trunk: 3 patches from dan.

This commit is contained in:
Chris PeBenito 2008-10-09 18:06:24 +00:00
parent 04d2861035
commit 06099da657
10 changed files with 128 additions and 20 deletions

View File

@ -1,5 +1,5 @@
policy_module(corenetwork, 1.2.20)
policy_module(corenetwork, 1.2.21)
########################################
#
@ -75,6 +75,7 @@ network_port(amavisd_send, tcp,10025,s0)
network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict

View File

@ -313,7 +313,7 @@ interface(`kerberos_admin',`
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
type krb5kdc_principal_t, krb5kdc_tmp_t;
type krb5kdc_var_run_t, krb5_host_rcache_t;
type kadmind_spool_t, kadmind_var_lib_t, kpropd_t;
type kpropd_t;
')
allow $1 kadmind_t:process { ptrace signal_perms };
@ -333,15 +333,9 @@ interface(`kerberos_admin',`
logging_list_logs($1)
admin_pattern($1, kadmind_log_t)
files_list_spool($1)
admin_pattern($1, kadmind_spool_t)
files_list_tmp($1)
admin_pattern($1, kadmind_tmp_t)
files_list_var_lib($1)
admin_pattern($1, kadmind_var_lib_t)
files_list_pids($1)
admin_pattern($1, kadmind_var_run_t)

View File

@ -1,3 +1,4 @@
/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
#
# /usr

View File

@ -34,14 +34,20 @@ interface(`sasl_connect',`
interface(`sasl_admin',`
gen_require(`
type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
type saslauthd_initrc_exec_t;
')
allow $1 saslauthd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, saslauthd_t)
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 saslauthd_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
manage_files_pattern($1, saslauthd_tmp_t, saslauthd_tmp_t)
admin_pattern($1, saslauthd_tmp_t)
files_list_pids($1)
manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t)
admin_pattern($1, saslauthd_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(sasl, 1.9.0)
policy_module(sasl, 1.9.1)
########################################
#
@ -17,6 +17,9 @@ type saslauthd_t;
type saslauthd_exec_t;
init_daemon_domain(saslauthd_t, saslauthd_exec_t)
type saslauthd_initrc_exec_t;
init_script_file(saslauthd_initrc_exec_t)
type saslauthd_tmp_t;
files_tmp_file(saslauthd_tmp_t)
@ -99,7 +102,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
')
optional_policy(`
kerberos_read_keytab(saslauthd_t)
kerberos_keytab_template(saslauthd, saslauthd_t)
')
optional_policy(`

View File

@ -1,6 +1,9 @@
/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0)
/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)

View File

@ -1 +1,60 @@
## <summary>Snort network intrusion detection system</summary>
########################################
## <summary>
## Execute a domain transition to run snort.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`snort_domtrans',`
gen_require(`
type snort_t, snort_exec_t;
')
domtrans_pattern($1, snort_exec_t, snort_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an snort environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the snort domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`snort_admin',`
gen_require(`
type snort_t, snort_var_run_t, snort_log_t;
type snort_initrc_exec_t;
')
allow $1 snort_t:process { ptrace signal_perms };
ps_process_pattern($1, snort_t)
init_labeled_script_domtrans($1, snort_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 snort_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, snort_etc_t)
files_search_etc($1)
admin_pattern($1, snort_log_t)
logging_search_logs($1)
admin_pattern($1, snort_var_run_t)
files_search_pids($1)
')

View File

@ -1,5 +1,5 @@
policy_module(snort, 1.5.0)
policy_module(snort, 1.5.1)
########################################
#
@ -11,7 +11,10 @@ type snort_exec_t;
init_daemon_domain(snort_t, snort_exec_t)
type snort_etc_t;
files_type(snort_etc_t)
files_config_file(snort_etc_t)
type snort_initrc_exec_t;
init_script_file(snort_initrc_exec_t)
type snort_log_t;
logging_log_file(snort_log_t)
@ -34,6 +37,8 @@ allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read wr
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;
# Snort IPS node. unverified.
allow snort_t self:netlink_firewall_socket { bind create getattr };
allow snort_t snort_etc_t:dir list_dir_perms;
allow snort_t snort_etc_t:file read_file_perms;
@ -67,6 +72,8 @@ corenet_tcp_sendrecv_all_ports(snort_t)
corenet_udp_sendrecv_all_ports(snort_t)
dev_read_sysfs(snort_t)
dev_read_rand(snort_t)
dev_read_urand(snort_t)
domain_use_interactive_fds(snort_t)
@ -76,6 +83,8 @@ files_dontaudit_read_etc_runtime_files(snort_t)
fs_getattr_all_fs(snort_t)
fs_search_auto_mountpoints(snort_t)
init_read_utmp(snort_t)
libs_use_ld_so(snort_t)
libs_use_shared_libs(snort_t)

View File

@ -847,6 +847,7 @@ interface(`logging_admin_audit',`
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
type auditd_initrc_exec_t;
')
allow $1 auditd_t:process { ptrace signal_perms };
@ -862,6 +863,11 @@ interface(`logging_admin_audit',`
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
logging_run_auditctl($1, $2, $3)
init_labeled_script_domtrans($1, auditd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r;
')
########################################
@ -874,6 +880,11 @@ interface(`logging_admin_audit',`
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## User role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_admin_syslog',`
@ -882,6 +893,7 @@ interface(`logging_admin_syslog',`
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
type syslogd_initrc_exec_t;
')
allow $1 syslogd_t:process { ptrace signal_perms };
@ -909,6 +921,11 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 syslogd_initrc_exec_t system_r;
allow $2 system_r;
')
########################################
@ -935,5 +952,5 @@ interface(`logging_admin_syslog',`
#
interface(`logging_admin',`
logging_admin_audit($1, $2, $3)
logging_admin_syslog($1)
logging_admin_syslog($1, $2)
')

View File

@ -1,5 +1,5 @@
policy_module(logging, 1.11.4)
policy_module(logging, 1.11.5)
########################################
#
@ -130,6 +130,7 @@ allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file { getattr read write };
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:fifo_file rw_file_perms;
allow auditd_t self:tcp_socket create_stream_socket_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;
@ -151,9 +152,19 @@ dev_read_sysfs(auditd_t)
fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)
selinux_search_fs(auditctl_t)
corenet_all_recvfrom_unlabeled(auditd_t)
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_all_nodes(auditd_t)
corenet_tcp_sendrecv_all_ports(auditd_t)
corenet_tcp_bind_all_nodes(auditd_t)
corenet_tcp_bind_audit_port(auditd_t)
corenet_sendrecv_audit_server_packets(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
corecmd_exec_bin(auditd_t)
@ -236,6 +247,8 @@ logging_send_syslog_msg(audisp_t)
miscfiles_read_localization(audisp_t)
sysnet_dns_name_resolve(audisp_t)
########################################
#
# Audit remote logger local policy
@ -247,6 +260,8 @@ corenet_all_recvfrom_unlabeled(audisp_remote_t)
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_all_if(audisp_remote_t)
corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
corenet_tcp_connect_audit_port(audisp_remote_t)
corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)