diff --git a/refpolicy/Changelog b/refpolicy/Changelog index bc237fc..097ef49 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -7,6 +7,7 @@ dhcp dictd hal + ntp squid * Fri Aug 26 2005 Chris PeBenito - 20050826 diff --git a/refpolicy/policy/modules/admin/firstboot.if b/refpolicy/policy/modules/admin/firstboot.if index 13678e0..868929a 100644 --- a/refpolicy/policy/modules/admin/firstboot.if +++ b/refpolicy/policy/modules/admin/firstboot.if @@ -72,6 +72,24 @@ interface(`firstboot_use_fd',` ######################################## ## +## Do not audit attempts to inherit a +## file descriptor from firstboot. +## +## +## Domain to not audit. +## +# +interface(`firstboot_dontaudit_use_fd',` + gen_require(` + type firstboot_t; + class fd use; + ') + + dontaudit $1 firstboot_t:fd use; +') + +######################################## +## ## Write to a firstboot unnamed pipe. ## ## diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index 479a208..8a6c789 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -61,6 +61,7 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0) network_port(mail, tcp,2000,s0) network_port(mysqld, tcp,3306,s0) network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0) +network_port(ntp, udp,123,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) diff --git a/refpolicy/policy/modules/services/ntp.fc b/refpolicy/policy/modules/services/ntp.fc new file mode 100644 index 0000000..3554fcd --- /dev/null +++ b/refpolicy/policy/modules/services/ntp.fc @@ -0,0 +1,19 @@ + +/etc/ntp(d)?\.conf(.sv)? -- context_template(system_u:object_r:net_conf_t,s0) + +/etc/cron\.(daily|weekly)/ntp-simple -- context_template(system_u:object_r:ntpd_exec_t,s0) +/etc/cron\.(daily|weekly)/ntp-server -- context_template(system_u:object_r:ntpd_exec_t,s0) + +/etc/ntp/step-tickers -- context_template(system_u:object_r:net_conf_t,s0) +/etc/ntp/data(/.*)? context_template(system_u:object_r:ntp_drift_t,s0) + +/usr/sbin/ntpd -- context_template(system_u:object_r:ntpd_exec_t,s0) +/usr/sbin/ntpdate -- context_template(system_u:object_r:ntpdate_exec_t,s0) + +/var/lib/ntp(/.*)? context_template(system_u:object_r:ntp_drift_t,s0) + +/var/log/ntp.* -- context_template(system_u:object_r:ntpd_log_t,s0) +/var/log/ntpstats(/.*)? context_template(system_u:object_r:ntpd_log_t,s0) +/var/log/xntpd.* -- context_template(system_u:object_r:ntpd_log_t,s0) + +/var/run/ntpd\.pid -- context_template(system_u:object_r:ntpd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/ntp.if b/refpolicy/policy/modules/services/ntp.if new file mode 100644 index 0000000..9c43145 --- /dev/null +++ b/refpolicy/policy/modules/services/ntp.if @@ -0,0 +1,51 @@ +## Network time protocol daemon + +######################################## +## +## Execute ntp server in the ntpd domain. +## +## +## The type of the process performing this action. +## +# +interface(`ntp_domtrans',` + gen_require(` + type ntpd_t, ntpd_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + corecmd_search_sbin($1) + domain_auto_trans($1,ntpd_exec_t,ntpd_t) + + allow $1 ntpd_t:fd use; + allow ntpd_t $1:fd use; + allow ntpd_t $1:fifo_file rw_file_perms; + allow ntpd_t $1:process sigchld; +') + +######################################## +## +## Execute ntp server in the ntpd domain. +## +## +## The type of the process performing this