diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 58b23ac..aa47aac 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -6,6 +6,7 @@ ktalk portmap samba + snmp zebra * Wed Sep 07 2005 Chris PeBenito - 20050907 diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 8da01a7..13cad13 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -142,6 +142,8 @@ corecmd_shell_domtrans(rpm_t,rpm_script_t) domain_exec_all_entry_files(rpm_t) domain_read_all_domains_state(rpm_t) +domain_getattr_all_domains(rpm_t) +domain_dontaudit_ptrace_all_domains(rpm_t) domain_use_wide_inherit_fd(rpm_t) files_exec_etc_files(rpm_t) @@ -276,6 +278,8 @@ corecmd_exec_bin(rpm_script_t) corecmd_exec_sbin(rpm_script_t) domain_read_all_domains_state(rpm_script_t) +domain_getattr_all_domains(rpm_script_t) +domain_dontaudit_ptrace_all_domains(rpm_script_t) domain_use_wide_inherit_fd(rpm_script_t) domain_exec_all_entry_files(rpm_script_t) domain_signal_all_domains(rpm_script_t) diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if index def3a2f..63a82db 100644 --- a/refpolicy/policy/modules/kernel/storage.if +++ b/refpolicy/policy/modules/kernel/storage.if @@ -76,6 +76,25 @@ interface(`storage_dontaudit_setattr_fixed_disk',` ######################################## ## +## Do not audit attempts made by the caller to read +## fixed disk device nodes. +## +## +## The type of the process to not audit. +## +# +interface(`storage_dontaudit_read_fixed_disk',` + gen_require(` + type removable_device_t; + class blk_file { getattr ioctl read }; + + ') + + dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read }; +') + +######################################## +## ## Allow the caller to directly read from a fixed disk. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and 
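Review bot: `storage_dontaudit_read_fixed_disk` declares `type removable_device_t;` in its gen_require but the rule it emits is `dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };`, so the interface never requires the type it actually uses (it reads like a copy of the removable-device variant). The gen_require line should be `type fixed_disk_device_t;`. The stray blank line before `')` inside that gen_require can go as well, and the same blank line appears in `storage_dontaudit_read_removable_device` in the next hunk.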
@@ -426,6 +445,25 @@ interface(`storage_dontaudit_getattr_removable_device',` ######################################## ## +## Do not audit attempts made by the caller to read +## removable devices device nodes. +## +## +## The type of the process to not audit. +## +# +interface(`storage_dontaudit_read_removable_device',` + gen_require(` + type removable_device_t; + class blk_file { getattr ioctl read }; + + ') + + dontaudit $1 removable_device_t:blk_file { getattr ioctl read }; +') + +######################################## +## ## Allow the caller to set the attributes of removable ## devices device nodes. ## diff --git a/refpolicy/policy/modules/services/snmp.fc b/refpolicy/policy/modules/services/snmp.fc new file mode 100644 index 0000000..54c23b5 --- /dev/null +++ b/refpolicy/policy/modules/services/snmp.fc @@ -0,0 +1,26 @@ + +# +# /etc +# + +/etc/snmp/snmp(trap)?d\.conf -- context_template(system_u:object_r:snmpd_etc_t,s0) + +# +# /usr +# +/usr/sbin/snmp(trap)?d -- context_template(system_u:object_r:snmpd_exec_t,s0) + +/usr/share/snmp/mibs/\.index -- context_template(system_u:object_r:snmpd_var_lib_t,s0) + +# +# /var +# +/var/lib/net-snmp(/.*)? context_template(system_u:object_r:snmpd_var_lib_t,s0) +/var/lib/snmp(/.*)? context_template(system_u:object_r:snmpd_var_lib_t,s0) + +/var/log/snmpd\.log -- context_template(system_u:object_r:snmpd_log_t,s0) + +/var/net-snmp(/.*) context_template(system_u:object_r:snmpd_var_lib_t,s0) + +/var/run/snmpd -d context_template(system_u:object_r:snmpd_var_run_t,s0) +/var/run/snmpd\.pid -- context_template(system_u:object_r:snmpd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/snmp.if b/refpolicy/policy/modules/services/snmp.if new file mode 100644 index 0000000..cf9b87a --- /dev/null +++ b/refpolicy/policy/modules/services/snmp.if @@ -0,0 +1 @@ +## Simple network management protocol services 
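Review bot: In snmp.fc, `/var/net-snmp(/.*)` lacks the trailing `?` that every other directory pattern in this file has, so the `/var/net-snmp` directory itself is never matched and keeps the generic /var label while only its contents get `snmpd_var_lib_t`. The line should read `/var/net-snmp(/.*)?	context_template(system_u:object_r:snmpd_var_lib_t,s0)`, matching the `/var/lib/net-snmp(/.*)?` entry above it.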
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te new file mode 100644 index 0000000..1d3b3e6 --- /dev/null +++ b/refpolicy/policy/modules/services/snmp.te 
@@ -0,0 +1,165 @@ + +policy_module(snmp,1.0) + +######################################## +# +# Declarations +# +type snmpd_t; +type snmpd_exec_t; +init_daemon_domain(snmpd_t,snmpd_exec_t) + +type snmpd_etc_t; #, usercanread; +files_type(snmpd_etc_t) + +type snmpd_log_t; +logging_log_file(snmpd_log_t) + +type snmpd_var_run_t; +files_pid_file(snmpd_var_run_t) + +type snmpd_var_lib_t; +files_type(snmpd_var_lib_t) + +######################################## +# +# Local policy +# +allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config }; +allow snmpd_t self:file { getattr read }; +allow snmpd_t self:fifo_file rw_file_perms; +allow snmpd_t self:tcp_socket create_stream_socket_perms; +allow snmpd_t self:unix_dgram_socket create_socket_perms; +allow snmpd_t self:unix_stream_socket create_socket_perms; + +allow snmpd_t snmpd_etc_t:file { getattr read }; + +allow snmpd_t snmpd_log_t:file create_file_perms; +logging_create_log(snmpd_t,snmpd_log_t) + +allow snmpd_t snmpd_var_lib_t:file create_file_perms; +allow snmpd_t snmpd_var_lib_t:dir create_dir_perms; +files_create_usr(snmpd_t,snmpd_var_lib_t) +files_create_var(snmpd_t,snmpd_var_lib_t,{ file dir }) +files_create_var_lib(snmpd_t,snmpd_var_lib_t) + +allow snmpd_t snmpd_var_run_t:file create_file_perms; +allow snmpd_t snmpd_var_run_t:dir rw_dir_perms; +files_create_pid(snmpd_t,snmpd_var_run_t) + +kernel_read_kernel_sysctl(snmpd_t) +kernel_read_net_sysctl(snmpd_t) +kernel_read_proc_symlinks(snmpd_t) +kernel_read_system_state(snmpd_t) +kernel_read_network_state(snmpd_t) + +corenet_tcp_sendrecv_all_if(snmpd_t) +corenet_raw_sendrecv_all_if(snmpd_t) +corenet_tcp_sendrecv_all_nodes(snmpd_t) +corenet_raw_sendrecv_all_nodes(snmpd_t) +corenet_tcp_sendrecv_all_ports(snmpd_t) +corenet_tcp_bind_all_nodes(snmpd_t) +corenet_tcp_bind_snmp_port(snmpd_t) +corenet_udp_bind_snmp_port(snmpd_t) + +dev_list_sysfs(snmpd_t) +dev_read_sysfs(snmpd_t) +dev_read_urand(snmpd_t) +dev_read_rand(snmpd_t) + 
+fs_getattr_all_fs(snmpd_t) +fs_search_auto_mountpoints(snmpd_t) + +storage_dontaudit_read_fixed_disk(snmpd_t) +storage_dontaudit_read_removable_device(snmpd_t) + +term_dontaudit_use_console(snmpd_t) + +corecmd_exec_bin(snmpd_t) +corecmd_exec_sbin(snmpd_t) +corecmd_exec_shell(snmpd_t) + +domain_use_wide_inherit_fd(snmpd_t) +domain_read_all_domains_state(snmpd_t) + +files_read_etc_files(snmpd_t) +files_read_usr_files(snmpd_t) +files_read_etc_runtime_files(snmpd_t) +files_search_home(snmpd_t) + +init_read_script_pid(snmpd_t) +init_use_fd(snmpd_t) +init_use_script_pty(snmpd_t) +init_dontaudit_write_script_pid(snmpd_t) + +libs_use_ld_so(snmpd_t) +libs_use_shared_libs(snmpd_t) + +logging_send_syslog_msg(snmpd_t) + +miscfiles_read_localization(snmpd_t) + +seutil_dontaudit_search_config(snmpd_t) + +sysnet_read_config(snmpd_t) + +userdom_dontaudit_use_unpriv_user_fd(snmpd_t) +userdom_dontaudit_search_sysadm_home_dir(snmpd_t) + +ifdef(`distro_redhat', ` + optional_policy(`rpm.te', ` + rpm_read_db(snmpd_t) + ') +') + +ifdef(`targeted_policy', ` + term_dontaudit_use_unallocated_tty(snmpd_t) + term_dontaudit_use_generic_pty(snmpd_t) + files_dontaudit_read_root_file(snmpd_t) +') + +optional_policy(`nscd.te',` + nscd_use_socket(snmpd_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(snmpd_t) +') + +optional_policy(`udev.te', ` + udev_read_db(snmpd_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(snmpd_t) +') + + +ifdef(`TODO',` +can_udp_send(sysadm_t, snmpd_t) +can_udp_send(snmpd_t, sysadm_t) + +ifdef(`distro_redhat', ` + optional_policy(`rpm.te', ` + dontaudit snmpd_t rpm_var_lib_t:dir write; + dontaudit snmpd_t rpm_var_lib_t:file write; + ') +') + +dontaudit snmpd_t rpc_pipefs_t:dir getattr; +allow snmpd_t rpc_pipefs_t:dir getattr; + +optional_policy(`amanda.te', ` + dontaudit snmpd_t amanda_dumpdates_t:file { getattr read }; +') + +optional_policy(`cupsd.te', ` + allow snmpd_t cupsd_rw_etc_t:file { getattr read }; +') + +allow snmpd_t 
var_lib_nfs_t:dir search; + +optional_policy(`rhgb.te',` + rhgb_domain(snmpd_t) +') +') dnl end TODO diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 7ecdbf7..6f56a29 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -455,25 +455,34 @@ interface(`domain_read_all_domains_state',` class dir r_dir_perms; class lnk_file r_file_perms; class file r_file_perms; - class process { getattr ptrace }; ') kernel_search_proc($1) allow $1 domain:dir r_dir_perms; allow $1 domain:lnk_file r_file_perms; allow $1 domain:file r_file_perms; - allow $1 domain:process getattr; +') - # We need to suppress this denial because procps tries to access - # /proc/pid/environ and this now triggers a ptrace check in recent kernels - # (2.4 and 2.6). Might want to change procps to not do this, or only if - # running in a privileged domain. - dontaudit $1 domain:process ptrace; +######################################## +## +## Get the attributes of all domains of all domains. +## +## +## Domain allowed access. +## +# +interface(`domain_getattr_all_domains',` + gen_require(` + attribute domain; + class process getattr; + ') + + allow $1 domain:process getattr; ') ######################################## ## -## Read the process state (/proc/pid) of all domains. +## Read the process state (/proc/pid) of all confined domains. ## ## ## Domain allowed access. @@ -485,7 +494,6 @@ interface(`domain_read_confined_domains_state',` class dir r_dir_perms; class lnk_file r_file_perms; class file r_file_perms; - class process { getattr ptrace }; ') kernel_search_proc($1) 
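Review bot: snmpd_t gets `corenet_udp_bind_snmp_port(snmpd_t)` but there is no `allow snmpd_t self:udp_socket ...` rule and none of the `corenet_udp_sendrecv_*` or `corenet_udp_bind_all_nodes` calls that the TCP side has, so the daemon cannot create or use the UDP socket it binds to the snmp port (the `can_udp_send` lines in the TODO block show UDP traffic is expected). Adding the UDP counterparts of the existing TCP rules, as below, closes that gap. Two smaller points: `type snmpd_etc_t; #, usercanread;` carries a dead fragment from the old policy format and should lose the comment, and `files_create_usr(snmpd_t,snmpd_var_lib_t)` hands the daemon `rw_dir_perms` on usr_t just so the MIB `.index` file can be created; that is broad for a network-facing daemon and worth revisiting once the MIB directory can get its own type.
```m4
allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t self:udp_socket create_socket_perms;
# … unchanged: unix socket rules, file and directory rules, kernel_* calls …
corenet_tcp_bind_snmp_port(snmpd_t)
corenet_udp_sendrecv_all_if(snmpd_t)
corenet_udp_sendrecv_all_nodes(snmpd_t)
corenet_udp_sendrecv_all_ports(snmpd_t)
corenet_udp_bind_all_nodes(snmpd_t)
corenet_udp_bind_snmp_port(snmpd_t)
# … unchanged: remainder of the snmpd_t local policy …
```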
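Review bot: The summary of the new `domain_getattr_all_domains` interface reads "Get the attributes of all domains of all domains."; it should be `## Get the attributes of all domains.`. Separately, `domain_read_all_domains_state` no longer grants `domain:process getattr` nor suppresses the ptrace denial, so any caller outside the files touched by this commit that relied on those rules will start seeing getattr denials and ptrace audit noise; this is only a concern if callers exist that are not visible here, but it is worth confirming every caller was updated in the same way rpm.te, init.te and userdomain.if were.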
@@ -495,11 +503,76 @@ interface(`domain_read_confined_domains_state',` allow $1 { domain -unconfined_domain }:process getattr; dontaudit $1 unconfined_domain:dir search; +') + +######################################## +## +## Get the attributes of all confined domains. +## +## +## Domain allowed access. +## +# +interface(`domain_getattr_confined_domains',` + gen_require(` + attribute domain, unconfined_domain; + class process getattr; + ') + + allow $1 { domain -unconfined_domain }:process getattr; +') + +######################################## +## +## Do not audit attempts to ptrace all domains. +## +## +##

+## Do not audit attempts to ptrace all domains. +##

+##

+## Generally this needs to be suppressed because procps tries to access +## /proc/pid/environ and this now triggers a ptrace check in recent kernels +## (2.4 and 2.6). +##

+##
+## +## Domain allowed access. +## +# +interface(`domain_dontaudit_ptrace_all_domains',` + gen_require(` + attribute domain; + class process ptrace; + ') + + dontaudit $1 domain:process ptrace; +') + +######################################## +## +## Do not audit attempts to ptrace confined domains. +## +## +##

+## Do not audit attempts to ptrace confined domains. +##

+##

+## Generally this needs to be suppressed because procps tries to access +## /proc/pid/environ and this now triggers a ptrace check in recent kernels +## (2.4 and 2.6). +##

+##
+## +## Domain allowed access. +## +# +interface(`domain_dontaudit_ptrace_confined_domains',` + gen_require(` + attribute domain, unconfined_domain; + class process ptrace; + ') - # We need to suppress this denial because procps tries to access - # /proc/pid/environ and this now triggers a ptrace check in recent kernels - # (2.4 and 2.6). Might want to change procps to not do this, or only if - # running in a privileged domain. dontaudit $1 { domain -unconfined_domain }:process ptrace; ') @@ -518,19 +591,12 @@ interface(`domain_dontaudit_read_all_domains_state',` class dir r_dir_perms; class lnk_file r_file_perms; class file r_file_perms; - class process { getattr ptrace }; ') dontaudit $1 domain:dir r_dir_perms; dontaudit $1 domain:lnk_file r_file_perms; dontaudit $1 domain:file r_file_perms; dontaudit $1 domain:process getattr; - - # We need to suppress this denial because procps tries to access - # /proc/pid/environ and this now triggers a ptrace check in recent kernels - # (2.4 and 2.6). Might want to change procps to not do this, or only if - # running in a privileged domain. - dontaudit $1 domain:process ptrace; ') ######################################## diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 9c57f5b..a31f3e8 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if 
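Review bot: `domain_read_confined_domains_state` still carries `allow $1 { domain -unconfined_domain }:process getattr;` (the first context line of this hunk) even though the -485 hunk removed `class process { getattr ptrace }` from its gen_require and the new `domain_getattr_confined_domains` interface now grants exactly that rule. The split is therefore asymmetric with `domain_read_all_domains_state`, which had its getattr rule removed, and the interface now uses a class permission it no longer requires. Either drop that allow line from `domain_read_confined_domains_state` (pcmcia.te now calls `domain_getattr_confined_domains(cardmgr_t)` and would get it from there) or keep `class process getattr;` in its gen_require. The opening of `domain_read_confined_domains_state` lies in the preceding hunk, outside this one.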
@@ -1716,6 +1716,35 @@ interface(`files_read_usr_symlinks',` ######################################## ## +## Create objects in the /usr directory +## +## +## Domain allowed access. +## +## +## The type of the object to be created +## +## +## The object class. If not specified, file is used. +## +# +interface(`files_create_usr',` + gen_require(` + type usr_t; + class dir rw_dir_perms; + ') + + allow $1 usr_t:dir rw_dir_perms; + + ifelse(`$3',`',` + type_transition $1 usr_t:file $2; + ',` + type_transition $1 usr_t:$3 $2; + ') +') + +######################################## +## ## Execute programs in /usr/src in the caller domain. ## ## @@ -1876,6 +1905,35 @@ interface(`files_manage_var_symlinks',` ######################################## ## +## Create objects in the /var directory +## +## +## Domain allowed access. +## +## +## The type of the object to be created +## +## +## The object class. If not specified, file is used. +## +# +interface(`files_create_var',` + gen_require(` + type var_t; + class dir rw_dir_perms; + ') + + allow $1 var_t:dir rw_dir_perms; + + ifelse(`$3',`',` + type_transition $1 var_t:file $2; + ',` + type_transition $1 var_t:$3 $2; + ') +') + +######################################## +## ## Get the attributes of the /var/lib directory. ## ## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 5d03d77..5533bc8 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -277,6 +277,8 @@ domain_sigstop_all_domains(initrc_t) domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) +domain_getattr_all_domains(initrc_t) +domain_dontaudit_ptrace_all_domains(initrc_t) domain_getsession_all_domains(initrc_t) domain_use_wide_inherit_fd(initrc_t) domain_exec_all_entry_files(initrc_t) diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te index 387500f..461415a 100644 
--- a/refpolicy/policy/modules/system/pcmcia.te +++ b/refpolicy/policy/modules/system/pcmcia.te @@ -73,6 +73,8 @@ domain_use_wide_inherit_fd(cardmgr_t) domain_exec_all_entry_files(cardmgr_t) # Read /proc/PID directories for all domains (for fuser). domain_read_confined_domains_state(cardmgr_t) +domain_getattr_confined_domains(cardmgr_t) +domain_dontaudit_ptrace_confined_domains(cardmgr_t) # cjp: these look excessive: domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t) domain_dontaudit_getattr_all_sockets(cardmgr_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index d105ae8..488bb20 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -787,6 +787,8 @@ template(`admin_user_template',` domain_setpriority_all_domains($1_t) domain_read_all_domains_state($1_t) + domain_getattr_all_domains($1_t) + domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) domain_signal_all_domains($1_t)