diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 65fbe15..af360bc 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -42,6 +42,25 @@ interface(`corenet_udp_send_generic_if',` ######################################## ## +## Dontaudit attempts to send UDP network traffic +## on generic interfaces. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_udp_send_generic_if',` + gen_require(` + type netif_t; + ') + + dontaudit $1 netif_t:netif udp_send; +') + +######################################## +## ## Receive UDP network traffic on generic interfaces. ## ## @@ -60,6 +79,25 @@ interface(`corenet_udp_receive_generic_if',` ######################################## ## +## Do not audit attempts to receive UDP network +## traffic on generic interfaces. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_udp_receive_generic_if',` + gen_require(` + type netif_t; + ') + + dontaudit $1 netif_t:netif udp_recv; +') + +######################################## +## ## Send and Receive UDP network traffic on generic interfaces. ## ## @@ -75,6 +113,22 @@ interface(`corenet_udp_sendrecv_generic_if',` ######################################## ## +## Do not audit attempts to send and receive UDP network +## traffic on generic interfaces. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_udp_sendrecv_generic_if',` + corenet_dontaudit_udp_send_generic_if($1) + corenet_dontaudit_udp_receive_generic_if($1) +') + +######################################## +## ## Send raw IP packets on generic interfaces. ## ## 
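Review bot: The summary of the new corenet_dontaudit_udp_send_generic_if interface in the @@ -42 hunk reads `## Dontaudit attempts to send UDP network traffic` while the two sibling interfaces added right after it (corenet_dontaudit_udp_receive_generic_if, corenet_dontaudit_udp_sendrecv_generic_if) open with "Do not audit attempts to …"; `## Do not audit attempts to send UDP network traffic` would keep the generated interface documentation uniform. The rule itself, `dontaudit $1 netif_t:netif udp_send;`, mirrors the existing corenet_udp_send_generic_if shown in the hunk header, so there is no behavioural point to raise.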
@@ -438,6 +492,25 @@ interface(`corenet_udp_send_all_nodes',` ######################################## ## +## Do not audit attempts to send UDP network +## traffic on any nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_udp_send_all_nodes',` + gen_require(` + attribute node_type; + ') + + dontaudit $1 node_type:node udp_send; +') + +######################################## +## ## Receive UDP network traffic on all nodes. ## ## @@ -456,6 +529,25 @@ interface(`corenet_udp_receive_all_nodes',` ######################################## ## +## Do not audit attempts to receive UDP +## network traffic on all nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_udp_receive_all_nodes',` + gen_require(` + attribute node_type; + ') + + dontaudit $1 node_type:node udp_recv; +') + +######################################## +## ## Send and receive UDP network traffic on all nodes. ## ## @@ -471,6 +563,22 @@ interface(`corenet_udp_sendrecv_all_nodes',` ######################################## ## +## Do not audit attempts to send and receive UDP +## network traffic on any nodes nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_udp_sendrecv_all_nodes',` + corenet_dontaudit_udp_send_all_nodes($1) + corenet_dontaudit_udp_receive_all_nodes($1) +') + +######################################## +## ## Send raw IP packets on all nodes. ## ## @@ -1312,6 +1420,22 @@ interface(`corenet_non_ipsec_sendrecv',` ######################################## ## +## Do not audit attempts to send and receive +## messages on a non-encrypted (no IPSEC) network +## session. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_non_ipsec_sendrecv',` + kernel_dontaudit_sendrecv_unlabeled_association($1) +') + +######################################## +## ## Send generic client packets. ## ## 
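Review bot: The summary of corenet_dontaudit_udp_sendrecv_all_nodes in the @@ -471 hunk has a doubled word and disagrees with the interfaces it wraps: `## network traffic on any nodes nodes.` should read `## network traffic on all nodes.`, matching the "all nodes" wording of corenet_udp_sendrecv_all_nodes in the context and of corenet_dontaudit_udp_receive_all_nodes. The same "any nodes" wording appears in the corenet_dontaudit_udp_send_all_nodes summary in the @@ -438 hunk, where "all nodes" would again match the interface it mirrors.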
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4 index 51908e2..c20c7a4 100644 --- a/policy/modules/kernel/corenetwork.if.m4 +++ b/policy/modules/kernel/corenetwork.if.m4 @@ -360,6 +360,25 @@ interface(`corenet_udp_send_$1_port',` ######################################## ## +## Do not audit attempts to send UDP traffic on the $1 port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_send_$1_port',` + gen_require(` + $3 $1_$2; + ') + + dontaudit dollarsone $1_$2:udp_socket send_msg; +') + +######################################## +## ## Receive UDP traffic on the $1 port. ## ## @@ -379,6 +398,25 @@ interface(`corenet_udp_receive_$1_port',` ######################################## ## +## Do not audit attempts to receive UDP traffic on the $1 port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_receive_$1_port',` + gen_require(` + $3 $1_$2; + ') + + dontaudit dollarsone $1_$2:udp_socket recv_msg; +') + +######################################## +## ## Send and receive UDP traffic on the $1 port. ## ## @@ -395,6 +433,23 @@ interface(`corenet_udp_sendrecv_$1_port',` ######################################## ## +## Do not audit attempts to send and receive +## UDP traffic on the $1 port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_sendrecv_$1_port',` + corenet_dontaudit_udp_send_$1_port(dollarsone) + corenet_dontaudit_udp_receive_$1_port(dollarsone) +') + +######################################## +## ## Bind TCP sockets to the $1 port. ## ## 
@@ -474,6 +529,25 @@ interface(`corenet_send_$1_packets',` ######################################## ## +## Do not audit attempts to send $1 packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_send_$1_packets',` + gen_require(` + type $1_packet_t; + ') + + dontaudit dollarsone $1_packet_t:packet send; +') + +######################################## +## ## Receive $1 packets. ## ## @@ -493,6 +567,25 @@ interface(`corenet_receive_$1_packets',` ######################################## ## +## Do not audit attempts to receive $1 packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_dontaudit_receive_$1_packets',` + gen_require(` + type $1_packet_t; + ') + + dontaudit dollarsone $1_packet_t:packet recv; +') + +######################################## +## ## Send and receive $1 packets. ## ## @@ -509,6 +602,22 @@ interface(`corenet_sendrecv_$1_packets',` ######################################## ## +## Do not audit attempts to send and receive $1 packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_sendrecv_$1_packets',` + corenet_dontaudit_send_$1_packets(dollarsone) + corenet_dontaudit_receive_$1_packets(dollarsone) +') + +######################################## +## ## Relabel packets to $1 the packet type. ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 169e582..65dfdd0 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.1.15) +policy_module(corenetwork,1.1.16) ######################################## # diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 8583729..918657b 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
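Review bot: The parameter description of corenet_dontaudit_receive_$1_packets in the @@ -493 hunk says `## Domain allowed access.` although the interface only emits `dontaudit dollarsone $1_packet_t:packet recv;` and grants nothing; the neighbouring corenet_dontaudit_send_$1_packets and corenet_dontaudit_sendrecv_$1_packets templates use `## Domain to not audit.`, which is the accurate wording here. Because this is an m4 template, the wrong description is repeated in the generated documentation of every packet type, so it is worth fixing before the interface file is regenerated.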
@@ -147,6 +147,24 @@ interface(`dev_create_generic_dirs',` ######################################## ## +## Delete a directory in the device directory. +## +## +## +## Domain allowed to create the directory. +## +## +# +interface(`dev_delete_generic_dirs',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir { del_entry_dir_perms rmdir }; +') + +######################################## +## ## Allow full relabeling (to and from) of directories in /dev. ## ## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 6f30f63..bc5b1c0 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.1.21) +policy_module(devices,1.1.22) ######################################## # diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index c390959..a9d4601 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
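Review bot: The parameter description of the new dev_delete_generic_dirs interface says `## Domain allowed to create the directory.`, which looks copied from dev_create_generic_dirs in the hunk header; the rule granted is `allow $1 device_t:dir { del_entry_dir_perms rmdir };`, so it should read `## Domain allowed to delete the directory.`. A short comment on the rule, such as `# entry removal on /dev and rmdir on the directory itself are both device_t` (presumably why one rule covers the whole operation), would help a reader see why the directory and its parent share a type — worth confirming that is the intended scope.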
@@ -3349,41 +3349,41 @@ interface(`files_usr_filetrans',` ######################################## ## -## Execute programs in /usr/src in the caller domain. +## Do not audit attempts to search /usr/src. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_exec_usr_src_files',` +interface(`files_dontaudit_search_src',` gen_require(` - type usr_t, src_t; + type src_t; ') - allow $1 usr_t:dir search; - allow $1 src_t:dir r_dir_perms; - allow $1 src_t:lnk_file r_file_perms; - can_exec($1,src_t) + dontaudit $1 src_t:dir search; ') ######################################## ## -## Do not audit attempts to search /usr/src. +## Get the attributes of files in /usr/src. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_search_src',` +interface(`files_getattr_usr_src_files',` gen_require(` - type src_t; + type usr_t, src_t; ') - dontaudit $1 src_t:dir search; + allow $1 { usr_t src_t }:dir search_dir_perms; + + allow $1 src_t:lnk_file { getattr read }; + allow $1 src_t:file getattr; ') ######################################## @@ -3408,6 +3408,27 @@ interface(`files_read_usr_src_files',` ######################################## ## +## Execute programs in /usr/src in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_exec_usr_src_files',` + gen_require(` + type usr_t, src_t; + ') + + allow $1 usr_t:dir search; + allow $1 src_t:dir r_dir_perms; + allow $1 src_t:lnk_file r_file_perms; + can_exec($1,src_t) +') + +######################################## +## ## Install a system.map into the /boot directory. ## ## diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index dea8e5c..81e4660 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.2.16) +policy_module(files,1.2.17) ######################################## # 
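Review bot: The new files_getattr_usr_src_files interface in the @@ -3349 hunk grants more than its summary `## Get the attributes of files in /usr/src.` states: `allow $1 src_t:lnk_file { getattr read };` also lets the caller read symlinks under /usr/src, and `search_dir_perms` on `{ usr_t src_t }` lets it traverse the tree. A comment above the lnk_file rule, e.g. `# symlink read so links inside /usr/src can be followed` (if that is the reason), and a summary of "Get the attributes of files in /usr/src, searching the tree" would document the actual footprint. The files_exec_usr_src_files moved into the @@ -3408 hunk still uses `allow $1 usr_t:dir search;` where the new interface uses search_dir_perms; aligning the two would keep the /usr/src interfaces consistent, though that is beyond what this commit sets out to do.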
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 2aa08cc..11e0807 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -2133,6 +2133,39 @@ interface(`kernel_sendrecv_unlabeled_association',` ######################################## ## +## Do not audit attempts to send and receive messages +## from an unlabeled IPSEC association. +## +## +##

+## Do not audit attempts to send and receive messages +## from an unlabeled IPSEC association. Network +## connections that are not protected +## by IPSEC have use an unlabeled +## assocation. +##

+##

+## The corenetwork interface +## corenet_dontaudit_non_ipsec_sendrecv() should +## be used instead of this one. +##

+##
+## +## +## Domain to not audit. +## +## +# +interface(`kernel_dontaudit_sendrecv_unlabeled_association',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:association { sendto recvfrom }; +') + +######################################## +## ## Send and receive unlabeled packets. ## ## diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 34b4d1b..5fe4843 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,5 +1,5 @@ -policy_module(kernel,1.3.15) +policy_module(kernel,1.3.16) ######################################## # diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index a801eba..0735073 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -470,9 +470,10 @@ template(`ssh_server_template', ` allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_file_perms; allow $1_t self:process { signal setsched setrlimit setexec }; - - allow $1_t self:tcp_socket { listen accept create connect ioctl read getattr write setattr append bind getopt setopt shutdown }; - allow $1_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown }; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + # ssh agent connections: + allow $1_t self:unix_stream_socket create_stream_socket_perms; allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 232c005..399e913 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh,1.3.10) +policy_module(ssh,1.3.11) ######################################## # 
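Review bot: The description of the new kernel_dontaudit_sendrecv_unlabeled_association interface has a garbled sentence and a misspelling: `## by IPSEC have use an unlabeled` / `## assocation.` should read `## by IPSEC use an unlabeled` / `## association.`. The rule `dontaudit $1 unlabeled_t:association { sendto recvfrom };` mirrors the existing kernel_sendrecv_unlabeled_association named in the hunk header, and the pointer to corenet_dontaudit_non_ipsec_sendrecv() is consistent with this commit since that wrapper is added in corenetwork.if.in.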
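Review bot: The comment `# ssh agent connections:` above the new `allow $1_t self:unix_stream_socket create_stream_socket_perms;` line in the ssh.if @@ -470 hunk does not say which side of the connection sshd is on, and create_stream_socket_perms includes listen and accept, so a reader may wonder why a listening rule is needed for an agent. If this is the socket sshd creates for forwarded agent connections, `# ssh agent forwarding: sshd creates and listens on the forwarded-agent unix socket` would make that explicit — worth confirming against the daemon's behaviour. The tcp_socket and udp_socket lines in the same hunk replace hand-listed permissions with the create_stream_socket_perms / create_socket_perms sets; ssh_server_template continues outside the hunk.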
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index e6a6745..8900a5b 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -1,5 +1,5 @@ -policy_module(getty,1.1.3) +policy_module(getty,1.1.4) ######################################## # @@ -105,6 +105,20 @@ logging_send_syslog_msg(getty_t) miscfiles_read_localization(getty_t) +ifdef(`distro_gentoo',` + # Gentoo default /etc/issue makes agetty + # do a DNS lookup for the hostname + dontaudit getty_t self:udp_socket create_socket_perms; + + corenet_dontaudit_non_ipsec_sendrecv(getty_t) + corenet_dontaudit_udp_sendrecv_generic_if(getty_t) + corenet_dontaudit_udp_sendrecv_all_nodes(getty_t) + corenet_dontaudit_udp_sendrecv_dns_port(getty_t) + corenet_dontaudit_sendrecv_dns_client_packets(getty_t) + + sysnet_dontaudit_read_config(getty_t) +') + ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(getty_t) term_dontaudit_use_generic_ptys(getty_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 2ee4fe0..d35db82 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.3.23) +policy_module(init,1.3.24) gen_require(` class passwd rootok; @@ -411,6 +411,12 @@ ifdef(`distro_gentoo',` dev_create_generic_dirs(initrc_t) term_create_console_dev(initrc_t) + # unfortunately /sbin/rc does stupid tricks + # with /dev/.rcboot to decide if we are in + # early init + dev_create_generic_dirs(initrc_t) + dev_delete_generic_dirs(initrc_t) + # needed until baselayout is fixed to have the # restorecon on /dev to again be immediately after # mounting tmpfs on /dev diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 5184b74..4e702a8 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -1,5 +1,5 @@ -policy_module(modutils,1.1.5) +policy_module(modutils,1.1.6) gen_require(` bool secure_mode_insmod; 
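Review bot: The gentoo block in the getty.te @@ -105 hunk only dontaudits the DNS lookup that agetty makes for /etc/issue; since dontaudit suppresses the log entry without granting the access, the lookup still fails and the hostname escape in /etc/issue will presumably not resolve. Stating that consequence in the comment, e.g. `# Gentoo default /etc/issue makes agetty do a DNS lookup for the hostname; the lookup is denied silently rather than allowed`, tells the next maintainer that the silence is deliberate. If resolution is actually wanted, the corresponding allow interfaces would be the change instead, but that is a policy decision beyond this hunk.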
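Review bot: The added `dev_create_generic_dirs(initrc_t)` in the init.te @@ -411 hunk duplicates the identical call that appears as context three lines earlier, apparently inside the same ifdef(`distro_gentoo',` block named in the hunk header, so only `dev_delete_generic_dirs(initrc_t)` is new here; the duplicate line should be dropped and the comment kept above the delete call. The comment could also name the operation it justifies, e.g. `# /sbin/rc creates and removes /dev/.rcboot to decide if we are in early init`, so the rmdir grant is tied to a concrete path. The ifdef block continues outside the hunk.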
@@ -277,6 +277,7 @@ userdom_dontaudit_search_sysadm_home_dirs(update_modules_t) ifdef(`distro_gentoo',` files_search_pids(update_modules_t) + files_getattr_usr_src_files(update_modules_t) optional_policy(` consoletype_exec(update_modules_t)