diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index 1579c5f..eddbb0d 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -142,6 +142,7 @@ miscfiles_read_localization(bootloader_t) seutil_read_binary_pol(bootloader_t) seutil_read_loadpol(bootloader_t) +seutil_dontaudit_search_config(bootloader_t) ifdef(`distro_debian',` allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; @@ -197,12 +198,13 @@ optional_policy(`rpm.te',` rpm_rw_pipe(bootloader_t) ') -ifdef(`TODO',` +optional_policy(`userdomain.te',` + userdom_dontaudit_search_staff_home_dir(bootloader_t) + userdom_dontaudit_search_sysadm_home_dir(bootloader_t) +') -dontaudit bootloader_t selinux_config_t:dir search; -dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search; +ifdef(`TODO',` dontaudit bootloader_t devpts_t:dir create_dir_perms; - ifdef(`distro_debian', ` allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms; diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 6425337..254ad48 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if 
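Review bot: The two home-directory dontaudit rules moved from the TODO-guarded block into the new userdomain optional_policy block were, as far as this diff shows, never compiled before, so this hunk changes enforced policy rather than merely tidying it, and the commit description should say so. The same activation happens for the tty, tmpfs and socket dontaudits in the ipsec.te hunks, for the initrc_t pid-file access routed through init.te and raid.if, and for the sysadm_t access added in userdomain.te. Every reactivated dontaudit removes denials from the audit log, so each one deserves a fresh look rather than being carried over from the old TODO list wholesale; a short `# previously in the TODO block; verified still needed` comment next to each would record that review.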
@@ -1490,6 +1490,41 @@ interface(`fs_search_tmpfs',` ') ######################################## +## +## List the contents of generic tmpfs directories. +## +## +## Domain allowed access. +## +# +interface(`fs_list_tmpfs',` + gen_require(` + type tmpfs_t; + class dir r_dir_perms; + ') + + allow $1 tmpfs_t:dir r_dir_perms; +') + +######################################## +## +## Do not audit attempts to list the +## contents of generic tmpfs directories. +## +## +## Domain to not audit. +## +# +interface(`fs_dontaudit_list_tmpfs',` + gen_require(` + type tmpfs_t; + class dir r_dir_perms; + ') + + dontaudit $1 tmpfs_t:dir r_dir_perms; +') + +######################################## # # fs_create_tmpfs_data(domain,derivedtype,[class]) # diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 789a910..b018245 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -174,6 +174,40 @@ interface(`kernel_sendto_unix_dgram_socket',` ######################################## ## +## Receive messages from kernel TCP sockets. +## +## +## Domain allowed access. +## +# +interface(`kernel_tcp_recvfrom',` + gen_require(` + type kernel_t; + class tcp_socket recvfrom; + ') + + allow $1 kernel_t:tcp_socket recvfrom; +') + +######################################## +## +## Receive messages from kernel UDP sockets. +## +## +## Domain allowed access. +## +# +interface(`kernel_udp_recvfrom',` + gen_require(` + type kernel_t; + class udp_socket recvfrom; + ') + + allow $1 kernel_t:udp_socket recvfrom; +') + +######################################## +## ## Allows caller to load kernel modules ## ## diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 3e20842..b3a4540 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if 
@@ -446,6 +446,24 @@ interface(`term_getattr_unallocated_ttys',` ######################################## ## +## Do not audit attempts to get the attributes +## of all unallocated tty device nodes. +## +## +## The type of the process performing this action. +## +# +interface(`term_dontaudit_getattr_unallocated_ttys',` + gen_require(` + type tty_device_t; + class chr_file getattr; + ') + + dontaudit $1 tty_device_t:chr_file getattr; +') + +######################################## +## ## Set the attributes of all unallocated ## tty device nodes. ## diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 33cbc57..80135b7 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -386,10 +386,28 @@ interface(`domain_dontaudit_getattr_all_sockets',` ') ######################################## -## +## +## Do not audit attempts to get the attributes +## of all domains TCP sockets. +## +## +## The type of the process performing this action. +## +# +interface(`domain_dontaudit_getattr_all_tcp_sockets',` + gen_require(` + attribute domain; + class tcp_socket getattr; + ') + + dontaudit $1 domain:tcp_socket getattr; +') + +######################################## +## ## Do not audit attempts to get the attributes ## of all domains UDP sockets. -## +## ## ## The type of the process performing this action. ## 
@@ -404,21 +422,39 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',` ') ######################################## -## -## Do not audit attempts to get the attributes -## of all domains TCP sockets. -## +## +## Do not audit attempts to read or write +## all domains UDP sockets. +## ## ## The type of the process performing this action. ## # -interface(`domain_dontaudit_getattr_all_tcp_sockets',` +interface(`domain_dontaudit_rw_all_udp_sockets',` gen_require(` attribute domain; - class tcp_socket getattr; + class udp_socket { read write }; ') - dontaudit $1 domain:tcp_socket getattr; + dontaudit $1 domain:udp_socket { read write }; +') + +######################################## +## +## Do not audit attempts to read or write +## all domains key sockets. +## +## +## The type of the process performing this action. +## +# +interface(`domain_dontaudit_rw_all_key_sockets',` + gen_require(` + attribute domain; + class key_socket { read write }; + ') + + dontaudit $1 domain:key_socket { read write }; ') ######################################## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 23482f4..ae54049 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -371,6 +371,11 @@ optional_policy(`hotplug.te',` modutils_read_mods_deps(initrc_t) ') +optional_policy(`ipsec.te',` + ipsec_read_config(initrc_t) + ipsec_manage_pid(initrc_t) +') + optional_policy(`kerberos.te',` kerberos_use(initrc_t) ') @@ -391,6 +396,10 @@ optional_policy(`nis.te',` nis_list_var_yp(initrc_t) ') +optional_policy(`raid.te',` + raid_manage_mdadm_pid(initrc_t) +') + optional_policy(`rhgb.te',` corecmd_shell_entry_type(initrc_t) ') diff --git a/refpolicy/policy/modules/system/ipsec.if b/refpolicy/policy/modules/system/ipsec.if index 023e4f6..b17231e 100644 --- a/refpolicy/policy/modules/system/ipsec.if +++ b/refpolicy/policy/modules/system/ipsec.if 
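Review bot: domain_dontaudit_rw_all_udp_sockets and domain_dontaudit_rw_all_key_sockets silence read/write denials against the sockets of every domain, which is far broader than a caller that only talks to one daemon needs; the only caller in this commit (ipsec_mgmt_t in ipsec.te) even carries a comment saying the rule seems excessive. The interface descriptions should state that scope so callers reach for a per-daemon dontaudit first, e.g. `## Suppresses denials against every domain's sockets; prefer a dontaudit interface in the peer domain's module when the peer is known.` added to each description block. The tcp_socket getattr interface removed here is the one re-added in the previous hunk, so that part is a pure move.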
@@ -23,3 +23,91 @@ interface(`ipsec_domtrans',` allow ipsec_t $1:fifo_file rw_file_perms; allow ipsec_t $1:process sigchld; ') + +######################################## +## +## Connect to an IPSEC unix domain stream socket. +## +## +## The type of the process performing this action. +## +# +interface(`ipsec_connectto_unix_stream_socket',` + gen_require(` + type ipsec_t; + class unix_stream_socket connectto; + ') + + allow $1 ipsec_t:unix_stream_socket connectto; +') + +######################################## +## +## Get the attributes of an IPSEC key socket. +## +## +## The type of the process performing this action. +## +# +interface(`ipsec_getattr_key_socket',` + gen_require(` + type ipsec_t; + class key_socket getattr; + ') + + allow $1 ipsec_t:key_socket getattr; +') + +######################################## +## +## Execute the IPSEC management program in the caller domain. +## +## +## The type of the process performing this action. +## +# +interface(`ipsec_exec_mgmt',` + gen_require(` + type ipsec_exec_t; + ') + + can_exec($1,ipsec_exec_t) +') + +######################################## +## +## Read the IPSEC configuration +## +## +## The type of the process performing this action. +## +# +interface(`ipsec_read_config',` + gen_require(` + type ipsec_conf_file_t; + class file r_file_perms; + ') + + files_search_etc($1) + allow $1 ipsec_conf_file_t:file r_file_perms; +') + +######################################## +## +## Create, read, write, and delete the IPSEC pid files. +## +## +## The type of the process performing this action. +## +# +interface(`ipsec_manage_pid',` + gen_require(` + type ipsec_var_run_t; + class dir rw_dir_perms; + class file create_file_perms; + ') + + files_search_pids($1) + allow $1 ipsec_var_run_t:dir rw_dir_perms; + allow $1 ipsec_var_run_t:file create_file_perms; +') diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te index 2d0832f..a73e707 100644 
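Review bot: ipsec_exec_mgmt grants can_exec on ipsec_exec_t, but the rule it replaces (removed from the TODO block in ipsec.te later in this diff) was can_exec(sysadm_t, ipsec_mgmt_exec_t), and the interface summary itself says it executes the management program; ipsec.te declares ipsec_mgmt_exec_t as the entry point of ipsec_mgmt_t, while ipsec_exec_t is presumably the daemon's entry type. As written, sysadm_t gains direct execution of the daemon binary in its own domain and loses the intended access to the management script. Change `type ipsec_exec_t;` to `type ipsec_mgmt_exec_t;` and `can_exec($1,ipsec_exec_t)` to `can_exec($1,ipsec_mgmt_exec_t)`. The ipsec_read_config summary is also the only one in this hunk without a terminating period.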
--- a/refpolicy/policy/modules/system/ipsec.te +++ b/refpolicy/policy/modules/system/ipsec.te @@ -21,7 +21,7 @@ type ipsec_key_file_t; type ipsec_var_run_t; files_pid_file(ipsec_var_run_t) -type ipsec_mgmt_t; #, privlog, admin, privmodule, nscd_client_domain; +type ipsec_mgmt_t; # admin, privmodule; type ipsec_mgmt_exec_t; init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t) role system_r types ipsec_mgmt_t; @@ -204,8 +204,10 @@ dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) fs_getattr_xattr_fs(ipsec_mgmt_t) +fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) +term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) # the default updown script wants to run route corecmd_exec_sbin(ipsec_mgmt_t) @@ -214,6 +216,12 @@ corecmd_exec_sbin(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) domain_use_wide_inherit_fd(ipsec_mgmt_t) +# denials when ps tries to search /proc. Do not audit these denials. +domain_dontaudit_list_all_domains_proc(ipsec_mgmt_t) +# suppress audit messages about unnecessary socket access +# cjp: this seems excessive +domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) +domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) 
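Review bot: fs_list_tmpfs(ipsec_mgmt_t) stands in for the TODO-block rule allow ipsec_mgmt_t tmpfs_t:dir { getattr read } removed in the next hunk, but the interface grants r_dir_perms, which in refpolicy's global permission sets also covers search, lock and ioctl, so this is a small widening rather than a one-to-one move. If the extra permissions are acceptable, say so where the interface is called, e.g. `# list tmpfs; r_dir_perms is slightly wider than the old { getattr read }`; otherwise keep the narrower rule until a listing-only interface exists.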
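Review bot: The domain_dontaudit_rw_all_udp_sockets and domain_dontaudit_rw_all_key_sockets calls suppress read/write denials for ipsec_mgmt_t against every domain's sockets, and the carried-over `# cjp: this seems excessive` comment already flags that. The management scripts presumably interact with the daemon domain ipsec_t (the new ipsec.if interfaces connect to and inspect ipsec_t sockets), so a dontaudit limited to `ipsec_t:key_socket { read write }` and `ipsec_t:udp_socket { read write }` would silence the same noise without hiding denials against unrelated domains. Keep the domain-wide form only if denials against other domains have actually been observed, and note that in the comment instead of the open question.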
@@ -243,32 +251,13 @@ optional_policy(`consoletype.te',` consoletype_exec(ipsec_mgmt_t) ') -ifdef(`TODO',` -# denials when ps tries to search /proc. Do not audit these denials. -dontaudit ipsec_mgmt_t domain:dir r_dir_perms; - -# suppress audit messages about unnecessary socket access -dontaudit ipsec_mgmt_t domain:key_socket { read write }; -dontaudit ipsec_mgmt_t domain:udp_socket { read write }; - -# allow pluto to search the root directory (not sure why, but mostly harmless) -# Are these all really necessary? -dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr; +optional_policy(`nscd.te',` + nscd_use_socket(ipsec_mgmt_t) +') +ifdef(`TODO',` # ideally it would not need this. It wants to write to /root/.rnd file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) -allow ipsec_mgmt_t tmpfs_t:dir { getattr read }; allow ipsec_mgmt_t dev_fs:file_class_set getattr; - -# allow system administrator to use the ipsec script to look -# at things (e.g., ipsec auto --status) -# probably should create an ipsec_admin role for this kind of thing -can_exec(sysadm_t, ipsec_mgmt_exec_t) -allow sysadm_t ipsec_t:unix_stream_socket connectto; -# for lsof -allow sysadm_t ipsec_t:key_socket getattr; - -rw_dir_create_file(initrc_t, ipsec_var_run_t) -allow initrc_t ipsec_conf_file_t:file { getattr read ioctl }; ') dnl end TODO diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 4ffffdb..269e7e7 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te 
@@ -239,6 +239,11 @@ files_dontaudit_search_isid_type_dir(syslogd_t) allow syslogd_t self:capability net_admin; allow syslogd_t self:netlink_route_socket r_netlink_socket_perms; +ifdef(`distro_suse', ` + # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel + files_create_var_lib(syslogd_t,devlog_t,sock_file) +') + ifdef(`klogd.te', `', ` # Allow access to /proc/kmsg for syslog-ng kernel_read_messages(syslogd_t) @@ -274,11 +279,6 @@ optional_policy(`rhgb.te', ` rhgb_domain(syslogd_t) ') -ifdef(`distro_suse', ` - # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel - file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) -') - # log to the xconsole allow syslogd_t xconsole_device_t:fifo_file { ioctl read write }; diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te index cfcc67c..61e7674 100644 --- a/refpolicy/policy/modules/system/miscfiles.te +++ b/refpolicy/policy/modules/system/miscfiles.te @@ -9,8 +9,8 @@ policy_module(miscfiles,1.0) # # catman_t is the type for /var/catman. # -type catman_t; # , tmpfile; -files_type(catman_t) +type catman_t; +files_tmp_file(catman_t) # # cert_t is the type of files in the system certs directories. @@ -46,5 +46,5 @@ files_type(test_file_t) # # for /var/{spool,lib}/texmf index files # -type tetex_data_t; # , tmpfile; -files_type(tetex_data_t) +type tetex_data_t; +files_tmp_file(tetex_data_t) diff --git a/refpolicy/policy/modules/system/raid.if b/refpolicy/policy/modules/system/raid.if index 434ac36..1981606 100644 --- a/refpolicy/policy/modules/system/raid.if +++ b/refpolicy/policy/modules/system/raid.if @@ -24,3 +24,31 @@ interface(`raid_domtrans_mdadm',` allow mdadm_t $1:fifo_file rw_file_perms; allow mdadm_t $1:process sigchld; ') + +######################################## +## +## Create, read, write, and delete the mdadm pid files. +## +## +##
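Review bot: Switching catman_t and tetex_data_t from files_type to files_tmp_file presumably attaches the tmp-file attribute, so every interface written for "all tmp files" (cleanup and deletion, relabeling, polyinstantiation) now reaches /var/catman and the texmf index files too; that is wider than the previous per-type labeling and is only hinted at by the `# , tmpfile` remnants this hunk deletes. If that is intended, record it at each declaration, e.g. `# tmp file type: tmp-cleanup domains may remove stale index files`; if not, keep files_type and grant the specific domains that need these files their own access.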

+## Create, read, write, and delete the mdadm pid files. +##

+##

+## Added for use in the init module. +##

+##
+## +## The type of the process performing this action. +## +# +interface(`raid_manage_mdadm_pid',` + gen_require(` + type mdadm_var_run_t; + class file create_file_perms; + ') + + # FIXME: maybe should have a type_transition. not + # clear what this is doing, from the original + # mdadm policy + allow $1 mdadm_var_run_t:file create_file_perms; +') diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te index 43bb0aa..8d28d83 100644 --- a/refpolicy/policy/modules/system/raid.te +++ b/refpolicy/policy/modules/system/raid.te @@ -1,6 +1,9 @@ -#DESC mdadm - Linux RAID tool + +policy_module(mdadm,1.0) + +######################################## # -# Author: Colin Walters +# Declarations # type mdadm_t; @@ -11,6 +14,11 @@ role system_r types mdadm_t; type mdadm_var_run_t; files_pid_file(mdadm_var_run_t) +######################################## +# +# Local policy +# + allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; dontaudit mdadm_t self:capability sys_tty_config; allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; @@ -28,6 +36,7 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) fs_search_auto_mountpoints(mdadm_t) +fs_dontaudit_list_tmpfs(mdadm_t) # RAID block device access storage_manage_fixed_disk(mdadm_t) @@ -77,13 +86,8 @@ optional_policy(`udev.te', ` ') ifdef(`TODO',` -allow initrc_t mdadm_var_run_t:file create_file_perms; - # Ignore attempts to read every device file -dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr }; - -# Other random ignores -dontaudit mdadm_t tmpfs_t:dir r_dir_perms; +dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr }; allow mdadm_t var_t:dir getattr; ') dnl TODO diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 6d49f92..d2e306e 100644 --- a/refpolicy/policy/modules/system/unconfined.if 
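Review bot: raid_manage_mdadm_pid's summary promises create, read, write and delete of the mdadm pid files, but the body only grants create_file_perms on mdadm_var_run_t:file, with no search of the pid directory and no directory write permissions, so a caller cannot actually create or unlink files there unless it gets that access elsewhere. ipsec_manage_pid in the same commit shows the complete shape: add `class dir rw_dir_perms;` to gen_require, then `files_search_pids($1)` and `allow $1 mdadm_var_run_t:dir rw_dir_perms;` before the file rule. The FIXME about a type_transition is a separate gap: if the pid file is created directly under the generic pid directory rather than inside an mdadm_var_run_t directory, the caller also needs a transition to get the right label, which this interface does not provide.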
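Review bot: The new header declares `policy_module(mdadm,1.0)` in a file named raid.te, whereas miscfiles.te in this same commit uses `policy_module(miscfiles,1.0)` matching its filename, and init.te references the module as raid.te. If the build or module loader keys on the declared name, the mismatch will surface as a missing or misnamed module, so `policy_module(raid,1.0)` looks like the intended line unless the project deliberately names modules after the tool. The TODO block also drops `dir` from the device_t dontaudit class set without a visible replacement; the block is inert, but a one-line comment on why would help the next person who activates it.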
+++ b/refpolicy/policy/modules/system/unconfined.if @@ -99,6 +99,31 @@ interface(`unconfined_domtrans',` ') ######################################## +## +## Execute specified programs in the unconfined domain. +## +## +## The type of the process performing this action. +## +## +## The role to allow the unconfined domain. +## +## +## The type of the terminal allow the unconfined domain to use. +## +# +interface(`unconfined_run',` + gen_require(` + type unconfined_t; + class chr_file rw_term_perms; + ') + + unconfined_domtrans($1) + role $2 types unconfined_t; + allow unconfined_t $3:chr_file rw_term_perms; +') + +######################################## ## ## Transition to the unconfined domain by executing a shell. ## diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 68cd0b1..48845cc 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -20,9 +20,6 @@ unconfined_domain_template(unconfined_t) logging_send_syslog_msg(unconfined_t) -#role sysadm_r types unconfined_t; -#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t) - ifdef(`targeted_policy',` allow unconfined_t self:system syslog_read; diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index dbada2c..1d6b5f0 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -122,6 +122,16 @@ ifdef(`targeted_policy',` hostname_run(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`ipsec.te',` + # allow system administrator to use the ipsec script to look + # at things (e.g., ipsec auto --status) + # probably should create an ipsec_admin role for this kind of thing + ipsec_exec_mgmt(sysadm_t) + ipsec_connectto_unix_stream_socket(sysadm_t) + # for lsof + ipsec_getattr_key_socket(sysadm_t) + ') + optional_policy(`iptables.te',` iptables_run(sysadm_t,sysadm_r,admin_terminal) ') 
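Review bot: The third parameter description in unconfined_run reads `The type of the terminal allow the unconfined domain to use.`, which is missing a word; `The type of the terminal to allow the unconfined domain to use.` is what was meant. Since unconfined_t is built from unconfined_domain_template, the `allow unconfined_t $3:chr_file rw_term_perms;` line is presumably already covered and present only for symmetry with other run-style interfaces; a comment such as `# redundant for an unconfined domain; kept for run-interface symmetry` would stop the next reader from treating it as load-bearing.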
@@ -176,6 +186,10 @@ ifdef(`targeted_policy',` sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`unconfined.te',` + unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal) + ') + optional_policy(`usermanage.te',` usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal) usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
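Review bot: `unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)` passes three arguments to an interface that, going by its context line in unconfined.if and the single-argument call `unconfined_domtrans($1)` inside the new unconfined_run, takes only the domain; m4 drops the extra arguments silently, so sysadm_r is never authorized for unconfined_t and the transition would presumably be rejected as an invalid context unless that role authorization exists elsewhere. The three-argument form is exactly what unconfined_run provides in this same commit, so the line should be `unconfined_run(sysadm_t,sysadm_r,admin_terminal)`, matching the neighbouring sysnet_run_ifconfig and usermanage_run_* calls.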