diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 1c753fa..7cd5112 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,5 +1,5 @@ -policy_module(netutils, 1.8.3) +policy_module(netutils, 1.8.4) ######################################## # @@ -50,7 +50,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) kernel_search_proc(netutils_t) -kernel_read_sysctl(netutils_t) +kernel_read_all_sysctls(netutils_t) corenet_all_recvfrom_unlabeled(netutils_t) corenet_all_recvfrom_netlabel(netutils_t) @@ -140,6 +140,10 @@ userdom_use_user_terminals(ping_t) ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) + + optional_policy(` + nagios_dontaudit_rw_pipes(ping_t) + ') ') tunable_policy(`user_ping',` diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 7e551dc..07d0a84 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -7,6 +7,7 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -32,6 +33,8 @@ ifdef(`distro_redhat',` # # /etc # +/etc/acpi/actions(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0) @@ -67,6 +70,8 @@ ifdef(`distro_redhat',` /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0) +/etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) /etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) @@ -140,6 +145,7 @@ ifdef(`distro_gentoo',` /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -209,7 +215,14 @@ ifdef(`distro_gentoo',` /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index e6feeb6..0fcd718 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands, 1.11.1) +policy_module(corecommands, 1.11.2) ######################################## # diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index bb46175..c87c9ec 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -1612,6 +1612,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',` ######################################## ## +## Connect TCP sockets to all ports > 1024. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`corenet_tcp_connect_all_unreserved_ports',` + gen_require(` + attribute port_type, reserved_port_type; + ') + + allow $1 { port_type -reserved_port_type }:tcp_socket name_connect; +') + +######################################## +## ## Do not audit attempts to connect TCP sockets ## all reserved ports. ## @@ -1687,6 +1705,24 @@ interface(`corenet_rw_tun_tap_dev',` ######################################## ## +## Getattr the point-to-point device. +## +## +## +## The domain allowed access. +## +## +# +interface(`corenet_getattr_ppp_dev',` + gen_require(` + type ppp_device_t; + ') + + allow $1 ppp_device_t:chr_file getattr; +') + +######################################## +## ## Read and write the point-to-point device. ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 78e96ba..7e624f8 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork, 1.11.7) +policy_module(corenetwork, 1.11.8) ######################################## # diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 7316b09..5667bcc 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -525,7 +525,7 @@ interface(`domain_search_all_domains_state',` ') kernel_search_proc($1) - allow $1 domain:dir search; + allow $1 domain:dir search_dir_perms; ') ######################################## @@ -629,6 +629,7 @@ interface(`domain_read_confined_domains_state',` dontaudit $1 unconfined_domain_type:dir search_dir_perms; dontaudit $1 unconfined_domain_type:file read_file_perms; + dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms; ') ######################################## diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 2546240..ecd8e56 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -1,5 +1,5 @@ -policy_module(domain, 1.6.0) +policy_module(domain, 1.6.1) ######################################## # @@ -145,7 +145,7 @@ allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; -allow unconfined_domain_type domain:file read_file_perms; +allow unconfined_domain_type domain:file rw_file_perms; allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index 61aa432..30cfa49 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -5,6 +5,7 @@ /.* gen_context(system_u:object_r:default_t,s0) / -d gen_context(system_u:object_r:root_t,s0) /\.journal <> +/afs -d gen_context(system_u:object_r:mnt_t,s0) /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 282a1cf..d76b28b 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -928,6 +928,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) + # this is only relabelfrom since there should be no + # device nodes with file types. relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -1096,6 +1098,24 @@ interface(`files_relabelto_all_file_type_fs',` ######################################## ## +## Relabel a filesystem to the type of a file. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_all_file_type_fs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:filesystem { relabelfrom relabelto }; +') + +######################################## +## ## Mount all filesystems with the type of a file. ## ## @@ -2307,6 +2327,25 @@ interface(`files_rw_isid_type_dirs',` ######################################## ## +## Delete directories on new filesystems +## that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_isid_type_dirs',` + gen_require(` + type file_t; + ') + + delete_dirs_pattern($1, file_t, file_t) +') + +######################################## +## ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## @@ -2364,6 +2403,25 @@ interface(`files_read_isid_type_files',` ######################################## ## +## Delete files on new filesystems +## that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_isid_type_files',` + gen_require(` + type file_t; + ') + + delete_files_pattern($1, file_t, file_t) +') + +######################################## +## ## Create, read, write, and