ganesha_t) +corenet_tcp_bind_dey_keyneg_port(ganesha_t) +corenet_udp_bind_nfs_port(ganesha_t) +corenet_udp_bind_all_rpc_ports(ganesha_t) +corenet_tcp_bind_all_rpc_ports(ganesha_t) +corenet_tcp_bind_mountd_port(ganesha_t) +corenet_udp_bind_mountd_port(ganesha_t) +corenet_tcp_connect_virt_migration_port(ganesha_t) +corenet_tcp_connect_all_rpc_ports(ganesha_t) + +dev_rw_infiniband_dev(ganesha_t) +dev_read_gpfs(ganesha_t) +dev_read_rand(ganesha_t) + +logging_send_syslog_msg(ganesha_t) + +sysnet_dns_name_resolve(ganesha_t) + +optional_policy(` + dbus_system_bus_client(ganesha_t) + dbus_connect_system_bus(ganesha_t) + unconfined_dbus_chat(ganesha_t) +') + +optional_policy(` + glusterd_read_conf(ganesha_t) + glusterd_read_lib_files(ganesha_t) + glusterd_manage_pid(ganesha_t) +') + +optional_policy(` + kerberos_read_keytab(ganesha_t) +') + +optional_policy(` + rpc_manage_nfs_state_data_dir(ganesha_t) + rpc_read_nfs_state_data(ganesha_t) + rpcbind_stream_connect(ganesha_t) +') + +tunable_policy(`ganesha_use_fusefs',` + fs_manage_fusefs_dirs(ganesha_t) + fs_manage_fusefs_files(ganesha_t) + fs_read_fusefs_symlinks(ganesha_t) + fs_getattr_fusefs(ganesha_t) +') diff --git a/glusterd.fc b/glusterd.fc index e42e81f5f..9806f50ae 100644 --- a/glusterd.fc +++ b/glusterd.fc @@ -23,8 +23,3 @@ /var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) /var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) /var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) - -/var/log/ganesha(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) -/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) -/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:glusterd_log_t,s0) - diff --git a/glusterd.if b/glusterd.if index a62e355ac..291191f17 100644 --- a/glusterd.if +++ b/glusterd.if @@ -135,7 +135,6 @@ interface(`glusterd_manage_log',` manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t) manage_files_pattern($1, glusterd_log_t, glusterd_log_t) manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t) - logging_log_named_filetrans($1, glusterd_log_t, file, "ganesha.log") ') ###################################### diff --git a/glusterd.te b/glusterd.te index 7804cbaf4..2bcedd014 100644 --- a/glusterd.te +++ b/glusterd.te @@ -64,8 +64,6 @@ files_type(glusterd_var_lib_t) type glusterd_brick_t; files_type(glusterd_brick_t) -typealias glusterd_log_t alias ganesha_var_log_t; - ######################################## # # Local policy @@ -270,6 +268,11 @@ optional_policy(` ') ') +optional_policy(` + ganesha_systemctl(glusterd_t) + ganesha_dbus_chat(glusterd_t) +') + optional_policy(` hostname_exec(glusterd_t) ') @@ -310,8 +313,8 @@ optional_policy(` optional_policy(` rpc_systemctl_nfsd(glusterd_t) rpc_systemctl_rpcd(glusterd_t) + rpc_domtrans_nfsd(glusterd_t) - rpc_dbus_chat_nfsd(glusterd_t) rpc_domtrans_rpcd(glusterd_t) rpc_manage_nfs_state_data(glusterd_t) rpc_manage_nfs_state_data_dir(glusterd_t) diff --git a/modemmanager.te b/modemmanager.te index 5a177cd5a..c7fd00ea0 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -29,7 +29,7 @@ kernel_read_system_state(modemmanager_t) corecmd_exec_bin(modemmanager_t) -dev_read_sysfs(modemmanager_t) +dev_rw_sysfs(modemmanager_t) dev_read_urand(modemmanager_t) dev_rw_modem(modemmanager_t) diff --git a/nagios.te b/nagios.te index a5e1cfda8..4141c6374 100644 --- a/nagios.te +++ b/nagios.te @@ -217,6 +217,9 @@ tunable_policy(`nagios_run_sudo',` selinux_compute_access_vector(nagios_t) + systemd_write_inherited_logind_sessions_pipes(nagios_t) + systemd_dbus_chat_logind(nagios_t) + logging_send_audit_msgs(nagios_t) ') @@ -365,6 +368,9 @@ tunable_policy(`nagios_run_sudo',` selinux_compute_access_vector(nrpe_t) + systemd_write_inherited_logind_sessions_pipes(nrpe_t) + systemd_dbus_chat_logind(nrpe_t) + logging_send_audit_msgs(nrpe_t) ') @@ -375,6 +381,13 @@ optional_policy(` ') ') +optional_policy(` + tunable_policy(`nagios_run_sudo',` + sssd_read_config(nrpe_t) + sssd_manage_lib_files(nrpe_t) + sssd_read_pid_files(nrpe_t) + ') +') tunable_policy(`nagios_use_nfs',` fs_manage_nfs_files(nrpe_t) @@ -616,3 +629,7 @@ optional_policy(` optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') + +optional_policy(` + systemd_dbus_chat_logind(nagios_unconfined_plugin_t) +') diff --git a/nova.te b/nova.te index 2259a5192..af8dd5527 100644 --- a/nova.te +++ b/nova.te @@ -124,6 +124,7 @@ corenet_sendrecv_dns_server_packets(nova_domain) corenet_sendrecv_dhcpd_server_packets(nova_domain) auth_use_nsswitch(nova_t) +auth_use_pam(nova_t) auth_read_passwd(nova_domain) dev_read_sysfs(nova_domain) @@ -132,7 +133,7 @@ dev_read_rand(nova_domain) fs_getattr_all_fs(nova_domain) -init_read_utmp(nova_domain) +init_rw_utmp(nova_domain) libs_exec_ldconfig(nova_domain) diff --git a/rhcs.te b/rhcs.te