diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 7eac43f..0db398e 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -21,6 +21,8 @@ ftp kudzu radvd + sasl + webalizer * Thu Sep 22 2005 Chris PeBenito - 20050922 - Make logrotate, sendmail, sshd, and rpm policies diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index 183552e..1a06638 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -30,6 +30,9 @@ gen_tunable(allow_httpd_anon_write,false) ## Allow system to run with kerberos gen_tunable(allow_kerberos,false) +## Allow sasl to read shadow +gen_tunable(allow_saslauthd_read_shadow,false) + ## allow host key based authentication gen_tunable(allow_ssh_keysign,false) diff --git a/refpolicy/policy/modules/apps/webalizer.fc b/refpolicy/policy/modules/apps/webalizer.fc new file mode 100644 index 0000000..6f0aa03 --- /dev/null +++ b/refpolicy/policy/modules/apps/webalizer.fc @@ -0,0 +1,10 @@ + +# +# /usr +# +/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0) + +# +# /var +# +/var/lib/webalizer(/.*) gen_context(system_u:object_r:webalizer_var_lib_t,s0) diff --git a/refpolicy/policy/modules/apps/webalizer.if b/refpolicy/policy/modules/apps/webalizer.if new file mode 100644 index 0000000..4c7a274 --- /dev/null +++ b/refpolicy/policy/modules/apps/webalizer.if @@ -0,0 +1 @@ +## Web server log analysis diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te new file mode 100644 index 0000000..8602aba --- /dev/null +++ b/refpolicy/policy/modules/apps/webalizer.te @@ -0,0 +1,113 @@ + +policy_module(webalizer,1.0) + +######################################## +# +# Declarations +# +type webalizer_t; +type webalizer_exec_t; +domain_type(webalizer_t) +domain_entry_file(webalizer_t,webalizer_exec_t) +role system_r types webalizer_t; + +type webalizer_etc_t; #, usercanread; +files_type(webalizer_etc_t) + +type webalizer_usage_t; +files_type(webalizer_usage_t) + +type webalizer_tmp_t; +files_tmp_file(webalizer_tmp_t) + +type webalizer_var_lib_t; +files_type(webalizer_var_lib_t) + +type webalizer_write_t; +files_type(webalizer_write_t) + +######################################## +# +# Local policy +# +allow webalizer_t self:capability dac_override; +allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow webalizer_t self:fd use; +allow webalizer_t self:fifo_file rw_file_perms; +allow webalizer_t self:shm create_shm_perms; +allow webalizer_t self:sem create_sem_perms; +allow webalizer_t self:msgq create_msgq_perms; +allow webalizer_t self:msg { send receive }; +allow webalizer_t self:unix_dgram_socket create_socket_perms; +allow webalizer_t self:unix_stream_socket create_stream_socket_perms; +allow webalizer_t self:unix_dgram_socket sendto; +allow webalizer_t self:unix_stream_socket connectto; +allow webalizer_t self:tcp_socket connected_stream_socket_perms; +allow webalizer_t self:udp_socket { connect connected_socket_perms }; + +allow webalizer_t webalizer_etc_t:file { getattr read }; + +allow webalizer_t webalizer_tmp_t:dir create_dir_perms; +allow webalizer_t webalizer_tmp_t:file create_file_perms; +files_create_tmp_files(webalizer_t, webalizer_tmp_t, { file dir }) + +allow webalizer_t webalizer_var_lib_t:file create_file_perms; +allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms; +files_create_var_lib(webalizer_t,webalizer_var_lib_t) + +kernel_read_kernel_sysctl(webalizer_t) +kernel_read_system_state(webalizer_t) + +corenet_tcp_sendrecv_all_if(webalizer_t) +corenet_udp_sendrecv_all_if(webalizer_t) +corenet_raw_sendrecv_all_if(webalizer_t) +corenet_udp_sendrecv_all_nodes(webalizer_t) +corenet_tcp_sendrecv_all_nodes(webalizer_t) +corenet_raw_sendrecv_all_nodes(webalizer_t) +corenet_tcp_sendrecv_all_ports(webalizer_t) +corenet_udp_sendrecv_all_ports(webalizer_t) +corenet_tcp_bind_all_nodes(webalizer_t) +corenet_udp_bind_all_nodes(webalizer_t) + +fs_search_auto_mountpoints(webalizer_t) + +files_read_etc_files(webalizer_t) +files_read_etc_runtime_files(webalizer_t) + +libs_use_ld_so(webalizer_t) +libs_use_shared_libs(webalizer_t) + +logging_list_logs(webalizer_t) +logging_send_syslog_msg(webalizer_t) + +miscfiles_read_localization(webalizer_t) + +sysnet_read_config(webalizer_t) + +userdom_use_unpriv_users_fd(webalizer_t) + +optional_policy(`nis.te',` + nis_use_ypbind(webalizer_t) +') + +optional_policy(`nscd.te',` + nscd_use_socket(webalizer_t) +') + +optional_policy(`cron.te',` + cron_system_entry(webalizer_t,webalizer_exec_t) +') + +ifdef(`TODO',` +# a "run" interface needs to be +# added, and have sysadm_t use it +# in a optional_policy block. + +allow webalizer_t httpd_log_t:dir { getattr read search }; +allow webalizer_t httpd_log_t:file { read getattr }; +allow webalizer_t httpd_log_t:lnk_file { getattr read }; + +allow webalizer_t httpd_sys_content_t:dir create_dir_perms; +allow webalizer_t httpd_sys_content_t:file create_file_perms; +allow webalizer_t httpd_sys_content_t:lnk_file create_lnk_perms; +') diff --git a/refpolicy/policy/modules/services/sasl.fc b/refpolicy/policy/modules/services/sasl.fc new file mode 100644 index 0000000..2bc1dd8 --- /dev/null +++ b/refpolicy/policy/modules/services/sasl.fc @@ -0,0 +1,10 @@ + +# +# /usr +# +/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0) + +# +# /var +# +/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/sasl.if