diff --git a/refpolicy/Changelog b/refpolicy/Changelog index efd171c..7125eb1 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -13,7 +13,9 @@ - Fix errors uncovered by sediff. - Added policies: anaconda + bluetooth dmidecode + finger ftp kudzu radvd diff --git a/refpolicy/policy/modules/services/bluetooth.fc b/refpolicy/policy/modules/services/bluetooth.fc new file mode 100644 index 0000000..f61784d --- /dev/null +++ b/refpolicy/policy/modules/services/bluetooth.fc @@ -0,0 +1,19 @@ +# +# /etc +# +/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) + +# +# /usr +# +/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + +/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + +# +# /var +# +/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/bluetooth.if b/refpolicy/policy/modules/services/bluetooth.if new file mode 100644 index 0000000..d61362a --- /dev/null +++ b/refpolicy/policy/modules/services/bluetooth.if @@ -0,0 +1 @@ +## Bluetooth tools and system services. diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te new file mode 100644 index 0000000..0c237cc --- /dev/null +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -0,0 +1,122 @@ + +policy_module(bluetooth,1.0) + +######################################## +# +# Declarations +# +type bluetooth_t; +type bluetooth_exec_t; +init_daemon_domain(bluetooth_t,bluetooth_exec_t) + +type bluetooth_conf_t; +files_type(bluetooth_conf_t) + +type bluetooth_lock_t; +files_lock_file(bluetooth_lock_t) + +type bluetooth_tmp_t; +files_tmp_file(bluetooth_tmp_t) + +type bluetooth_var_run_t; +files_pid_file(bluetooth_var_run_t) + +######################################## +# +# Local policy +# +allow bluetooth_t self:capability { net_admin net_raw sys_tty_config }; +dontaudit bluetooth_t self:capability sys_tty_config; +allow bluetooth_t self:process signal_perms; +allow bluetooth_t self:socket create_stream_socket_perms; +allow bluetooth_t self:unix_dgram_socket create_socket_perms; +allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; +allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect }; +allow bluetooth_t self:udp_socket create_socket_perms; + +allow bluetooth_t bluetooth_conf_t:dir search; +allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl }; + +allow bluetooth_t bluetooth_lock_t:file create_file_perms; +files_create_lock(bluetooth_t,bluetooth_lock_t) + +allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms; +allow bluetooth_t bluetooth_tmp_t:file create_file_perms; +files_create_tmp_files(bluetooth_t, bluetooth_tmp_t, { file dir }) + +allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms; +allow bluetooth_t bluetooth_var_run_t:file create_file_perms; +allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms; +files_create_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctl(bluetooth_t) +kernel_list_proc(bluetooth_t) +kernel_read_proc_symlinks(bluetooth_t) + +corenet_tcp_sendrecv_all_if(bluetooth_t) +corenet_udp_sendrecv_all_if(bluetooth_t) +corenet_raw_sendrecv_all_if(bluetooth_t) +corenet_tcp_sendrecv_all_nodes(bluetooth_t) +corenet_udp_sendrecv_all_nodes(bluetooth_t) +corenet_raw_sendrecv_all_nodes(bluetooth_t) +corenet_tcp_bind_all_nodes(bluetooth_t) +corenet_udp_bind_all_nodes(bluetooth_t) +corenet_tcp_sendrecv_all_ports(bluetooth_t) +corenet_udp_sendrecv_all_ports(bluetooth_t) + +dev_read_sysfs(bluetooth_t) +dev_rw_usbfs(bluetooth_t) + +fs_getattr_all_fs(bluetooth_t) +fs_search_auto_mountpoints(bluetooth_t) + +term_dontaudit_use_console(bluetooth_t) + +corecmd_exec_bin(bluetooth_t) + +domain_use_wide_inherit_fd(bluetooth_t) + +init_use_fd(bluetooth_t) +init_use_script_pty(bluetooth_t) + +libs_use_ld_so(bluetooth_t) +libs_use_shared_libs(bluetooth_t) + +logging_send_syslog_msg(bluetooth_t) + +miscfiles_read_localization(bluetooth_t) + +sysnet_read_config(bluetooth_t) + +userdom_dontaudit_use_unpriv_user_fd(bluetooth_t) +userdom_dontaudit_use_sysadm_pty(bluetooth_t) +userdom_dontaudit_search_sysadm_home_dir(bluetooth_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty(bluetooth_t) + term_dontaudit_use_generic_pty(bluetooth_t) + files_dontaudit_read_root_file(bluetooth_t) +') + +optional_policy(`dbus.te',` + dbus_system_bus_client_template(bluetooth,bluetooth_t) + dbus_send_system_bus_msg(bluetooth_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(bluetooth_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(bluetooth_t) +') + +optional_policy(`udev.te',` + udev_read_db(bluetooth_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(bluetooth_t) +') +') diff --git a/refpolicy/policy/modules/services/finger.fc b/refpolicy/policy/modules/services/finger.fc new file mode 100644 index 0000000..c861192 --- /dev/null +++ b/refpolicy/policy/modules/services/finger.fc @@ -0,0 +1,19 @@ +# fingerd + +# +# /etc +# +/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0) + +/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) + +# +# /usr +# +/usr/sbin/in\.fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) +/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) + +# +# /var +# +/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0) diff --git a/refpolicy/policy/modules/services/finger.if b/refpolicy/policy/modules/services/finger.if new file mode 100644 index 0000000..41fbe1f --- /dev/null +++ b/refpolicy/policy/modules/services/finger.if @@ -0,0 +1,40 @@ +## Finger user information service. + +######################################## +## +## Execute fingerd in the fingerd domain. +## +## +## The type of the process performing this action. +## +# +interface(`finger_domtrans',` + gen_require(` + type fingerd_t, fingerd_exec_t; + ') + + domain_auto_trans($1,fingerd_exec_t,fingerd_t) + + allow $1 fingerd_t:fd use; + allow fingerd_t $1:fd use; + allow fingerd_t $1:fifo_file rw_file_perms; + allow fingerd_t $1:process sigchld; +') + +######################################## +## +## Allow the specified domain to connect to fingerd with a tcp socket. +## +## +## Domain allowed access. +## +# +interface(`finger_tcp_connect',` + gen_require(` + type fingerd_t; + ') + + kernel_tcp_recvfrom($1) + allow $1 fingerd_t:tcp_socket { connectto recvfrom }; + allow fingerd_t $1:tcp_socket { acceptfrom recvfrom }; +') diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te new file mode 100644 index 0000000..33213fe --- /dev/null +++ b/refpolicy/policy/modules/services/finger.te @@ -0,0 +1,134 @@ + +policy_module(finger,1.0) + +######################################## +# +# Declarations +# +type fingerd_t; +type fingerd_exec_t; +init_daemon_domain(fingerd_t,fingerd_exec_t) +inetd_tcp_service_domain(fingerd_t,fingerd_exec_t) + +type fingerd_etc_t; #, usercanread; +files_type(fingerd_etc_t) + +type fingerd_log_t; +logging_log_file(fingerd_log_t) + +type fingerd_var_run_t; +files_pid_file(fingerd_var_run_t) + +######################################## +# +# Local policy +# +allow fingerd_t self:capability { setgid setuid }; +dontaudit fingerd_t self:capability { sys_tty_config fsetid }; +allow fingerd_t self:process signal_perms; +allow fingerd_t self:fifo_file { read write getattr }; +allow fingerd_t self:tcp_socket connected_stream_socket_perms; +allow fingerd_t self:udp_socket create_socket_perms; +allow fingerd_t self:unix_dgram_socket create_socket_perms; +allow fingerd_t self:unix_stream_socket create_socket_perms; + +allow fingerd_t fingerd_var_run_t:file create_file_perms; +allow fingerd_t fingerd_var_run_t:dir rw_dir_perms; +files_create_pid(fingerd_t,fingerd_var_run_t) + +allow fingerd_t fingerd_etc_t:file r_file_perms; +allow fingerd_t fingerd_etc_t:dir r_dir_perms; +allow fingerd_t fingerd_etc_t:lnk_file { getattr read }; + +allow fingerd_t fingerd_log_t:file create_file_perms; +logging_create_log(fingerd_t,fingerd_log_t) + +kernel_read_kernel_sysctl(fingerd_t) +kernel_read_system_state(fingerd_t) +kernel_tcp_recvfrom(fingerd_t) + +corenet_tcp_sendrecv_all_if(fingerd_t) +corenet_udp_sendrecv_all_if(fingerd_t) +corenet_raw_sendrecv_all_if(fingerd_t) +corenet_tcp_sendrecv_all_nodes(fingerd_t) +corenet_udp_sendrecv_all_nodes(fingerd_t) +corenet_raw_sendrecv_all_nodes(fingerd_t) +corenet_tcp_sendrecv_all_ports(fingerd_t) +corenet_udp_sendrecv_all_ports(fingerd_t) +corenet_tcp_bind_all_nodes(fingerd_t) +corenet_udp_bind_all_nodes(fingerd_t) +corenet_tcp_bind_fingerd_port(fingerd_t) + +dev_read_sysfs(fingerd_t) + +fs_getattr_all_fs(fingerd_t) +fs_search_auto_mountpoints(fingerd_t) + +term_search_ptys(fingerd_t) +term_dontaudit_use_console(fingerd_t) +term_getattr_all_user_ttys(fingerd_t) +term_getattr_all_user_ptys(fingerd_t) + +auth_read_lastlog(fingerd_t) + +corecmd_exec_bin(fingerd_t) +corecmd_exec_sbin(fingerd_t) +corecmd_exec_shell(fingerd_t) + +domain_use_wide_inherit_fd(fingerd_t) + +files_getattr_home_dir(fingerd_t) +files_read