index 0e8b031bb..c029ccd71 100644 --- a/rhcs.te +++ b/rhcs.te @@ -265,7 +265,7 @@ optional_policy(` ') optional_policy(` - rpc_dbus_chat_nfsd(cluster_t) + ganesha_dbus_chat(cluster_t) ') optional_policy(` diff --git a/rpc.fc b/rpc.fc index b08ec8d2d..38a2f0911 100644 --- a/rpc.fc +++ b/rpc.fc @@ -1,5 +1,3 @@ - - # # /etc # @@ -11,10 +9,6 @@ /usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) /usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) -/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) -/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) -/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) - # # /sbin # @@ -33,15 +27,12 @@ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) - # # /var # /var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) /var/run/sm-notify.* gen_context(system_u:object_r:rpcd_var_run_t,s0) -/var/run/ganesha.* gen_context(system_u:object_r:rpcd_var_run_t,s0) /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) diff --git a/rpc.if b/rpc.if index 2ee527f2a..79a2a9c48 100644 --- a/rpc.if +++ b/rpc.if @@ -530,24 +530,3 @@ interface(`rpc_gssd_noatsecure',` allow $1 gssd_t:process { noatsecure rlimitinh }; ') - -######################################## -## -## Send and receive messages from -## ganesha over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_dbus_chat_nfsd',` - gen_require(` - type nfsd_t; - class dbus send_msg; - ') - - allow $1 nfsd_t:dbus send_msg; - allow nfsd_t $1:dbus send_msg; -') diff --git a/rpc.te b/rpc.te index f4df4fda2..b9665f773 100644 --- a/rpc.te +++ b/rpc.te @@ -65,13 +65,6 @@ systemd_unit_file(nfsd_unit_file_t) type var_lib_nfs_t; files_mountpoint(var_lib_nfs_t) -type nfsd_tmp_t; -files_tmp_file(nfsd_tmp_t) - -typealias nfsd_t alias ganesha_t; -typealias nfsd_exec_t alias ganesha_exec_t; -typealias nfsd_unit_file_t alias ganesha_unit_file_t; - ######################################## # # Common rpc domain local policy @@ -234,17 +227,8 @@ optional_policy(` allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_rawio sys_resource }; -allow nfsd_t self:process { setcap }; - allow nfsd_t exports_t:file read_file_perms; -manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) -manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) -files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir }) - -manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t) -files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file }) - # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) @@ -318,16 +302,6 @@ tunable_policy(`nfs_export_all_ro',` files_read_non_security_files(nfsd_t) ') -optional_policy(` - glusterd_manage_log(nfsd_t) - glusterd_manage_pid(nfsd_t) -') - -optional_policy(` - dbus_system_bus_client(nfsd_t) - dbus_acquire_svc_system_dbusd(nfsd_t) -') - optional_policy(` mount_exec(nfsd_t) mount_manage_pid_files(nfsd_t) @@ -357,6 +331,8 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) +domain_manage_all_domains_keyrings(gssd_t) + fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) diff --git a/rpm.te b/rpm.te index 7394a0dfc..4402cbe09 100644 --- a/rpm.te +++ b/rpm.te @@ -34,6 +34,7 @@ logging_log_file(rpm_log_t) type rpm_var_lib_t; files_type(rpm_var_lib_t) +files_mountpoint(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; type rpm_var_cache_t; diff --git a/snapper.fc b/snapper.fc index 4f4bdb397..0a43846a8 100644 --- a/snapper.fc +++ b/snapper.fc @@ -7,6 +7,7 @@ /mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) /\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) + /usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) /var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) /etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) diff --git a/snapper.te b/snapper.te index 8c9e4a200..5be6d3542 100644 --- a/snapper.te +++ b/snapper.te @@ -22,7 +22,7 @@ files_type(snapperd_data_t) # # snapperd local policy # -allow snapperd_t self:capability { dac_read_search fowner sys_admin }; +allow snapperd_t self:capability { dac_read_search dac_override fowner sys_admin }; allow snapperd_t self:process setsched; allow snapperd_t self:fifo_file rw_fifo_file_perms; @@ -57,6 +57,8 @@ files_read_all_files(snapperd_t) files_read_all_symlinks(snapperd_t) files_list_all(snapperd_t) files_manage_isid_type_dirs(snapperd_t) +files_manage_non_security_dirs(snapperd_t) +files_relabel_non_security_files(snapperd_t) fs_getattr_all_fs(snapperd_t) fs_mount_xattr_fs(snapperd_t) diff --git a/sysstat.te b/sysstat.te index a2690e315..efb2f855c 100644 --- a/sysstat.te +++ b/sysstat.te @@ -44,6 +44,7 @@ dev_read_urand(sysstat_t) files_search_var(sysstat_t) files_read_etc_runtime_files(sysstat_t) +files_search_all_mountpoints(sysstat_t) fs_getattr_all_fs(sysstat_t) fs_list_inotifyfs(sysstat_t)