b/refpolicy/policy/modules/services/sasl.if new file mode 100644 index 0000000..3cba13b --- /dev/null +++ b/refpolicy/policy/modules/services/sasl.if @@ -0,0 +1 @@ +## SASL authentication server diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te new file mode 100644 index 0000000..56c6cf4 --- /dev/null +++ b/refpolicy/policy/modules/services/sasl.te @@ -0,0 +1,108 @@ + +policy_module(sasl,1.0) + +######################################## +# +# Declarations +# + +type saslauthd_t; +type saslauthd_exec_t; +init_daemon_domain(saslauthd_t,saslauthd_exec_t) + +type saslauthd_var_run_t; +files_pid_file(saslauthd_var_run_t) + +######################################## +# +# Local policy +# + +dontaudit saslauthd_t self:capability sys_tty_config; +allow saslauthd_t self:process signal_perms; +allow saslauthd_t self:fifo_file { read write }; +allow saslauthd_t self:unix_dgram_socket create_socket_perms; +allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; +allow saslauthd_t self:tcp_socket create_socket_perms; + +allow saslauthd_t saslauthd_var_run_t:file create_file_perms; +allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms; +allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms; +files_create_pid(saslauthd_t,saslauthd_var_run_t) + +kernel_read_kernel_sysctl(saslauthd_t) +kernel_read_system_state(saslauthd_t) + +corenet_tcp_sendrecv_all_if(saslauthd_t) +corenet_raw_sendrecv_all_if(saslauthd_t) +corenet_tcp_sendrecv_all_nodes(saslauthd_t) +corenet_raw_sendrecv_all_nodes(saslauthd_t) +corenet_tcp_sendrecv_all_ports(saslauthd_t) +corenet_tcp_bind_all_nodes(saslauthd_t) +corenet_tcp_connect_pop_port(saslauthd_t) + +dev_read_sysfs(saslauthd_t) +dev_read_urand(saslauthd_t) + +fs_getattr_all_fs(saslauthd_t) +fs_search_auto_mountpoints(saslauthd_t) + +term_dontaudit_use_console(saslauthd_t) + +auth_domtrans_chk_passwd(saslauthd_t) + +domain_use_wide_inherit_fd(saslauthd_t) + +files_read_etc_files(saslauthd_t) +files_search_var_lib(saslauthd_t) +files_dontaudit_getattr_home_dir(saslauthd_t) + +init_use_fd(saslauthd_t) +init_use_script_pty(saslauthd_t) +init_dontaudit_unix_connect_script(saslauthd_t) + +libs_use_ld_so(saslauthd_t) +libs_use_shared_libs(saslauthd_t) + +logging_send_syslog_msg(saslauthd_t) + +miscfiles_read_localization(saslauthd_t) +miscfiles_read_certs(saslauthd_t) + +seutil_dontaudit_read_config(saslauthd_t) + +sysnet_read_config(saslauthd_t) + +userdom_dontaudit_use_unpriv_user_fd(saslauthd_t) +userdom_dontaudit_search_sysadm_home_dir(saslauthd_t) + +ifdef(`targeted_policy', ` + term_dontaudit_use_unallocated_tty(saslauthd_t) + term_dontaudit_use_generic_pty(saslauthd_t) + files_dontaudit_read_root_file(saslauthd_t) +') + +# cjp: typeattribute doesnt work in conditionals yet +#tunable_policy(`allow_saslauthd_read_shadow',` +# auth_read_shadow(saslauthd_t) +#') + +optional_policy(`mysql.te',` + mysql_search_db_dir(saslauthd_t) + mysql_stream_connect(saslauthd_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(saslauthd_t) +') + +optional_policy(`udev.te', ` + udev_read_db(saslauthd_t) +') + + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(saslauthd_t) +') +') diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 87a1c41..8fe9c87 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -1499,8 +1499,7 @@ interface(`files_manage_isid_type_chr_node',` ######################################## ## -## Do not audit attempts to get the -## attributes of the home directories root +## Get the attributes of the home directories root ## (/home). ## ## @@ -1510,10 +1509,27 @@ interface(`files_manage_isid_type_chr_node',` interface(`files_getattr_home_dir',` gen_require(` type home_root_t; - class dir search; ') - allow $1 home_root_t:dir search; + allow $1 home_root_t:dir getattr; +') + +######################################## +## +## Do not audit attempts to get the +## attributes of the home directories root +## (/home). +## +## +## Domain to not audit. +## +# +interface(`files_dontaudit_getattr_home_dir',` + gen_require(` + type home_root_t; + ') + + dontaudit $1 home_root_t:dir getattr; ') ######################################## diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 33f7bb8..a75d182 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -423,6 +423,24 @@ interface(`init_unix_connect_script',` ######################################## ## +## Dont audit the specified domain connecting to +## init scripts with a unix domain stream socket. +## +## +## Domain allowed access. +## +# +interface(`init_dontaudit_unix_connect_script',` + gen_require(` + type initrc_t; + class unix_stream_socket connectto; + ') + + dontaudit $1 initrc_t:unix_stream_socket connectto; +') + +######################################## +## ## Read init scripts. ## ## diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index bcec6d9..c57eb21 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -130,6 +130,23 @@ interface(`logging_search_logs',` ####################################### ## +## List the contents of the generic log directory (/var/log). +## +## +## Domain allowed access. +## +# +interface(`logging_list_logs',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + allow $1 var_log_t:dir r_dir_perms; +') + +####################################### +## ## Read and write the generic log directory (/var/log). ## ##