trunk: 3 patches from dan.
This commit is contained in:
parent
04d2861035
commit
06099da657
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corenetwork, 1.2.20)
|
policy_module(corenetwork, 1.2.21)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -75,6 +75,7 @@ network_port(amavisd_send, tcp,10025,s0)
|
|||||||
network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
|
network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
|
||||||
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
|
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
|
||||||
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
||||||
|
network_port(audit, tcp,60,s0)
|
||||||
network_port(auth, tcp,113,s0)
|
network_port(auth, tcp,113,s0)
|
||||||
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
|
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
|
||||||
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
|
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
|
||||||
|
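Review bot: The new `network_port(audit, tcp,60,s0)` entry carries no comment saying where tcp/60 comes from; 60 does not look like a registered service port for audit, so a reader cannot tell whether it is the audisp-remote default or a local convention. The logging.te hunks on this page immediately depend on it through `corenet_tcp_bind_audit_port(auditd_t)` and `corenet_tcp_connect_audit_port(audisp_remote_t)`, so the origin is worth pinning down. Suggest a line above it such as `# audisp-remote default port (auditd.conf / audisp-remote.conf) -- confirm`.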
@ -313,7 +313,7 @@ interface(`kerberos_admin',`
|
|||||||
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
||||||
type krb5kdc_principal_t, krb5kdc_tmp_t;
|
type krb5kdc_principal_t, krb5kdc_tmp_t;
|
||||||
type krb5kdc_var_run_t, krb5_host_rcache_t;
|
type krb5kdc_var_run_t, krb5_host_rcache_t;
|
||||||
type kadmind_spool_t, kadmind_var_lib_t, kpropd_t;
|
type kpropd_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 kadmind_t:process { ptrace signal_perms };
|
allow $1 kadmind_t:process { ptrace signal_perms };
|
||||||
@ -333,15 +333,9 @@ interface(`kerberos_admin',`
|
|||||||
logging_list_logs($1)
|
logging_list_logs($1)
|
||||||
admin_pattern($1, kadmind_log_t)
|
admin_pattern($1, kadmind_log_t)
|
||||||
|
|
||||||
files_list_spool($1)
|
|
||||||
admin_pattern($1, kadmind_spool_t)
|
|
||||||
|
|
||||||
files_list_tmp($1)
|
files_list_tmp($1)
|
||||||
admin_pattern($1, kadmind_tmp_t)
|
admin_pattern($1, kadmind_tmp_t)
|
||||||
|
|
||||||
files_list_var_lib($1)
|
|
||||||
admin_pattern($1, kadmind_var_lib_t)
|
|
||||||
|
|
||||||
files_list_pids($1)
|
files_list_pids($1)
|
||||||
admin_pattern($1, kadmind_var_run_t)
|
admin_pattern($1, kadmind_var_run_t)
|
||||||
|
|
||||||
|
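Review bot: kerberos_admin drops `kadmind_spool_t` and `kadmind_var_lib_t` from its gen_require and removes the matching `files_list_spool`/`admin_pattern` and `files_list_var_lib`/`admin_pattern` calls (hunks -313 and -333), but whether the type declarations and file contexts are removed from kerberos.te/.fc in the same commit is not visible here. If those types still exist, an administrator domain silently loses management of the spool and var_lib files. Either confirm the types are gone elsewhere in this commit or record the reason next to the require block, e.g. `# kadmind_spool_t and kadmind_var_lib_t no longer exist in kerberos.te`. The interface's opening and closing lines are outside both hunks.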
@ -1,3 +1,4 @@
|
|||||||
|
/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
|
@ -34,14 +34,20 @@ interface(`sasl_connect',`
|
|||||||
interface(`sasl_admin',`
|
interface(`sasl_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
|
type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
|
||||||
|
type saslauthd_initrc_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 saslauthd_t:process { ptrace signal_perms getattr };
|
allow $1 saslauthd_t:process { ptrace signal_perms getattr };
|
||||||
ps_process_pattern($1, saslauthd_t)
|
ps_process_pattern($1, saslauthd_t)
|
||||||
|
|
||||||
|
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
|
||||||
|
domain_system_change_exemption($1)
|
||||||
|
role_transition $2 saslauthd_initrc_exec_t system_r;
|
||||||
|
allow $2 system_r;
|
||||||
|
|
||||||
files_list_tmp($1)
|
files_list_tmp($1)
|
||||||
manage_files_pattern($1, saslauthd_tmp_t, saslauthd_tmp_t)
|
admin_pattern($1, saslauthd_tmp_t)
|
||||||
|
|
||||||
files_list_pids($1)
|
files_list_pids($1)
|
||||||
manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t)
|
admin_pattern($1, saslauthd_var_run_t)
|
||||||
')
|
')
|
||||||
|
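Review bot: sasl_admin now expands `$2` in `role_transition $2 saslauthd_initrc_exec_t system_r;` and `allow $2 system_r;`, which turns it into a two-parameter interface, yet the XML documentation block above the hunk is not shown and no `## <param name="role">` or `## <rolecap/>` addition for sasl_admin appears in this commit, unlike the one added for logging_admin_syslog elsewhere on this page. Any existing caller that still invokes `sasl_admin($1)` with one argument will expand `$2` to nothing and produce an invalid `role_transition` statement, so callers should be checked. The documentation block should gain the role parameter in the same form as the logging.if hunk, describing it as the role allowed to manage the saslauthd domain.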
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(sasl, 1.9.0)
|
policy_module(sasl, 1.9.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -17,6 +17,9 @@ type saslauthd_t;
|
|||||||
type saslauthd_exec_t;
|
type saslauthd_exec_t;
|
||||||
init_daemon_domain(saslauthd_t, saslauthd_exec_t)
|
init_daemon_domain(saslauthd_t, saslauthd_exec_t)
|
||||||
|
|
||||||
|
type saslauthd_initrc_exec_t;
|
||||||
|
init_script_file(saslauthd_initrc_exec_t)
|
||||||
|
|
||||||
type saslauthd_tmp_t;
|
type saslauthd_tmp_t;
|
||||||
files_tmp_file(saslauthd_tmp_t)
|
files_tmp_file(saslauthd_tmp_t)
|
||||||
|
|
||||||
@ -99,7 +102,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_read_keytab(saslauthd_t)
|
kerberos_keytab_template(saslauthd, saslauthd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
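Review bot: `kerberos_read_keytab(saslauthd_t)` is replaced by `kerberos_keytab_template(saslauthd, saslauthd_t)`, which presumably declares a per-domain keytab type (`saslauthd_keytab_t`), but the sasl.fc hunk on this page only adds the init-script context and no keytab path is labeled with the new type. Without a file context entry the template's type is never assigned on disk, so saslauthd either keeps reading the generic keytab through whatever the template still grants or loses keytab access altogether — verify which. Suggest adding the matching fc line in the same commit, or a comment on the template call noting where the saslauthd keytab is expected to live.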
@ -1,6 +1,9 @@
|
|||||||
|
/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0)
|
||||||
/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
|
/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
|
||||||
|
|
||||||
/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
|
/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
|
||||||
|
/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
|
||||||
|
|
||||||
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
|
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
|
||||||
|
|
||||||
|
/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
|
||||||
|
@ -1 +1,60 @@
|
|||||||
## <summary>Snort network intrusion detection system</summary>
|
## <summary>Snort network intrusion detection system</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute a domain transition to run snort.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`snort_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type snort_t, snort_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domtrans_pattern($1, snort_exec_t, snort_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## All of the rules required to administrate
|
||||||
|
## an snort environment
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## The role to be allowed to manage the snort domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`snort_admin',`
|
||||||
|
gen_require(`
|
||||||
|
type snort_t, snort_var_run_t, snort_log_t;
|
||||||
|
type snort_initrc_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 snort_t:process { ptrace signal_perms };
|
||||||
|
ps_process_pattern($1, snort_t)
|
||||||
|
|
||||||
|
init_labeled_script_domtrans($1, snort_initrc_exec_t)
|
||||||
|
domain_system_change_exemption($1)
|
||||||
|
role_transition $2 snort_initrc_exec_t system_r;
|
||||||
|
allow $2 system_r;
|
||||||
|
|
||||||
|
admin_pattern($1, snort_etc_t)
|
||||||
|
files_search_etc($1)
|
||||||
|
|
||||||
|
admin_pattern($1, snort_log_t)
|
||||||
|
logging_search_logs($1)
|
||||||
|
|
||||||
|
admin_pattern($1, snort_var_run_t)
|
||||||
|
files_search_pids($1)
|
||||||
|
')
|
||||||
|
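Review bot: snort_admin uses `admin_pattern($1, snort_etc_t)` but `snort_etc_t` is missing from its gen_require block, which only lists `snort_t, snort_var_run_t, snort_log_t` and `snort_initrc_exec_t`; the interface will fail to build when invoked from a module that does not otherwise require that type. Change the require line to `type snort_t, snort_etc_t, snort_var_run_t, snort_log_t;`. Minor: the summary reads `an snort environment` and should be `a snort environment`.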
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(snort, 1.5.0)
|
policy_module(snort, 1.5.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -11,7 +11,10 @@ type snort_exec_t;
|
|||||||
init_daemon_domain(snort_t, snort_exec_t)
|
init_daemon_domain(snort_t, snort_exec_t)
|
||||||
|
|
||||||
type snort_etc_t;
|
type snort_etc_t;
|
||||||
files_type(snort_etc_t)
|
files_config_file(snort_etc_t)
|
||||||
|
|
||||||
|
type snort_initrc_exec_t;
|
||||||
|
init_script_file(snort_initrc_exec_t)
|
||||||
|
|
||||||
type snort_log_t;
|
type snort_log_t;
|
||||||
logging_log_file(snort_log_t)
|
logging_log_file(snort_log_t)
|
||||||
@ -34,6 +37,8 @@ allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read wr
|
|||||||
allow snort_t self:tcp_socket create_stream_socket_perms;
|
allow snort_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow snort_t self:udp_socket create_socket_perms;
|
allow snort_t self:udp_socket create_socket_perms;
|
||||||
allow snort_t self:packet_socket create_socket_perms;
|
allow snort_t self:packet_socket create_socket_perms;
|
||||||
|
# Snort IPS node. unverified.
|
||||||
|
allow snort_t self:netlink_firewall_socket { bind create getattr };
|
||||||
|
|
||||||
allow snort_t snort_etc_t:dir list_dir_perms;
|
allow snort_t snort_etc_t:dir list_dir_perms;
|
||||||
allow snort_t snort_etc_t:file read_file_perms;
|
allow snort_t snort_etc_t:file read_file_perms;
|
||||||
@ -67,6 +72,8 @@ corenet_tcp_sendrecv_all_ports(snort_t)
|
|||||||
corenet_udp_sendrecv_all_ports(snort_t)
|
corenet_udp_sendrecv_all_ports(snort_t)
|
||||||
|
|
||||||
dev_read_sysfs(snort_t)
|
dev_read_sysfs(snort_t)
|
||||||
|
dev_read_rand(snort_t)
|
||||||
|
dev_read_urand(snort_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(snort_t)
|
domain_use_interactive_fds(snort_t)
|
||||||
|
|
||||||
@ -76,6 +83,8 @@ files_dontaudit_read_etc_runtime_files(snort_t)
|
|||||||
fs_getattr_all_fs(snort_t)
|
fs_getattr_all_fs(snort_t)
|
||||||
fs_search_auto_mountpoints(snort_t)
|
fs_search_auto_mountpoints(snort_t)
|
||||||
|
|
||||||
|
init_read_utmp(snort_t)
|
||||||
|
|
||||||
libs_use_ld_so(snort_t)
|
libs_use_ld_so(snort_t)
|
||||||
libs_use_shared_libs(snort_t)
|
libs_use_shared_libs(snort_t)
|
||||||
|
|
||||||
|
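Review bot: `allow snort_t self:netlink_firewall_socket { bind create getattr };` is added under the comment `# Snort IPS node. unverified.`, so a grant the author has not confirmed lands unconditionally in the base policy (hunk -34). Without `read`/`write` the rule only lets the socket be created and bound, so if inline operation is the goal further denials are likely and the rule is neither complete nor known to be needed. Either record the observed denial it is meant to satisfy or hold it back until verified; at minimum expand the comment to `# Snort inline/IPS mode (netlink firewall socket); added without an observed denial -- verify before widening`.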
@ -847,6 +847,7 @@ interface(`logging_admin_audit',`
|
|||||||
gen_require(`
|
gen_require(`
|
||||||
type auditd_t, auditd_etc_t, auditd_log_t;
|
type auditd_t, auditd_etc_t, auditd_log_t;
|
||||||
type auditd_var_run_t;
|
type auditd_var_run_t;
|
||||||
|
type auditd_initrc_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 auditd_t:process { ptrace signal_perms };
|
allow $1 auditd_t:process { ptrace signal_perms };
|
||||||
@ -862,6 +863,11 @@ interface(`logging_admin_audit',`
|
|||||||
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
|
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
|
||||||
|
|
||||||
logging_run_auditctl($1, $2, $3)
|
logging_run_auditctl($1, $2, $3)
|
||||||
|
|
||||||
|
init_labeled_script_domtrans($1, auditd_initrc_exec_t)
|
||||||
|
domain_system_change_exemption($1)
|
||||||
|
role_transition $2 auditd_initrc_exec_t system_r;
|
||||||
|
allow $2 system_r;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -874,6 +880,11 @@ interface(`logging_admin_audit',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## User role allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`logging_admin_syslog',`
|
interface(`logging_admin_syslog',`
|
||||||
@ -882,6 +893,7 @@ interface(`logging_admin_syslog',`
|
|||||||
type syslogd_tmp_t, syslogd_var_lib_t;
|
type syslogd_tmp_t, syslogd_var_lib_t;
|
||||||
type syslogd_var_run_t, klogd_var_run_t;
|
type syslogd_var_run_t, klogd_var_run_t;
|
||||||
type klogd_tmp_t, var_log_t;
|
type klogd_tmp_t, var_log_t;
|
||||||
|
type syslogd_initrc_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 syslogd_t:process { ptrace signal_perms };
|
allow $1 syslogd_t:process { ptrace signal_perms };
|
||||||
@ -909,6 +921,11 @@ interface(`logging_admin_syslog',`
|
|||||||
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||||
|
|
||||||
logging_manage_all_logs($1)
|
logging_manage_all_logs($1)
|
||||||
|
|
||||||
|
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
|
||||||
|
domain_system_change_exemption($1)
|
||||||
|
role_transition $2 syslogd_initrc_exec_t system_r;
|
||||||
|
allow $2 system_r;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -935,5 +952,5 @@ interface(`logging_admin_syslog',`
|
|||||||
#
|
#
|
||||||
interface(`logging_admin',`
|
interface(`logging_admin',`
|
||||||
logging_admin_audit($1, $2, $3)
|
logging_admin_audit($1, $2, $3)
|
||||||
logging_admin_syslog($1)
|
logging_admin_syslog($1, $2)
|
||||||
')
|
')
|
||||||
|
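Review bot: logging_admin_syslog now expands `$2` in `role_transition $2 syslogd_initrc_exec_t system_r;` and `allow $2 system_r;` (hunk -909), making it a two-argument interface; logging_admin is updated to `logging_admin_syslog($1, $2)` in hunk -935, but any other caller still passing a single argument will expand `$2` to nothing and produce an invalid `role_transition` statement, and no such callers are visible on this page. The `## <param name="role">` block added in hunk -874 covers the documentation side, so this is only a caller-compatibility check across the rest of the policy. The bodies of logging_admin_audit and logging_admin_syslog begin before and end after these hunks.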
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(logging, 1.11.4)
|
policy_module(logging, 1.11.5)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -130,6 +130,7 @@ allow auditd_t self:process { signal_perms setpgid setsched };
|
|||||||
allow auditd_t self:file { getattr read write };
|
allow auditd_t self:file { getattr read write };
|
||||||
allow auditd_t self:unix_dgram_socket create_socket_perms;
|
allow auditd_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow auditd_t self:fifo_file rw_file_perms;
|
allow auditd_t self:fifo_file rw_file_perms;
|
||||||
|
allow auditd_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
allow auditd_t auditd_etc_t:dir list_dir_perms;
|
allow auditd_t auditd_etc_t:dir list_dir_perms;
|
||||||
allow auditd_t auditd_etc_t:file read_file_perms;
|
allow auditd_t auditd_etc_t:file read_file_perms;
|
||||||
@ -151,9 +152,19 @@ dev_read_sysfs(auditd_t)
|
|||||||
|
|
||||||
fs_getattr_all_fs(auditd_t)
|
fs_getattr_all_fs(auditd_t)
|
||||||
fs_search_auto_mountpoints(auditd_t)
|
fs_search_auto_mountpoints(auditd_t)
|
||||||
|
fs_rw_anon_inodefs_files(auditd_t)
|
||||||
|
|
||||||
selinux_search_fs(auditctl_t)
|
selinux_search_fs(auditctl_t)
|
||||||
|
|
||||||
|
corenet_all_recvfrom_unlabeled(auditd_t)
|
||||||
|
corenet_all_recvfrom_netlabel(auditd_t)
|
||||||
|
corenet_tcp_sendrecv_generic_if(auditd_t)
|
||||||
|
corenet_tcp_sendrecv_all_nodes(auditd_t)
|
||||||
|
corenet_tcp_sendrecv_all_ports(auditd_t)
|
||||||
|
corenet_tcp_bind_all_nodes(auditd_t)
|
||||||
|
corenet_tcp_bind_audit_port(auditd_t)
|
||||||
|
corenet_sendrecv_audit_server_packets(auditd_t)
|
||||||
|
|
||||||
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
||||||
# Probably want a transition, and a new auditd_helper app
|
# Probably want a transition, and a new auditd_helper app
|
||||||
corecmd_exec_bin(auditd_t)
|
corecmd_exec_bin(auditd_t)
|
||||||
@ -236,6 +247,8 @@ logging_send_syslog_msg(audisp_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(audisp_t)
|
miscfiles_read_localization(audisp_t)
|
||||||
|
|
||||||
|
sysnet_dns_name_resolve(audisp_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Audit remote logger local policy
|
# Audit remote logger local policy
|
||||||
@ -247,6 +260,8 @@ corenet_all_recvfrom_unlabeled(audisp_remote_t)
|
|||||||
corenet_all_recvfrom_netlabel(audisp_remote_t)
|
corenet_all_recvfrom_netlabel(audisp_remote_t)
|
||||||
corenet_tcp_sendrecv_all_if(audisp_remote_t)
|
corenet_tcp_sendrecv_all_if(audisp_remote_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
|
corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
|
||||||
|
corenet_tcp_connect_audit_port(audisp_remote_t)
|
||||||
|
corenet_sendrecv_audit_client_packets(audisp_remote_t)
|
||||||
|
|
||||||
files_read_etc_files(audisp_remote_t)
|
files_read_etc_files(audisp_remote_t)
|
||||||
|
|
||||||
|
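Review bot: auditd_t gains `corenet_tcp_sendrecv_all_ports(auditd_t)` and `corenet_tcp_bind_all_nodes(auditd_t)` next to the narrow `corenet_tcp_bind_audit_port(auditd_t)` (hunk -151); if the purpose is only to accept remote audit records on the audit port, the per-port `corenet_tcp_sendrecv_audit_port(auditd_t)` that `network_port(audit, ...)` generates should suffice, unless traffic to clients' ephemeral ports needs the broad grant — worth confirming against the denials that motivated this. Separately, `sysnet_dns_name_resolve(audisp_t)` is given to the dispatcher (hunk -236) while the domain that connects out is audisp_remote_t (hunk -247); if the lookup is for the remote server name, it belongs on audisp_remote_t, so the process that produced the denial should be checked. Since remote reception is an opt-in auditd.conf feature, a comment such as `# remote audit log reception (auditd.conf tcp_listen_port)` above the corenet block would make the unconditional listener grant easier to audit later.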