delete files ## on new filesystems that have not yet been labeled. ## @@ -2820,6 +2878,7 @@ interface(`files_search_kernel_modules',` ') allow $1 modules_object_t:dir search_dir_perms; + read_lnk_files_pattern($1, modules_object_t, modules_object_t) ') ######################################## @@ -3546,7 +3605,7 @@ interface(`files_delete_usr_dirs',` type usr_t; ') - allow $1 usr_t:file delete_dir_perms; + delete_dirs_pattern($1, usr_t, usr_t) ') ######################################## @@ -4413,6 +4472,28 @@ interface(`files_read_all_locks',` ######################################## ## +## manage all lock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_all_locks',` + gen_require(` + attribute lockfile; + type var_t, var_lock_t; + ') + + allow $1 { var_t var_lock_t }:dir search_dir_perms; + manage_dirs_pattern($1, lockfile, lockfile) + manage_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, lockfile, lockfile) +') + +######################################## +## ## Create an object in the locks directory, with a private ## type using a type transition. ## @@ -4532,7 +4613,8 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') - read_files_pattern($1, { var_t var_run_t }, var_run_t) + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) ') ######################################## diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 13f52cf..498e39a 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files, 1.11.0) +policy_module(files, 1.11.1) ######################################## # @@ -199,7 +199,7 @@ fs_associate_ramfs(file_type) # Rules for all tmp file types # -allow tmpfile tmp_t:filesystem associate; +allow file_type tmp_t:filesystem associate; fs_associate_tmpfs(tmpfile) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 1879be0..d6ec546 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -157,7 +157,7 @@ interface(`kernel_signal',` type kernel_t; ') - allow kernel_t $1:process signal; + allow $1 kernel_t:process signal; ') ######################################## @@ -817,7 +817,7 @@ interface(`kernel_dontaudit_read_system_state',` type proc_t; ') - dontaudit $1 proc_t:file { getattr read }; + dontaudit $1 proc_t:file read_file_perms; ') ######################################## @@ -1183,6 +1183,25 @@ interface(`kernel_write_xen_state',` ######################################## ## +## Allow attempts to list all proc directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`kernel_list_all_proc',` + gen_require(` + attribute proc_type; + ') + + allow $1 proc_type:dir list_dir_perms; + allow $1 proc_type:file getattr; +') + +######################################## +## ## Do not audit attempts to list all proc directories. ## ## @@ -1197,6 +1216,7 @@ interface(`kernel_dontaudit_list_all_proc',` ') dontaudit $1 proc_type:dir list_dir_perms; + dontaudit $1 proc_type:file getattr; ') ######################################## @@ -1232,10 +1252,11 @@ interface(`kernel_dontaudit_search_sysctl',` # interface(`kernel_read_sysctl',` gen_require(` - type sysctl_t; + type sysctl_t, proc_t; ') list_dirs_pattern($1, proc_t, sysctl_t) + read_files_pattern($1, sysctl_t, sysctl_t) ') ######################################## @@ -1568,6 +1589,25 @@ interface(`kernel_dontaudit_search_kernel_sysctl',` ######################################## ## +## Read generic crypto sysctls. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_crypto_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_crypto_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) +') + +######################################## +## ## Read generic kernel sysctls. ## ## @@ -1767,6 +1807,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; + dontaudit $1 sysctl_type:file getattr; ') ######################################## diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index d3d685a..4fa91a3 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,5 +1,5 @@ -policy_module(kernel, 1.10.3) +policy_module(kernel, 1.10.4) ######################################## # @@ -100,6 +100,7 @@ type proc_net_t, proc_type; genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) type proc_xen_t, proc_type; +files_mountpoint(proc_xen_t) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) # @@ -120,6 +121,10 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) type sysctl_rpc_t, sysctl_type; genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) +# /proc/sys/crypto directory and files +type sysctl_crypto_t, sysctl_type; +genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0) + # /proc/sys/fs directory and files type sysctl_fs_t, sysctl_type; files_mountpoint(sysctl_fs_t) @@ -198,6 +203,8 @@ allow kernel_t self:fifo_file rw_fifo_file_perms; allow kernel_t self:sock_file read_sock_file_perms; allow kernel_t self:fd use; +allow kernel_t debugfs_t:dir search_dir_perms; + allow kernel_t proc_t:dir list_dir_perms; allow kernel_t proc_t:file read_file_perms; allow kernel_t proc_t:lnk_file read_lnk_file_perms; diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if index c76ba8b..82691c0 100644 --- a/policy/modules/services/nagios.if +++ b/policy/modules/services/nagios.if @@ -2,6 +2,26 @@ ######################################## ## +## Do not audit attempts to read or write nagios +## unnamed pipes. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`nagios_dontaudit_rw_pipes',` + gen_require(` + type nagios_t; + ') + + dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## ## Allow the specified domain to read ## nagios configuration files. ## diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te index e872fe5..0828a9c 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -1,5 +1,5 @@ -policy_module(nagios, 1.7.1) +policy_module(nagios, 1.7.2) ######################################## #