diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 3f37de7..26d9393 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,6 +1,7 @@ - Fix errors uncovered by sediff. - Added policies: kudzu + radvd * Thu Sep 22 2005 Chris PeBenito - 20050922 - Make logrotate, sendmail, sshd, and rpm policies diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te index 3427eb5..caa4615 100644 --- a/refpolicy/policy/modules/admin/kudzu.te +++ b/refpolicy/policy/modules/admin/kudzu.te @@ -29,7 +29,7 @@ allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow kudzu_t self:unix_dgram_socket create_socket_perms; allow kudzu_t self:udp_socket { create ioctl }; -allow kudzu_t kudzu_tmp_t:{ dir } create_file_perms; +allow kudzu_t kudzu_tmp_t:dir create_file_perms; allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms; files_create_tmp_files(kudzu_t, kudzu_tmp_t, { file dir chr_file }) @@ -81,7 +81,6 @@ domain_use_wide_inherit_fd(kudzu_t) files_search_var(kudzu_t) files_search_locks(kudzu_t) -files_exec_etc_files(kudzu_t) files_manage_etc_files(kudzu_t) files_manage_etc_runtime_files(kudzu_t) files_manage_mnt_files(kudzu_t) @@ -98,8 +97,6 @@ init_use_fd(kudzu_t) init_use_script_pty(kudzu_t) init_unix_connect_script(kudzu_t) -libs_exec_ld_so(kudzu_t) -libs_exec_lib_files(kudzu_t) libs_use_ld_so(kudzu_t) libs_use_shared_libs(kudzu_t) # Read /usr/lib/gconv/gconv-modules.* @@ -110,6 +107,7 @@ logging_send_syslog_msg(kudzu_t) miscfiles_read_localization(kudzu_t) modutils_read_module_conf(kudzu_t) +modutils_domtrans_insmod(kudzu_t) sysnet_read_config(kudzu_t) @@ -130,6 +128,10 @@ optional_policy(`gpm.te',` gpm_getattr_gpmctl(kudzu_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(kudzu_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(kudzu_t) ') 
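Review bot: `modutils_domtrans_insmod(kudzu_t)` in the hunk at -110 gives the kudzu domain a transition into the insmod domain, which presumably is the path to loading kernel modules, and nothing in the hunk records why kudzu needs that; a one-line comment above the call such as `# presumably to load drivers for newly probed hardware -- confirm` would tell the next reader which operation motivated it. The hunks at -81 and -98 remove files_exec_etc_files and the libs_exec_* calls, so the net effect of this file's changes is a tightening plus one new transition, and the comment would make that asymmetry visible. These rules sit at top level in kudzu.te, not inside any block.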
@@ -139,6 +141,7 @@ optional_policy(`udev.te',` ') ifdef(`TODO',` +allow kudzu_t modules_conf_t:file unlink; optional_policy(`rhgb.te',` rhgb_domain(kudzu_t) ') diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if index d744ed9..27328b3 100644 --- a/refpolicy/policy/modules/services/nis.if +++ b/refpolicy/policy/modules/services/nis.if @@ -43,6 +43,12 @@ interface(`nis_use_ypbind',` corenet_tcp_connect_reserved_port($1) corenet_tcp_connect_generic_port($1) corenet_dontaudit_tcp_connect_all_reserved_ports($1) + + sysnet_read_config($1) + + optional_policy(`mount.te',` + mount_send_nfs_client_request($1) + ') ',` dontaudit $1 var_yp_t:dir search; ') diff --git a/refpolicy/policy/modules/services/radvd.fc b/refpolicy/policy/modules/services/radvd.fc new file mode 100644 index 0000000..8f9e5b3 --- /dev/null +++ b/refpolicy/policy/modules/services/radvd.fc @@ -0,0 +1,7 @@ + +/etc/radvd\.conf -- context_template(system_u:object_r:radvd_etc_t,s0) + +/usr/sbin/radvd -- context_template(system_u:object_r:radvd_exec_t,s0) + +/var/run/radvd\.pid -- context_template(system_u:object_r:radvd_var_run_t,s0) +/var/run/radvd(/.*)? context_template(system_u:object_r:radvd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/radvd.if b/refpolicy/policy/modules/services/radvd.if new file mode 100644 index 0000000..6fe38b7 --- /dev/null +++ b/refpolicy/policy/modules/services/radvd.if @@ -0,0 +1 @@ +## IPv6 router advertisement daemon diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te new file mode 100644 index 0000000..d2569ea --- /dev/null +++ b/refpolicy/policy/modules/services/radvd.te 
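Review bot: `allow kudzu_t modules_conf_t:file unlink;` at -139 references the modules_conf_t type directly from the kudzu module, while the rest of the file reaches modutils through interfaces (`modutils_read_module_conf(kudzu_t)` in the hunk at -110); even inside the ifdef(`TODO') block the permission should be expressed as a modutils interface call so the owner of that type can see who may delete its configuration. Unlink on the module configuration is a higher-impact permission than the read already granted, so the line also deserves a comment naming the kudzu operation that needs it. The ifdef(`TODO') block opened on the preceding line continues past the end of the hunk.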
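Review bot: The two additions inside nis_use_ypbind, `sysnet_read_config($1)` and the optional `mount_send_nfs_client_request($1)`, widen an interface that this same commit calls from initrc_t (init.te), insmod_t (modutils.te), udev_t (udev.te), radvd_t (radvd.te) and snmpd_t (snmp.te), so every current and future caller receives those permissions rather than only the domain whose denial prompted the change. The interface's header comment lies above the hunk and should state that ypbind use now implies reading the network configuration files and, when mount.te is present, presumably interacting with the mount domain, so callers can judge whether that fits them. If only one caller needs the mount interaction, granting it in that caller's .te file keeps the interface minimal. The interface body begins before this hunk; its else branch with the var_yp_t dontaudit ends inside it.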
@@ -0,0 +1,102 @@
+
+policy_module(radvd,1.0)
+
+########################################
+#
+# Declarations
+#
+type radvd_t;
+type radvd_exec_t;
+init_daemon_domain(radvd_t,radvd_exec_t)
+
+type radvd_var_run_t;
+files_pid_file(radvd_var_run_t)
+
+type radvd_etc_t; #, usercanread;
+files_type(radvd_etc_t)
+
+########################################
+#
+# Local policy
+#
+allow radvd_t self:capability { setgid setuid net_raw };
+dontaudit radvd_t self:capability sys_tty_config;
+allow radvd_t self:process signal_perms;
+allow radvd_t self:unix_dgram_socket create_socket_perms;
+allow radvd_t self:unix_stream_socket create_socket_perms;
+allow radvd_t self:rawip_socket create_socket_perms;
+allow radvd_t self:tcp_socket create_stream_socket_perms;
+allow radvd_t self:udp_socket create_socket_perms;
+
+allow radvd_t radvd_etc_t:file { getattr read };
+
+allow radvd_t radvd_var_run_t:file create_file_perms;
+allow radvd_t radvd_var_run_t:dir rw_dir_perms;
+files_create_pid(radvd_t,radvd_var_run_t)
+
+kernel_read_kernel_sysctl(radvd_t)
+kernel_read_net_sysctl(radvd_t)
+kernel_read_network_state(radvd_t)
+kernel_read_system_state(radvd_t)
+
+corenet_tcp_sendrecv_all_if(radvd_t)
+corenet_udp_sendrecv_all_if(radvd_t)
+corenet_raw_sendrecv_all_if(radvd_t)
+corenet_tcp_sendrecv_all_nodes(radvd_t)
+corenet_udp_sendrecv_all_nodes(radvd_t)
+corenet_raw_sendrecv_all_nodes(radvd_t)
+corenet_tcp_sendrecv_all_ports(radvd_t)
+corenet_udp_sendrecv_all_ports(radvd_t)
+corenet_tcp_bind_all_nodes(radvd_t)
+corenet_udp_bind_all_nodes(radvd_t)
+
+dev_read_sysfs(radvd_t)
+
+fs_getattr_all_fs(radvd_t)
+fs_search_auto_mountpoints(radvd_t)
+
+term_dontaudit_use_console(radvd_t)
+
+domain_use_wide_inherit_fd(radvd_t)
+
+files_read_etc_files(radvd_t)
+files_list_usr(radvd_t)
+
+init_use_fd(radvd_t)
+init_use_script_pty(radvd_t)
+
+libs_use_ld_so(radvd_t)
+libs_use_shared_libs(radvd_t)
+
+logging_send_syslog_msg(radvd_t)
+
+miscfiles_read_localization(radvd_t)
+
+sysnet_read_config(radvd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(radvd_t) +userdom_dontaudit_search_sysadm_home_dir(radvd_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty(radvd_t) + term_dontaudit_use_generic_pty(radvd_t) + files_dontaudit_read_root_file(radvd_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(radvd_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(radvd_t) +') + +optional_policy(`udev.te',` + udev_read_db(radvd_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(radvd_t) +') +') diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te index 1d3b3e6..7892b20 100644 --- a/refpolicy/policy/modules/services/snmp.te +++ b/refpolicy/policy/modules/services/snmp.te @@ -118,6 +118,10 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(snmpd_t) ') +optional_policy(`nis.te',` + nis_use_ypbind(snmpd_t) +') + optional_policy(`nscd.te',` nscd_use_socket(snmpd_t) ') @@ -130,11 +134,6 @@ optional_policy(`udev.te', ` udev_read_db(snmpd_t) ') -optional_policy(`nis.te',` - nis_use_ypbind(snmpd_t) -') - - ifdef(`TODO',` can_udp_send(sysadm_t, snmpd_t) can_udp_send(snmpd_t, sysadm_t) diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 2a3682d..cb29bc3 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -475,6 +475,7 @@ optional_policy(`mysql.te',` ') optional_policy(`nis.te',` + nis_use_ypbind(initrc_t) nis_udp_sendto_ypbind(initrc_t) nis_list_var_yp(initrc_t) ') diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 9d40ca4..cb1c083 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -121,6 +121,10 @@ optional_policy(`mount.te',` mount_domtrans(insmod_t) ') +optional_policy(`nis.te',` + nis_use_ypbind(insmod_t) +') + optional_policy(`nscd.te',` nscd_use_socket(insmod_t) ') 
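Review bot: The radvd_t local policy grants TCP and UDP socket creation together with `corenet_tcp_sendrecv_all_ports` / `corenet_udp_sendrecv_all_ports` and `corenet_tcp_bind_all_nodes` / `corenet_udp_bind_all_nodes`, which appears broader than a router advertisement daemon needs, since advertisements are ICMPv6 and already covered by the rawip_socket rule and the corenet_raw_sendrecv_* calls; if the TCP/UDP rules exist only for name resolution or syslog, a comment saying so, or dropping the all-ports and bind rules, would keep the domain closer to least privilege. `type radvd_etc_t; #, usercanread;` carries a leftover attribute comment from the pre-refpolicy source; either turn it into a real statement or delete the comment so it does not read as an intended but missing permission. The `{ setgid setuid net_raw }` capability set would also read better with a why-comment, e.g. `# net_raw for ICMPv6 router advertisements; setuid/setgid for privilege drop -- confirm`.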
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index fe0b5a2..8e7a311 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -161,6 +161,10 @@ optional_policy(`hotplug.te',` hotplug_read_config(udev_t) ') +optional_policy(`nis.te',` + nis_use_ypbind(udev_t) +') + optional_policy(`nscd.te',` nscd_use_socket(udev_t) ')