action. +## +# +interface(`ntp_domtrans_ntpdate',` + gen_require(` + type ntpd_t, ntpdate_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + corecmd_search_sbin($1) + domain_auto_trans($1,ntpdate_exec_t,ntpd_t) + + allow $1 ntpd_t:fd use; + allow ntpd_t $1:fd use; + allow ntpd_t $1:fifo_file rw_file_perms; + allow ntpd_t $1:process sigchld; +') diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te new file mode 100644 index 0000000..97a1203 --- /dev/null +++ b/refpolicy/policy/modules/services/ntp.te @@ -0,0 +1,172 @@ + +policy_module(ntp,1.0) + +######################################## +# +# Declarations +# + +type ntp_drift_t; +files_type(ntp_drift_t) + +type ntpd_t; +type ntpd_exec_t; +init_daemon_domain(ntpd_t,ntpd_exec_t) + +type ntpd_log_t; +logging_log_file(ntpd_log_t) + +type ntpd_tmp_t; +files_tmp_file(ntpd_tmp_t) + +type ntpd_var_run_t; +files_pid_file(ntpd_var_run_t) + +type ntpdate_exec_t; +init_system_domain(ntpd_t,ntpdate_exec_t) + +######################################## +# +# Local policy +# + +allow ntpd_t self:capability { kill setgid setuid sys_time ipc_lock sys_chroot }; +# ntpdate wants sys_nice +dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; +allow ntpd_t self:process { signal_perms setcap setsched }; +allow ntpd_t self:fifo_file { read write getattr }; +allow ntpd_t self:unix_dgram_socket create_socket_perms; +allow ntpd_t self:unix_stream_socket create_socket_perms; +allow ntpd_t self:netlink_route_socket r_netlink_socket_perms; +allow ntpd_t self:tcp_socket create_stream_socket_perms; +allow ntpd_t self:udp_socket { create_socket_perms sendto recvfrom }; + +allow ntpd_t ntp_drift_t:dir rw_dir_perms; +allow ntpd_t ntp_drift_t:file create_file_perms; + +can_exec(ntpd_t,ntpd_exec_t) + +allow ntpd_t ntpd_log_t:file create_file_perms; +allow ntpd_t ntpd_log_t:dir { rw_dir_perms setattr }; +logging_create_log(ntpd_t,ntpd_log_t,{ file dir }) + +# for some reason it creates a file in /tmp +allow ntpd_t ntpd_tmp_t:dir create_dir_perms; +allow ntpd_t ntpd_tmp_t:file create_file_perms; +files_create_tmp_files(ntpd_t, ntpd_tmp_t, { file dir }) + +allow ntpd_t ntpd_var_run_t:file create_file_perms; +files_create_pid(ntpd_t,ntpd_var_run_t) + +kernel_read_kernel_sysctl(ntpd_t) +kernel_read_system_state(ntpd_t) + +corenet_tcp_sendrecv_all_if(ntpd_t) +corenet_udp_sendrecv_all_if(ntpd_t) +corenet_raw_sendrecv_all_if(ntpd_t) +corenet_tcp_sendrecv_all_nodes(ntpd_t) +corenet_udp_sendrecv_all_nodes(ntpd_t) +corenet_raw_sendrecv_all_nodes(ntpd_t) +corenet_tcp_sendrecv_all_ports(ntpd_t) +corenet_udp_sendrecv_all_ports(ntpd_t) +corenet_tcp_bind_all_nodes(ntpd_t) +corenet_udp_bind_all_nodes(ntpd_t) +corenet_udp_bind_ntp_port(ntpd_t) + +dev_read_sysfs(ntpd_t) +# for SSP +dev_read_urand(ntpd_t) + +fs_getattr_all_fs(ntpd_t) +fs_search_auto_mountpoints(ntpd_t) + +term_dontaudit_use_console(ntpd_t) + +corecmd_exec_bin(ntpd_t) +corecmd_exec_sbin(ntpd_t) +corecmd_exec_ls(ntpd_t) +corecmd_exec_shell(ntpd_t) + +domain_use_wide_inherit_fd(ntpd_t) +domain_dontaudit_list_all_domains_proc(ntpd_t) + +files_read_etc_files(ntpd_t) +files_read_etc_runtime_files(ntpd_t) +files_read_usr_files(ntpd_t) +files_list_var_lib(ntpd_t) + +init_exec_script(ntpd_t) +init_use_fd(ntpd_t) +init_use_script_pty(ntpd_t) + +libs_use_ld_so(ntpd_t) +libs_use_shared_libs(ntpd_t) + +logging_send_syslog_msg(ntpd_t) + +miscfiles_read_localization(ntpd_t) + +sysnet_read_config(ntpd_t) + +userdom_dontaudit_use_unpriv_user_fd(ntpd_t) +userdom_dontaudit_list_sysadm_home_dir(ntpd_t) + +ifdef(`targeted_policy', ` + term_dontaudit_use_unallocated_tty(ntpd_t) + term_dontaudit_use_generic_pty(ntpd_t) + files_dontaudit_read_root_file(ntpd_t) +') + +optional_policy(`crond.te',` + # for