diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 3579887..01b3216 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -121,9 +121,18 @@ sysnet_dns_name_resolve(ping_t) logging_send_syslog_msg(ping_t) -tunable_policy(`user_ping',` +ifdef(`hide_broken_symptoms',` + init_dontaudit_use_fd(ping_t) +') + +ifdef(`targeted_policy',` term_use_all_user_ttys(ping_t) term_use_all_user_ptys(ping_t) +',` + tunable_policy(`user_ping',` + term_use_all_user_ttys(ping_t) + term_use_all_user_ptys(ping_t) + ') ') optional_policy(`nis.te',` @@ -134,6 +143,10 @@ optional_policy(`nscd.te',` nscd_use_socket(ping_t) ') +optional_policy(`pcmcia.te',` + pcmcia_use_cardmgr_fd(ping_t) +') + optional_policy(`sysnetwork.te',` optional_policy(`hotplug.te',` hotplug_use_fd(ping_t) @@ -146,9 +159,6 @@ tunable_policy(`user_ping',` domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t) ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') ') -ifdef(`cardmgr.te',` - allow ping_t cardmgr_t:fd use; -') ') dnl end TODO ######################################## diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 13cad13..bb43066 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -6,10 +6,11 @@ policy_module(rpm,1.0) # Declarations # -type rpm_t; #, admin, privmem, priv_system_role; +type rpm_t; #, priv_system_role; type rpm_exec_t; init_system_domain(rpm_t,rpm_exec_t) domain_obj_id_change_exempt(rpm_t) +domain_role_change_exempt(rpm_t) domain_wide_inherit_fd(rpm_t) role system_r types rpm_t; @@ -179,6 +180,8 @@ optional_policy(`nis.te',` ') ifdef(`TODO',` +# cjp: this seems way out of place +role sysadm_r types initrc_t; type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t; 
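Review bot: Under the new `ifdef(`targeted_policy',`` branch, term_use_all_user_ttys(ping_t) and term_use_all_user_ptys(ping_t) are granted unconditionally, so on targeted builds the `user_ping` tunable no longer gates tty/pty access at all; if that is intended, a comment such as `# targeted: user tty/pty access is unconditional; user_ping only applies to the strict build` would stop the next reader from taking it for a lost condition. The `hide_broken_symptoms` branch here uses init_dontaudit_use_fd(ping_t), but the matching hunk in strict/domains/program/ping.te (@@ -55,4 +57,7) adds `allow ping_t init_t:fd use;` — one tree silences the denial, the other grants the access, and only the dontaudit form matches what the symptom-hiding switch is for. The same unconditional terminal grant appears in the strict ping.te hunk at @@ -17,7 +17,9 as `allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;`, so any fix should be applied in both trees.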
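Review bot: domain_role_change_exempt(rpm_t) is added without a comment saying which transition needs it, and the trimmed declaration comment on `type rpm_t; #, priv_system_role;` is the only remaining hint that role handling is special for this domain. Exempting rpm_t from the role-change constraint is a global relaxation for everything rpm_t execs, so a line such as `# rpm_t enters domains that run in other roles; exempt it from the role change constraint` (adjusted to the actual reason, which is not visible in this hunk) should accompany it. If only one target domain needs the exemption, name it in that comment.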
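Review bot: `role sysadm_r types initrc_t;` is a role authorization, not an rpm_t rule: once present it lets any sysadm_r process reach initrc_t through whatever transitions already exist, which is why the adjacent `# cjp: this seems way out of place` comment is right. Here it sits inside `ifdef(`TODO',`` and is inert, but the identical line is added live in strict/domains/program/rpm.te (@@ -194,6 +194,7) beside the rpm_script_t → initrc_t transition. It belongs with the initrc_t declaration in the init policy, with a comment naming the need, or should be replaced by something narrower if only the rpm scriptlet path is wanted.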
diff --git a/refpolicy/policy/modules/admin/tmpreaper.te b/refpolicy/policy/modules/admin/tmpreaper.te index a2afcf3..c236076 100644 --- a/refpolicy/policy/modules/admin/tmpreaper.te +++ b/refpolicy/policy/modules/admin/tmpreaper.te @@ -37,6 +37,7 @@ libs_use_shared_libs(tmpreaper_t) logging_send_syslog_msg(tmpreaper_t) miscfiles_read_localization(tmpreaper_t) +miscfiles_delete_man_pages(tmpreaper_t) cron_system_entry(tmpreaper_t,tmpreaper_exec_t) diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 978c2b0..4953fae 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -675,6 +675,38 @@ interface(`dev_setattr_all_chr_files',` ######################################## ## +## Dontaudit read on all block file device nodes. +## +## +## Domain to not audit. +## +# +interface(`dev_dontaudit_read_all_blk_files',` + gen_require(` + attribute device_node; + ') + + dontaudit $1 device_node:blk_file { getattr read }; +') + +######################################## +## +## Dontaudit read on all character file device nodes. +## +## +## Domain to not audit. +## +# +interface(`dev_dontaudit_read_all_chr_files',` + gen_require(` + attribute device_node; + ') + + dontaudit $1 device_node:chr_file { getattr read }; +') + +######################################## +## ## Read, write, create, and delete all block device files. ## ## 
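Review bot: The summaries of dev_dontaudit_read_all_blk_files and dev_dontaudit_read_all_chr_files say "Dontaudit read", but the rules are `dontaudit $1 device_node:blk_file { getattr read };` and the chr_file twin, so getattr is silenced as well and the description undersells what a caller gives up. Because device_node spans every device node, a caller also loses all audit evidence of read attempts on disk, memory and terminal devices — exactly the denials an operator wants to see. Suggest a summary along the lines of `Do not audit attempts to get the attributes of or read any block device node. Callers lose audit evidence of device reads; use only where a scan of /dev is expected.` The only consumer in this change is lvm_t (system/lvm.te), so the scope looks deliberate, but the warning belongs on the reusable interface.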
@@ -2171,6 +2203,44 @@ interface(`dev_dontaudit_setattr_video_dev',` ######################################## ## +## Get the attributes of X server miscellaneous devices. +## +## +## Domain allowed access. +## +# +interface(`dev_getattr_xserver_misc_dev',` + gen_require(` + type device_t, xserver_misc_device_t; + class dir r_dir_perms; + class chr_file getattr; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 xserver_misc_device_t:chr_file getattr; +') + +######################################## +## +## Set the attributes of X server miscellaneous devices. +## +## +## Domain allowed access. +## +# +interface(`dev_setattr_xserver_misc_dev',` + gen_require(` + type device_t, xserver_misc_device_t; + class dir r_dir_perms; + class chr_file setattr; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 xserver_misc_device_t:chr_file setattr; +') + +######################################## +## ## Read and write to the zero device (/dev/zero). ## ## diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index a3c784f..e987e51 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -1969,6 +1969,23 @@ interface(`fs_set_all_quotas',` ######################################## ## +## Relabelfrom all filesystems. +## +## +## The type of the domain doing the +## getattr on the filesystem. +## +# +interface(`fs_relabelfrom_all_fs',` + gen_require(` + attribute filesystem_type; + ') + + allow $1 filesystem_type:filesystem relabelfrom; +') + +######################################## +## ## List all directories with a filesystem type. ## ## diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index d4d9bf7..78e4cfe 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te 
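Review bot: The parameter text of fs_relabelfrom_all_fs, "The type of the domain doing the getattr on the filesystem", is copied from a getattr interface and should read `The type of the domain doing the relabelfrom on the filesystem.` (or the file's usual `Domain allowed access.`). Substantively, filesystem_type covers every filesystem type, so callers may relabelfrom filesystems that were never xattr-labelled; the consumer here is mount_t (system/mount.te @@ -43,7 +43,7, replacing fs_relabelfrom_xattr_fs), mirrored by the `fs_t` → `fs_type` change in strict/domains/program/mount.te (@@ -68,7 +68,7). A comment at the mount.te call stating which non-xattr filesystem requires this (presumably context-mounted ones, though that is not visible here) would justify the widening in both trees.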
@@ -203,6 +203,16 @@ files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) +ifdef(`TODO',` +ifdef(`targeted_policy', ` +unconfined_domain(kernel_t) +') +ifdef(`mls_policy', ` +# run init with maximum MLS range +range_transition kernel_t init_exec_t s0 - s9:c0.c127; +') +') dnl end TODO + ######################################## # # Unlabeled process local policy diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index f8dd882..d33b92d 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -287,7 +287,7 @@ logging_read_generic_logs(system_crond_t) logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) -miscfiles_read_man_pages(system_crond_t) +miscfiles_manage_man_pages(system_crond_t) seutil_read_config(system_crond_t) @@ -311,6 +311,10 @@ tunable_policy(`cron_can_relabel',` seutil_read_file_contexts(system_crond_t) ') +optional_policy(`mysql.te',` + mysql_read_config(system_crond_t) +') + optional_policy(`nis.te',` nis_use_ypbind(system_crond_t) ') diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te index 10fc119..1ad01fb 100644 --- a/refpolicy/policy/modules/services/rsync.te +++ b/refpolicy/policy/modules/services/rsync.te @@ -88,5 +88,5 @@ optional_policy(`nscd.te',` ') ifdef(`TODO',` -r_dir_file(rsync_t, ftpd_anon_t) +anonymous_domain(rsync) ') dnl end TODO diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te index daf9875..03bc86d 100644 --- a/refpolicy/policy/modules/services/samba.te +++ b/refpolicy/policy/modules/services/samba.te @@ -279,6 +279,7 @@ ifdef(`TODO',` optional_policy(`rhgb.te',` rhgb_domain(smbd_t) ') +anonymous_domain(smbd) can_winbind(smbd_t) ') diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index 6fab73a..ca7b37e 100644 
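Review bot: The range in `range_transition kernel_t init_exec_t s0 - s9:c0.c127;` is a hard-coded system-high, and the identical literal is added live in strict/domains/misc/kernel.te (@@ -28,6 +28,11); if the number of sensitivities or categories ever changes, both copies silently stop meaning "maximum" while the comment `# run init with maximum MLS range` keeps claiming it. Here the block is inside `ifdef(`TODO',`` and inert, but when it is enabled the range should come from a single macro naming the system-high range rather than a literal in two files. The same hunk carries `unconfined_domain(kernel_t)` for targeted builds (again active in the strict tree), which deserves its own comment on why the kernel domain must be unconfined there.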
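Review bot: Replacing miscfiles_read_man_pages(system_crond_t) with miscfiles_manage_man_pages(system_crond_t) moves every system cron job from reading man pages to creating, writing and deleting them, so any job running as system_crond_t can now replace arbitrary man_t content rather than only the whatis output. The strict tree makes the same move in strict/domains/program/crond.te (@@ -128,9 +128,8), where it also drops the separate catman_t type that used to confine the writable output, so the read/write split disappears in both trees. If only the whatis/catman output must be writable, a dedicated type for that output keeps system_crond_t read-only on the pages themselves; otherwise a comment such as `# makewhatis rewrites man_t directly (no separate catman type)` should record the decision.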
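Review bot: mysql_read_config(system_crond_t) gives every system cron job read access to the MySQL configuration, and MySQL configuration files commonly carry credentials, so this is broader than a single maintenance job needs. The strict tree does the same in strict/domains/program/mysqld.te (@@ -88,4 +88,7) with `allow system_crond_t mysqld_etc_t:file { getattr read };`. A comment naming the cron job that reads the configuration — and, where the policy structure allows, a dedicated domain for that job — would bound the exposure.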
--- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -438,8 +438,10 @@ template(`ssh_server_template', ` auth_domtrans_chk_passwd($1_t) auth_rw_login_records($1_t) auth_rw_lastlog($1_t) + auth_append_faillog($1_t) corecmd_read_bin_symlink($1_t) + corecmd_getattr_bin_file($1_t) # for sshd subsystems, such as sftp-server. corecmd_getattr_bin_file($1_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 3bfa449..20850a0 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -381,6 +381,24 @@ interface(`auth_relabelto_shadow',` ') ####################################### +## +## Append to the login failure log. +## +## +## Domain allowed access. +## +# +interface(`auth_append_faillog',` + gen_require(` + type faillog_t; + class file { getattr append }; + ') + + logging_search_logs($1) + allow $1 faillog_t:file { getattr append }; +') + +####################################### # # auth_rw_faillog(domain) # diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 0769638..e1fb21d 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -167,6 +167,8 @@ dev_getattr_snd_dev(pam_console_t) dev_setattr_snd_dev(pam_console_t) dev_getattr_video_dev(pam_console_t) dev_setattr_video_dev(pam_console_t) +dev_getattr_xserver_misc_dev(pam_console_t) +dev_setattr_xserver_misc_dev(pam_console_t) fs_search_auto_mountpoints(pam_console_t) diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index f16a8bf..c6de011 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te 
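Review bot: The added `corecmd_getattr_bin_file($1_t)` duplicates the existing call two lines below it (`# for sshd subsystems, such as sftp-server.` followed by `corecmd_getattr_bin_file($1_t)`), so the new line is redundant and should be dropped. auth_append_faillog($1_t) is the useful part of the hunk and is consistent with the strict side's `allow $1_t faillog_t:file { append getattr };` in strict/domains/program/ssh.te. ssh_server_template continues outside the hunk.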
@@ -186,8 +186,8 @@ dev_read_sysfs(sysfs_t) # perhaps this should be blk_files? dev_relabel_generic_symlinks(lvm_t) # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... -dev_dontaudit_getattr_all_chr_files(lvm_t) -dev_dontaudit_getattr_all_blk_files(lvm_t) +dev_dontaudit_read_all_chr_files(lvm_t) +dev_dontaudit_read_all_blk_files(lvm_t) dev_dontaudit_getattr_generic_chr_file(lvm_t) dev_dontaudit_getattr_generic_blk_file(lvm_t) dev_dontaudit_getattr_generic_pipe(lvm_t) @@ -264,4 +264,5 @@ optional_policy(`gnome-pty-helper.te', ` optional_policy(`rhgb.te',` rhgb_domain(lvm_t) ') +dontaudit lvm_t xconsole_device_t:fifo_file getattr; ') dnl end TODO diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index b86b245..7a553a1 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if @@ -70,10 +70,10 @@ interface(`miscfiles_legacy_read_localization',` ######################################## ## -## Allow process to read man pages +## Read man pages ## ## -## Type type of the process performing this action. +## Domain allowed access. ## # interface(`miscfiles_read_man_pages',` 
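Review bot: The comment kept above the change, `# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...`, explains why getattr denials are silenced, but dev_dontaudit_read_all_chr_files(lvm_t) and dev_dontaudit_read_all_blk_files(lvm_t) now silence read denials on every device node too, which the comment does not cover. The strict tree widens identically in strict/domains/program/lvm.te (@@ -97,10 +97,11) with `dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read };`. Either extend the comment, e.g. `# ... it then opens candidate devices for reading, so read denials on non-PV devices are expected`, or keep the read part limited to the device class that is actually opened — silencing reads of all device nodes for lvm_t removes the audit trail for real misbehaviour.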
@@ -92,6 +92,51 @@ interface(`miscfiles_read_man_pages',` ######################################## ## +## Delete man pages +## +## +## Domain allowed access. +## +# cjp: added for tmpreaper +# +interface(`miscfiles_delete_man_pages',` + gen_require(` + type man_t; + class dir { setattr rw_dir_perms rmdir }; + class file { getattr unlink }; + class lnk_file { getattr unlink }; + ') + + files_search_usr($1) + allow $1 man_t:dir { setattr rw_dir_perms rmdir }; + allow $1 man_t:file { getattr unlink }; + allow $1 man_t:lnk_file { getattr unlink }; +') + +######################################## +## +## Create, read, write, and delete man pages +## +## +## Domain allowed access. +## +# +interface(`miscfiles_manage_man_pages',` + gen_require(` + type man_t; + class dir create_dir_perms; + class file create_file_perms; + class lnk_file r_file_perms; + ') + + files_search_usr($1) + allow $1 man_t:dir create_dir_perms; + allow $1 man_t:file create_file_perms; + allow $1 man_t:lnk_file r_file_perms; +') + +######################################## +## ## Read TeX data ## ## diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index ae357bf..ad198c2 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -127,9 +127,12 @@ optional_policy(`rpm.te',` rpm_rw_pipe(insmod_t) ') -#optional_policy(`xserver.te',` -# xserver_getattr_log(insmod_t) -#') +ifdef(`TODO',` +optional_policy(`xserver.te',` + xserver_getattr_log(insmod_t) + allow insmod_t xserver_misc_device_t:chr_file { read write }; +') +') ######################################## # diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 4e5d709..09570be 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te 
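Review bot: miscfiles_delete_man_pages grants `allow $1 man_t:lnk_file { getattr unlink };`, while miscfiles_manage_man_pages, documented as "Create, read, write, and delete man pages", grants only `allow $1 man_t:lnk_file r_file_perms;` — so the "manage" interface cannot create or remove the symlinks the "delete" interface can remove, inverting the usual delete-is-a-subset-of-manage relationship. Either give the manage interface the lnk_file equivalent of the create_file_perms it uses for files, or state the lnk_file exception in its summary. Separately, the `# cjp: added for tmpreaper` line sits inside the `##` doc comment block of the delete interface, ahead of the closing `#` line; it belongs after the doc block or inside the interface body so the doc extractor does not pick it up.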
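Review bot: The TODO block adds a raw `allow insmod_t xserver_misc_device_t:chr_file { read write };` that names a type owned by the devices module directly instead of going through a dev_* interface, and the same rule is added live in strict/domains/program/modutil.te (@@ -116,6 +116,7). Neither copy says why a module loader needs read/write on X server device nodes; since insmod_t carries module-loading privilege, a comment naming the driver or tool that triggers it, e.g. `# needed when the <driver> module initialises its device node — confirm`, is the minimum, and the refpolicy copy should become an interface call when the TODO is lifted.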
@@ -43,7 +43,7 @@ fs_getattr_xattr_fs(mount_t) fs_mount_all_fs(mount_t) fs_unmount_all_fs(mount_t) fs_remount_all_fs(mount_t) -fs_relabelfrom_xattr_fs(mount_t) +fs_relabelfrom_all_fs(mount_t) fs_search_auto_mountpoints(mount_t) fs_use_tmpfs_chr_dev(mount_t) diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if index 96cddbf..c86414e 100644 --- a/refpolicy/policy/modules/system/pcmcia.if +++ b/refpolicy/policy/modules/system/pcmcia.if @@ -11,9 +11,6 @@ interface(`pcmcia_domtrans_cardmgr',` gen_require(` type cardmgr_t, cardmgr_exec_t; - class process sigchld; - class fd use; - class fifo_file rw_file_perms; ') domain_auto_trans($1,cardmgr_exec_t,cardmgr_t) @@ -26,6 +23,22 @@ interface(`pcmcia_domtrans_cardmgr',` ######################################## ## +## Inherit and use file descriptors from cardmgr. +## +## +## Domain allowed access. +## +# +interface(`pcmcia_use_cardmgr_fd',` + gen_require(` + type cardmgr_t; + ') + + allow $1 cardmgr_t:fd use; +') + +######################################## +## ## Execute cardctl in the cardmgr domain. ## ## @@ -35,9 +48,6 @@ interface(`pcmcia_domtrans_cardmgr',` interface(`pcmcia_domtrans_cardctl',` gen_require(` type cardmgr_t, cardctl_exec_t; - class process sigchld; - class fd use; - class fifo_file rw_file_perms; ') domain_auto_trans($1,cardctl_exec_t,cardmgr_t) @@ -66,7 +76,6 @@ interface(`pcmcia_domtrans_cardctl',` interface(`pcmcia_run_cardctl',` gen_require(` type cardmgr_t; - class chr_file rw_term_perms; ') pcmcia_domtrans_cardctl($1) @@ -85,8 +94,6 @@ interface(`pcmcia_run_cardctl',` interface(`pcmcia_read_pid',` gen_require(` type cardmgr_var_run_t; - class dir r_dir_perms; - class file r_file_perms; ') files_search_pids($1) @@ -106,8 +113,6 @@ interface(`pcmcia_read_pid',` interface(`pcmcia_manage_pid',` gen_require(` type cardmgr_var_run_t; - class dir rw_dir_perms; - class file create_file_perms; ') files_search_pids($1) 
@@ -127,8 +132,6 @@ interface(`pcmcia_manage_pid',` interface(`pcmcia_manage_runtime_chr',` gen_require(` type cardmgr_var_run_t; - class dir rw_dir_perms; - class chr_file create_file_perms; ') files_search_pids($1) diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index cc19cb5..ea798ea 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -288,6 +288,8 @@ selinux_compute_relabel_context(restorecon_t) selinux_compute_user_contexts(restorecon_t) term_use_unallocated_tty(restorecon_t) +term_use_all_user_ttys(restorecon_t) +term_use_all_user_ptys(restorecon_t) init_use_fd(restorecon_t) init_use_script_pty(restorecon_t) @@ -332,6 +334,9 @@ ifdef(`TODO',` # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that restorecon can not be run! allow restorecon_t lib_t:file { read execute }; +ifdef(`dpkg.te', ` +domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t) +') ') dnl endif TODO ################################# diff --git a/strict/domains/misc/kernel.te b/strict/domains/misc/kernel.te index 3901bc4..640309a 100644 --- a/strict/domains/misc/kernel.te +++ b/strict/domains/misc/kernel.te @@ -28,6 +28,11 @@ allow kernel_t { usbfs_t usbdevfs_t }:dir search; # Run init in the init_t domain. domain_auto_trans(kernel_t, init_exec_t, init_t) +ifdef(`mls_policy', ` +# run init with maximum MLS range +range_transition kernel_t init_exec_t s0 - s9:c0.c127; +') + # Share state with the init process. allow kernel_t init_t:process share; @@ -65,4 +70,6 @@ can_loadpol(kernel_t) # /proc/sys/kernel/modprobe is set to /bin/true if not using modules. can_exec(kernel_t, bin_t) - +ifdef(`targeted_policy', ` +unconfined_domain(kernel_t) +') diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te index 43d6bbe..536824f 100644 --- a/strict/domains/program/crond.te 
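Review bot: term_use_all_user_ttys(restorecon_t) and term_use_all_user_ptys(restorecon_t) are added without a comment beside the existing term_use_unallocated_tty; restorecon is entered only from admin and init contexts here, so the reason it needs every user terminal (presumably an admin running it from a session whose terminal still carries a user tty label — not visible in this hunk) should be stated, e.g. `# admins run restorecon from sessions whose tty keeps the user tty label`. The strict tree's counterpart in strict/domains/program/restorecon.te (@@ -17,11 +17,12) is narrower, `{ read write ioctl }` on user_tty_type and devtty_t, and additionally authorises secadm_r and a secadm_t transition that the refpolicy side does not add; if refpolicy has no secadm role at this point that is fine, otherwise the two trees have diverged.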
+++ b/strict/domains/program/crond.te @@ -128,9 +128,8 @@ allow system_crond_t var_lib_t:dir rw_dir_perms; allow system_crond_t var_lib_t:file create_file_perms; # Update whatis files. -allow system_crond_t catman_t:dir create_dir_perms; -allow system_crond_t catman_t:file create_file_perms; -allow system_crond_t man_t:file r_file_perms; +allow system_crond_t man_t:dir create_dir_perms; +allow system_crond_t man_t:file create_file_perms; allow system_crond_t man_t:lnk_file read; # Write /var/lock/makewhatis.lock. diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te index b3df265..c5ce785 100644 --- a/strict/domains/program/lvm.te +++ b/strict/domains/program/lvm.te @@ -97,10 +97,11 @@ allow lvm_t devpts_t:dir { search getattr read }; read_locale(lvm_t) # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... -dontaudit lvm_t device_type:{ chr_file blk_file } getattr; +dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read }; dontaudit lvm_t ttyfile:chr_file getattr; dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr; dontaudit lvm_t devpts_t:dir { getattr read }; +dontaudit lvm_t xconsole_device_t:fifo_file getattr; ifdef(`gpm.te', ` dontaudit lvm_t gpmctl_t:sock_file getattr; diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te index 64028d6..dbdae1b 100644 --- a/strict/domains/program/modutil.te +++ b/strict/domains/program/modutil.te @@ -116,6 +116,7 @@ allow insmod_t modules_object_t:file write; allow insmod_t { var_t var_log_t }:dir search; ifdef(`xserver.te', ` allow insmod_t xserver_log_t:file getattr; +allow insmod_t xserver_misc_device_t:chr_file { read write }; ') rw_dir_create_file(insmod_t, var_log_ksyms_t) allow insmod_t { etc_t etc_runtime_t }:file { getattr read }; diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te index 9efd6a4..ab6c359 100644 --- a/strict/domains/program/mount.te 
+++ b/strict/domains/program/mount.te @@ -68,7 +68,7 @@ rhgb_domain(mount_t) # for localization allow mount_t lib_t:file { getattr read }; allow mount_t autofs_t:dir read; -allow mount_t fs_t:filesystem relabelfrom; +allow mount_t fs_type:filesystem relabelfrom; # # This rule needs to be generalized. Only admin, initrc should have it. # diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te index 1bd9073..ea0315b 100644 --- a/strict/domains/program/mysqld.te +++ b/strict/domains/program/mysqld.te @@ -88,4 +88,7 @@ allow userdomain mysqld_var_run_t:sock_file write; } ') +ifdef(`crond.te', ` +allow system_crond_t mysqld_etc_t:file { getattr read }; +') allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te index cbb84af..ed85882 100644 --- a/strict/domains/program/pamconsole.te +++ b/strict/domains/program/pamconsole.te @@ -30,7 +30,7 @@ r_dir_file(pam_console_t, pam_var_console_t) allow pam_console_t device_t:dir { getattr read }; allow pam_console_t device_t:lnk_file { getattr read }; # mouse_device_t is for joy sticks -allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr }; +allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr }; allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr }; allow pam_console_t mnt_t:dir r_dir_perms; diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te index 3a54e81..c0c664f 100644 --- a/strict/domains/program/ping.te +++ b/strict/domains/program/ping.te 
@@ -17,7 +17,9 @@ role system_r types ping_t; in_user_role(ping_t) type ping_exec_t, file_type, sysadmfile, exec_type; -ifdef(`targeted_policy', `', ` +ifdef(`targeted_policy', ` + allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms; +', ` bool user_ping false; if (user_ping) { @@ -55,4 +57,7 @@ dontaudit ping_t fs_t:filesystem getattr; dontaudit ping_t var_t:dir search; dontaudit ping_t devtty_t:chr_file { read write }; dontaudit ping_t self:capability sys_tty_config; +ifdef(`hide_broken_symptoms', ` +allow ping_t init_t:fd use; +') diff --git a/strict/domains/program/portmap.te b/strict/domains/program/portmap.te index adc364d..54cad6f 100644 --- a/strict/domains/program/portmap.te +++ b/strict/domains/program/portmap.te @@ -58,7 +58,7 @@ role system_r types portmap_helper_t; domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t) dontaudit portmap_helper_t self:capability { net_admin }; allow portmap_helper_t self:capability { net_bind_service }; -allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms; +allow portmap_helper_t initrc_var_run_t:file rw_file_perms; file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file) allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms; can_network(portmap_helper_t) diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te index 058dcd1..0e3a278 100644 --- a/strict/domains/program/restorecon.te +++ b/strict/domains/program/restorecon.te 
@@ -17,11 +17,12 @@ type restorecon_exec_t, file_type, sysadmfile, exec_type; role system_r types restorecon_t; role sysadm_r types restorecon_t; +role secadm_r types restorecon_t; allow restorecon_t initrc_devpts_t:chr_file { read write ioctl }; -allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl }; +allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl }; -domain_auto_trans({ initrc_t sysadm_t }, restorecon_exec_t, restorecon_t) +domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t) allow restorecon_t { userdomain init_t privfd }:fd use; uses_shlib(restorecon_t) @@ -44,6 +45,9 @@ allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr rela ifdef(`distro_redhat', ` allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; ') +ifdef(`dpkg.te', ` +domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t) +') allow restorecon_t ptyfile:chr_file getattr; diff --git a/strict/domains/program/rpm.te b/strict/domains/program/rpm.te index e245f57..8405e84 100644 --- a/strict/domains/program/rpm.te +++ b/strict/domains/program/rpm.te @@ -114,7 +114,7 @@ allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms; allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms; -type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role; +type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role; # policy for rpm scriptlet role system_r types rpm_script_t; uses_shlib(rpm_script_t) 
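Review bot: rpm_script_t gains the privrole attribute in its type declaration, letting code run from a package scriptlet satisfy the role-change constraint, and the companion hunk (@@ -194,6 +194,7) adds `role sysadm_r types initrc_t;` next to the existing domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t); together they widen what an arbitrary scriptlet may do with roles, and neither carries a comment. A line above the declaration such as `# privrole: scriptlets transition to initrc_t, which is now authorised for sysadm_r — confirm` would record the justification. The role authorization itself is reviewed at its first appearance in the refpolicy rpm.te hunk.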
@@ -194,6 +194,7 @@ domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t) domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t) domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t) +role sysadm_r types initrc_t; domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t) ifdef(`bootloader.te', ` domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t) diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te index c7d5378..8786fb8 100644 --- a/strict/domains/program/rsync.te +++ b/strict/domains/program/rsync.te @@ -14,6 +14,6 @@ inetd_child_domain(rsync) type rsync_data_t, file_type, sysadmfile; r_dir_file(rsync_t, rsync_data_t) -r_dir_file(rsync_t, ftpd_anon_t) +anonymous_domain(rsync) diff --git a/strict/domains/program/samba.te b/strict/domains/program/samba.te index a1570b6..1ce50e5 100644 --- a/strict/domains/program/samba.te +++ b/strict/domains/program/samba.te @@ -79,6 +79,7 @@ allow smbd_t usr_t:file { getattr read }; # Access Samba shares. create_dir_file(smbd_t, samba_share_t) +anonymous_domain(smbd) ifdef(`logrotate.te', ` # the application should be changed diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te index 221ec7a..28c9bea 100644 --- a/strict/domains/program/ssh.te +++ b/strict/domains/program/ssh.te @@ -115,6 +115,9 @@ can_create_pty($1, `, server_pty') allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom }; dontaudit sshd_t userpty_type:chr_file relabelfrom; +allow $1_t faillog_t:file { append getattr }; +allow $1_t sbin_t:file getattr; + # Allow checking users mail at login allow $1_t { var_spool_t mail_spool_t }:dir search; allow $1_t mail_spool_t:lnk_file read; diff --git a/strict/domains/program/tmpreaper.te b/strict/domains/program/tmpreaper.te index 8b2111b..2373a50 100644 --- a/strict/domains/program/tmpreaper.te +++ b/strict/domains/program/tmpreaper.te 
@@ -16,8 +16,8 @@ role system_r types tmpreaper_t; system_crond_entry(tmpreaper_exec_t, tmpreaper_t) uses_shlib(tmpreaper_t) # why does it need setattr? -allow tmpreaper_t tmpfile:dir { setattr rw_dir_perms rmdir }; -allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink }; +allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir }; +allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink }; allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink }; allow tmpreaper_t self:process { fork sigchld }; allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; diff --git a/strict/macros/core_macros.te b/strict/macros/core_macros.te index b744fe5..4ff37c7 100644 --- a/strict/macros/core_macros.te +++ b/strict/macros/core_macros.te @@ -361,6 +361,7 @@ define(`can_loadpol',` # Get the selinuxfs mount point via /proc/self/mounts. allow $1 proc_t:dir search; allow $1 proc_t:lnk_file read; +allow $1 proc_t:file { getattr read }; allow $1 self:dir search; allow $1 self:file { getattr read }; # Access selinuxfs. diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te index b4cccc4..cdde6aa 100644 --- a/strict/macros/global_macros.te +++ b/strict/macros/global_macros.te @@ -595,6 +595,18 @@ allow $1 self:capability sys_admin; ')dnl end polyinstantiater # +# Domain that is allow to read anonymous data off the network +# without providing authentication. +# Also define boolean to allow anonymous writing +# +define(`anonymous_domain', ` +r_dir_file($1_t, ftpd_anon_t) +bool allow_$1_anon_write false; +if (allow_$1_anon_write) { +create_dir_file($1_t,ftpd_anon_rw_t) +} +') +# # Define a domain that can do anything, so that it is # effectively unconfined by the SELinux policy. This # means that it is only restricted by the normal Linux 
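Review bot: The new `allow $1 proc_t:file { getattr read };` in can_loadpol is broader than the comment above it justifies: `# Get the selinuxfs mount point via /proc/self/mounts.` is already served by the existing `allow $1 self:file { getattr read };`, since /proc/<pid> entries carry the process's own label, whereas proc_t:file covers every generic /proc file, and every policy-loading domain inherits the grant. If a specific proc_t file is needed (for example the filesystem list), name it in the comment; if not, drop the line.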
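Review bot: The header of the new anonymous_domain macro says the domain "is allow to read anonymous data off the network", but the rules grant filesystem access — `r_dir_file($1_t, ftpd_anon_t)` plus the conditional `create_dir_file($1_t,ftpd_anon_rw_t)` — so the comment should describe the file types: `# Domain that may read the anonymous (ftpd_anon_t) area; the allow_$1_anon_write boolean (default false) additionally permits writes to ftpd_anon_rw_t.` Declaring `bool allow_$1_anon_write false;` inside the macro means a second invocation with the same prefix redeclares the boolean, so callers (rsync and smbd in this change) must use it once per domain. Both callers now share the ftpd-named anonymous area, which is worth one sentence in the header so the sharing is deliberate rather than incidental.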
@@ -727,3 +739,15 @@ allow $1 removable_device_t:blk_file r_file_perms; allow $1 removable_t:filesystem getattr; ') + +define(`authentication_domain', ` +can_ypbind($1) +can_kerberos($1) +can_ldap($1) +can_resolve($1) +can_winbind($1) +r_dir_file($1, cert_t) +allow $1 { random_device_t urandom_device_t }:chr_file { getattr read }; +allow $1 self:capability { audit_write audit_control }; +dontaudit $1 shadow_t:file { getattr read }; +') diff --git a/strict/macros/network_macros.te b/strict/macros/network_macros.te index d5eaca1..0c8817a 100644 --- a/strict/macros/network_macros.te +++ b/strict/macros/network_macros.te @@ -16,9 +16,7 @@ allow $1 self:$2_socket connected_socket_perms; # Allow the domain to send or receive using any network interface. # netif_type is a type attribute for all network interface types. # -allow $1 netif_type:netif { $2_send rawip_send }; -allow $1 netif_type:netif { $2_recv rawip_recv }; - +allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv }; # # Allow the domain to send to or receive from any node. # node_type is a type attribute for all node types.
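Review bot: `allow $1 self:capability { audit_write audit_control };` in the new authentication_domain macro gives every authentication domain CAP_AUDIT_CONTROL, which permits changing or disabling the kernel audit configuration, not merely emitting records; writing login/authentication audit records needs only audit_write, so audit_control should be dropped unless a specific program in this set is known to configure audit, in which case it belongs in that program's own policy with a comment. The macro also lacks the `#` header block its neighbours carry (polyinstantiater, anonymous_domain); something like `# Common rules for domains that authenticate users: NIS/Kerberos/LDAP/DNS/winbind lookups, certificate reads, randomness, audit records, and silenced shadow reads.` would match the file. The `dontaudit $1 shadow_t:file { getattr read };` line hides shadow access attempts for all these domains, which is reasonable for PAM stacks but should be named in that header.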
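Review bot: The replacement line `allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };` changes the target from the attribute netif_type to the single type netif_t, while the comment kept above it still reads `# netif_type is a type attribute for all network interface types.`; as written, every domain using this macro loses send and receive on any interface labelled with a type other than netif_t. If the narrowing is intended, update the comment and note that per-interface netif types are no longer covered; if it is a typo, the target should stay `netif_type`. The merge of the old send and receive lines into one is otherwise permission-preserving.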