_etc_files(fingerd_t) +files_read_etc_runtime_files(fingerd_t) + +init_read_script_pid(fingerd_t) +init_dontaudit_write_script_pid(fingerd_t) +init_use_fd(fingerd_t) +init_use_script_pty(fingerd_t) + +libs_use_ld_so(fingerd_t) +libs_use_shared_libs(fingerd_t) + +logging_send_syslog_msg(fingerd_t) + +mta_getattr_spool(fingerd_t) + +sysnet_read_config(fingerd_t) + +miscfiles_read_localization(fingerd_t) + +userdom_read_unpriv_user_home_files(fingerd_t) +userdom_dontaudit_use_unpriv_user_fd(fingerd_t) +userdom_dontaudit_search_sysadm_home_dir(fingerd_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty(fingerd_t) + term_dontaudit_use_generic_pty(fingerd_t) + files_dontaudit_read_root_file(fingerd_t) +') + +optional_policy(`cron.te',` + cron_system_entry(fingerd_t,fingerd_exec_t) +') + +optional_policy(`logrotate.te',` + logrotate_exec(fingerd_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(fingerd_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(fingerd_t) +') + +optional_policy(`udev.te',` + udev_read_db(fingerd_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(fingerd_t) +') +') diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te index d3f4e1e..e53da04 100644 --- a/refpolicy/policy/modules/services/tcpd.te +++ b/refpolicy/policy/modules/services/tcpd.te @@ -51,6 +51,10 @@ sysnet_read_config(tcpd_t) inetd_domtrans_child(tcpd_t) +optional_policy(`finger.te',` + finger_domtrans(tcpd_t) +') + optional_policy(`nis.te',` nis_use_ypbind(tcpd_t) ') diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index c0c5095..59469f2 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -407,13 +407,33 @@ interface(`auth_rw_faillog',` ') ####################################### +## +## Read the last logins log. +## +## +## Domain allowed access. +## # -# auth_rw_lastlog(domain) +interface(`auth_read_lastlog',` + gen_require(` + type lastlog_t; + ') + + logging_search_logs($1) + allow $1 lastlog_t:file { getattr read }; +') + +####################################### +## +## Read and write to the last logins log. +## +## +## Domain allowed access. +## # interface(`auth_rw_lastlog',` gen_require(` type lastlog_t; - class file { getattr read write setattr }; ') logging_search_logs($1) diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 9abd2ae..8f1ce3d 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -429,6 +429,10 @@ optional_policy(`bind.te',` ') +optional_policy(`bluetooth.te',` + dev_read_usbfs(initrc_t) +') + optional_policy(`cpucontrol.te',` cpucontrol_stub() dev_getattr_cpu(initrc_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index bcfde85..912c027 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -318,6 +318,10 @@ template(`base_user_template',` ') ') + optional_policy(`finger.te',` + finger_tcp_connect($1_t) + ') + optional_policy(`inetd.te',` inetd_tcp_connect($1_t) ') @@ -1644,6 +1648,26 @@ interface(`userdom_use_sysadm_pty',` ######################################## ## +## Dont audit attempts to read and write sysadm ptys. +## +## +## Domain to not audit. +## +# +interface(`userdom_dontaudit_use_sysadm_pty',` + ifdef(`targeted_policy',` + term_dontaudit_use_generic_pty($1) + ',` + gen_require(` + type sysadm_devpts_t; + ') + + dontaudit $1 sysadm_devpts_t:chr_file { read write }; + ') +') + +######################################## +## ## Read and write sysadm ttys and ptys. ## ## @@ -2022,6 +2046,23 @@ interface(`userdom_create_user_home',` ######################################## ## +## Don't audit search on the user home subdirectory. +## +## +## Domain allowed access. +## +# +interface(`userdom_dontaudit_search_user_home_dirs',` + gen_require(` + type user_home_t; + class dir search; + ') + + dontaudit $1 user_home_t:dir search; +') + +######################################## +## ## Create, read, write, and delete ## subdirectories of generic user ## home directories. @@ -2121,6 +2162,24 @@ interface(`userdom_manage_user_home_sockets',` ######################################## ## +## Read all unprivileged users home directory +## files. +## +## +## Domain allowed access. +## +# +interface(`userdom_read_unpriv_user_home_files',` + gen_require(` + type user_home_dir_type, user_home_type; + ') + + allow $1 user_home_dir_type:dir search; + allow $1 user_home_type:file r_file_perms; +') + +######################################## +## ## Write all unprivileged users files in /tmp ## ##