cron jobs + # system_crond_t is not right, cron is not doing what it should + cron_system_entry(ntpd_t,ntpd_exec_t) +') + +optional_policy(`firstboot.te',` + firstboot_dontaudit_use_fd(ntpd_t) +') + +optional_policy(`logrotate.te',` + logrotate_exec(ntpd_t) +') + +optional_policy(`mount.te',` + mount_send_nfs_client_request(ntpd_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(ntpd_t) +') + +optional_policy(`nscd.te',` + nscd_use_socket(ntpd_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(ntpd_t) +') + +optional_policy(`udev.te', ` + udev_read_db(ntpd_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(ntpd_t) +') + +# so the start script can change firewall entries +allow initrc_t net_conf_t:file { getattr read ioctl }; + +allow ntpd_t sysadm_t:udp_socket sendto; +allow sysadm_t ntpd_t:udp_socket recvfrom; + +allow sysadm_t ntpd_t:udp_socket sendto; +allow ntpd_t sysadm_t:udp_socket recvfrom; + +ifdef(`winbind.te', ` +allow ntpd_t winbind_var_run_t:dir r_dir_perms; +allow ntpd_t winbind_var_run_t:sock_file rw_file_perms; +') +') dnl end TODO diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index e328537..dc7a989 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -489,10 +489,10 @@ interface(`files_mount_all_file_type_fs',` interface(`files_unmount_all_file_type_fs',` gen_require(` attribute file_type; - filesystem mount; + filesystem unmount; ') - allow $1 file_type:filesystem mount; + allow $1 file_type:filesystem unmount; ') ######################################## diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 669ebee..fc717a6 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -117,6 +117,7 @@ corecmd_exec_sbin(dhcpc_t) corecmd_exec_shell(dhcpc_t) domain_use_wide_inherit_fd(dhcpc_t) +domain_dontaudit_list_all_domains_proc(dhcpc_t) files_read_etc_files(dhcpc_t) files_read_etc_runtime_files(dhcpc_t) @@ -187,7 +188,7 @@ optional_policy(`nscd.te',` optional_policy(`ntpd.te',` # dhclient sometimes starts ntpd init_exec_script(dhcpc_t) - ntpd_domtrans(dhcpc_t) + ntp_domtrans(dhcpc_t) ') optional_policy(`selinuxutil.te',` @@ -204,12 +205,9 @@ optional_policy(`userdomain.te',` ') ifdef(`TODO',` - optional_policy(`rhgb.te',` rhgb_domain(dhcpc_t) ') - -dontaudit dhcpc_t domain:dir getattr; ') dnl endif TODO ######################################## diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 5ea3c02..2a8d5b4 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -1508,6 +1508,24 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',` ######################################## ## +## Do not audit attempts to list the sysadm +## users home directory. +## +## +## Domain to not audit. +## +# +interface(`userdom_dontaudit_list_sysadm_home_dir',` + gen_require(` + type sysadm_home_dir_t; + class dir r_dir_perms; + ') + + dontaudit $1 sysadm_home_dir_t:dir r_dir_perms; +') + +######################################## +## ## Read files in the sysadm users home directory. ## ##