diff --git a/Changelog b/Changelog index b03fb48..92c273d 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,7 @@ +* Tue Nov 17 2009 Chris PeBenito - 2.20091117 - Add separate x_pointer and x_keyboard classes inheriting from x_device. From Eamon Walsh. -- Deprecated the userdom_xwindwos_client_template(). +- Deprecated the userdom_xwindows_client_template(). - Misc Gentoo fixes from Corentin Labbe. - Debian policykit fixes from Martin Orr. - Fix unconfined_r use of unconfined_java_t. @@ -19,9 +20,11 @@ kdump (Dan Walsh) modemmanager(Dan Walsh) nslcd (Dan Walsh) + puppet (Craig Grube) rtkit (Dan Walsh) seunshare (Dan Walsh) shorewall (Dan Walsh) + tgtd (Matthew Ife) tuned (Miroslav Grepl) xscreensaver (Corentin Labbe) diff --git a/VERSION b/VERSION index 6e27344..72bfd29 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20090730 +2.20091117 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 6620e4c..6760c95 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -376,6 +376,7 @@ class system syslog_read syslog_mod syslog_console + module_request } # diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te index 60df2cd..9a5d7e9 100644 --- a/policy/modules/admin/certwatch.te +++ b/policy/modules/admin/certwatch.te @@ -1,5 +1,5 @@ -policy_module(certwatch, 1.4.1) +policy_module(certwatch, 1.5.0) ######################################## # diff --git a/policy/modules/admin/kismet.fc b/policy/modules/admin/kismet.fc index d4daa52..dae60e5 100644 --- a/policy/modules/admin/kismet.fc +++ b/policy/modules/admin/kismet.fc @@ -1,3 +1,5 @@ +HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0) + /usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) /var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) 
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index 49ed789..b645b3c 100644
--- a/policy/modules/admin/kismet.te
+++ b/policy/modules/admin/kismet.te
@@ -1,5 +1,5 @@
-policy_module(kismet, 1.3.1)
+policy_module(kismet, 1.4.1)
 ########################################
 #
@@ -11,6 +11,9 @@ type kismet_exec_t;
 application_domain(kismet_t, kismet_exec_t)
 role system_r types kismet_t;
+type kismet_home_t;
+userdom_user_home_content(kismet_home_t)
+
 type kismet_log_t;
 logging_log_file(kismet_log_t)
@@ -39,6 +42,11 @@ allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
 allow kismet_t self:unix_stream_socket create_stream_socket_perms;
 allow kismet_t self:tcp_socket create_stream_socket_perms;
+manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
+manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
+manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
+userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
+
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
 allow kismet_t kismet_log_t:dir setattr;
 logging_log_filetrans(kismet_t, kismet_log_t, { file dir })
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index fa7a62a..2d3cd3a 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
-policy_module(mrtg, 1.7.1)
+policy_module(mrtg, 1.8.0)
 ########################################
 #
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index c3154d1..6af6e8a 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
-policy_module(portage, 1.8.1)
+policy_module(portage, 1.9.0)
 ########################################
 #
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index 91889d5..15621d8 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
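Review bot: The home-directory transition in the last kismet.te hunk, `userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })`, labels every file or directory kismet_t creates directly under a user home directory as kismet_home_t, while the kismet.fc hunk earlier on this page only maps `HOME_DIR/\.kismet(/.*)?` to that type. Anything kismet writes to the home directory outside `.kismet` would therefore carry kismet_home_t at runtime but be relabelled by a later restorecon, so the two views of the label disagree. If the `.kismet` directory is the only intended target, limiting the transition to `dir` (and using a name-based transition once the policy toolchain supports one) would make the fc entry and the runtime labelling agree; otherwise a comment above the rule naming the home-directory files kismet is expected to create would help the next reader.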
@@ -1,5 +1,5 @@ -policy_module(prelink, 1.7.1) +policy_module(prelink, 1.8.0) ######################################## # diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te index 43398ed..be33808 100644 --- a/policy/modules/admin/readahead.te +++ b/policy/modules/admin/readahead.te @@ -1,5 +1,5 @@ -policy_module(readahead, 1.9.1) +policy_module(readahead, 1.10.0) ######################################## # diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te index 5c74496..0e02977 100644 --- a/policy/modules/admin/tzdata.te +++ b/policy/modules/admin/tzdata.te @@ -19,6 +19,8 @@ application_domain(tzdata_t, tzdata_exec_t) files_read_etc_files(tzdata_t) files_search_spool(tzdata_t) +fs_getattr_xattr_fs(tzdata_t) + term_dontaudit_list_ptys(tzdata_t) locallogin_dontaudit_use_fds(tzdata_t) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 1865872..e07b009 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage, 1.13.1) +policy_module(usermanage, 1.14.0) ######################################## # @@ -243,6 +243,10 @@ optional_policy(` ') optional_policy(` + puppet_rw_tmp(groupadd_t) +') + +optional_policy(` rpm_use_fds(groupadd_t) rpm_rw_pipes(groupadd_t) ') @@ -521,6 +525,10 @@ optional_policy(` ') optional_policy(` + puppet_rw_tmp(useradd_t) +') + +optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te index 08d917d..bdd2b1b 100644 --- a/policy/modules/admin/vpn.te +++ b/policy/modules/admin/vpn.te @@ -1,5 +1,5 @@ -policy_module(vpn, 1.11.1) +policy_module(vpn, 1.12.0) ######################################## # diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te index 7a98be8..6dd7816 100644 --- a/policy/modules/apps/awstats.te +++ b/policy/modules/apps/awstats.te 
@@ -1,5 +1,5 @@ -policy_module(awstats, 1.1.1) +policy_module(awstats, 1.2.0) ######################################## # diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te index 31d2978..01c19b7 100644 --- a/policy/modules/apps/calamaris.te +++ b/policy/modules/apps/calamaris.te @@ -1,5 +1,5 @@ -policy_module(calamaris, 1.5.0) +policy_module(calamaris, 1.5.1) ######################################## # @@ -59,12 +59,12 @@ files_read_etc_runtime_files(calamaris_t) libs_read_lib_files(calamaris_t) +auth_use_nsswitch(calamaris_t) + logging_send_syslog_msg(calamaris_t) miscfiles_read_localization(calamaris_t) -sysnet_read_config(calamaris_t) - userdom_dontaudit_list_user_home_dirs(calamaris_t) squid_read_log(calamaris_t) @@ -80,7 +80,3 @@ optional_policy(` optional_policy(` mta_send_mail(calamaris_t) ') - -optional_policy(` - nis_use_ypbind(calamaris_t) -') diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te index 57ad303..f09ab37 100644 --- a/policy/modules/apps/cdrecord.te +++ b/policy/modules/apps/cdrecord.te @@ -1,5 +1,5 @@ -policy_module(cdrecord, 2.1.1) +policy_module(cdrecord, 2.2.0) ######################################## # diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te index 2bd8572..6e40443 100644 --- a/policy/modules/apps/cpufreqselector.te +++ b/policy/modules/apps/cpufreqselector.te @@ -1,5 +1,5 @@ -policy_module(cpufreqselector, 1.0.1) +policy_module(cpufreqselector, 1.1.0) ######################################## # diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 9d162a8..b8c96f6 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -1,5 +1,5 @@ -policy_module(gpg, 2.1.1) +policy_module(gpg, 2.2.1) ######################################## # 
@@ -104,11 +104,36 @@ files_dontaudit_search_var(gpg_t)
 auth_use_nsswitch(gpg_t)
-miscfiles_read_localization(gpg_t)
-
 logging_send_syslog_msg(gpg_t)
+miscfiles_read_localization(gpg_t)
+
 userdom_use_user_terminals(gpg_t)
+# sign/encrypt user files
+userdom_manage_user_tmp_files(gpg_t)
+userdom_manage_user_home_content_files(gpg_t)
+
+mta_write_config(gpg_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_t)
+ fs_manage_nfs_files(gpg_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_t)
+ fs_manage_cifs_files(gpg_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gpg_t)
+ xserver_rw_xdm_pipes(gpg_t)
+')
+
+optional_policy(`
+ cron_system_entry(gpg_t, gpg_exec_t)
+ cron_read_system_job_tmp_files(gpg_t)
+')
 ########################################
 #
@@ -146,23 +171,13 @@ files_read_etc_files(gpg_helper_t)
 auth_use_nsswitch(gpg_helper_t)
 userdom_use_user_terminals(gpg_helper_t)
-# sign/encrypt user files
-userdom_manage_user_tmp_files(gpg_t)
-userdom_manage_user_home_content_files(gpg_t)
 tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_t)
- fs_manage_nfs_files(gpg_t)
+ fs_dontaudit_rw_nfs_files(gpg_helper_t)
 ')
 tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_t)
- fs_manage_cifs_files(gpg_t)
-')
-
-optional_policy(`
- xserver_use_xdm_fds(gpg_t)
- xserver_rw_xdm_pipes(gpg_t)
+ fs_dontaudit_rw_cifs_files(gpg_helper_t)
 ')
 ########################################
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 47ea763..8285ec9 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
-policy_module(java, 2.1.1)
+policy_module(java, 2.2.0)
 ########################################
 #
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 53c0e82..61ac720 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
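Review bot: `mta_write_config(gpg_t)` in the first gpg.te hunk grants a signing tool write access to mail configuration with no comment explaining the use case, unlike the `# sign/encrypt user files` comment a few lines above it; a one-line why-comment such as `# TODO(review): document which MTA integration needs gpg to write mail config` would let a later reader judge whether it is still needed. The `cron_system_entry(gpg_t, gpg_exec_t)` block in the same hunk also means a system cron job now runs in gpg_t with the `userdom_manage_user_home_content_files` rights granted above, which reaches further than interactive use of gpg; if that is intended, a comment naming the job that needs it would be worth adding. The second hunk correctly moves the misplaced gpg_t rules out of the gpg_helper_t section, so nothing further is needed there.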
@@ -45,6 +45,12 @@ interface(`mozilla_role',` relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) + + mozilla_dbus_chat($2) + + optional_policy(` + pulseaudio_role($1, mozilla_t) + ') ') ######################################## @@ -64,6 +70,7 @@ interface(`mozilla_read_user_home_files',` allow $1 mozilla_home_t:dir list_dir_perms; allow $1 mozilla_home_t:file read_file_perms; + allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; userdom_search_user_home_dirs($1) ') @@ -88,6 +95,43 @@ interface(`mozilla_write_user_home_files',` ######################################## ## +## Dontaudit attempts to read/write mozilla home directory content +## +## +## +## Domain allowed access. +## +## +# +interface(`mozilla_dontaudit_rw_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + dontaudit $1 mozilla_home_t:file rw_file_perms; +') + +######################################## +## +## Dontaudit attempts to write mozilla home directory content +## +## +## +## Domain allowed access. +## +## +# +interface(`mozilla_dontaudit_manage_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + dontaudit $1 mozilla_home_t:dir manage_dir_perms; + dontaudit $1 mozilla_home_t:file manage_file_perms; +') + +######################################## +## ## Run mozilla in the mozilla domain. ## ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 7957bc9..e7428a1 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -1,5 +1,5 @@ -policy_module(mozilla, 2.1.0) +policy_module(mozilla, 2.1.1) ######################################## # 
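Review bot: The summary of the new `mozilla_dontaudit_manage_user_home_files` interface says "Dontaudit attempts to write mozilla home directory content", but the body dontaudits `manage_dir_perms` and `manage_file_perms`, which also cover creating, renaming and deleting; a summary such as `Do not audit attempts to create, read, write, or delete mozilla home directory content` would show callers how much is being silenced. Both new dontaudit interfaces also describe their parameter as `Domain allowed access.`, which is the wording for allow interfaces; refpolicy's dontaudit interfaces use `Domain to not audit.` The `mozilla_dbus_chat($2)` call added to `mozilla_role` is unconditional while the `pulseaudio_role` call next to it is wrapped in optional_policy; if mozilla_dbus_chat only requires mozilla_t and the dbus class, that is fine, but a short comment saying so would stop the asymmetry from looking like an oversight.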
@@ -59,6 +59,7 @@ manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) userdom_search_user_home_dirs(mozilla_t) +userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir) # Mozpluggerrc allow mozilla_t mozilla_conf_t:file read_file_perms; @@ -75,7 +76,7 @@ kernel_read_network_state(mozilla_t) kernel_read_system_state(mozilla_t) kernel_read_net_sysctls(mozilla_t) -# Look for plugins +# Look for plugins corecmd_list_bin(mozilla_t) # for bash - old mozilla binary corecmd_exec_shell(mozilla_t) @@ -97,6 +98,7 @@ corenet_tcp_connect_http_cache_port(mozilla_t) corenet_tcp_connect_ftp_port(mozilla_t) corenet_tcp_connect_ipp_port(mozilla_t) corenet_tcp_connect_generic_port(mozilla_t) +corenet_tcp_connect_soundd_port(mozilla_t) corenet_sendrecv_http_client_packets(mozilla_t) corenet_sendrecv_http_cache_client_packets(mozilla_t) corenet_sendrecv_ftp_client_packets(mozilla_t) @@ -114,6 +116,8 @@ dev_read_sound(mozilla_t) dev_dontaudit_rw_dri(mozilla_t) dev_getattr_sysfs_dirs(mozilla_t) +domain_dontaudit_read_all_domains_state(mozilla_t) + files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) files_read_etc_files(mozilla_t) @@ -231,6 +235,10 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_t) dbus_session_bus_client(mozilla_t) + + optional_policy(` + networkmanager_dbus_chat(mozilla_t) + ') ') optional_policy(` diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te index ba4de0c..04db46b 100644 --- a/policy/modules/apps/podsleuth.te +++ b/policy/modules/apps/podsleuth.te @@ -1,5 +1,5 @@ -policy_module(podsleuth, 1.2.0) +policy_module(podsleuth, 1.2.1) ######################################## # 
@@ -71,6 +71,8 @@ miscfiles_read_localization(podsleuth_t) sysnet_dns_name_resolve(podsleuth_t) +userdom_signal_unpriv_users(podsleuth_t) + optional_policy(` dbus_system_bus_client(podsleuth_t) diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index a29cbc7..bb5bbc8 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -1,5 +1,5 @@ -policy_module(pulseaudio, 1.0.1) +policy_module(pulseaudio, 1.1.0) ######################################## # diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te index 84d4e08..1a8edea 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te @@ -1,5 +1,5 @@ -policy_module(qemu, 1.2.1) +policy_module(qemu, 1.3.0) ######################################## # diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if index d14975b..3a5e0ea 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if @@ -80,6 +80,11 @@ template(`screen_role_template',` relabel_files_pattern($3, screen_home_t, screen_home_t) relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) + manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) + manage_files_pattern($3, screen_var_run_t, screen_var_run_t) + manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) + manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) + kernel_read_system_state($1_screen_t) kernel_read_kernel_sysctls($1_screen_t) diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te index a7b7cf2..3a80da1 100644 --- a/policy/modules/apps/screen.te +++ b/policy/modules/apps/screen.te @@ -1,5 +1,5 @@ -policy_module(screen, 2.1.1) +policy_module(screen, 2.2.1) ######################################## # diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index dbdf448..7f47897 100644 --- a/policy/modules/apps/seunshare.if +++ b/policy/modules/apps/seunshare.if 
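Review bot: The four `manage_*_pattern($3, screen_var_run_t, screen_var_run_t)` lines in the screen.if hunk give the user domain ($3) itself, not only `$1_screen_t`, full manage rights over everything labelled screen_var_run_t, and since that is one type shared by every user's screen runtime files, separation between users' session directories then rests on DAC alone. If the user domain only needs to list and connect to its own sockets, list/rw-level patterns would be narrower; otherwise a comment stating why it must create and delete there, e.g. `# user domain creates/wipes its own session dir — TODO(review) confirm`, would help. The template continues outside the hunk.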
@@ -41,6 +41,14 @@ interface(`seunshare_run',`
 seunshare_domtrans($1)
 role $2 types seunshare_t;
+
+ allow $1 seunshare_t:process signal_perms;
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
+ dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+ dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
+ ')
 ')
 ########################################
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
index dcec4bf..5e810f2 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
@@ -1,5 +1,5 @@
-policy_module(seunshare, 1.0.0)
+policy_module(seunshare, 1.0.1)
 ########################################
 #
@@ -16,7 +16,7 @@ role system_r types seunshare_t;
 # seunshare local policy
 #
-allow seunshare_t self:capability setpcap;
+allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
 allow seunshare_t self:process { setexec signal getcap setcap };
 allow seunshare_t self:fifo_file rw_file_perms;
@@ -30,6 +30,16 @@ files_mounton_all_poly_members(seunshare_t)
 auth_use_nsswitch(seunshare_t)
+logging_send_syslog_msg(seunshare_t)
+
 miscfiles_read_localization(seunshare_t)
 userdom_use_user_terminals(seunshare_t)
+
+ifdef(`hide_broken_symptoms', `
+ fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
+
+ optional_policy(`
+ mozilla_dontaudit_manage_user_home_files(seunshare_t)
+ ')
+')
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 6d05487..778fe33 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,5 +1,5 @@
-policy_module(vmware, 2.1.1)
+policy_module(vmware, 2.2.0)
 ########################################
 #
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
index aaf313b..c5710c8 100644
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
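Review bot: The capability line in the second seunshare.te hunk grows from `setpcap` to `{ setuid dac_override setpcap sys_admin }` with no comment, and sys_admin and dac_override are the two broadest capabilities a confined domain can hold; for a helper that mounts polyinstantiated directories (see the `files_mounton_all_poly_members` context line) a one-line justification per capability would let a later reviewer tell a required capability from one added to silence a denial. Something like `# sys_admin: mount of poly dirs; setuid: presumably to switch back to the invoking user; dac_override: TODO(review) confirm still needed` above the rule would do. The `hide_broken_symptoms` block at the end of the hunk matches the one added to `seunshare_run` in seunshare.if earlier on this line, so those two are consistent.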
@@ -1,5 +1,5 @@ -policy_module(webalizer, 1.9.1) +policy_module(webalizer, 1.10.0) ######################################## # diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te index d8e0c92..66b51e7 100644 --- a/policy/modules/apps/wireshark.te +++ b/policy/modules/apps/wireshark.te @@ -1,5 +1,5 @@ -policy_module(wireshark, 2.0.1) +policy_module(wireshark, 2.1.0) ######################################## # diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 6b30d66..f1b1de2 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -54,6 +54,8 @@ ifdef(`distro_redhat',` /etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0) +/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) @@ -123,8 +125,9 @@ ifdef(`distro_gentoo',` # /sbin -d gen_context(system_u:object_r:bin_t,s0) /sbin/.* gen_context(system_u:object_r:bin_t,s0) -/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) +/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) +/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) # # /opt @@ -135,7 +138,6 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_gentoo',` /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) 
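Review bot: `/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)` in the second corecommands.fc hunk on this line gives a program that is not a shell the shell type, so every domain with an execute or transition rule on shell_exec_t now also covers nologin; presumably that is wanted so login-style programs handle a disabled account's shell the same way as a real one, but nothing in the file says so. A comment on the line, such as `# nologin is used as a login shell; label it like one so login-type domains treat it consistently — TODO(review) confirm`, would stop a later cleanup from relabelling it bin_t.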
@@ -211,6 +213,8 @@ ifdef(`distro_gentoo',` /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) @@ -220,7 +224,10 @@ ifdef(`distro_gentoo',` /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) 
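Review bot: Two of the new file-context entries are looser than their neighbours: `/usr/share/cluster/.*\.sh` in the first hunk on this line has no `--` file-type field, so it also matches directories and other non-regular objects whose name ends in .sh, and `/usr/share/sandbox/sandboxX.sh` in the second hunk leaves the dot unescaped, so it matches any character there, unlike `pk-upgrade-distro\.sh` two lines above it. Suggested lines: `/usr/share/cluster/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)` and `/usr/share/sandbox/sandboxX\.sh -- gen_context(system_u:object_r:bin_t,s0)`. The `/usr/share/sectool/.*\.py` and `/usr/share/smolt/client(/.*)?` entries in the same hunk are fine as written.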
@@ -263,6 +270,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 52bb593..a6e68d7 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -447,7 +447,7 @@ interface(`corecmd_bin_domtrans',` type bin_t; ') - corecmd_bin_spec_domtrans($1,$2) + corecmd_bin_spec_domtrans($1, $2) type_transition $1 bin_t:process $2; ') diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 9c152aa..d5cf845 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands, 1.12.0) +policy_module(corecommands, 1.12.1) ######################################## # diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index c62a95e..37a97d7 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork, 1.12.1) +policy_module(corenetwork, 1.13.0) ######################################## # 
@@ -156,6 +156,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) +network_port(puppet, tcp, 8140, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) network_port(radacct, udp,1646,s0, udp,1813,s0) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 94b4bc4..a241ea1 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -47,8 +47,10 @@ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) /dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) +/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0) /dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) /dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) +/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) 
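Review bot: `network_port(puppet, tcp, 8140, s0)` in the corenetwork.te.in hunk puts spaces after each comma while every neighbouring entry is written `tcp,NNNN,s0` (see the `pulseaudio` and `pxe` lines on either side); keeping the one style in this template avoids a spurious diff the next time the list is touched. Suggested line: `network_port(puppet, tcp,8140,s0)`.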
@@ -61,10 +63,12 @@ /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) /dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) +/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) @@ -82,6 +86,7 @@ /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0) /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0) /dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) @@ -101,7 +106,8 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) 
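Review bot: Widening `/dev/vboxadd.*` to `/dev/vbox.*` in the last devices.fc hunk on this line labels every VirtualBox device node, not just the guest-additions ones, as xserver_misc_device_t; if the host-side kernel-driver node (`/dev/vboxdrv`, when the machine is a VirtualBox host) is present, it too becomes reachable by every domain that can read and write xserver_misc_device_t, a wider set than the guest-additions node needed. If the intent was only to cover renamed guest-additions nodes, a more specific pattern, or a dedicated type as this same commit does for ksm and lirc, would keep a hypervisor control device out of the X server's reach; if the wider match is deliberate, a comment saying so would help. The `/dev/vga_arbiter` entry added next to it is unaffected.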
@@ -168,6 +174,7 @@ ifdef(`distro_gentoo',` ifdef(`distro_redhat',` # originally from named.fc +/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index dec0e02..2b7ad83 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -68,8 +68,8 @@ interface(`dev_relabel_all_dev_nodes',` relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) relabelfrom_fifo_files_pattern($1, device_t, device_node) relabelfrom_sock_files_pattern($1, device_t, device_node) - relabel_blk_files_pattern($1, device_t,{ device_t device_node }) - relabel_chr_files_pattern($1, device_t,{ device_t device_node }) + relabel_blk_files_pattern($1, device_t, { device_t device_node }) + relabel_chr_files_pattern($1, device_t, { device_t device_node }) ') ######################################## 
@@ -1692,6 +1692,78 @@ interface(`dev_read_kmsg',` ######################################## ## +## Get the attributes of the ksm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_ksm_dev',` + gen_require(` + type device_t, ksm_device_t; + ') + + getattr_chr_files_pattern($1, device_t, ksm_device_t) +') + +######################################## +## +## Set the attributes of the ksm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_ksm_dev',` + gen_require(` + type device_t, ksm_device_t; + ') + + setattr_chr_files_pattern($1, device_t, ksm_device_t) +') + +######################################## +## +## Read the ksm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_ksm',` + gen_require(` + type device_t, ksm_device_t; + ') + + read_chr_files_pattern($1, device_t, ksm_device_t) +') + +######################################## +## +## Read and write to ksm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_ksm',` + gen_require(` + type device_t, ksm_device_t; + ') + + rw_chr_files_pattern($1, device_t, ksm_device_t) +') + +######################################## +## ## Get the attributes of the kvm devices. ## ## 
@@ -1762,6 +1834,61 @@ interface(`dev_rw_kvm',` rw_chr_files_pattern($1, device_t, kvm_device_t) ') +###################################### +## +## Read the lirc device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_lirc',` + gen_require(` + type device_t, lirc_device_t; + ') + + read_chr_files_pattern($1, device_t, lirc_device_t) +') + +###################################### +## +## Read and write the lirc device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_lirc',` + gen_require(` + type device_t, lirc_device_t; + ') + + rw_chr_files_pattern($1, device_t, lirc_device_t) +') + +###################################### +## +## Automatic type transition to the type +## for lirc device nodes when created in /dev. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_filetrans_lirc',` + gen_require(` + type device_t, lirc_device_t; + ') + + filetrans_pattern($1, device_t, lirc_device_t, chr_file) +') + ######################################## ## ## Read the lvm comtrol device. @@ -1800,6 +1927,24 @@ interface(`dev_rw_lvm_control',` ######################################## ## +## Do not audit attempts to read and write lvm control device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_dontaudit_rw_lvm_control',` + gen_require(` + type lvm_control_t; + ') + + dontaudit $1 lvm_control_t:chr_file rw_file_perms; +') + +######################################## +## ## Delete the lvm control device. ## ## 
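Review bot: The three lirc interfaces added after `dev_rw_kvm` use a shorter `######` separator bar than `dev_dontaudit_rw_lvm_control` in the next hunk and the rest of devices.if, which use the full-width `########################################`; the bars should be padded to match. `dev_filetrans_lirc` could also state that it only transitions character device nodes, e.g. `Automatic type transition to the lirc device type for character device nodes created in /dev.`, since the body uses `filetrans_pattern(..., chr_file)`.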
@@ -2046,6 +2191,78 @@ interface(`dev_dontaudit_rw_misc',` ######################################## ## +## Get the attributes of the modem devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_modem_dev',` + gen_require(` + type device_t, modem_device_t; + ') + + getattr_chr_files_pattern($1, device_t, modem_device_t) +') + +######################################## +## +## Set the attributes of the modem devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_modem_dev',` + gen_require(` + type device_t, modem_device_t; + ') + + setattr_chr_files_pattern($1, device_t, modem_device_t) +') + +######################################## +## +## Read the modem devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_modem',` + gen_require(` + type device_t, modem_device_t; + ') + + read_chr_files_pattern($1, device_t, modem_device_t) +') + +######################################## +## +## Read and write to modem devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_modem',` + gen_require(` + type device_t, modem_device_t; + ') + + rw_chr_files_pattern($1, device_t, modem_device_t) +') + +######################################## +## ## Get the attributes of the mouse devices. ## ## @@ -2305,6 +2522,24 @@ interface(`dev_setattr_null_dev',` ######################################## ## +## Delete the null device (/dev/null). +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_delete_null',` + gen_require(` + type device_t, null_device_t; + ') + + delete_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## +## ## Read and write to the null device (/dev/null). ## ## 
@@ -3599,6 +3834,24 @@ interface(`dev_write_watchdog',` ######################################## ## +## Read and write the the wireless device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_wireless',` + gen_require(` + type device_t, wireless_device_t; + ') + + rw_chr_files_pattern($1, device_t, wireless_device_t) +') + +######################################## +## ## Read and write Xen devices. ## ## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index c37a400..1b536ec 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices, 1.8.2) +policy_module(devices, 1.9.1) ######################################## # @@ -84,6 +84,12 @@ type kmsg_device_t; dev_node(kmsg_device_t) # +# ksm_device_t is the type of /dev/ksm +# +type ksm_device_t; +dev_node(ksm_device_t) + +# # kvm_device_t is the type of # /dev/kvm # @@ -91,6 +97,12 @@ type kvm_device_t; dev_node(kvm_device_t) # +# Type for /dev/lirc +# +type lirc_device_t; +dev_node(lirc_device_t) + +# # Type for /dev/mapper/control # type lvm_control_t; @@ -110,6 +122,12 @@ type misc_device_t; dev_node(misc_device_t) # +# A general type for modem devices. +# +type modem_device_t; +dev_node(modem_device_t) + +# # A more general type for mouse devices. # type mouse_device_t; @@ -123,7 +141,7 @@ dev_node(mtrr_device_t) genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0) # -# network control devices +# network control devices # type netcontrol_device_t; dev_node(netcontrol_device_t) @@ -137,13 +155,13 @@ mls_trusted_object(null_device_t) sid devnull gen_context(system_u:object_r:null_device_t,s0) # -# Type for /dev/nvram +# Type for /dev/nvram # type nvram_device_t; dev_node(nvram_device_t) # -# Type for /dev/pmu +# Type for /dev/pmu # type power_device_t; dev_node(power_device_t) 
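Review bot: The summary of the new `dev_rw_wireless` interface reads "Read and write the the wireless device." with a doubled "the"; `Read and write the wireless control device.` would fix it and match the `# wireless control devices` comment given to wireless_device_t in the devices.te hunk on this line. The only file context for wireless_device_t on this page is `/dev/rfkill`, so naming rfkill in the summary would be more precise than "wireless device".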
@@ -153,7 +171,7 @@ dev_node(printer_device_t) mls_file_write_within_range(printer_device_t) # -# qemu control devices +# qemu control devices # type qemu_device_t; dev_node(qemu_device_t) @@ -224,6 +242,12 @@ dev_node(vmware_device_t) type watchdog_device_t; dev_node(watchdog_device_t) +# +# wireless control devices +# +type wireless_device_t; +dev_node(wireless_device_t) + type xen_device_t; dev_node(xen_device_t) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 87442ec..f5b7880 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -100,7 +100,7 @@ interface(`files_pid_file',` ######################################## ## -## Make the specified type a +## Make the specified type a ## configuration file. ## ## @@ -110,12 +110,16 @@ interface(`files_pid_file',` ## # interface(`files_config_file',` + gen_require(` + attribute configfile; + ') files_type($1) + typeattribute $1 configfile; ') ######################################## ## -## Make the specified type a +## Make the specified type a ## polyinstantiated directory. ## ## @@ -1066,7 +1070,7 @@ interface(`files_dontaudit_search_all_dirs',` ## ## # -# dwalsh: This interface is to allow quotacheck to work on a +# dwalsh: This interface is to allow quotacheck to work on a # a filesystem mounted with the --context switch # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957 # 
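Review bot: `files_config_file` now also adds the caller's type to the `configfile` attribute, but its summary still says only `Make the specified type a configuration file.`; the new side effect is that every domain granted an interface over that attribute can read, manage or relabel the type. Module authors deciding whether to call this interface need that stated, e.g. `## The type is also added to the configfile attribute, so domains allowed to read, manage or relabel all configuration files gain access to it.`. Minor: the added `gen_require` block is followed directly by `files_type($1)` with no blank line, unlike the other interfaces in this diff.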
@@ -1150,6 +1154,102 @@ interface(`files_unmount_all_file_type_fs',` allow $1 file_type:filesystem unmount; ') +############################################# +## +## Manage all configuration directories on filesystem +## +## +## +## The type of domain performing this action +## +## +## +# +interface(`files_manage_config_dirs',` + gen_require(` + attribute configfile; + ') + + manage_dirs_pattern($1, configfile, configfile) +') + +######################################### +## +## Relabel configuration directories +## +## +## +## Type of domain performing this action +## +## +## +# +interface(`files_relabel_config_dirs',` + gen_require(` + attribute configfile; + ') + + relabel_dirs_pattern($1, configfile, configfile) +') + +######################################## +## +## Read config files in /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_config_files',` + gen_require(` + attribute configfile; + ') + + allow $1 configfile:dir list_dir_perms; + read_files_pattern($1, configfile, configfile) + read_lnk_files_pattern($1, configfile, configfile) +') + +########################################### +## +## Manage all configuration files on filesystem +## +## +## +## The type of domain performing this action +## +## +## +# +interface(`files_manage_config_files',` + gen_require(` + attribute configfile; + ') + + manage_files_pattern($1, configfile, configfile) +') + +####################################### +## +## Relabel configuration files +## +## +## +## Type of domain performing this action +## +## +## +# +interface(`files_relabel_config_files',` + gen_require(` + attribute configfile; + ') + + relabel_files_pattern($1, configfile, configfile) +') + ######################################## ## ## Mount a filesystem on all mount points. 
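Review bot: The summary of `files_read_config_files` says `Read config files in /etc.`, but the rules are over the `configfile` attribute, which covers every type registered through `files_config_file` in any module, not just etc_t; suggest `## Read all files with the configfile attribute (types registered via files_config_file).`. The same applies to the four manage/relabel interfaces in this hunk, whose descriptions should make clear they span all modules' configuration types, since that is a much wider grant than etc_t alone and callers will be audited on that basis. The separator rows above these five interfaces are of differing widths where the rest of the file uses a fixed-width row; worth normalizing before merge.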
@@ -1487,6 +1587,25 @@ interface(`files_boot_filetrans',` ######################################## ## +## read files in the /boot directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_read_boot_files',` + gen_require(` + type boot_t; + ') + + manage_files_pattern($1, boot_t, boot_t) +') + +######################################## +## ## Create, read, write, and delete files ## in the /boot directory. ## @@ -1715,6 +1834,25 @@ interface(`files_dontaudit_list_default',` ######################################## ## +## Create, read, write, and delete directories with +## the default file type. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_default_dirs',` + gen_require(` + type default_t; + ') + + manage_dirs_pattern($1, default_t, default_t) +') + +######################################## +## ## Mount a filesystem on a directory with the default file type. ## ## @@ -1789,6 +1927,25 @@ interface(`files_dontaudit_read_default_files',` ######################################## ## +## Create, read, write, and delete files with +## the default file type. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_default_files',` + gen_require(` + type default_t; + ') + + manage_files_pattern($1, default_t, default_t) +') + +######################################## +## ## Read symbolic links with the default file type. ## ## @@ -1913,6 +2070,25 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') +########################################## +## +## Manage generic directories in /etc +## +## +## +## Domain allowed access +## +## +## +# +interface(`files_manage_etc_dirs',` + gen_require(` + type etc_t; + ') + + manage_dirs_pattern($1, etc_t, etc_t) +') + ######################################## ## ## Read generic files in /etc. 
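Review bot: `files_read_boot_files` is documented as `read files in the /boot directory` but its body is `manage_files_pattern($1, boot_t, boot_t)`, which also grants create, write, rename and unlink on boot_t; any caller asking for read access silently gets write access to kernels and initrds. The body should be `read_files_pattern($1, boot_t, boot_t)`, and the interface that follows it on the page (`Create, read, write, and delete files in the /boot directory`) already provides the manage variant. The summary should also be capitalized, `## Read files in the /boot directory.`, to match the file's style.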
@@ -2460,7 +2636,7 @@ interface(`files_manage_isid_type_symlinks',` ######################################## ## -## Read and write block device nodes on new filesystems +## Read and write block device nodes on new filesystems ## that have not yet been labeled. ## ## @@ -3392,8 +3568,26 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## +## List all tmp directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; + ') + + allow $1 tmpfile:dir list_dir_perms; +') + +######################################## +## ## Do not audit attempts to get the attributes -## of all tmp files. +## of all tmp files. ## ## ## @@ -3412,7 +3606,7 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ######################################## ## ## Allow attempts to get the attributes -## of all tmp files. +## of all tmp files. ## ## ## @@ -3431,7 +3625,7 @@ interface(`files_getattr_all_tmp_files',` ######################################## ## ## Do not audit attempts to get the attributes -## of all tmp sock_file. +## of all tmp sock_file. ## ## ## @@ -4222,6 +4416,24 @@ interface(`files_list_var_lib',` list_dirs_pattern($1, var_t, var_lib_t) ') +########################################### +## +## Read-write /var/lib directories +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_var_lib_dirs',` + gen_require(` + type var_lib_t; + ') + + rw_dirs_pattern($1, var_lib_t, var_lib_t) +') + ######################################## ## ## Create objects in the /var/lib directory 
@@ -4955,7 +5167,7 @@ interface(`files_polyinstantiate_all',` selinux_compute_member($1) # Need sys_admin capability for mounting - allow $1 self:capability { chown fsetid sys_admin }; + allow $1 self:capability { chown fsetid sys_admin fowner }; # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 3ae897d..7b08d20 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files, 1.12.0) +policy_module(files, 1.12.1) ######################################## # @@ -11,6 +11,7 @@ attribute files_unconfined_type; attribute lockfile; attribute mountpoint; attribute pidfile; +attribute configfile; # For labeling types that are to be polyinstantiated attribute polydir; @@ -52,7 +53,7 @@ files_mountpoint(default_t) # # etc_t is the type of the system etc directories. # -type etc_t; +type etc_t, configfile; files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; @@ -219,7 +220,7 @@ fs_associate_tmpfs(tmpfsfile) allow files_unconfined_type file_type:{ file chr_file } ~execmod; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; -# Mount/unmount any filesystem with the context= option. +# Mount/unmount any filesystem with the context= option. allow files_unconfined_type file_type:filesystem *; tunable_policy(`allow_execmod',` diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc index 7be4ddf..b029773 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -1 +1 @@ -# This module currently does not have any file contexts. +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index b2c058a..eb723b4 100644 
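Review bot: The capability set in `files_polyinstantiate_all` gains `fowner`, but the comment above it, `# Need sys_admin capability for mounting`, now explains only one of the four capabilities in a highly privileged interface. A short reason for the addition would help future audits, e.g. `# fowner: setattr on polyinstantiated directories owned by other users — confirm`; I am inferring the purpose from the directory permissions granted just below, so the author should check the wording. The filesystem.fc change labelling `/dev/shm` as tmpfs_t replaces the file's only comment; a `# /dev/shm is a tmpfs mount point` line would keep the file self-explanatory.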
--- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -310,6 +310,26 @@ interface(`fs_rw_anon_inodefs_files',` ######################################## ## +## Do not audit attempts to read or write files on +## anon_inodefs file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_rw_anon_inodefs_files',` + gen_require(` + type anon_inodefs_t; + + ') + + dontaudit $1 anon_inodefs_t:file rw_file_perms; +') + +######################################## +## ## Mount an automount pseudo filesystem. ## ## @@ -462,7 +482,7 @@ interface(`fs_manage_autofs_symlinks',` ######################################## ## ## Get the attributes of directories on -## binfmt_misc filesystems. +## binfmt_misc filesystems. ## ## ## @@ -1149,6 +1169,44 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') +####################################### +## +## Create, read, write, and delete dirs +## on a configfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_configfs_dirs',` + gen_require(` + type configfs_t; + ') + + manage_dirs_pattern($1, configfs_t, configfs_t) +') + +####################################### +## +## Create, read, write, and delete files +## on a configfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_configfs_files',` + gen_require(` + type configfs_t; + ') + + manage_files_pattern($1, configfs_t, configfs_t) +') + ######################################## ## ## Mount a DOS filesystem, such as @@ -1248,7 +1306,7 @@ interface(`fs_relabelfrom_dos_fs',` ######################################## ## -## Search dosfs filesystem. +## Search dosfs filesystem. ## ## ## 
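Review bot: `fs_dontaudit_rw_anon_inodefs_files` has a stray blank line inside its `gen_require` block (`type anon_inodefs_t;` followed by an empty line before `')`), which no other interface in this diff has. The block should be the usual three lines, `gen_require(`` / `type anon_inodefs_t;` / `')`, with no gap. The two configfs interfaces further down the hunk use a shorter separator row than the rest of the file; cosmetic but worth aligning.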
@@ -1537,7 +1595,25 @@ interface(`fs_rw_hugetlbfs_files',` ######################################## ## -## Search inotifyfs filesystem. +## Allow the type to associate to hugetlbfs filesystems. +## +## +## +## The type of the object to be associated. +## +## +# +interface(`fs_associate_hugetlbfs',` + gen_require(` + type hugetlbfs_t; + ') + + allow $1 hugetlbfs_t:filesystem associate; +') + +######################################## +## +## Search inotifyfs filesystem. ## ## ## @@ -1555,7 +1631,7 @@ interface(`fs_search_inotifyfs',` ######################################## ## -## List inotifyfs filesystem. +## List inotifyfs filesystem. ## ## ## @@ -2542,6 +2618,42 @@ interface(`fs_search_nfsd_fs',` ######################################## ## +## List NFS server directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_list_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:dir list_dir_perms; +') + +######################################## +## +## Getattr files on an nfsd filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_nfsd_files',` + gen_require(` + type nfsd_fs_t; + ') + + getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + +######################################## +## ## Read and write NFS server files. ## ## @@ -2687,7 +2799,7 @@ interface(`fs_dontaudit_search_ramfs',` ######################################## ## -## Create, read, write, and delete +## Create, read, write, and delete ## directories on a ramfs. ## ## @@ -2779,7 +2891,7 @@ interface(`fs_write_ramfs_pipes',` ######################################## ## -## Do not audit attempts to write to named +## Do not audit attempts to write to named ## pipes on a ramfs filesystem. ## ## @@ -2816,7 +2928,7 @@ interface(`fs_rw_ramfs_pipes',` ######################################## ## -## Create, read, write, and delete +## Create, read, write, and delete ## named pipes on a ramfs filesystem. ## ## 
@@ -3572,6 +3684,104 @@ interface(`fs_manage_tmpfs_blk_files',` ######################################## ## +## Mount a XENFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mount_xenfs',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:filesystem mount; +') + +######################################## +## +## Create, read, write, and delete directories +## on a XENFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_xenfs_dirs',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:dir manage_dir_perms; +') + +######################################## +## +## Do not audit attempts to create, read, +## write, and delete directories +## on a XENFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_manage_xenfs_dirs',` + gen_require(` + type xenfs_t; + ') + + dontaudit $1 xenfs_t:dir manage_dir_perms; +') + +######################################## +## +## Create, read, write, and delete files +## on a XENFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_xenfs_files',` + gen_require(` + type xenfs_t; + ') + + manage_files_pattern($1, xenfs_t, xenfs_t) +') + +######################################## +## +## Do not audit attempts to create, +## read, write, and delete files +## on a XENFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_manage_xenfs_files',` + gen_require(` + type xenfs_t; + ') + + dontaudit $1 xenfs_t:file manage_file_perms; +') + +######################################## +## ## Mount all filesystems. ## ## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 9821410..12272e5 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem, 1.12.0) +policy_module(filesystem, 1.12.1) ######################################## # 
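Review bot: `fs_manage_xenfs_dirs` and `fs_manage_xenfs_files` are written differently: the dirs interface uses a bare `allow $1 xenfs_t:dir manage_dir_perms;` while the files one uses `manage_files_pattern($1, xenfs_t, xenfs_t)`. Using `manage_dirs_pattern($1, xenfs_t, xenfs_t)` keeps the pair parallel and matches how the other manage interfaces in this diff are written; with both arguments xenfs_t the resulting access is the same. The two dontaudit variants are consistent with each other, so only the allow side needs the change.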
@@ -38,7 +38,7 @@ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); # types, and label the filesystem itself with the specified context. # This is appropriate for pseudo filesystems that represent objects # like pipes and sockets, so that these objects are labeled with the same -# type as the creating task. +# type as the creating task. fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0); fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0); fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0); @@ -93,7 +93,7 @@ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) -genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0) +fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); type ibmasmfs_t; fs_type(ibmasmfs_t) @@ -174,6 +174,11 @@ fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); allow tmpfs_t noxattrfs:filesystem associate; +type xenfs_t; +fs_noxattr_type(xenfs_t) +files_mountpoint(xenfs_t) +genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0) + ############################## # # Filesystems without extended attribute support @@ -250,7 +255,6 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) -genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) ######################################## 
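Review bot: `xenfs_t` is declared with `fs_noxattr_type(xenfs_t)` but the declaration is inserted above the `# Filesystems without extended attribute support` banner, in the section holding the xattr-capable types; moving the four lines below that banner keeps the file's grouping meaningful. The hugetlbfs switch from `genfscon hugetlbfs /` to `fs_use_trans hugetlbfs` is a labelling behaviour change — objects created on hugetlbfs now take the creating domain's type transition rather than a fixed hugetlbfs_t — and nothing on the line explains it. A comment such as `# fs_use_trans: hugetlbfs objects are labelled by the creating domain (see fs_associate_hugetlbfs)` would record the rationale, assuming that is why the associate interface was added in this commit.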
@@ -275,7 +279,7 @@ fs_associate_noxattr(noxattrfs) allow filesystem_unconfined_type filesystem_type:filesystem *; -# Create/access other files. fs_type is to pick up various +# Create/access other files. fs_type is to pick up various # pseudo filesystem types that are applied to both the filesystem # and its files. allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index d6ec546..8a970d5 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -1,5 +1,5 @@ ## -## Policy for kernel threads, proc filesystem, +## Policy for kernel threads, proc filesystem, ## and unlabeled processes and objects. ## ## @@ -57,7 +57,7 @@ interface(`kernel_ranged_domtrans_to',` type kernel_t; ') - kernel_domtrans_to($1,$2) + kernel_domtrans_to($1, $2) ifdef(`enable_mcs',` range_transition kernel_t $2:process $3; @@ -485,11 +485,30 @@ interface(`kernel_clear_ring_buffer',` ######################################## ## +## Allows caller to request the kernel to load a module +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_request_load_module',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:system module_request; +') + +######################################## +## ## Get information on all System V IPC objects. ## ## ## -## +## Domain allowed access. ## ## # 
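Review bot: `kernel_request_load_module` grants `kernel_t:system module_request`, which lets the caller make the kernel auto-load a module by name, and the summary `Allows caller to request the kernel to load a module` undersells how much that widens the kernel attack surface for a confined domain. The description should state that the caller influences which module is resolved and that this is distinct from `sys_module`, e.g. `## Allow the domain to trigger automatic loading of a kernel module by name; grant only to domains that need on-demand drivers or protocols.`. The file's convention elsewhere appears to be the imperative `Allow caller ...`, not `Allows`.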
@@ -941,6 +960,29 @@ interface(`kernel_dontaudit_getattr_core_if',` ######################################## ## +## Allows caller to read the core kernel interface. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_core_if',` + gen_require(` + type proc_t, proc_kcore_t; + attribute can_dump_kernel; + ') + + allow $1 self:capability sys_rawio; + read_files_pattern($1, proc_t, proc_kcore_t) + list_dirs_pattern($1, proc_t, proc_t) + + typeattribute $1 can_dump_kernel; +') + +######################################## +## ## Allow caller to read kernel messages ## using the /proc/kmsg interface. ## diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index faf39a5..400bee5 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,5 +1,5 @@ -policy_module(kernel, 1.11.0) +policy_module(kernel, 1.11.2) ######################################## # @@ -9,6 +9,7 @@ policy_module(kernel, 1.11.0) # assertion related attributes attribute can_load_kernmodule; attribute can_receive_kernel_messages; +attribute can_dump_kernel; neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module; @@ -37,7 +38,7 @@ ifdef(`enable_mls',` # # kernel_t is the domain of kernel threads. # It is also the target type when checking permissions in the system class. -# +# type kernel_t, can_load_kernmodule; domain_base_type(kernel_t) mls_rangetrans_source(kernel_t) @@ -90,7 +91,7 @@ neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~ge # /proc kcore: inaccessible type proc_kcore_t, proc_type; -neverallow ~kern_unconfined proc_kcore_t:file ~getattr; +neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr; genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) type proc_mdstat_t, proc_type; 
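Review bot: `kernel_read_core_if` does more than its one-line summary says: it grants `self:capability sys_rawio`, which the kernel requires to open /proc/kcore but which also permits raw port and device I/O, and it places the domain in `can_dump_kernel`, which the kernel.te hunk on the same line uses to exempt it from `neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;`. Since /proc/kcore exposes all of kernel memory, the description should spell that out so reviewers of callers see the full grant, e.g. `## Read the kernel core image (/proc/kcore). Grants sys_rawio and exempts the domain from the proc_kcore_t neverallow; intended for crash-dump tooling only.`. The summary should also use the file's imperative form, `Allow caller to read`, rather than `Allows`.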
@@ -248,7 +249,7 @@ corenet_send_all_packets(kernel_t) dev_read_sysfs(kernel_t) dev_search_usbfs(kernel_t) -# Mount root file system. Used when loading a policy +# Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) fs_unmount_all_fs(kernel_t) @@ -275,7 +276,7 @@ mcs_process_set_categories(kernel_t) mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) mls_file_write_all_levels(kernel_t) -mls_file_read_all_levels(kernel_t) +mls_file_read_all_levels(kernel_t) ifdef(`distro_redhat',` # Bugzilla 222337 @@ -309,7 +310,7 @@ optional_policy(` allow kernel_t self:tcp_socket create_stream_socket_perms; allow kernel_t self:udp_socket create_socket_perms; - # nfs kernel server needs kernel UDP access. It is less risky and painful + # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. corenet_udp_sendrecv_generic_if(kernel_t) corenet_udp_sendrecv_generic_node(kernel_t) @@ -326,7 +327,7 @@ optional_policy(` rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t) - rpc_udp_rw_nfs_sockets(kernel_t) + rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` fs_getattr_noxattr_fs(kernel_t) @@ -355,7 +356,7 @@ optional_policy(` ') optional_policy(` - unconfined_domain(kernel_t) + unconfined_domain_noaudit(kernel_t) ') ######################################## diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index 79622ec..1e999d7 100644 --- a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -1,5 +1,5 @@ -policy_module(mcs, 1.1.1) +policy_module(mcs, 1.2.0) ######################################## # diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index 5afa664..d1719ca 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc 
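Review bot: The only functional change in this kernel.te hunk is `unconfined_domain(kernel_t)` becoming `unconfined_domain_noaudit(kernel_t)`, and it is buried among whitespace-only edits with no comment explaining why the audited variant was dropped for kernel_t. Because the difference affects what reaches the audit log for the most privileged domain on the system, a one-line comment inside that optional_policy block, e.g. `# noaudit: <REASON — fill in>`, would let log reviewers understand the reduced visibility. The definition of unconfined_domain_noaudit is not on this page, so the exact audit impact should be stated by the author.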
@@ -28,6 +28,7 @@ /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 05d9923..a388e63 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -529,7 +529,7 @@ interface(`storage_dontaudit_read_removable_device',` ') - dontaudit $1 removable_device_t:blk_file { getattr ioctl read }; + dontaudit $1 removable_device_t:blk_file read_blk_file_perms; ') ######################################## diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te index 7a07c60..fc46c28 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -1,5 +1,5 @@ -policy_module(storage, 1.7.0) +policy_module(storage, 1.7.1) ######################################## # @@ -13,7 +13,7 @@ attribute scsi_generic_write; attribute storage_unconfined_type; # -# fixed_disk_device_t is the type of +# fixed_disk_device_t is the type of # /dev/hd* and /dev/sd*. # type fixed_disk_device_t; diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc index 592a1ac..3994e57 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc 
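Review bot: The new storage.fc entry `/dev/mtd.* -b ... fixed_disk_device_t,mls_systemhigh` only matches block nodes, so it labels `/dev/mtdblock*` but not the raw MTD character nodes (`/dev/mtdN`, `/dev/mtdNro`), which give direct flash read, write and erase access and arguably deserve the same treatment. If those are intended to be covered, a separate `-c` entry is needed, since a `-b` entry never matches a character device; if they are not, narrowing the regex to `/dev/mtdblock.*` documents that choice. The storage.if change to `read_blk_file_perms` replaces an ad-hoc permission set with the standard macro, which is the conventional form and needs no comment.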
@@ -13,6 +13,7 @@ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) +/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index f89eaba..22fa1c5 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -196,7 +196,7 @@ interface(`term_use_all_terms',` dev_list_all_dev_nodes($1) allow $1 devpts_t:dir list_dir_perms; - allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; + allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; ') ######################################## @@ -474,6 +474,24 @@ interface(`term_dontaudit_manage_pty_dirs',` ######################################## ## +## Do not audit attempts to get the attributes +## of generic pty devices. +## +## +## +## The type of the process to not audit. +## +## +# +interface(`term_dontaudit_getattr_generic_ptys',` + gen_require(` + type devpts_t; + ') + + dontaudit $1 devpts_t:chr_file getattr; +') +######################################## +## ## ioctl of generic pty devices. ## ## @@ -575,6 +593,25 @@ interface(`term_dontaudit_use_generic_ptys',` dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') +####################################### +## +## Set the attributes of the tty device +## +## +## +## Domain allowed access. +## +## +# +interface(`term_setattr_controlling_term',` + gen_require(` + type devtty_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devtty_t:chr_file setattr; +') + ######################################## ## ## Read and write the controlling 
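Review bot: `term_dontaudit_getattr_generic_ptys` is not followed by a blank line before the next `########################################` separator, so its closing `')` runs straight into the banner of the ioctl interface; every other interface in this diff has the blank line. The summary of `term_setattr_controlling_term` says `Set the attributes of the tty device`, which matches neither the interface name nor the devtty_t type it uses; `## Set the attributes of the controlling terminal (/dev/tty).` would align all three. The terminal.fc entry for `/dev/pts/ptmx` only takes effect if the devpts filesystem accepts a file context for that node, which the `associate` rule added in terminal.te suggests is the intent; a comment beside the fc entry noting that dependency would help.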
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index f7db981..ba85661 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -1,5 +1,5 @@ -policy_module(terminal, 1.7.0) +policy_module(terminal, 1.7.1) ######################################## # @@ -22,7 +22,7 @@ type console_device_t; dev_node(console_device_t) # -# devpts_t is the type of the devpts file system and +# devpts_t is the type of the devpts file system and # the type of the root directory of the file system. # type devpts_t; @@ -44,6 +44,7 @@ mls_trusted_object(devtty_t) type ptmx_t; dev_node(ptmx_t) mls_trusted_object(ptmx_t) +allow ptmx_t devpts_t:filesystem associate; # # tty_device_t is the type of /dev/*tty* diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index fe7c449..3a8f03d 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron, 2.1.2) +policy_module(cron, 2.2.0) gen_require(` class passwd rootok; diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index aa857cb..5c3924d 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -1,5 +1,5 @@ -policy_module(dbus, 1.11.1) +policy_module(dbus, 1.12.0) gen_require(` class dbus all_dbus_perms; diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te index afbd2be..7c9b57c 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -1,5 +1,5 @@ -policy_module(nscd, 1.9.2) +policy_module(nscd, 1.10.0) gen_require(` class nscd all_nscd_perms; diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index 4ad43ef..8d1f370 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -1,5 +1,5 @@ -policy_module(openvpn, 1.8.2) +policy_module(openvpn, 1.9.0) ######################################## # 
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index 4334f27..0c4e92c 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -1,5 +1,5 @@ -policy_module(policykit, 1.0.1) +policy_module(policykit, 1.1.0) ######################################## # diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc new file mode 100644 index 0000000..2f1e529 --- /dev/null +++ b/policy/modules/services/puppet.fc @@ -0,0 +1,11 @@ +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) + +/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) +/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) + +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + +/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if new file mode 100644 index 0000000..34946a2 --- /dev/null +++ b/policy/modules/services/puppet.if @@ -0,0 +1,31 @@ +## Puppet client daemon +## +##

+## Puppet is a configuration management system written in Ruby. +## The client daemon is responsible for periodically requesting the +## desired system state from the server and ensuring the state of +## the client system matches. +##

+##
+ +################################################ +## +## Read / Write to Puppet temp files. Puppet uses +## some system binaries (groupadd, etc) that run in +## a non-puppet domain and redirects output into temp +## files. +## +## +## +## Domain allowed access +## +## +# +interface(`puppet_rw_tmp', ` + gen_require(` + type puppet_tmp_t; + ') + + allow $1 puppet_tmp_t:file rw_file_perms; + files_search_tmp($1) +') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te new file mode 100644 index 0000000..3cb1741 --- /dev/null +++ b/policy/modules/services/puppet.te @@ -0,0 +1,234 @@ + +policy_module(puppet, 1.0.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow Puppet client to manage all file +## types. +##

+##
+gen_tunable(puppet_manage_all_files, false) + +type puppet_t; +type puppet_exec_t; +init_daemon_domain(puppet_t, puppet_exec_t) + +type puppet_etc_t; +files_config_file(puppet_etc_t) + +type puppet_initrc_exec_t; +init_script_file(puppet_initrc_exec_t) + +type puppet_log_t; +logging_log_file(puppet_log_t) + +type puppet_tmp_t; +files_tmp_file(puppet_tmp_t) + +type puppet_var_lib_t; +files_type(puppet_var_lib_t) + +type puppet_var_run_t; +files_pid_file(puppet_var_run_t) + +type puppetmaster_t; +type puppetmaster_exec_t; +init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) + +type puppetmaster_initrc_exec_t; +init_script_file(puppetmaster_initrc_exec_t) + +type puppetmaster_tmp_t; +files_tmp_file(puppetmaster_tmp_t) + +######################################## +# +# Puppet personal policy +# + +allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; +allow puppet_t self:process { signal signull getsched setsched }; +allow puppet_t self:fifo_file rw_fifo_file_perms; +allow puppet_t self:netlink_route_socket create_netlink_socket_perms; +allow puppet_t self:tcp_socket create_stream_socket_perms; +allow puppet_t self:udp_socket create_socket_perms; + +read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) + +manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +files_search_var_lib(puppet_t) + +setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) +manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) +files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) + +create_dirs_pattern(puppet_t, var_log_t, puppet_log_t) +create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) +append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) +logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) + +manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) +manage_files_pattern(puppet_t, puppet_tmp_t, 
puppet_tmp_t) +files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) + +kernel_dontaudit_search_sysctl(puppet_t) +kernel_dontaudit_search_kernel_sysctl(puppet_t) +kernel_read_system_state(puppet_t) +kernel_read_crypto_sysctls(puppet_t) + +corecmd_exec_bin(puppet_t) +corecmd_exec_shell(puppet_t) + +corenet_all_recvfrom_netlabel(puppet_t) +corenet_all_recvfrom_unlabeled(puppet_t) +corenet_tcp_sendrecv_generic_if(puppet_t) +corenet_tcp_sendrecv_generic_node(puppet_t) +corenet_tcp_bind_generic_node(puppet_t) +corenet_tcp_connect_puppet_port(puppet_t) +corenet_sendrecv_puppet_client_packets(puppet_t) + +dev_read_rand(puppet_t) +dev_read_sysfs(puppet_t) +dev_read_urand(puppet_t) + +domain_read_all_domains_state(puppet_t) +domain_interactive_fd(puppet_t) + +files_manage_config_files(puppet_t) +files_manage_config_dirs(puppet_t) +files_manage_etc_dirs(puppet_t) +files_manage_etc_files(puppet_t) +files_read_usr_symlinks(puppet_t) +files_relabel_config_dirs(puppet_t) +files_relabel_config_files(puppet_t) + +selinux_search_fs(puppet_t) +selinux_set_all_booleans(puppet_t) +selinux_set_generic_booleans(puppet_t) +selinux_validate_context(puppet_t) + +term_dontaudit_getattr_unallocated_ttys(puppet_t) +term_dontaudit_getattr_all_user_ttys(puppet_t) + +init_all_labeled_script_domtrans(puppet_t) +init_domtrans_script(puppet_t) +init_read_utmp(puppet_t) +init_signull_script(puppet_t) + +logging_send_syslog_msg(puppet_t) + +miscfiles_read_hwdata(puppet_t) +miscfiles_read_localization(puppet_t) + +seutil_domtrans_setfiles(puppet_t) +seutil_domtrans_semanage(puppet_t) + +sysnet_dns_name_resolve(puppet_t) +sysnet_run_ifconfig(puppet_t, system_r) + +tunable_policy(`puppet_manage_all_files',` + auth_manage_all_files_except_shadow(puppet_t) +') + +optional_policy(` + consoletype_domtrans(puppet_t) +') + +optional_policy(` + hostname_exec(puppet_t) +') + +optional_policy(` + files_rw_var_files(puppet_t) + + rpm_domtrans(puppet_t) + rpm_manage_db(puppet_t) + rpm_manage_log(puppet_t) +') 
+ +optional_policy(` + unconfined_domain(puppet_t) +') + +optional_policy(` + usermanage_domtrans_groupadd(puppet_t) + usermanage_domtrans_useradd(puppet_t) +') + +######################################## +# +# Pupper master personal policy +# + +allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; +allow puppetmaster_t self:process { signal_perms getsched setsched }; +allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; +allow puppetmaster_t self:socket create; +allow puppetmaster_t self:tcp_socket create_stream_socket_perms; +allow puppetmaster_t self:udp_socket create_socket_perms; + +list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) +read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) + +allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr }; +allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr }; +logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) + +manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) +manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) + +setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) +manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) +files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) + +manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) +manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) +files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) + +kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) +kernel_read_system_state(puppetmaster_t) +kernel_read_crypto_sysctls(puppetmaster_t) + +corecmd_exec_bin(puppetmaster_t) +corecmd_exec_shell(puppetmaster_t) + +corenet_all_recvfrom_netlabel(puppetmaster_t) +corenet_all_recvfrom_unlabeled(puppetmaster_t) 
+corenet_tcp_sendrecv_generic_if(puppetmaster_t) +corenet_tcp_sendrecv_generic_node(puppetmaster_t) +corenet_tcp_bind_generic_node(puppetmaster_t) +corenet_tcp_bind_puppet_port(puppetmaster_t) +corenet_sendrecv_puppet_server_packets(puppetmaster_t) + +dev_read_rand(puppetmaster_t) +dev_read_urand(puppetmaster_t) + +domain_read_all_domains_state(puppetmaster_t) + +files_read_etc_files(puppetmaster_t) +files_search_var_lib(puppetmaster_t) + +logging_send_syslog_msg(puppetmaster_t) + +miscfiles_read_localization(puppetmaster_t) + +sysnet_dns_name_resolve(puppetmaster_t) +sysnet_run_ifconfig(puppetmaster_t, system_r) + +optional_policy(` + hostname_exec(puppetmaster_t) +') + +optional_policy(` + files_read_usr_symlinks(puppetmaster_t) + + rpm_exec(puppetmaster_t) + rpm_read_db(puppetmaster_t) +') diff --git a/policy/modules/services/tgtd.fc b/policy/modules/services/tgtd.fc new file mode 100644 index 0000000..8294f6f --- /dev/null +++ b/policy/modules/services/tgtd.fc @@ -0,0 +1,3 @@ +/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) +/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) +/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if new file mode 100644 index 0000000..2c0bc5c --- /dev/null +++ b/policy/modules/services/tgtd.if @@ -0,0 +1,11 @@ +## Linux Target Framework Daemon. +## +##

+## Linux target framework (tgt) aims to simplify various +## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation +## and maintenance. Our key goals are the clean integration into +## the scsi-mid layer and implementing a great portion of tgt +## in user space. +##

+##
+ diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te new file mode 100644 index 0000000..917dae8 --- /dev/null +++ b/policy/modules/services/tgtd.te 
@@ -0,0 +1,67 @@
+
+policy_module(tgtd, 1.0.0)
+
+########################################
+#
+# TGTD personal declarations.
+#
+
+type tgtd_t;
+type tgtd_exec_t;
+init_daemon_domain(tgtd_t, tgtd_exec_t)
+
+type tgtd_initrc_exec_t;
+init_script_file(tgtd_initrc_exec_t)
+
+type tgtd_tmp_t;
+files_tmp_file(tgtd_tmp_t)
+
+type tgtd_tmpfs_t;
+files_tmpfs_file(tgtd_tmpfs_t)
+
+type tgtd_var_lib_t;
+files_type(tgtd_var_lib_t)
+
+########################################
+#
+# TGTD personal policy.
+#
+
+allow tgtd_t self:capability sys_resource;
+allow tgtd_t self:process { setrlimit signal };
+allow tgtd_t self:fifo_file rw_fifo_file_perms;
+allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:shm create_shm_perms;
+allow tgtd_t self:sem create_sem_perms;
+allow tgtd_t self:tcp_socket create_stream_socket_perms;
+allow tgtd_t self:udp_socket create_socket_perms;
+allow tgtd_t self:unix_dgram_socket create_socket_perms;
+
+manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
+files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
+
+manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
+fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
+
+manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+
+kernel_read_fs_sysctls(tgtd_t)
+
+corenet_all_recvfrom_netlabel(tgtd_t)
+corenet_all_recvfrom_unlabeled(tgtd_t)
+corenet_tcp_sendrecv_generic_if(tgtd_t)
+corenet_tcp_sendrecv_generic_node(tgtd_t)
+corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+corenet_tcp_bind_generic_node(tgtd_t)
+corenet_tcp_bind_iscsi_port(tgtd_t)
+corenet_sendrecv_iscsi_server_packets(tgtd_t)
+
+files_read_etc_files(tgtd_t)
+
+storage_getattr_fixed_disk_dev(tgtd_t)
+
+logging_send_syslog_msg(tgtd_t)
+
+miscfiles_read_localization(tgtd_t)
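Review bot: The new tgtd_t domain gets only `storage_getattr_fixed_disk_dev(tgtd_t)`, so targets backed by raw block devices will be denied read and write, while file-backed stores under tgtd_var_lib_t are fully manageable; if disk-backed targets are intended, that widening should be a deliberate, commented rule rather than a later fix-up, because it exposes local disks to whatever reaches the iSCSI port. tgtd.if in this commit declares no interfaces at all, so although tgtd_initrc_exec_t is declared here no admin role can be given control of the service. The section headers `# TGTD personal declarations.` and `# TGTD personal policy.` use a wording no other module in this diff uses; the sibling files read `# Declarations` and `# <name> local policy`.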
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 243e25c..88fb140 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -1,5 +1,5 @@ -policy_module(virt, 1.2.1) +policy_module(virt, 1.3.0) ######################################## # diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 4025f81..8cfcf84 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,5 +1,5 @@ -policy_module(xserver, 3.2.3) +policy_module(xserver, 3.3.0) gen_require(` class x_drawable all_x_drawable_perms; diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if index 8e4b8c2..06e7b0a 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if @@ -99,5 +99,23 @@ interface(`application_exec_all',` interface(`application_domain',` application_type($1) application_executable_file($2) - domain_entry_file($1,$2) + domain_entry_file($1, $2) +') + +######################################## +## +## Send signull to all application domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`application_signull',` + gen_require(` + attribute application_domain_type; + ') + + allow $1 application_domain_type:process signull; ') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te index c80f2ce..5fa76a6 100644 --- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te @@ -1,5 +1,5 @@ -policy_module(application, 1.1.0) +policy_module(application, 1.1.1) # Attribute of user applications attribute application_domain_type; @@ -11,3 +11,7 @@ optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) ') + +optional_policy(` + sudo_sigchld(application_domain_type) +') diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc index 7432278..cf61a55 100644 
--- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -6,6 +6,7 @@ /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index d1ce63c..1bab191 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -1,5 +1,5 @@ -policy_module(fstools, 1.13.0) +policy_module(fstools, 1.13.1) ######################################## # @@ -144,6 +144,7 @@ logging_send_syslog_msg(fsadm_t) miscfiles_read_localization(fsadm_t) modutils_read_module_config(fsadm_t) +modutils_read_module_deps(fsadm_t) seutil_read_config(fsadm_t) @@ -177,4 +178,5 @@ optional_policy(` optional_policy(` xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) ') diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 7637333..f073b54 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -720,6 +720,25 @@ interface(`init_labeled_script_domtrans',` files_search_etc($1) ') +######################################### +## +## Transition to the init script domain +## for all labeled init script types +## +## +## +## Domain allowed access +## +## +# +interface(`init_all_labeled_script_domtrans',` + gen_require(` + attribute init_script_file_type; + ') + + init_labeled_script_domtrans($1, init_script_file_type) +') + ######################################## ## ## Start and stop daemon programs directly. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index efe5277..1ff0596 100644 --- a/policy/modules/system/init.te 
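Review bot: init_all_labeled_script_domtrans hands the caller a transition through every type carrying init_script_file_type, including types any future module adds, so a caller can start or stop any labeled service; the summary should state that breadth, e.g. `## Transition to the init script domain for all labeled init script types, current and future; this is deliberately broad.` The summary and the parameter description also lack the trailing period the neighbouring interfaces in init.if use, and the `#` rule above the interface appears to be one character longer than the 40-column rule used by the interface directly below it.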
+++ b/policy/modules/system/init.te @@ -688,6 +688,10 @@ optional_policy(` ') optional_policy(` + puppet_rw_tmp(initrc_t) +') + +optional_policy(` quota_manage_flags(initrc_t) ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index d65ef1e..7dbf57e 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) + /etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index a162c77..7ed91dd 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -189,6 +189,31 @@ interface(`ipsec_domtrans_racoon',` ######################################## ## +## Execute racoon and allow the specified role the domain. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`ipsec_run_racoon',` + gen_require(` + type racoon_t; + ') + + ipsec_domtrans_racoon($1) + role $2 types racoon_t; +') + +######################################## +## ## Execute setkey in the setkey domain. ## ## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 8f18cbc..d65140f 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -1,11 +1,18 @@ -policy_module(ipsec, 1.10.0) +policy_module(ipsec, 1.10.1) ######################################## # # Declarations # +## +##

+## Allow racoon to read shadow +##

+##
+gen_tunable(racoon_read_shadow, false) + type ipsec_t; type ipsec_exec_t; init_daemon_domain(ipsec_t, ipsec_exec_t) @@ -15,6 +22,9 @@ role system_r types ipsec_t; type ipsec_conf_file_t; files_type(ipsec_conf_file_t) +type ipsec_initrc_exec_t; +init_script_file(ipsec_initrc_exec_t) + # type for file(s) containing ipsec keys - RSA or preshared type ipsec_key_file_t; files_type(ipsec_key_file_t) @@ -43,6 +53,9 @@ type racoon_exec_t; init_daemon_domain(racoon_t, racoon_exec_t) role system_r types racoon_t; +type racoon_tmp_t; +files_tmp_file(racoon_tmp_t) + type setkey_t; type setkey_exec_t; init_system_domain(setkey_t, setkey_exec_t) @@ -53,21 +66,23 @@ role system_r types setkey_t; # ipsec Local policy # -allow ipsec_t self:capability { net_admin dac_override dac_read_search }; +allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice }; dontaudit ipsec_t self:capability sys_tty_config; -allow ipsec_t self:process { signal setsched }; +allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; allow ipsec_t self:fifo_file read_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; +allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; + allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) allow ipsec_t ipsec_key_file_t:dir list_dir_perms; -read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) +manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) 
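Review bot: `manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)` in the ipsec local policy hunk widens the IKE daemon from read-only to create/write/unlink on the type that labels /etc/ipsec.secrets and /etc/racoon/psk.txt, so a compromise of ipsec_t can now replace or delete key material rather than only disclose it. The hunk gives no reason for the change; if a specific operation in this domain rewrites the secrets file, say so above the line, e.g. `# ipsec_t rewrites the key file during [OPERATION - confirm]; otherwise read_files_pattern suffices`, and otherwise keep read_files_pattern and grant the write to the domain that actually performs it.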
@@ -82,7 +97,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t) # so try flipping back into the ipsec_mgmt_t domain corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; -allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms; +allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:process sigchld; kernel_read_kernel_sysctls(ipsec_t) @@ -92,6 +107,7 @@ kernel_read_proc_symlinks(ipsec_t) kernel_read_system_state(ipsec_t) kernel_read_network_state(ipsec_t) kernel_read_software_raid_state(ipsec_t) +kernel_request_load_module(ipsec_t) kernel_getattr_core_if(ipsec_t) kernel_getattr_message_if(ipsec_t) @@ -120,7 +136,9 @@ dev_read_urand(ipsec_t) domain_use_interactive_fds(ipsec_t) +files_list_tmp(ipsec_t) files_read_etc_files(ipsec_t) +files_read_usr_files(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -159,7 +177,7 @@ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -allow ipsec_mgmt_t self:fifo_file rw_file_perms; +allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) 
@@ -280,6 +298,15 @@ allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; allow racoon_t self:key_socket create_socket_perms; +allow racoon_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) +manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) +files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file }) + +can_exec(racoon_t, racoon_exec_t) + +can_exec(racoon_t, setkey_exec_t) # manage pid file manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) @@ -297,6 +324,9 @@ read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t) kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) +corecmd_exec_shell(racoon_t) +corecmd_exec_bin(racoon_t) + corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_sendrecv_all_if(racoon_t) corenet_udp_sendrecv_all_if(racoon_t) @@ -314,6 +344,8 @@ domain_ipsec_setcontext_all_domains(racoon_t) files_read_etc_files(racoon_t) +fs_dontaudit_getattr_xattr_fs(racoon_t) + # allow racoon to use avc_has_perm to check context on proposed SA selinux_compute_access_vector(racoon_t) @@ -328,6 +360,13 @@ logging_send_audit_msgs(racoon_t) miscfiles_read_localization(racoon_t) +sysnet_exec_ifconfig(racoon_t) + +auth_can_read_shadow_passwords(racoon_t) +tunable_policy(`racoon_read_shadow',` + auth_tunable_read_shadow(racoon_t) +') + ######################################## # # Setkey local policy diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc index ac6c789..13f62a6 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc 
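Review bot: `can_exec(racoon_t, setkey_exec_t)` runs setkey inside racoon_t even though a confined setkey_t domain exists in this file, and together with `corecmd_exec_shell(racoon_t)` / `corecmd_exec_bin(racoon_t)` in the next hunk the daemon's hook scripts inherit racoon's full network-facing domain instead of the narrower one; the setkey transition interface in ipsec.if (`## Execute setkey in the setkey domain.`) would preserve that separation. If staying in racoon_t is required, a comment above the two can_exec lines explaining why the transition is undesirable would keep a future reviewer from "fixing" it. The enclosing racoon local policy section continues outside the hunk.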
@@ -1,7 +1,13 @@
-/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 
-/usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 9012783..6aca04d 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
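Review bot: The rewritten /usr/sbin block loses ip6tables: the old `/usr/sbin/ip6tables.*` entry is removed but only `/usr/sbin/iptables`, `-multi` and `-restore` replace it, whereas the /sbin block was given the `ip6?tables` form. On a system installing under /usr/sbin, ip6tables would be labeled bin_t and run in the caller's domain instead of iptables_t, so its netfilter access would be denied or, worse, granted to the caller. Changing the three lines to `/usr/sbin/ip6?tables`, `/usr/sbin/ip6?tables-multi` and `/usr/sbin/ip6?tables-restore` restores parity with /sbin; note also that the former `.*` wildcards covered `iptables-save`, which the explicit list no longer does, so confirm whether it needs the domain.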
@@ -69,3 +69,99 @@ interface(`iptables_exec',` corecmd_search_bin($1) can_exec($1, iptables_exec_t) ') + +##################################### +## +## Execute iptables in the iptables domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`iptables_initrc_domtrans',` + gen_require(` + type iptables_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, iptables_initrc_exec_t) +') + +##################################### +## +## Set the attributes of iptables config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`iptables_setattr_config',` + gen_require(` + type iptables_conf_t; + ') + + files_search_etc($1) + allow $1 iptables_conf_t:file setattr; +') + +##################################### +## +## Read iptables config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`iptables_read_config',` + gen_require(` + type iptables_conf_t; + ') + + files_search_etc($1) + allow $1 iptables_conf_t:dir list_dir_perms; + read_files_pattern($1, iptables_conf_t, iptables_conf_t) +') + +##################################### +## +## Create files in /etc with the type used for +## the iptables config files. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`iptables_etc_filetrans_config',` + gen_require(` + type iptables_conf_t; + ') + + files_etc_filetrans($1, iptables_conf_t, file) +') + +################################### +## +## Manage iptables config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`iptables_manage_config',` + gen_require(` + type iptables_conf_t; + type etc_t; + ') + + files_search_etc($1) + manage_files_pattern($1, iptables_conf_t, iptables_conf_t) +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index b70500e..7626034 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te 
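Review bot: iptables_manage_config requires `type etc_t;` but never uses it, and pulling a files-module type directly into another module's interface bypasses the files_* interface layer; drop that line and keep `files_search_etc($1)`. The summary of iptables_initrc_domtrans reads `## Execute iptables in the iptables domain.`, which describes iptables_domtrans rather than an init-script transition; `## Execute the iptables init script in the init script domain.` matches what init_labeled_script_domtrans does. The `#` rules above the new interfaces appear to be of differing widths, while the file's existing rule is 40 characters.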
@@ -1,5 +1,5 @@ -policy_module(iptables, 1.9.1) +policy_module(iptables, 1.10.1) ######################################## # @@ -11,6 +11,12 @@ type iptables_exec_t; init_system_domain(iptables_t, iptables_exec_t) role system_r types iptables_t; +type iptables_initrc_exec_t; +init_script_file(iptables_initrc_exec_t) + +type iptables_conf_t; +files_config_file(iptables_conf_t) + type iptables_tmp_t; files_tmp_file(iptables_tmp_t) @@ -27,6 +33,9 @@ dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:rawip_socket create_socket_perms; +manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) +files_etc_filetrans(iptables_t, iptables_conf_t, file) + manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) @@ -36,6 +45,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; allow iptables_t iptables_tmp_t:file manage_file_perms; files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) +kernel_request_load_module(iptables_t) kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) kernel_read_kernel_sysctls(iptables_t) @@ -100,6 +110,10 @@ optional_policy(` ') optional_policy(` + psad_rw_tmp_files(iptables_t) +') + +optional_policy(` rhgb_dontaudit_use_ptys(iptables_t) ') diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if index 6f0b206..88e3b32 100644 --- a/policy/modules/system/iscsi.if +++ b/policy/modules/system/iscsi.if 
@@ -17,3 +17,42 @@ interface(`iscsid_domtrans',`
 
 domtrans_pattern($1, iscsid_exec_t, iscsid_t)
 ')
+
+########################################
+##
+## Connect to ISCSI using a unix domain stream socket.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`iscsi_stream_connect',`
+ gen_require(`
+ type iscsid_t, iscsi_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)
+')
+
+########################################
+##
+## Read iscsi lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`iscsi_read_lib_files',`
+ gen_require(`
+ type iscsi_var_lib_t;
+ ')
+
+ read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t)
+ allow $1 iscsi_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index c5109df..e53aa29 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -1,5 +1,5 @@
-policy_module(iscsi, 1.6.0)
+policy_module(iscsi, 1.6.1)
 
 ########################################
 #
@@ -55,6 +55,7 @@ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
 files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
 
 kernel_read_system_state(iscsid_t)
+kernel_search_debugfs(iscsid_t)
 
 corenet_all_recvfrom_unlabeled(iscsid_t)
 corenet_all_recvfrom_netlabel(iscsid_t)
@@ -73,6 +74,6 @@ files_read_etc_files(iscsid_t)
 
 logging_send_syslog_msg(iscsid_t)
 
-miscfiles_read_localization(iscsid_t)
+auth_use_nsswitch(iscsid_t)
 
-sysnet_dns_name_resolve(iscsid_t)
+miscfiles_read_localization(iscsid_t)
diff --git a/policy/modules/system/kdump.te b/policy/modules/system/kdump.te
index a5a7526..fe64278 100644
--- a/policy/modules/system/kdump.te
+++ b/policy/modules/system/kdump.te
@@ -1,5 +1,5 @@
-policy_module(kdump, 1.0.0)
+policy_module(kdump, 1.0.1)
 
 #######################################
 #
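Review bot: iscsi_stream_connect grants `files_search_pids($1)` but the socket it connects to is typed iscsi_var_lib_t, so a caller with no other search access to /var/lib cannot reach the socket and the interface only works where some unrelated rule happens to supply that access. Either the socket lives under /var/lib and the line should be `files_search_var_lib($1)`, as iscsi_read_lib_files directly below already does, or it lives under the pid directory and the stream_connect_pattern should name the run type instead. The body of iscsid_domtrans begins outside the hunk.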
@@ -29,6 +29,7 @@ files_read_etc_runtime_files(kdump_t) files_read_kernel_img(kdump_t) kernel_read_system_state(kdump_t) +kernel_read_core_if(kdump_t) dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 0c4f4ba..76a1a05 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries, 2.5.1) +policy_module(libraries, 2.6.0) ######################################## # @@ -118,6 +118,10 @@ optional_policy(` ') optional_policy(` + puppet_rw_tmp(ldconfig_t) +') + +optional_policy(` # When you install a kernel the postinstall builds a initrd image in tmp # and executes ldconfig on it. If you dont allow this kernel installs # blow up. diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 3e7ce07..d244304 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging, 1.14.1) +policy_module(logging, 1.15.0) ######################################## # diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if index 0666bb6..a64ff3e 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -21,6 +21,25 @@ interface(`lvm_domtrans',` ######################################## ## +## Execute lvm programs in the caller domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`lvm_exec',` + gen_require(` + type lvm_exec_t; + ') + + corecmd_search_sbin($1) + can_exec($1, lvm_exec_t) +') + +######################################## +## ## Execute lvm programs in the lvm domain. ## ## 
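Review bot: lvm_exec calls `corecmd_search_sbin($1)` while lvm_domtrans_clvmd, added to the same file in this commit, calls `corecmd_search_bin($1)`; both locate lvm executables, so they should use the same search interface, and bin is the one the rest of lvm.if uses. The parameter description also alternates between `The type of the process performing this action.` and `Domain allowed to transition.`; one wording per file is the convention elsewhere in this diff.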
@@ -85,3 +104,22 @@ interface(`lvm_manage_config',` manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t) manage_files_pattern($1, lvm_etc_t, lvm_etc_t) ') + +###################################### +## +## Execute a domain transition to run clvmd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`lvm_domtrans_clvmd',` + gen_require(` + type clvmd_t, clvmd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, clvmd_exec_t, clvmd_t) +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 8fcc7d3..3c75228 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -1,5 +1,5 @@ -policy_module(lvm, 1.11.0) +policy_module(lvm, 1.11.1) ######################################## # @@ -10,6 +10,9 @@ type clvmd_t; type clvmd_exec_t; init_daemon_domain(clvmd_t, clvmd_exec_t) +type clvmd_initrc_exec_t; +init_script_file(clvmd_initrc_exec_t) + type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) @@ -102,6 +105,7 @@ fs_getattr_all_fs(clvmd_t) fs_search_auto_mountpoints(clvmd_t) fs_dontaudit_list_tmpfs(clvmd_t) fs_dontaudit_read_removable_files(clvmd_t) +fs_rw_anon_inodefs_files(clvmd_t) storage_dontaudit_getattr_removable_dev(clvmd_t) storage_manage_fixed_disk(clvmd_t) @@ -168,7 +172,7 @@ allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; allow lvm_t self:file rw_file_perms; -allow lvm_t self:fifo_file rw_fifo_file_perms; +allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; 
@@ -192,12 +196,12 @@ files_lock_filetrans(lvm_t, lvm_lock_t, file) manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -files_var_lib_filetrans(lvm_t, lvm_var_lib_t,{ dir file }) +files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) -files_pid_filetrans(lvm_t, lvm_var_run_t,{ file sock_file }) +files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) @@ -214,6 +218,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) +kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) corecmd_exec_shell(lvm_t) @@ -255,6 +260,10 @@ fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) fs_dontaudit_read_removable_files(lvm_t) fs_dontaudit_getattr_tmpfs_files(lvm_t) +fs_rw_anon_inodefs_files(lvm_t) + +mls_file_read_all_levels(lvm_t) +mls_file_write_to_clearance(lvm_t) selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) @@ -274,9 +283,12 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) +term_use_all_terms(lvm_t) + init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) init_use_script_ptys(lvm_t) +init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -313,7 +325,9 @@ optional_policy(` optional_policy(` dbus_system_bus_client(lvm_t) - hal_dbus_chat(lvm_t) + optional_policy(` + hal_dbus_chat(lvm_t) + ') ') optional_policy(` @@ -329,6 +343,10 @@ optional_policy(` ') optional_policy(` + virt_manage_images(lvm_t) +') + +optional_policy(` xen_append_log(lvm_t) xen_dontaudit_rw_unix_stream_sockets(lvm_t) ') 
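Review bot: `mls_file_read_all_levels(lvm_t)` and `mls_file_write_to_clearance(lvm_t)` make lvm_t an MLS override domain that reads every level and writes up to its clearance, with no comment on why a volume manager needs to cross levels; the file already explains narrower grants (see the note above `allow lvm_t self:process setsched;`), so a line such as `# lvm must read/write volume metadata carrying data at any level [confirm reason]` belongs above them, or the grants should be dropped if unverified. `term_use_all_terms(lvm_t)` in the -274 hunk is similarly broad and undocumented.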
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 428ce71..783f38e 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -87,6 +87,45 @@ interface(`miscfiles_read_fonts',` ######################################## ## +## Set the attributes on a fonts directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_setattr_fonts_dirs',` + gen_require(` + type fonts_t; + ') + + allow $1 fonts_t:dir setattr; +') + +######################################## +## +## Do not audit attempts to set the attributes +## on a fonts directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_dontaudit_setattr_fonts_dirs',` + gen_require(` + type fonts_t; + ') + + dontaudit $1 fonts_t:dir setattr; +') + +######################################## +## ## Do not audit attempts to write fonts. ## ## @@ -255,6 +294,25 @@ interface(`miscfiles_legacy_read_localization',` ######################################## ## +## Search man pages. +## +## +## +## Domain to not audit. +## +## +# +interface(`miscfiles_search_man_pages',` + gen_require(` + type man_t; + ') + + allow $1 man_t:dir search_dir_perms; + files_search_usr($1) +') + +######################################## +## ## Do not audit attempts to search man pages. ## ## @@ -268,7 +326,7 @@ interface(`miscfiles_dontaudit_search_man_pages',` type man_t; ') - dontaudit $1 man_t:dir search; + dontaudit $1 man_t:dir search_dir_perms; ') ######################################## 
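Review bot: miscfiles_search_man_pages documents its parameter as `## Domain to not audit.`, copied from the dontaudit variant that follows it, but this interface allows access; it should read `## Domain allowed access.` like the other allow interfaces in miscfiles.if. The summary line could likewise say `## Search man page directories.` so it is not confused with the read interface.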
@@ -358,8 +416,8 @@ interface(`miscfiles_read_public_files',` ') allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms; - read_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t }) - read_lnk_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t }) + read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t }) + read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t }) ') ######################################## diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index aa77a21..ef9d197 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -1,5 +1,5 @@ -policy_module(miscfiles, 1.7.0) +policy_module(miscfiles, 1.7.1) ######################################## # diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc index 688afeb..532181a 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc @@ -1,6 +1,7 @@ /etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) /etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) +/etc/modprobe\.d(/.*)? gen_context(system_u:object_r:modules_conf_t,s0) ifdef(`distro_gentoo',` # gentoo init scripts still manage this file diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index ce4ac17..e1057e3 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if 
@@ -1,5 +1,23 @@ ## Policy for kernel module utilities +###################################### +## +## Getattr the dependencies of kernel modules. +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_getattr_module_deps',` + gen_require(` + type modules_dep_t; + ') + + getattr_files_pattern($1, modules_object_t, modules_dep_t) +') + ######################################## ## ## Read the dependencies of kernel modules. @@ -41,8 +59,8 @@ interface(`modutils_read_module_config',` files_search_etc($1) files_search_boot($1) - allow $1 modules_conf_t:file read_file_perms; - allow $1 modules_conf_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, modules_conf_t, modules_conf_t) + read_lnk_files_pattern($1, modules_conf_t, modules_conf_t) ') ######################################## @@ -61,7 +79,7 @@ interface(`modutils_rename_module_config',` type modules_conf_t; ') - allow $1 modules_conf_t:file rename_file_perms; + rename_files_pattern($1, modules_conf_t, modules_conf_t) ') ######################################## @@ -80,7 +98,26 @@ interface(`modutils_delete_module_config',` type modules_conf_t; ') - allow $1 modules_conf_t:file unlink; + delete_files_pattern($1, modules_conf_t, modules_conf_t) +') + +######################################## +## +## Manage files with the configuration options used when +## loading modules. +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_manage_module_config',` + gen_require(` + type modules_conf_t; + ') + + manage_files_pattern($1, modules_conf_t, modules_conf_t) ') ######################################## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 87b8b7e..20f4fa8 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -1,5 +1,5 @@ -policy_module(modutils, 1.9.0) +policy_module(modutils, 1.9.1) gen_require(` bool secure_mode_insmod; 
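Review bot: `modutils_getattr_module_deps` in the -1 hunk uses `modules_object_t` in `getattr_files_pattern($1, modules_object_t, modules_dep_t)` but its `gen_require` lists only `modules_dep_t`, so a loadable module calling this interface has no declaration for the directory type it searches. The conventional way to bring that type in, and to grant the search the pattern assumes, is `files_search_kernel_modules($1)` before the pattern; the existing `modutils_read_module_deps`, whose body lies outside this hunk, presumably does the same. The -80 hunk's new `modutils_manage_module_config` is fine as written, but its summary could note that writing `modules_conf_t` controls module loading behaviour, since that is what callers are being granted.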
@@ -45,7 +45,7 @@ files_tmp_file(update_modules_tmp_t) can_exec(depmod_t, depmod_exec_t) # Read conf.modules. -allow depmod_t modules_conf_t:file read_file_perms; +read_files_pattern(depmod_t, modules_conf_t, modules_conf_t) allow depmod_t modules_dep_t:file manage_file_perms; files_kernel_modules_filetrans(depmod_t, modules_dep_t, file) @@ -82,8 +82,22 @@ ifdef(`distro_ubuntu',` ') ') +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(depmod_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(depmod_t) +') + optional_policy(` rpm_rw_pipes(depmod_t) + rpm_manage_script_tmp_files(depmod_t) +') + +optional_policy(` + # Read System.map from home directories. + unconfined_domain(depmod_t) ') ######################################## @@ -91,19 +105,23 @@ optional_policy(` # insmod local policy # -allow insmod_t self:capability { dac_override net_raw sys_tty_config }; +allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; -allow insmod_t self:udp_socket create_socket_perms; -allow insmod_t self:rawip_socket create_socket_perms; +allow insmod_t self:udp_socket create_socket_perms; +allow insmod_t self:rawip_socket create_socket_perms; # Read module config and dependency information -allow insmod_t { modules_conf_t modules_dep_t }:file read_file_perms; +list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) +read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) +list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) +read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) can_exec(insmod_t, insmod_exec_t) kernel_load_module(insmod_t) kernel_read_system_state(insmod_t) +kernel_read_network_state(insmod_t) kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) 
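Review bot: `unconfined_domain(depmod_t)` in the -82 hunk, commented as "Read System.map from home directories.", removes all confinement from depmod wherever the unconfined module is built, which is far more than the stated need. The `use_nfs_home_dirs` and `use_samba_home_dirs` tunables added a few lines above already show the intended scope — reading files in user home directories — so `userdom_read_user_home_content_files(depmod_t)` (with a matching dontaudit for the search if needed) would cover the case without turning depmod into an unconfined process. If some other denial forced the unconfined grant, the comment should name it so the rule can be narrowed later. The same file's insmod section in the next hunk group makes a similar move and is worth revisiting together with this one.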
@@ -112,6 +130,7 @@ kernel_read_debugfs(insmod_t) kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) kernel_read_hotplug_sysctls(insmod_t) +kernel_setsched(insmod_t) corecmd_exec_bin(insmod_t) corecmd_exec_shell(insmod_t) @@ -124,9 +143,6 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) -# cjp: why is this needed? insmod cannot mounton any dir -# and it also transitions to mount -dev_mount_usbfs(insmod_t) domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) @@ -159,17 +175,26 @@ seutil_read_file_contexts(insmod_t) userdom_use_user_terminals(insmod_t) -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(insmod_t) - ') -') +userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { kernel_domtrans_to(insmod_t, insmod_exec_t) } optional_policy(` + alsa_domtrans(insmod_t) +') + +optional_policy(` + firstboot_dontaudit_rw_pipes(insmod_t) + firstboot_dontaudit_rw_stream_sockets(insmod_t) +') + +optional_policy(` + hal_write_log(insmod_t) +') + +optional_policy(` hotplug_search_config(insmod_t) ') @@ -205,7 +230,7 @@ optional_policy(` ') optional_policy(` - unconfined_dontaudit_rw_pipes(insmod_t) + unconfined_domain(insmod_t) ') optional_policy(` @@ -228,7 +253,7 @@ can_exec(update_modules_t, insmod_exec_t) can_exec(update_modules_t, update_modules_exec_t) # manage module loading configuration -allow update_modules_t modules_conf_t:file manage_file_perms; +manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t) files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file) files_etc_filetrans(update_modules_t, modules_conf_t, file) diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc index 0709927..ed9c70d 100644 --- a/policy/modules/system/raid.fc +++ b/policy/modules/system/raid.fc 
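Review bot: `unconfined_domain(insmod_t)` in the -205 hunk, together with the removal of the `distro_ubuntu` guard in the -159 hunk, makes insmod_t unconfined on every distribution that builds the unconfined module rather than only on Ubuntu; the `secure_mode_insmod` boolean checked right after (`if( ! secure_mode_insmod )`) then only governs who may enter an unconfined domain, not what insmod can do. Every caller of `modutils_domtrans_insmod` — udev_t keeps it as context in the udev.te hunks below — inherits that reach. If the aim was to silence pipe denials from unconfined callers, the replaced `unconfined_dontaudit_rw_pipes(insmod_t)` was the narrower rule; otherwise a comment stating which denials require the unconfined grant would let a later reviewer scope it down.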
@@ -1,3 +1,4 @@ +/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0) /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index 9814e67..7b23940 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -1,5 +1,5 @@ -policy_module(raid, 1.9.0) +policy_module(raid, 1.9.1) ######################################## # @@ -11,6 +11,9 @@ type mdadm_exec_t; init_daemon_domain(mdadm_t, mdadm_exec_t) role system_r types mdadm_t; +type mdadm_map_t; +files_type(mdadm_map_t) + type mdadm_var_run_t; files_pid_file(mdadm_var_run_t) @@ -24,6 +27,10 @@ dontaudit mdadm_t self:capability sys_tty_config; allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; allow mdadm_t self:fifo_file rw_fifo_file_perms; +# create .mdadm files in /dev +allow mdadm_t mdadm_map_t:file manage_file_perms; +dev_filetrans(mdadm_t, mdadm_map_t, file) + manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) files_pid_filetrans(mdadm_t, mdadm_var_run_t, file) diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if index dea7f55..8de660e 100644 --- a/policy/modules/system/setrans.if +++ b/policy/modules/system/setrans.if @@ -1,5 +1,24 @@ ## SELinux MLS/MCS label translation service. +######################################## +## +## Execute setrans server in the setrans domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`setrans_initrc_domtrans',` + gen_require(` + type setrans_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, setrans_initrc_exec_t) +') + ####################################### ## ## Allow a domain to translate contexts. diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index a34ab14..98ffab7 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te 
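Review bot: `/dev/.mdadm.map` in the raid.fc hunk leaves both dots unescaped, so the pattern also matches names such as `/dev/Xmdadm_map`; the other new entries in this diff escape them (`/etc/modprobe\.d`, `/var/run/evtchnd\.pid`), so this line should read `/dev/\.mdadm\.map -- gen_context(system_u:object_r:mdadm_map_t,s0)`. In the raid.te -24 hunk the comment `# create .mdadm files in /dev` could name the map file and why it lives under /dev rather than /var/run, since `mdadm_map_t` is declared with `files_type` while everything else the daemon writes is a pid-file type. The setrans.if hunk has a doubled `#` line between the doc block and the interface; one is enough.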
@@ -1,5 +1,5 @@ -policy_module(setrans, 1.6.0) +policy_module(setrans, 1.6.1) gen_require(` class context contains; diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 9b924c3..53c2e97 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -6,8 +6,11 @@ /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0) +/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) +/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index beec752..0bd4103 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -2,6 +2,24 @@ ######################################## ## +## Send generic signals to udev. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_signal',` + gen_require(` + type udev_t; + ') + + allow $1 udev_t:process signal; +') + +######################################## +## ## Execute udev in the udev domain. ## ## @@ -169,3 +187,23 @@ interface(`udev_rw_db',` dev_list_all_dev_nodes($1) allow $1 udev_tbl_t:file rw_file_perms; ') + +######################################## +## +## Create, read, write, and delete +## udev pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_manage_pid_files',` + gen_require(` + type udev_var_run_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, udev_var_run_t, udev_var_run_t) +') diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 132115c..c86fad8 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te 
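Review bot: `udev_manage_pid_files` in the udev.if -169 hunk calls `files_search_var_lib($1)` although the type it manages, `udev_var_run_t`, is a pid-file type; the search grant should be `files_search_pids($1)`. The udev.fc hunk in the same change labels `/etc/udev/rules.d(/.*)?` with that same `udev_var_run_t`, so every caller of the new interface can also create and rewrite udev rules, which udev executes with its own privileges — a dedicated type for the rules directory would keep the pid-file interface from carrying that access, or at minimum the interface summary should state that it also grants write access to `/etc/udev/rules.d`. The dot in `rules.d` is also unescaped, unlike `/etc/hotplug\.d` on the context line above it.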
@@ -1,5 +1,5 @@ -policy_module(udev, 1.11.0) +policy_module(udev, 1.11.1) ######################################## # @@ -66,9 +66,11 @@ dev_filetrans(udev_t, udev_tbl_t, file) manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) +manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) kernel_read_system_state(udev_t) +kernel_request_load_module(udev_t) kernel_getattr_core_if(udev_t) kernel_use_fds(udev_t) kernel_read_device_sysctls(udev_t) @@ -99,7 +101,7 @@ dev_relabel_all_dev_nodes(udev_t) dev_relabel_generic_symlinks(udev_t) domain_read_all_domains_state(udev_t) -domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these +domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) @@ -111,6 +113,7 @@ files_search_mnt(udev_t) fs_getattr_all_fs(udev_t) fs_list_inotifyfs(udev_t) +fs_rw_anon_inodefs_files(udev_t) mcs_ptrace_all(udev_t) @@ -140,6 +143,7 @@ logging_send_syslog_msg(udev_t) logging_send_audit_msgs(udev_t) miscfiles_read_localization(udev_t) +miscfiles_read_hwdata(udev_t) modutils_domtrans_insmod(udev_t) # read modules.inputmap: @@ -194,6 +198,10 @@ optional_policy(` ') optional_policy(` + bluetooth_domtrans(udev_t) +') + +optional_policy(` brctl_domtrans(udev_t) ') @@ -206,10 +214,19 @@ optional_policy(` ') optional_policy(` + cups_domtrans_config(udev_t) +') + +optional_policy(` dbus_system_bus_client(udev_t) ') optional_policy(` + devicekit_read_pid_files(udev_t) + devicekit_dgram_send(udev_t) +') + +optional_policy(` lvm_domtrans(udev_t) ') @@ -228,6 +245,10 @@ optional_policy(` ') optional_policy(` + mount_domtrans(udev_t) +') + +optional_policy(` openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') 
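Review bot: The new `optional_policy` blocks for `bluetooth_domtrans`, `cups_domtrans_config` and `mount_domtrans` (and `vbetool_domtrans` in the following hunk) add transitions out of udev_t without a comment saying which udev rule or helper needs them, whereas the existing rules in this file annotate their reason (`# read modules.inputmap:` and `#pidof triggers these` on context lines). Each of these lets a udev rule start a more privileged domain — mount_t in particular — so the triggering rule is what a later reviewer needs; add a one-line comment above each, e.g. `# started from udev rules for <device class> — confirm`. `kernel_request_load_module(udev_t)` in the -66 hunk likewise deserves a note that udev now triggers module auto-loading directly in addition to the `modutils_domtrans_insmod(udev_t)` path kept as context.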
@@ -242,6 +263,14 @@ optional_policy(` ') optional_policy(` + unconfined_signal(udev_t) +') + +optional_policy(` + vbetool_domtrans(udev_t) +') + +optional_policy(` kernel_write_xen_state(udev_t) kernel_read_xen_state(udev_t) xen_manage_log(udev_t) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 662e60d..698ce2e 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined, 3.0.1) +policy_module(unconfined, 3.1.0) ######################################## # diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 6bdd081..7b7d709 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain, 4.2.4) +policy_module(userdomain, 4.3.0) ######################################## # diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc index 0d60e80..8c827f8 100644 --- a/policy/modules/system/xen.fc +++ b/policy/modules/system/xen.fc @@ -2,6 +2,8 @@ /usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) +/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) + ifdef(`distro_debian',` /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) /usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) 
@@ -19,14 +21,18 @@ ifdef(`distro_debian',` /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) +/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) +/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) +/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) +/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if index 0b1878c..7601079 100644 --- a/policy/modules/system/xen.if +++ b/policy/modules/system/xen.if 
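Review bot: `/var/run/xenner(/.*)?` in the -19 hunk reuses xend's pid type `xend_var_run_t` for what appears to be a different program's run directory, so every domain granted access to xend's pid files — xend_t gets full directory management of the type in the xen.te -103 hunk, and xm_t connects to sockets of that type through `xen_stream_connect` — reaches xenner's files as well. If xenner's state really is owned by xend, a comment such as `# xenner state is managed by xend — confirm` would record that; otherwise a dedicated type keeps the two separated. The new evtchnd entries are consistent with the evtchnd section in xen.te, where `manage_sock_files_pattern` matches the `-s` entry here.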
@@ -71,7 +71,30 @@ interface(`xen_read_image_files',` ') files_list_var_lib($1) - read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t) + + list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) + read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) +') + +######################################## +## +## Allow the specified domain to read/write +## xend image files. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`xen_rw_image_files',` + gen_require(` + type xen_image_t, xend_var_lib_t; + ') + + files_list_var_lib($1) + allow $1 xend_var_lib_t:dir search_dir_perms; + rw_files_pattern($1, xen_image_t, xen_image_t) ') ######################################## @@ -167,11 +190,14 @@ interface(`xen_stream_connect_xenstore',` # interface(`xen_stream_connect',` gen_require(` - type xend_t, xend_var_run_t; + type xend_t, xend_var_run_t, xend_var_lib_t; ') files_search_pids($1) stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t) + + files_search_var_lib($1) + stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) ') ######################################## diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 40410a7..5dc2292 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -1,11 +1,30 @@ -policy_module(xen, 1.9.0) +policy_module(xen, 1.9.1) ######################################## # # Declarations # +## +##
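Review bot: The parameter summary of the new `xen_rw_image_files` reads "Domain allowed to transition." although the interface performs no domain transition; it grants `files_list_var_lib`, search on `xend_var_lib_t` and `rw_files_pattern` on `xen_image_t`, so it should read `## Domain allowed access.` like the other interfaces in this file. The `xen_stream_connect` hunk now also connects through sockets under `xend_var_lib_t`; its summary lies outside the hunk and presumably describes only the pid-directory socket, so it should mention the var/lib path as well.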

+## Allow xen to manage nfs files +##

+##
+gen_tunable(xen_use_nfs, false) + +type evtchnd_t; +type evtchnd_exec_t; +init_daemon_domain(evtchnd_t, evtchnd_exec_t) + +# log files +type evtchnd_var_log_t; +logging_log_file(evtchnd_var_log_t) + +# pid files +type evtchnd_var_run_t; +files_pid_file(evtchnd_var_run_t) + # console ptys type xen_devpts_t; term_pty(xen_devpts_t) @@ -42,26 +61,30 @@ logging_log_file(xend_var_log_t) # pid files type xend_var_run_t; files_pid_file(xend_var_run_t) +files_mountpoint(xend_var_run_t) type xenstored_t; type xenstored_exec_t; -domain_type(xenstored_t) -domain_entry_file(xenstored_t, xenstored_exec_t) -role system_r types xenstored_t; +init_daemon_domain(xenstored_t, xenstored_exec_t) + +type xenstored_tmp_t; +files_tmp_file(xenstored_tmp_t) # var/lib files type xenstored_var_lib_t; files_type(xenstored_var_lib_t) +# log files +type xenstored_var_log_t; +logging_log_file(xenstored_var_log_t) + # pid files type xenstored_var_run_t; files_pid_file(xenstored_var_run_t) type xenconsoled_t; type xenconsoled_exec_t; -domain_type(xenconsoled_t) -domain_entry_file(xenconsoled_t, xenconsoled_exec_t) -role system_r types xenconsoled_t; +init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) # pid files type xenconsoled_var_run_t; @@ -72,6 +95,20 @@ type xm_exec_t; domain_type(xm_t) init_system_domain(xm_t, xm_exec_t) +####################################### +# +# evtchnd local policy +# + +manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) +manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) +logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) + +manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) +manage_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) +manage_sock_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) +files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) + ######################################## # # xend local policy 
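Review bot: The evtchnd local policy in the -72 hunk lets evtchnd_t create sock files under /var/run (`manage_sock_files_pattern` plus the `sock_file` filetrans) and the xenstored hunk later in this diff connects to that socket with `stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)`, but no rule visible here lets evtchnd_t create, listen on or accept a unix stream socket itself. The other daemons in this file carry an explicit self rule (`allow xenstored_t self:unix_stream_socket create_stream_socket_perms;` appears as context in the xenstored hunk); unless `init_daemon_domain` supplies it elsewhere, add `allow evtchnd_t self:unix_stream_socket create_stream_socket_perms;` to the evtchnd section. The declarations for evtchnd_t also lack a one-line comment naming the program, which every other new type here gets (`# log files`, `# pid files`).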
@@ -95,7 +132,7 @@ manage_files_pattern(xend_t, xen_image_t, xen_image_t) read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t) rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t) -allow xend_t xenctl_t:fifo_file manage_file_perms; +allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(xend_t, xenctl_t, fifo_file) manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) 
@@ -103,31 +140,30 @@ manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) # pid file -allow xend_t xend_var_run_t:dir setattr; +manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) -files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file }) +files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) # log files -allow xend_t xend_var_log_t:dir setattr; +manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) -logging_log_filetrans(xend_t, xend_var_log_t,{ sock_file file dir }) +logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir }) # var/lib files for xend manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -files_var_lib_filetrans(xend_t, xend_var_lib_t,{ file dir }) +files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir }) # transition to store domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) # transition to console -domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t) -allow xenconsoled_t xend_t:fd use; +domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) kernel_read_kernel_sysctls(xend_t) kernel_read_system_state(xend_t) @@ -183,6 +219,8 @@ term_use_generic_ptys(xend_t) term_use_ptmx(xend_t) term_getattr_pty_fs(xend_t) +init_stream_connect_script(xend_t) + locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) 
@@ -208,6 +246,10 @@ xen_stream_connect_xenstore(xend_t) netutils_domtrans(xend_t) optional_policy(` + brctl_domtrans(xend_t) +') + +optional_policy(` consoletype_exec(xend_t) ') @@ -239,6 +281,10 @@ domain_dontaudit_ptrace_all_domains(xenconsoled_t) files_read_usr_files(xenconsoled_t) +fs_list_tmpfs(xenconsoled_t) +fs_manage_xenfs_dirs(xenconsoled_t) +fs_manage_xenfs_files(xenconsoled_t) + term_create_pty(xenconsoled_t, xen_devpts_t) term_use_generic_ptys(xenconsoled_t) term_use_console(xenconsoled_t) @@ -248,7 +294,7 @@ init_use_script_ptys(xenconsoled_t) miscfiles_read_localization(xenconsoled_t) -xen_append_log(xenconsoled_t) +xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) ######################################## 
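Review bot: `xen_manage_log(xenconsoled_t)` in the -248 hunk replaces `xen_append_log`, so xenconsoled presumably moves from append-only to create/write/unlink on xend's log type and can now truncate or remove xend's own logs, not just the console logs it writes. If xenconsoled only needs to create its own log files, create plus append is the narrower grant; if full management is required, a comment such as `# xenconsoled creates and rotates console logs under /var/log/xen` would justify the widening. The `fs_manage_xenfs_*` rules added in the -239 hunk likewise carry no comment explaining why the console daemon writes xenfs.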
@@ -256,20 +302,32 @@ xen_stream_connect_xenstore(xenconsoled_t) # Xen store local policy # -allow xenstored_t self:capability { dac_override mknod ipc_lock }; +allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource }; allow xenstored_t self:unix_stream_socket create_stream_socket_perms; allow xenstored_t self:unix_dgram_socket create_socket_perms; +manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) + # pid file manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file }) +# log files +manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) + # var/lib files for xenstored manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t,{ file dir sock_file }) +files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file }) + +stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t) kernel_write_xen_state(xenstored_t) kernel_read_xen_state(xenstored_t) 
@@ -304,6 +362,7 @@ xen_append_log(xenstored_t) # allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; +allow xm_t self:process { getsched signal }; # internal communication is often done using fifo and unix sockets. allow xm_t self:fifo_file rw_fifo_file_perms; @@ -312,6 +371,7 @@ allow xm_t self:tcp_socket create_stream_socket_perms; manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) +manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) files_search_var_lib(xm_t) allow xm_t xen_image_t:dir rw_dir_perms; @@ -320,16 +380,19 @@ allow xm_t xen_image_t:blk_file read_blk_file_perms; kernel_read_system_state(xm_t) kernel_read_kernel_sysctls(xm_t) +kernel_read_sysctl(xm_t) kernel_read_xen_state(xm_t) kernel_write_xen_state(xm_t) corecmd_exec_bin(xm_t) +corecmd_exec_shell(xm_t) corenet_tcp_sendrecv_generic_if(xm_t) corenet_tcp_sendrecv_generic_node(xm_t) corenet_tcp_connect_soundd_port(xm_t) dev_read_urand(xm_t) +dev_read_sysfs(xm_t) files_read_etc_runtime_files(xm_t) files_read_usr_files(xm_t) 
@@ -337,17 +400,58 @@ files_list_mnt(xm_t) # Some common macros (you might be able to remove some) files_read_etc_files(xm_t) +fs_getattr_all_fs(xm_t) +fs_manage_xenfs_dirs(xm_t) +fs_manage_xenfs_files(xm_t) + storage_raw_read_fixed_disk(xm_t) term_use_all_terms(xm_t) +init_stream_connect_script(xm_t) init_rw_script_stream_sockets(xm_t) init_use_fds(xm_t) miscfiles_read_localization(xm_t) -sysnet_read_config(xm_t) +sysnet_dns_name_resolve(xm_t) xen_append_log(xm_t) xen_stream_connect(xm_t) xen_stream_connect_xenstore(xm_t) + +optional_policy(` + virt_manage_images(xm_t) + virt_stream_connect(xm_t) +') + +######################################## +# +# SSH component local policy +# +optional_policy(` + ssh_basic_client_template(xm, xm_t, system_r) + + kernel_read_xen_state(xm_ssh_t) + kernel_write_xen_state(xm_ssh_t) + + fs_manage_xenfs_dirs(xm_ssh_t) + fs_manage_xenfs_files(xm_ssh_t) + + #Should have a boolean wrapping these + fs_list_auto_mountpoints(xend_t) + files_search_mnt(xend_t) + fs_getattr_all_fs(xend_t) + fs_read_dos_files(xend_t) + fs_manage_xenfs_dirs(xend_t) + fs_manage_xenfs_files(xend_t) + + tunable_policy(`xen_use_nfs',` + fs_manage_nfs_files(xend_t) + fs_read_nfs_symlinks(xend_t) + ') + + optional_policy(` + unconfined_domain(xend_t) + ') +') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index e3939d6..caa8121 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt 
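Review bot: The xend_t rules at the end of the -337 hunk — from `#Should have a boolean wrapping these` through the `unconfined_domain(xend_t)` block — sit inside the `optional_policy(` that wraps `ssh_basic_client_template(xm, xm_t, system_r)`, under the "SSH component local policy" banner, so they only take effect when the ssh module is present and are easy to miss when reading the xend section. They belong in the xend local policy section earlier in the file (outside this hunk), each in its own `optional_policy` or `tunable_policy` block. `unconfined_domain(xend_t)` in particular makes every other xend_t rule in this file moot whenever the unconfined module is built; if it is a stop-gap the comment should say so and name the denials it covers, e.g. `# TODO: remove once xend's xenfs/nfs access is covered by the rules above`. The `xen_use_nfs` tunable is described in the declarations hunk as "Allow xen to manage nfs files" but only ever applies to xend_t, so its description should name xend.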
@@ -201,7 +201,7 @@ define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_file_perms',`{ getattr open read lock ioctl }')
 define(`mmap_file_perms',`{ getattr open read execute ioctl }')
-define(`exec_file_perms',`{ getattr open read execute execute_no_trans }')
+define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
 define(`append_file_perms',`{ getattr open append lock ioctl }')
 define(`write_file_perms',`{ getattr open write append lock ioctl }')
 define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
@@ -225,7 +225,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read getattr setattr unlink rename }')
+define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
@@ -312,3 +312,8 @@ define(`rw_term_perms', `{ getattr open read write ioctl }')
 #
 define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
 define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
+
+ #
+ # Keys
+ #
+ define(`manage_key_perms', `{ create link read search setattr view write } ')
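Review bot: `manage_key_perms` in the -312 hunk closes its set with `} '`, leaving a trailing space inside the m4 quote that none of the other defines in the file carry; `define(`manage_key_perms', `{ create link read search setattr view write }')`. Adding `ioctl` to `exec_file_perms` and `link` to `manage_lnk_file_perms` in the earlier hunks silently extends every existing user of those sets across the policy; a short comment at each define, or a note in the commit message, would make that effect visible to anyone auditing why a domain gained those permissions.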