From 0907bda1e0f80c8d87ea958586d63b2544752a64 Mon Sep 17 00:00:00 2001 
From: Chris PeBenito Date: Tue, 13 Sep 2005 13:06:07 +0000 Subject: [PATCH] more merging of NSA CVS policy --- refpolicy/policy/global_tunables | 4 + refpolicy/policy/modules/admin/consoletype.te | 2 +- refpolicy/policy/modules/admin/netutils.te | 1 + refpolicy/policy/modules/admin/usermanage.fc | 3 + refpolicy/policy/modules/admin/usermanage.te | 1 + refpolicy/policy/modules/apps/gpg.fc | 3 +- .../policy/modules/kernel/corenetwork.te.in | 41 ++++- refpolicy/policy/modules/kernel/devices.te | 5 + refpolicy/policy/modules/kernel/filesystem.te | 15 ++ refpolicy/policy/modules/kernel/kernel.if | 17 ++ refpolicy/policy/modules/kernel/terminal.te | 2 +- refpolicy/policy/modules/services/hal.te | 5 +- refpolicy/policy/modules/services/ldap.te | 1 + refpolicy/policy/modules/services/nscd.te | 1 + refpolicy/policy/modules/services/ntp.te | 1 + refpolicy/policy/modules/services/portmap.te | 5 + refpolicy/policy/modules/services/privoxy.te | 13 +- refpolicy/policy/modules/services/rshd.te | 7 +- refpolicy/policy/modules/services/rsync.te | 2 - refpolicy/policy/modules/services/squid.te | 12 ++ refpolicy/policy/modules/services/ssh.if | 7 +- refpolicy/policy/modules/system/authlogin.te | 6 +- .../policy/modules/system/corecommands.fc | 1 + refpolicy/policy/modules/system/files.fc | 11 ++ refpolicy/policy/modules/system/files.te | 8 +- refpolicy/policy/modules/system/fstools.fc | 2 + refpolicy/policy/modules/system/getty.fc | 4 + refpolicy/policy/modules/system/getty.te | 31 +++- refpolicy/policy/modules/system/init.fc | 4 +- refpolicy/policy/modules/system/init.te | 28 ++- refpolicy/policy/modules/system/logging.if | 31 +++- refpolicy/policy/modules/system/logging.te | 7 +- refpolicy/policy/modules/system/lvm.te | 7 +- refpolicy/policy/modules/system/miscfiles.te | 24 ++- refpolicy/policy/modules/system/raid.te | 2 +- .../policy/modules/system/selinuxutil.te | 3 +- refpolicy/policy/modules/system/sysnetwork.fc | 1 + refpolicy/policy/modules/system/udev.te | 6 +- 
strict/domains/misc/local.te | 5 + strict/domains/program/consoletype.te | 3 +- strict/domains/program/crond.te | 2 +- strict/domains/program/getty.te | 23 +-- strict/domains/program/hald.te | 6 +- strict/domains/program/init.te | 6 +- strict/domains/program/initrc.te | 16 +- strict/domains/program/klogd.te | 2 +- strict/domains/program/lvm.te | 5 +- strict/domains/program/mdadm.te | 2 +- strict/domains/program/netutils.te | 3 + strict/domains/program/nscd.te | 1 + strict/domains/program/ntpd.te | 7 +- strict/domains/program/pamconsole.te | 11 +- strict/domains/program/passwd.te | 3 +- strict/domains/program/portmap.te | 7 +- strict/domains/program/postfix.te | 5 +- strict/domains/program/privoxy.te | 5 +- strict/domains/program/restorecon.te | 8 +- strict/domains/program/rlogind.te | 1 + strict/domains/program/rshd.te | 5 +- strict/domains/program/rsync.te | 2 - strict/domains/program/slapd.te | 1 + strict/domains/program/squid.te | 14 +- strict/domains/program/ssh.te | 6 +- strict/domains/program/syslogd.te | 10 +- strict/domains/program/udev.te | 4 +- strict/domains/program/xfs.te | 5 +- strict/file_contexts/program/amavis.fc | 2 + strict/file_contexts/program/apache.fc | 12 +- strict/file_contexts/program/apmd.fc | 3 + strict/file_contexts/program/crack.fc | 2 + strict/file_contexts/program/dhcpc.fc | 1 + strict/file_contexts/program/fsadm.fc | 3 + strict/file_contexts/program/ftpd.fc | 1 + strict/file_contexts/program/getty.fc | 2 + strict/file_contexts/program/gpg.fc | 6 +- strict/file_contexts/program/iceauth.fc | 3 + strict/file_contexts/program/initrc.fc | 9 + strict/mls | 1 + strict/net_contexts | 167 ++++++++---------- strict/types/device.te | 9 +- strict/types/devpts.te | 4 +- strict/types/file.te | 69 +++++--- strict/types/network.te | 137 ++++++++++---- 83 files changed, 627 insertions(+), 296 deletions(-) create mode 100644 strict/domains/misc/local.te create mode 100644 strict/file_contexts/program/iceauth.fc 
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 8c7ae701..c03493e5 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -45,6 +45,10 @@ gen_tunable(run_ssh_inetd,false)
 ## user domains.
 gen_bool(secure_mode,false)
 
+## Allow squid to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+gen_tunable(squid_connect_any,false)
+
 ## Allow ssh logins as sysadm_r:sysadm_t
 gen_tunable(ssh_sysadm_login,false)
 
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index eefeb836..7dc2c5f8 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -6,7 +6,7 @@ policy_module(consoletype, 1.0)
 # Declarations
 #
 
-type consoletype_t;
+type consoletype_t; #, mlsfileread, mlsfilewrite
 type consoletype_exec_t;
 init_domain(consoletype_t,consoletype_exec_t)
 init_system_domain(consoletype_t,consoletype_exec_t)
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 8674b74b..d2a0172b 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -53,6 +53,7 @@ corenet_tcp_sendrecv_all_ports(netutils_t)
 corenet_udp_sendrecv_all_ports(netutils_t)
 corenet_tcp_bind_all_nodes(netutils_t)
 corenet_udp_bind_all_nodes(netutils_t)
+corenet_tcp_connect_all_ports(netutils_t)
 
 fs_getattr_xattr_fs(netutils_t)
 
diff --git a/refpolicy/policy/modules/admin/usermanage.fc b/refpolicy/policy/modules/admin/usermanage.fc
index b27c4f80..6afac6e3 100644
--- a/refpolicy/policy/modules/admin/usermanage.fc
+++ b/refpolicy/policy/modules/admin/usermanage.fc
@@ -10,6 +10,7 @@ /usr/lib(64)?/cracklib_dict.* -- context_template(system_u:object_r:crack_db_t,s0) /usr/sbin/crack_[a-z]* -- context_template(system_u:object_r:crack_exec_t,s0) +/usr/sbin/cracklib-[a-z]* -- context_template(system_u:object_r:crack_exec_t,s0) /usr/sbin/gpasswd -- context_template(system_u:object_r:groupadd_exec_t,s0) /usr/sbin/groupadd -- context_template(system_u:object_r:groupadd_exec_t,s0) /usr/sbin/groupdel -- context_template(system_u:object_r:groupadd_exec_t,s0) @@ -24,4 +25,6 @@ /usr/sbin/vigr -- context_template(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/vipw -- context_template(system_u:object_r:admin_passwd_exec_t,s0) +/usr/share/cracklib(/.*)? context_template(system_u:object_r:crack_db_t,s0) + /var/cache/cracklib(/.*)? context_template(system_u:object_r:crack_db_t,s0) diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 72a63653..8f6ed38a 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -288,6 +288,7 @@ allow passwd_t self:unix_dgram_socket create_socket_perms; allow passwd_t self:unix_stream_socket create_stream_socket_perms; allow passwd_t self:unix_dgram_socket sendto; allow passwd_t self:unix_stream_socket connectto; +allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; diff --git a/refpolicy/policy/modules/apps/gpg.fc b/refpolicy/policy/modules/apps/gpg.fc index 03d0676d..bc435de1 100644 --- a/refpolicy/policy/modules/apps/gpg.fc +++ b/refpolicy/policy/modules/apps/gpg.fc 
@@ -1,9 +1,10 @@ -/usr/bin/gpg -- context_template(system_u:object_r:gpg_exec_t,s0) +/usr/bin/gpg(2)? -- context_template(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- context_template(system_u:object_r:gpg_agent_exec_t,s0) /usr/bin/kgpg -- context_template(system_u:object_r:gpg_exec_t,s0) /usr/bin/pinentry.* -- context_template(system_u:object_r:pinentry_exec_t,s0) +/usr/lib/gnupg/.* -- context_template(system_u:object_r:gpg_exec_t,s0) /usr/lib/gnupg/gpgkeys.* -- context_template(system_u:object_r:gpg_helper_exec_t,s0) HOME_DIR/\.gnupg(/.+)? context_template(system_u:object_r:ROLE_gpg_secret_t,s0) diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index 582e9d9f..c1e59f07 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -36,9 +36,21 @@ sid port context_template(system_u:object_r:port_t,s0) # type reserved_port_t, port_type, reserved_port_type; +network_port(afs_bos, udp,7007,s0) +network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) +network_port(afs_ka, udp,7004,s0) +network_port(afs_pt, udp,7002,s0) +network_port(afs_vl, udp,7003,s0) network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) +network_port(amavisd_recv, tcp,10024,s0) +network_port(amavisd_send, tcp,10025,s0) +network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) network_port(auth, tcp,113,s0) dnl network_port(biff) # no defined portcon in current strict +network_port(clamd, tcp,3310,s0) +network_port(clockspeed, udp,4041,s0) +network_port(cvs, tcp,2401,s0, udp,2401,s0) +network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dbskkd, tcp,1178,s0) network_port(dhcpc, udp,68,s0) network_port(dhcpd, udp,67,s0) 
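Review bot: The new catch-all `/usr/lib/gnupg/.*` entry sits directly above the narrower `/usr/lib/gnupg/gpgkeys.*` entry, so the keyserver helpers keep `gpg_helper_exec_t` only because file-context matching prefers the more specific regex (presumably; line order alone would not guarantee it). A one-line comment above the new entry, `# gpgkeys.* below stays gpg_helper_exec_t: more specific match wins`, would stop the next editor from "fixing" the order or assuming the catch-all claims the helpers. Any other network-facing helper in that directory now runs in the gpg domain rather than the confined helper domain, which is worth checking against the installed package.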
@@ -47,43 +59,64 @@ network_port(dns, udp,53,s0, tcp,53,s0) network_port(fingerd, tcp,79,s0) network_port(ftp_data, tcp,20,s0) network_port(ftp, tcp,21,s0) -network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0) -network_port(http, tcp,80,s0, tcp,443,s0) +network_port(giftd, tcp,1213,s0) +network_port(gopher, tcp,70,s0, udp,70,s0) +network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) +network_port(hplip, tcp,50000,s0, tcp,50002,s0) dnl network_port(i18n_input) # no defined portcon in current strict -network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0) +network_port(imaze, tcp,5323,s0, udp,5323,s0) +network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) network_port(innd, tcp,119,s0) network_port(ipp, tcp,631,s0, udp,631,s0) +network_port(ircd, tcp,6667,s0) +network_port(isakmp, udp,500,s0) +network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) +network_port(jabber_interserver, tcp,5269,s0) network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0) network_port(mail, tcp,2000,s0) +network_port(monopd, tcp,1234,s0) network_port(mysqld, tcp,3306,s0) +network_port(nessus, tcp,1241,s0) network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0) network_port(ntp, udp,123,s0) -network_port(pop, tcp,106,s0, tcp,109,s0, 
tcp,110,s0) +network_port(openvpn, udp,5000,s0) +network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) +network_port(postgrey, tcp,60000,s0) network_port(printer, tcp,515,s0) +network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) +network_port(pyzor, udp,24441,s0) network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) +network_port(razor, tcp,2703,s0) +network_port(rndc, tcp,953,s0) network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) +network_port(spamd, tcp,783,s0) network_port(ssh, tcp,22,s0) +network_port(soundd, tcp,8000,s0, tcp,9433,s0) dnl network_port(stunnel) # no defined portcon in current strict network_port(swat, tcp,901,s0) network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) +network_port(transproxy, tcp,8081,s0) +network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0) network_port(zebra, tcp,2601,s0) +network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index 0ba36972..d7f7e7f9 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te 
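Review bot: The extended `pop` line folds the IMAP ports (tcp 143, 220, 993) into `pop_port_t`, so every domain already granted the pop port interfaces silently gains IMAP/IMAPS access, and the type name no longer describes what it labels. A separate `network_port(imap, tcp,143,s0, tcp,220,s0, tcp,993,s0)` keeps existing grants narrow; if merging is intentional, a comment on the line should say so. The new `network_port(openvpn, udp,5000,s0)` also looks off: OpenVPN 2.x defaults to udp/1194 and 5000 was the 1.x default, so confirm which port this is meant to label. `http` gaining tcp 488 and 8008 is similarly undocumented on the line.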
@@ -59,6 +59,11 @@ type cpu_device_t, device_node;
 fs_associate(cpu_device_t)
 fs_associate_tmpfs(cpu_device_t)
 
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t, device_node;
+fs_associate(crypt_device_t)
+fs_associate_tmpfs(crypt_device_t)
+
 type dri_device_t, device_node;
 fs_associate(dri_device_t)
 fs_associate_tmpfs(dri_device_t)
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 37aa654f..62a4f367 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -40,14 +40,29 @@ type bdev_t, filesystem_type;
 genfscon bdev / context_template(system_u:object_r:bdev_t,s0)
 
 type binfmt_misc_fs_t, filesystem_type;
+files_mountpoint(binfmt_misc_fs_t)
 genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
 
+type debugfs_t, filesystem_type;
+allow debugfs_t self:filesystem associate;
+
 type eventpollfs_t, filesystem_type;
 genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)
 
 type futexfs_t, filesystem_type;
 genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0)
 
+type hugetlbfs_t, filesystem_type;
+files_mountpoint(hugetlbfs_t)
+allow hugetlbfs_t self:filesystem associate;
+
+type inotifyfs_t, filesystem_type;
+allow inotifyfs_t self:filesystem associate;
+
+type mqueue_t, filesystem_type;
+files_mountpoint(mqueue_t)
+allow mqueue_t self:filesystem associate;
+
 type nfsd_fs_t, filesystem_type;
 genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)
 
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 41dec5ef..e74c2d2b 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
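Review bot: `crypt_device_t` is declared here but nothing in this commit labels a node with it: the diffstat touches devices.te only, not devices.fc, and no `dev_*` access interface for the type is added, so `/dev/z90crypt` keeps whatever generic device type it has today and no domain can be granted the new type. Either the file context (e.g. `/dev/z90crypt -c context_template(system_u:object_r:crypt_device_t,s0)`) and a read/write interface belong in the same commit, or the comment should say the type is a placeholder. The comment also misspells "accelerator".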
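Review bot: The four new filesystem types (`debugfs_t`, `hugetlbfs_t`, `inotifyfs_t`, `mqueue_t`) get `self:filesystem associate` but no `genfscon` or `fs_use_*` statement, unlike every neighbouring type in this hunk, and the diffstat's +15 for filesystem.te is entirely this hunk. Without a labeling statement the kernel never assigns these types, so mounts of debugfs, hugetlbfs and mqueue will still be labeled by the default rule and the `files_mountpoint` grants are unreachable. Add `genfscon debugfs / context_template(system_u:object_r:debugfs_t,s0)` and the matching inotifyfs line, and for hugetlbfs and mqueue whichever of `genfscon`/`fs_use_trans` the strict source these were merged from uses.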
@@ -68,6 +68,23 @@ interface(`kernel_sigchld',` allow kernel_t $1:process sigchld; ') +######################################## +## +## Send a generic signal to kernel threads. +## +## +## The type of the process sending the signal. +## +# +interface(`kernel_signal',` + gen_require(` + type kernel_t; + class process signal; + ') + + allow kernel_t $1:process signal; +') + ######################################## ## ## Allows the kernel to share state information with diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te index 53b52a21..90f51a0f 100644 --- a/refpolicy/policy/modules/kernel/terminal.te +++ b/refpolicy/policy/modules/kernel/terminal.te @@ -38,7 +38,7 @@ dev_node(devtty_t) # # ptmx_t is the type for /dev/ptmx. # -type ptmx_t; +type ptmx_t; #, mlstrustedobject; dev_node(ptmx_t) # diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 7217d1f4..162e9f86 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -19,10 +19,13 @@ files_pid_file(hald_var_run_t) allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod }; dontaudit hald_t self:capability sys_tty_config; allow hald_t self:fifo_file rw_file_perms; -allow hald_t self:unix_stream_socket create_stream_socket_perms; +allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow hald_t self:unix_dgram_socket create_socket_perms; allow hald_t self:netlink_route_socket r_netlink_socket_perms; +allow hald_t self:netlink_kobject_uevent_socket create_socket_perms; allow hald_t self:tcp_socket create_stream_socket_perms; +# For backwards compatibility with older kernels +allow hald_t self:netlink_socket create_socket_perms; allow hald_t hald_tmp_t:dir create_dir_perms; allow hald_t hald_tmp_t:file create_file_perms; 
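Review bot: The new `kernel_signal` rule is `allow kernel_t $1:process signal;`, which permits the kernel to signal the caller, but the parameter is documented as "the type of the process sending the signal" and the summary says it sends a signal to kernel threads, so subject and object are swapped. The rule should read `allow $1 kernel_t:process signal;`. The existing `kernel_sigchld` just above has the same inversion, so a caller that expects to signal a kernel thread will still be denied and the AVC will name the wrong direction; fix both together or document the direction the rule actually grants.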
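Review bot: `allow hald_t self:netlink_socket create_socket_perms;` grants more than the "backwards compatibility" comment suggests: `netlink_socket` is the catch-all class for every netlink family without a dedicated class, so it presumably also covers families unrelated to uevents (confirm against the kernel's class mapping). If it exists only for kernels that predate `netlink_kobject_uevent_socket`, name the oldest kernel that needs it in the comment so the rule can be removed when that kernel is dropped, e.g. `# generic netlink class: uevent sockets on kernels before <version>; drop when unsupported`. The added `connectto` on hald's own stream socket is fine but is likewise uncommented.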
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te index a2d8d7e6..e55e70d0 100644 --- a/refpolicy/policy/modules/services/ldap.te +++ b/refpolicy/policy/modules/services/ldap.te @@ -120,6 +120,7 @@ optional_policy(`udev.te', ` ') ifdef(`TODO',` +r_dir_file(slapd_t, cert_t) optional_policy(`rhgb.te',` rhgb_domain(slapd_t) ') diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te index 43c01dc9..6ed82415 100644 --- a/refpolicy/policy/modules/services/nscd.te +++ b/refpolicy/policy/modules/services/nscd.te @@ -65,6 +65,7 @@ corenet_tcp_sendrecv_all_ports(nscd_t) corenet_udp_sendrecv_all_ports(nscd_t) corenet_tcp_bind_all_nodes(nscd_t) corenet_udp_bind_all_nodes(nscd_t) +corenet_tcp_connect_all_ports(nscd_t) selinux_get_fs_mount(nscd_t) selinux_validate_context(nscd_t) diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te index 638dbe49..0460f887 100644 --- a/refpolicy/policy/modules/services/ntp.te +++ b/refpolicy/policy/modules/services/ntp.te @@ -72,6 +72,7 @@ corenet_udp_sendrecv_all_ports(ntpd_t) corenet_tcp_bind_all_nodes(ntpd_t) corenet_udp_bind_all_nodes(ntpd_t) corenet_udp_bind_ntp_port(ntpd_t) +corenet_tcp_connect_ntp_port(ntpd_t) dev_read_sysfs(ntpd_t) # for SSP diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te index 85c9c8cd..be80b855 100644 --- a/refpolicy/policy/modules/services/portmap.te +++ b/refpolicy/policy/modules/services/portmap.te @@ -58,6 +58,7 @@ corenet_tcp_bind_all_nodes(portmap_t) corenet_udp_bind_all_nodes(portmap_t) corenet_tcp_bind_portmap_port(portmap_t) corenet_udp_bind_portmap_port(portmap_t) +corenet_tcp_connect_all_ports(portmap_t) # portmap binds to arbitary ports corenet_tcp_bind_generic_port(portmap_t) corenet_udp_bind_generic_port(portmap_t) 
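Review bot: `r_dir_file(slapd_t, cert_t)` is placed inside the TODO ifdef block, so it is never compiled and slapd still cannot read its TLS certificates. The refpolicy form belongs outside that block as a miscfiles interface call (whatever this tree names the read-certs interface; miscfiles.te is in the diffstat but not visible here). If it genuinely has to wait, a comment saying why would help the next pass through the TODO list.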
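Review bot: `corenet_tcp_connect_all_ports(nscd_t)` grants nscd outbound TCP to every labeled port, while its job is name-service lookups whose back ends are DNS, LDAP and NIS (the last normally via ypbind). The narrower `corenet_tcp_connect_dns_port(nscd_t)` plus `corenet_tcp_connect_ldap_port(nscd_t)` would cover the common NSS modules, and a site-specific back end can be opened with a tunable the way this commit does for squid. If the wide grant is deliberate because arbitrary NSS modules may be loaded, say so on the line.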
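Review bot: `corenet_tcp_connect_ntp_port(ntpd_t)` cannot match anything as this tree defines the port: corenetwork.te.in in this same patch declares `network_port(ntp, udp,123,s0)` with no TCP entry, so tcp/123 remains `reserved_port_t`. ntpd speaks UDP, so the rule is probably carried over from strict rather than needed; either drop it or, if some TCP use exists, add `tcp,123,s0` to the `ntp` port definition so the grant means what it says.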
@@ -158,6 +159,9 @@ allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms; allow portmap_helper_t self:tcp_socket create_stream_socket_perms; allow portmap_helper_t self:udp_socket create_socket_perms; +allow portmap_helper_t portmap_var_run_t:file create_file_perms; +files_create_pid(portmap_helper_t,portmap_var_run_t) + corenet_tcp_sendrecv_all_if(portmap_helper_t) corenet_udp_sendrecv_all_if(portmap_helper_t) corenet_raw_sendrecv_all_if(portmap_helper_t) @@ -172,6 +176,7 @@ corenet_tcp_bind_reserved_port(portmap_helper_t) corenet_udp_bind_reserved_port(portmap_helper_t) corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t) corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t) +corenet_tcp_connect_all_ports(portmap_helper_t) files_read_etc_files(portmap_helper_t) files_rw_generic_pids(portmap_helper_t) diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te index 36ee8a50..1160bb8b 100644 --- a/refpolicy/policy/modules/services/privoxy.te +++ b/refpolicy/policy/modules/services/privoxy.te @@ -6,7 +6,7 @@ policy_module(privoxy,1.0) # Declarations # -type privoxy_t; +type privoxy_t; # web_client_domain type privoxy_exec_t; init_daemon_domain(privoxy_t,privoxy_exec_t) @@ -36,16 +36,11 @@ kernel_list_proc(privoxy_t) kernel_read_proc_symlinks(privoxy_t) corenet_tcp_sendrecv_all_if(privoxy_t) -corenet_udp_sendrecv_all_if(privoxy_t) corenet_raw_sendrecv_all_if(privoxy_t) corenet_tcp_sendrecv_all_nodes(privoxy_t) -corenet_udp_sendrecv_all_nodes(privoxy_t) corenet_raw_sendrecv_all_nodes(privoxy_t) corenet_tcp_sendrecv_all_ports(privoxy_t) -corenet_udp_sendrecv_all_ports(privoxy_t) -# cjp: this really should be specified! -corenet_tcp_bind_generic_port(privoxy_t) -corenet_udp_bind_generic_port(privoxy_t) +corenet_tcp_bind_http_cache_port(privoxy_t) dev_read_sysfs(privoxy_t) 
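Review bot: Dropping all three `corenet_udp_sendrecv_*` rules leaves privoxy_t with no UDP traffic at all, yet privoxy resolves upstream hostnames itself, which is a UDP DNS exchange unless lookups go through nscd. If `sysnet_dns_name_resolve(privoxy_t)` or an equivalent is already in the part of the file outside this hunk it carries the DNS rules and this is fine; otherwise the first forward to a non-IP upstream fails with a UDP denial. Binding only `http_cache_port_t` instead of a generic port is the right tightening and is why 8118 was added to that type in corenetwork.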
@@ -83,6 +78,10 @@ optional_policy(`mount.te',` mount_send_nfs_client_request(privoxy_t) ') +optional_policy(`nis.te',` + nis_use_ypbind(privoxy_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(privoxy_t) ') diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te index 14986b89..717ac4a5 100644 --- a/refpolicy/policy/modules/services/rshd.te +++ b/refpolicy/policy/modules/services/rshd.te @@ -29,8 +29,7 @@ corenet_raw_sendrecv_all_nodes(rshd_t) corenet_tcp_sendrecv_all_nodes(rshd_t) corenet_tcp_sendrecv_all_ports(rshd_t) corenet_tcp_bind_all_nodes(rshd_t) -corenet_tcp_bind_reserved_port(rshd_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(rshd_t) +corenet_tcp_bind_rsh_port(rshd_t) dev_read_urand(rshd_t) @@ -83,10 +82,6 @@ optional_policy(`kerberos.te',` kerberos_use(rshd_t) ') -optional_policy(`nis.te',` - nis_use_ypbind(rshd_t) -') - ifdef(`TODO',` optional_policy(`rlogind.te', ` allow rshd_t rlogind_tmp_t:file rw_file_perms; diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te index 12d6c194..10fc1193 100644 --- a/refpolicy/policy/modules/services/rsync.te +++ b/refpolicy/policy/modules/services/rsync.te @@ -88,7 +88,5 @@ optional_policy(`nscd.te',` ') ifdef(`TODO',` -ifdef(`ftpd.te', ` r_dir_file(rsync_t, ftpd_anon_t) -') ') dnl end TODO diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te index 90d85a19..5e8fcb90 100644 --- a/refpolicy/policy/modules/services/squid.te +++ b/refpolicy/policy/modules/services/squid.te @@ -78,6 +78,9 @@ corenet_tcp_bind_all_nodes(squid_t) corenet_udp_bind_all_nodes(squid_t) corenet_tcp_bind_http_cache_port(squid_t) corenet_udp_bind_http_cache_port(squid_t) +corenet_tcp_connect_ftp_port(squid_t) +corenet_tcp_connect_gopher_port(squid_t) +corenet_tcp_connect_http_port(squid_t) dev_read_sysfs(squid_t) dev_read_urand(squid_t) 
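Review bot: Replacing `corenet_tcp_bind_reserved_port(rshd_t)` with `corenet_tcp_bind_rsh_port(rshd_t)` likely breaks the rsh stderr back-channel: rshd is started by inetd on 514 and does not bind that port itself, but it does call rresvport() to bind an arbitrary port below 1024 before connecting back to the client's stderr port. With only `rsh_port_t` bindable that bind is denied once inetd already holds 514, and 514 was never the port it wanted. Keep the reserved-port bind and its dontaudit for the ports rresvport probes on the way down, and add whichever interface covers connecting to reserved ports for the outbound leg; the deletion of `nis_use_ypbind(rshd_t)` in the next hunk also looks unintentional since rshd resolves users and hosts.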
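Review bot: The three new connect rules cover origin servers on the ftp, gopher and http ports but not cache peers: squid's `cache_peer` talks to other squids on `http_cache_port_t` (3128/8080) over TCP and ICP over udp/3130, and neither `corenet_tcp_connect_http_cache_port(squid_t)` nor the ICP send is in this hunk, so any hierarchy will have to fall back to the new `squid_connect_any` tunable instead of a targeted grant. Add `corenet_tcp_connect_http_cache_port(squid_t)` alongside these; the `corenet_udp_bind_http_cache_port` already present above covers ICP's own socket.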
@@ -126,6 +129,10 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(squid_t) ') +tunable_policy(`squid_connect_any',` + corenet_tcp_connect_all_ports(squid_t) +') + optional_policy(`logrotate.te',` allow squid_t self:capability kill; cron_use_fd(squid_t) @@ -161,6 +168,11 @@ optional_policy(`rhgb.te',` ifdef(`apache.te',` can_tcp_connect(squid_t, httpd_t) ') +r_dir_file(squid_t, cert_t) +ifdef(`winbind.te', ` +domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t) +allow winbind_helper_t squid_t:tcp_socket rw_socket_perms; +') #squid requires the following when run in diskd mode, the recommended setting allow squid_t tmpfs_t:file { read write }; ') dnl end TODO diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index b18be627..e1c29eb2 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -388,7 +388,7 @@ template(`ssh_per_userdomain_template',` ## # template(`ssh_server_template', ` - type $1_t, ssh_server; + type $1_t, ssh_server; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; domain_type($1_t) role system_r types $1_t; @@ -428,6 +428,7 @@ template(`ssh_server_template', ` corenet_tcp_sendrecv_all_ports($1_t) corenet_tcp_bind_all_nodes($1_t) corenet_udp_bind_all_nodes($1_t) + corenet_tcp_connect_all_ports($1_t) dev_read_urand($1_t) @@ -498,6 +499,10 @@ template(`ssh_server_template', ` init_use_script_pty($1_t) ') + optional_policy(`kerberos.te',` + kerberos_use($1_t) + ') + optional_policy(`mount.te', ` mount_send_nfs_client_request($1_t) ') diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index d0f55e4d..46dbce67 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te 
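Review bot: `corenet_tcp_connect_all_ports($1_t)` gives every ssh server domain unconditional outbound TCP to any port; the use case is server-side forwarding (`ssh -L`, where sshd makes the connection), which not every deployment wants. This commit already adds `squid_connect_any` for the same shape of problem, so a `tunable_policy` block around this rule keyed on a boolean such as `ssh_forwarding` would keep the default at least privilege. `ssh_server_template` starts and ends outside this hunk.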
@@ -22,7 +22,7 @@ logging_log_file(lastlog_t) type login_exec_t; files_type(login_exec_t) -type pam_console_t; +type pam_console_t; #, mlsfileread type pam_console_exec_t; init_system_domain(pam_console_t,pam_console_exec_t) role system_r types pam_console_t; @@ -142,8 +142,9 @@ allow pam_console_t pam_var_console_t:file r_file_perms; allow pam_console_t pam_var_console_t:lnk_file r_file_perms; kernel_read_kernel_sysctl(pam_console_t) -kernel_read_system_state(pam_console_t) kernel_use_fd(pam_console_t) +# Read /proc/meminfo +kernel_read_system_state(pam_console_t) dev_read_sysfs(pam_console_t) dev_getattr_apm_bios(pam_console_t) @@ -173,6 +174,7 @@ storage_getattr_scsi_generic(pam_console_t) storage_setattr_scsi_generic(pam_console_t) term_use_console(pam_console_t) +term_setattr_console(pam_console_t) term_getattr_unallocated_ttys(pam_console_t) term_setattr_unallocated_ttys(pam_console_t) diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc index 7a47a584..51663260 100644 --- a/refpolicy/policy/modules/system/corecommands.fc +++ b/refpolicy/policy/modules/system/corecommands.fc @@ -40,6 +40,7 @@ ifdef(`targeted_policy',` # /sbin # /sbin(/.*)? context_template(system_u:object_r:sbin_t,s0) +/sbin/mkfs\.cramfs -- context_template(system_u:object_r:sbin_t,s0) /sbin/insmod_ksymoops_clean -- context_template(system_u:object_r:sbin_t,s0) # diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc index ce349377..3430a3ca 100644 --- a/refpolicy/policy/modules/system/files.fc +++ b/refpolicy/policy/modules/system/files.fc 
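Review bot: `/sbin/mkfs\.cramfs -- sbin_t` is redundant with the `/sbin(/.*)?` rule above it unless it exists to out-specify another module's pattern (presumably an `mkfs` entry in fstools.fc labeling `fsadm_exec_t`, not visible here), and an unexplained override tends to be removed as dead by the next cleanup. Add the reason on the line, e.g. `# mkfs.cramfs only builds images; keep it out of fsadm_t`, if that is the intent.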
@@ -5,6 +5,14 @@ /.* context_template(system_u:object_r:default_t,s0) / -d context_template(system_u:object_r:root_t,s0) /\.journal <> +ifdef(`distro_redhat',` +/\.autofsck -- context_template(system_u:object_r:etc_runtime_t,s0) +/\.autorelabel -- context_template(system_u:object_r:etc_runtime_t,s0) +/fastboot -- context_template(system_u:object_r:etc_runtime_t,s0) +/forcefsck -- context_template(system_u:object_r:etc_runtime_t,s0) +/fsckoptions -- context_template(system_u:object_r:etc_runtime_t,s0) +/poweroff -- context_template(system_u:object_r:etc_runtime_t,s0) +') # # /boot @@ -32,6 +40,9 @@ /etc/nologin.* -- context_template(system_u:object_r:etc_runtime_t,s0) /etc/init\.d/functions -- context_template(system_u:object_r:etc_t,s0) +ifdef(`distro_suse',` +/etc/init\.d/\.depend.* -- context_template(system_u:object_r:etc_runtime_t,s0) +') /etc/ipsec\.d/examples(/.*)? context_template(system_u:object_r:etc_t,s0) diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te index e9d0adbb..94c867c6 100644 --- a/refpolicy/policy/modules/system/files.te +++ b/refpolicy/policy/modules/system/files.te @@ -51,7 +51,7 @@ sid file context_template(system_u:object_r:file_t,s0) # home_root_t is the type for the directory where user home directories # are created # -type home_root_t, file_type, mountpoint; +type home_root_t, file_type, mountpoint; #, polyparent fs_associate(home_root_t) fs_associate_noxattr(home_root_t) @@ -84,7 +84,7 @@ fs_associate_noxattr(readable_t) # # root_t is the type for rootfs and the root directory. # -type root_t, file_type, mountpoint; +type root_t, file_type, mountpoint; #, polyparent fs_associate(root_t) fs_associate_noxattr(root_t) kernel_rootfs_mountpoint(root_t) 
@@ -93,14 +93,14 @@ genfscon rootfs / context_template(system_u:object_r:root_t,s0) # # src_t is the type of files in the system src directories. # -type src_t, file_type; +type src_t, file_type, mountpoint; fs_associate(src_t) fs_associate_noxattr(src_t) # # tmp_t is the type of the temporary directories # -type tmp_t, file_type, tmpfile, mountpoint; +type tmp_t, file_type, tmpfile, mountpoint; #, polydir fs_associate(tmp_t) fs_associate_noxattr(tmp_t) diff --git a/refpolicy/policy/modules/system/fstools.fc b/refpolicy/policy/modules/system/fstools.fc index f24fd8c3..90f772df 100644 --- a/refpolicy/policy/modules/system/fstools.fc +++ b/refpolicy/policy/modules/system/fstools.fc @@ -1,6 +1,7 @@ /sbin/blockdev -- context_template(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- context_template(system_u:object_r:fsadm_exec_t,s0) /sbin/dosfsck -- context_template(system_u:object_r:fsadm_exec_t,s0) +/sbin/dump -- context_template(system_u:object_r:fsadm_exec_t,s0) /sbin/dumpe2fs -- context_template(system_u:object_r:fsadm_exec_t,s0) /sbin/e2fsck -- context_template(system_u:object_r:fsadm_exec_t,s0) /sbin/e2label -- context_template(system_u:object_r:fsadm_exec_t,s0) @@ -21,6 +22,7 @@ /sbin/parted -- context_template(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- context_template(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- context_template(system_u:object_r:fsadm_exec_t,s0) +/sbin/raidautorun -- context_template(system_u:object_r:fsadm_exec_t,s0) /sbin/raidstart -- context_template(system_u:object_r:fsadm_exec_t,s0) /sbin/reiserfs(ck|tune) -- context_template(system_u:object_r:fsadm_exec_t,s0) /sbin/resize.*fs -- context_template(system_u:object_r:fsadm_exec_t,s0) diff --git a/refpolicy/policy/modules/system/getty.fc b/refpolicy/policy/modules/system/getty.fc index 77a3b5b0..6dcaaca8 100644 --- a/refpolicy/policy/modules/system/getty.fc +++ b/refpolicy/policy/modules/system/getty.fc 
@@ -2,3 +2,7 @@ /etc/mgetty(/.*)? context_template(system_u:object_r:getty_etc_t,s0) /sbin/.*getty -- context_template(system_u:object_r:getty_exec_t,s0) + +/var/log/mgetty\.log.* -- context_template(system_u:object_r:getty_log_t,s0) + +/var/run/mgetty\.pid.* -- context_template(system_u:object_r:getty_var_run_t,s0) diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index 3956bc62..c403848e 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te 
@@ -15,33 +15,43 @@ type getty_etc_t; typealias getty_etc_t alias etc_getty_t; files_type(getty_etc_t) +type getty_lock_t; +files_lock_file(getty_lock_t) + type getty_log_t; logging_log_file(getty_log_t) type getty_tmp_t; files_tmp_file(getty_tmp_t) +type getty_var_run_t; +files_pid_file(getty_var_run_t) + ######################################## # # Getty local policy # # Use capabilities. -allow getty_t self:capability { dac_override chown sys_resource sys_tty_config }; -# fbgetty needs fsetid for some reason -#allow getty_t self:capability fsetid; - +allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid }; allow getty_t self:process { getpgid getsession }; allow getty_t getty_etc_t:dir r_dir_perms; allow getty_t getty_etc_t:file r_file_perms; files_create_etc_config(getty_t,getty_etc_t,{ file dir }) +allow getty_t getty_lock_t:file create_file_perms; +files_create_lock(getty_t,getty_lock_t) + +allow getty_t getty_log_t:file { getattr append setattr }; + allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink }; allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir }; files_create_tmp_files(getty_t,getty_tmp_t,{ file dir }) -allow getty_t getty_log_t:file { getattr append setattr }; +allow getty_t getty_var_run_t:file create_file_perms; +allow getty_t getty_var_run_t:dir create_dir_perms; +files_create_pid(getty_t,getty_var_run_t) dev_read_sysfs(getty_t) @@ -58,9 +68,9 @@ term_setattr_console(getty_t) auth_rw_login_records(getty_t) corecmd_search_bin(getty_t) +corecmd_search_sbin(getty_t) files_rw_generic_pids(getty_t) -files_manage_generic_locks(getty_t) files_read_etc_runtime_files(getty_t) files_read_etc_files(getty_t) 
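Review bot: `fowner` and `fsetid` are added to getty_t's capability set without a comment, while the old line kept `fsetid` commented out precisely because its purpose was unknown ("fbgetty needs fsetid for some reason"). Together they let the domain change mode and ownership of files it does not own and preserve setuid/setgid bits; if mgetty needs them for its lock and pid files, say so, e.g. `# mgetty chowns its lock/pid files (fowner); fsetid: see fbgetty`. Replacing `files_manage_generic_locks` with a dedicated `getty_lock_t` is the right direction, but `getty_var_run_t:dir create_dir_perms` has no matching directory entry in getty.fc (only the `mgetty\.pid.*` file), so the dir rule may be unnecessary.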
@@ -75,3 +85,12 @@ locallogin_domtrans(getty_t) logging_send_syslog_msg(getty_t) miscfiles_read_localization(getty_t) + +ifdef(`TODO',` +# +# getty needs to be able to run pppd +# +ifdef(`pppd.te', ` +domain_auto_trans(getty_t, pppd_exec_t, pppd_t) +') +') dnl end TODO diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc index 7a0983fe..c85ca5a5 100644 --- a/refpolicy/policy/modules/system/init.fc +++ b/refpolicy/policy/modules/system/init.fc @@ -55,8 +55,10 @@ ifdef(`distro_gentoo', ` /var/run/setmixer_flag -- context_template(system_u:object_r:initrc_var_run_t,s0) ifdef(`distro_suse', ` -/var/run/sysconfig(/.*)? context_template(system_u:object_r:initrc_var_run_t,s0) +/var/run/bootsplashctl -p context_template(system_u:object_r:initrc_var_run_t,s0) /var/run/keymap -- context_template(system_u:object_r:initrc_var_run_t,s0) /var/run/numlock-on -- context_template(system_u:object_r:initrc_var_run_t,s0) +/var/run/setleds-on -- context_template(system_u:object_r:initrc_var_run_t,s0) +/var/run/sysconfig(/.*)? context_template(system_u:object_r:initrc_var_run_t,s0) ') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index c9fa5c7c..ad8c4510 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -15,7 +15,7 @@ attribute direct_init_entry; # # init_t is the domain of the init process. # -type init_t; +type init_t; #, mlsrangetrans, mlsfileread, mlsfilewrite; domain_type(init_t) role system_r types init_t; @@ -37,10 +37,10 @@ files_pid_file(init_var_run_t) # by init during initialization. This pipe is used # to communicate with init. # -type initctl_t; +type initctl_t; #, mlstrustedobject; files_type(initctl_t) -type initrc_t; +type initrc_t; #, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite; domain_type(initrc_t) role system_r types initrc_t; 
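Review bot: The appended `ifdef(`TODO',` block wraps an `ifdef(`pppd.te',` guard and a raw `domain_auto_trans(getty_t, pppd_exec_t, pppd_t)`, neither of which matches the interface style the rest of this file uses (for example `locallogin_domtrans(getty_t)`), and the TODO marker says nothing about what is pending. A short note would keep the intent from being lost, e.g. `# TODO: replace with an optional_policy block calling a ppp domtrans interface once the ppp module provides one`. As written the block is inert, so the getty_t to pppd_t transition that the strict tree grants in this same commit is not granted here; that asymmetry should be deliberate and stated.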
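Review bot: The trailing comments added to the type declarations, `type init_t; #, mlsrangetrans, mlsfileread, mlsfilewrite;` and the same pattern on initctl_t and initrc_t, copy MLS attribute names from the strict tree but have no effect on the built policy, so a reader cannot tell whether the attributes are intentionally omitted or simply not yet ported. One explanatory line near the first occurrence, e.g. `# MLS attributes from the monolithic policy are kept as comments until refpolicy MLS support is merged`, worded however the maintainer can confirm, would settle that. The same pattern appears in logging.te (devlog_t, klogd_t), miscfiles.te (ftpd_anon_t), raid.te (mdadm_t), selinuxutil.te (restorecon_t) and udev.te, where the udev_t comment also carries a stray `')` that should be dropped.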
@@ -79,6 +79,8 @@ allow init_t self:fifo_file rw_file_perms; # Re-exec itself allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans }; +allow init_t initrc_t:unix_stream_socket connectto; + # For /var/run/shutdown.pid. allow init_t init_var_run_t:file { create getattr read append write setattr unlink }; files_create_pid(init_t,init_var_run_t) @@ -162,6 +164,10 @@ optional_policy(`userdomain.te',` userdom_shell_domtrans_sysadm(init_t) ') +ifdef(`TODO',` +allow init_t ramfs_t:sock_file write; +') + ######################################## # # Init script local policy @@ -201,12 +207,8 @@ kernel_read_ring_buffer(initrc_t) kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) -dev_read_sysfs(initrc_t) -dev_rw_sysfs(initrc_t) kernel_read_all_sysctl(initrc_t) kernel_rw_all_sysctl(initrc_t) -selinux_get_enforce_mode(initrc_t) -dev_list_usbfs(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) @@ -222,11 +224,14 @@ corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_bind_all_nodes(initrc_t) corenet_udp_bind_all_nodes(initrc_t) +corenet_tcp_connect_all_ports(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) +dev_rw_sysfs(initrc_t) +dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_snd_mixer_dev(initrc_t) @@ -244,6 +249,8 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) +selinux_get_enforce_mode(initrc_t) + storage_getattr_fixed_disk(initrc_t) storage_setattr_fixed_disk(initrc_t) storage_setattr_removable_device(initrc_t) 
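Review bot: `dev_read_sysfs(initrc_t)` is removed in this hunk and, unlike `dev_rw_sysfs`, `dev_list_usbfs` and `selinux_get_enforce_mode`, is not re-added by the later hunks that relocate those calls; if `dev_rw_sysfs` does not already include the read permissions, this is a silent regression for init scripts that read sysfs. The interface definitions are not in this diff, so this needs confirming against dev.if before merging.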
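Review bot: `corenet_tcp_connect_all_ports(initrc_t)` lets every init script connect to any labelled TCP port, which removes port labelling as a control for anything run from initrc_t, and the hunk gives no reason for needing the full set rather than the specific port types the scripts use. A why-comment naming the script that requires it, plus `# TODO: narrow to the port types init scripts actually connect to`, would let this be tightened later. The same unscoped `allow <domain> port_type:tcp_socket name_connect;` grant is added in this commit to initrc.te, netutils.te, nscd.te, portmap.te (both domains) and postfix.te (master, every `postfix_$1_t` subdomain, and map) in the strict tree, each without a comment; ntpd.te shows the scoped form (`ntp_port_t` only) that the others could follow where the target port is known.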
@@ -307,7 +314,7 @@ libs_use_shared_libs(initrc_t) libs_exec_lib_files(initrc_t) logging_send_syslog_msg(initrc_t) -logging_rw_generic_logs(initrc_t) +logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) @@ -527,6 +534,11 @@ role system_r types initrc_su_t; ifdef(`distro_redhat', ` # readahead asks for these allow initrc_t var_lib_nfs_t:file r_file_perms; + + file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file) + allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr; + allow initrc_t self:capability sys_admin; + allow initrc_t device_t:dir create; ') ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index a592aae1..4c3c744a 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -238,9 +238,13 @@ interface(`logging_write_generic_logs',` allow $1 var_log_t:file { getattr write }; ') -####################################### -# -# logging_rw_generic_logs(domain) +######################################## +## +## Read and write generic log files. +## +## +## Domain allowed access. +## # interface(`logging_rw_generic_logs',` gen_require(` @@ -253,3 +257,24 @@ interface(`logging_rw_generic_logs',` allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:file rw_file_perms; ') + +######################################## +## +## Create, read, write, and delete +## generic log files. +## +## +## Domain allowed access. +## +# +interface(`logging_manage_generic_logs',` + gen_require(` + type var_log_t; + class dir rw_dir_perms; + class file create_file_perms; + ') + + files_search_var($1) + allow $1 var_log_t:dir rw_dir_perms; + allow $1 var_log_t:file create_file_perms; +') diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 3090e0a1..039d8ea3 100644 --- a/refpolicy/policy/modules/system/logging.te 
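Review bot: The readahead block under `ifdef(`distro_redhat'` grants `allow initrc_t self:capability sys_admin;`, a getattr on every `file_type` for the dir and socket classes, and a `file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)` that labels any block node init scripts create as a fixed disk, all justified only by the inherited `# readahead asks for these` comment. It also names `device_t`, `fixed_disk_device_t` and `file_type` directly in a refpolicy .te file, whereas the rest of this file reaches those types through interfaces such as `storage_getattr_fixed_disk(initrc_t)`; if the module build requires foreign types to be declared, this needs either a `gen_require` or the equivalent dev_/storage_/files_ interfaces. A comment stating which readahead operation needs sys_admin would make that grant reviewable later. The strict-tree initrc.te hunk in this commit adds the identical four rules and would benefit from the same comment.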
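Review bot: `logging_manage_generic_logs` grants `rw_dir_perms` on the var_log_t directory and `create_file_perms` on its files, so a caller can create, truncate and unlink any generic log rather than only its own; the summary lists the verbs but does not tell module authors when this is the right interface versus the narrower `logging_write_generic_logs` and `logging_rw_generic_logs` above it. Adding a sentence to the summary such as `Intended for domains that rotate or remove logs; a daemon that only writes its own log should use a dedicated log type.` would steer callers to the least privilege that fits.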
+++ b/refpolicy/policy/modules/system/logging.te @@ -18,10 +18,10 @@ init_daemon_domain(auditd_t,auditd_exec_t) type auditd_var_run_t; files_pid_file(auditd_var_run_t) -type devlog_t; +type devlog_t; #, mlstrustedobject; files_type(devlog_t) -type klogd_t; +type klogd_t; #, mlsfileread type klogd_exec_t; init_daemon_domain(klogd_t,klogd_exec_t) @@ -155,7 +155,8 @@ miscfiles_read_localization(klogd_t) # syslogd local policy # -allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config }; +# cjp: why net_admin! +allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin }; dontaudit syslogd_t self:capability sys_tty_config; allow syslogd_t self:process signal_perms; diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 47cfa64f..db203f9d 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -32,14 +32,12 @@ files_tmp_file(lvm_tmp_t) # # DAC overrides and mknod for modifying /dev entries (vgmknodes) -allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod }; +allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource }; dontaudit lvm_t self:capability sys_tty_config; - allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; - -allow lvm_t self:file r_file_perms; +allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file rw_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; @@ -122,7 +120,6 @@ corecmd_dontaudit_getattr_sbin_file(lvm_t) domain_use_wide_inherit_fd(lvm_t) -files_search_var(lvm_t) files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) files_dontaudit_getattr_pid_dir(lvm_t) diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te index 61e76747..9b9ab9a3 100644 
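Review bot: The rewritten `allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin };` adds net_admin while dropping net_bind_service, and the only explanation is the new `# cjp: why net_admin!` marker. net_admin is far broader than a log daemon should need, so it should either be justified by a comment naming the syslogd operation that fails without it or carried as a `dontaudit` until that is known; and if syslogd on these systems still binds the privileged syslog UDP port for remote logging, removing net_bind_service will break that, which the diff does not explain. The following context line, `dontaudit syslogd_t self:capability sys_tty_config;`, contradicts the allow of the same capability; it is pre-existing but could be cleaned up in the same pass.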
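Review bot: `chown` and `sys_resource` are added to lvm_t's capability set under the unchanged `# DAC overrides and mknod for modifying /dev entries (vgmknodes)` comment, which no longer describes the whole line, and `allow lvm_t self:file rw_file_perms;` widens read to write on the domain's own /proc entries without a note. A short comment per addition, e.g. `# chown: vgmknodes sets ownership on the nodes it creates` only if that is the confirmed reason, keeps the capability list auditable. The strict-tree lvm.te hunks in this commit make the same two changes and have the same gap.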
--- a/refpolicy/policy/modules/system/miscfiles.te +++ b/refpolicy/policy/modules/system/miscfiles.te @@ -6,12 +6,6 @@ policy_module(miscfiles,1.0) # Declarations # -# -# catman_t is the type for /var/catman. -# -type catman_t; -files_tmp_file(catman_t) - # # cert_t is the type of files in the system certs directories. # @@ -25,6 +19,18 @@ files_type(cert_t) type fonts_t; files_type(fonts_t) +# +# Type for anonymous FTP data, used by ftp and rsync +# +type ftpd_anon_t; #, customizable; +files_type(ftpd_anon_t) + +# +# type for /tmp/.ICE-unix +# +type ice_tmp_t; +files_tmp_file(ice_tmp_t) + # # locale_t is the type for system localization # @@ -34,7 +40,7 @@ files_type(locale_t) # # man_t is the type for the man directories. # -type man_t; +type man_t alias catman_t; files_type(man_t) # @@ -48,3 +54,7 @@ files_type(test_file_t) # type tetex_data_t; files_tmp_file(tetex_data_t) + +ifdef(`TODO',` +allow customizable self:filesystem associate; +') dnl end TODO diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te index c58e7af4..5a0665cb 100644 --- a/refpolicy/policy/modules/system/raid.te +++ b/refpolicy/policy/modules/system/raid.te @@ -6,7 +6,7 @@ policy_module(raid,1.0) # Declarations # -type mdadm_t; +type mdadm_t; # privmail type mdadm_exec_t; init_daemon_domain(mdadm_t,mdadm_exec_t) role system_r types mdadm_t; diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 1a74046f..f55425c6 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te 
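Review bot: `type man_t alias catman_t;` replaces a separately declared `catman_t` that was registered with `files_tmp_file`, so /var/catman objects now carry the same type as the installed manual pages and lose whatever the tmp-file registration granted (that interface's exact grant is not in this diff); any domain that could write catman caches only through tmp-file rules, or that reads man_t read-only, changes behaviour. If merging the two is intended, a comment beside the alias saying so, e.g. `# catman_t is kept only as an alias; /var/catman is labelled man_t`, would make the label change visible to anyone maintaining file contexts; if not, catman_t should stay its own tmp type.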
@@ -65,7 +65,7 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append }; type policy_src_t; files_type(policy_src_t) -type restorecon_t, can_relabelto_binary_policy; +type restorecon_t, can_relabelto_binary_policy; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade; type restorecon_exec_t; domain_obj_id_change_exempt(restorecon_t) init_system_domain(restorecon_t,restorecon_exec_t) @@ -280,7 +280,6 @@ kernel_read_system_state(restorecon_t) dev_rw_generic_file(restorecon_t) fs_getattr_xattr_fs(restorecon_t) -fs_list_all(restorecon_t) selinux_get_fs_mount(restorecon_t) selinux_validate_context(restorecon_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc index b3f389ae..98904afd 100644 --- a/refpolicy/policy/modules/system/sysnetwork.fc +++ b/refpolicy/policy/modules/system/sysnetwork.fc @@ -43,6 +43,7 @@ # /var/lib/dhcp3? -d context_template(system_u:object_r:dhcp_state_t,s0) /var/lib/dhcp3?/dhclient.* context_template(system_u:object_r:dhcpc_state_t,s0) +/var/lib/dhcpcd(/.*)? context_template(system_u:object_r:dhcpc_state_t,s0) /var/run/dhclient.*\.pid -- context_template(system_u:object_r:dhcpc_var_run_t,s0) /var/run/dhclient.*\.leases -- context_template(system_u:object_r:dhcpc_var_run_t,s0) diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 7c3ec484..a11919c5 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -6,7 +6,7 @@ policy_module(udev,1.0) # Declarations # -type udev_t; +type udev_t; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite') type udev_exec_t; type udev_helper_exec_t; kernel_userland_entry(udev_t,udev_exec_t) 
@@ -34,7 +34,7 @@ files_pid_file(udev_var_run_t) # Local policy # -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice }; allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; @@ -42,6 +42,7 @@ allow udev_t self:fifo_file rw_file_perms; allow udev_t self:unix_stream_socket { listen accept }; allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; +allow udev_t self:netlink_kobject_uevent_socket { create bind read }; allow udev_t self:shm create_shm_perms; allow udev_t self:sem create_sem_perms; allow udev_t self:msgq create_msgq_perms; @@ -72,6 +73,7 @@ kernel_read_modprobe_sysctl(udev_t) kernel_read_kernel_sysctl(udev_t) kernel_rw_unix_dgram_socket(udev_t) kernel_sendto_unix_dgram_socket(udev_t) +kernel_signal(udev_t) dev_read_sysfs(udev_t) dev_manage_dev_nodes(udev_t) diff --git a/strict/domains/misc/local.te b/strict/domains/misc/local.te new file mode 100644 index 00000000..cedba3c4 --- /dev/null +++ b/strict/domains/misc/local.te @@ -0,0 +1,5 @@ +# Local customization of existing policy should be done in this file. +# If you are creating brand new policy for a new "target" domain, you +# need to create a type enforcement (.te) file in domains/program +# and a file context (.fc) file in file_context/program. + diff --git a/strict/domains/program/consoletype.te b/strict/domains/program/consoletype.te index 9836ce4e..f3f2c284 100644 --- a/strict/domains/program/consoletype.te +++ b/strict/domains/program/consoletype.te 
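Review bot: `sys_nice` is added to udev_t's capability set, and `kernel_signal(udev_t)` is added to the kernel interaction block further down, without a comment on which udev operation needs either; sys_nice has no obvious link to device-node handling, and the ability to signal the kernel domain deserves a stated reason. A why-comment next to each, in the form `# sys_nice: <udev operation that fails without it>`, filled in only with what the maintainer can confirm, would keep these grants reviewable. The explicit `netlink_kobject_uevent_socket { create bind read }` rule is appropriately narrower than the `create_socket_perms` macro the strict-tree hald.te hunk uses for the same class.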
@@ -11,7 +11,7 @@ # consoletype_t is the domain for the consoletype program. # consoletype_exec_t is the type of the corresponding program. # -type consoletype_t, domain; +type consoletype_t, domain, mlsfileread, mlsfilewrite; type consoletype_exec_t, file_type, sysadmfile, exec_type; role system_r types consoletype_t; @@ -57,6 +57,7 @@ allow consoletype_t tmpfs_t:chr_file rw_file_perms; ifdef(`firstboot.te', ` allow consoletype_t firstboot_t:fifo_file write; ') +dontaudit consoletype_t proc_t:dir search; dontaudit consoletype_t proc_t:file read; dontaudit consoletype_t root_t:file read; allow consoletype_t crond_t:fifo_file { read getattr ioctl }; diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te index 10f8a4de..c19a2d84 100644 --- a/strict/domains/program/crond.te +++ b/strict/domains/program/crond.te @@ -37,7 +37,7 @@ allow mta_user_agent system_crond_t:fd use; # read files in /etc allow system_crond_t etc_t:file r_file_perms; -allow system_crond_t etc_runtime_t:file read; +allow system_crond_t etc_runtime_t:file { getattr read }; allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr; diff --git a/strict/domains/program/getty.te b/strict/domains/program/getty.te index fc8a2bb7..c0602112 100644 --- a/strict/domains/program/getty.te +++ b/strict/domains/program/getty.te 
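Review bot: `type consoletype_t, domain, mlsfileread, mlsfilewrite;` gives a small query utility the attributes that bypass MLS read and write constraints on files, with no comment on why consoletype needs to cross levels; in the strict tree these attributes are effective, unlike the commented-out equivalents in the refpolicy half of this commit. A one-line justification such as `# mlsfileread/mlsfilewrite: consoletype is run from init scripts at any level and must read the console device` should accompany the grant, worded only as far as the maintainer can confirm it.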
@@ -23,22 +23,13 @@ allow getty_t self:process { getpgid getsession }; allow getty_t self:unix_dgram_socket create_socket_perms; allow getty_t self:unix_stream_socket create_socket_perms; -# to allow w to display everyone... -bool user_ttyfile_stat false; -if (user_ttyfile_stat) { -allow userdomain ttyfile:chr_file getattr; -} - # Use capabilities. allow getty_t self:capability { dac_override chown sys_resource sys_tty_config }; -# fbgetty needs fsetid for some reason -#allow getty_t self:capability fsetid; - read_locale(getty_t) # Run login in local_login_t domain. -allow getty_t bin_t:dir search; +allow getty_t { sbin_t bin_t }:dir search; domain_auto_trans(getty_t, login_exec_t, local_login_t) # Write to /var/run/utmp. @@ -55,5 +46,15 @@ allow getty_t ttyfile:chr_file { setattr rw_file_perms }; # for error condition handling allow getty_t fs_t:filesystem getattr; -rw_dir_create_file(getty_t, var_lock_t) +lock_domain(getty) r_dir_file(getty_t, sysfs_t) +# for mgetty +var_run_domain(getty) +allow getty_t self:capability { fowner fsetid }; + +# +# getty needs to be able to run pppd +# +ifdef(`pppd.te', ` +domain_auto_trans(getty_t, pppd_exec_t, pppd_t) +') diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te index 2bdd0b55..ed84911e 100644 --- a/strict/domains/program/hald.te +++ b/strict/domains/program/hald.te @@ -15,7 +15,7 @@ daemon_domain(hald, `, fs_domain, nscd_client_domain') can_exec_any(hald_t) allow hald_t { etc_t etc_runtime_t }:file { getattr read }; -allow hald_t self:unix_stream_socket create_stream_socket_perms; +allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow hald_t self:unix_dgram_socket create_socket_perms; ifdef(`dbusd.te', ` 
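Review bot: This hunk deletes the `user_ttyfile_stat` boolean together with its `if` block (`allow userdomain ttyfile:chr_file getattr;`), and nothing in the diff shows it being declared elsewhere; if it was not moved, the tunable disappears from the strict policy and any `setsebool user_ttyfile_stat` in deployed configurations will start failing. If it was relocated, a comment here naming the new home would save the next reader the search. The companion hunk below adds `allow getty_t self:capability { fowner fsetid };` under `# for mgetty`, which is the explanation the refpolicy getty.te hunk in this commit lacks.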
@@ -30,6 +30,10 @@ allow hald_t { bin_t sbin_t }:dir search; allow hald_t self:fifo_file rw_file_perms; allow hald_t usr_t:file { getattr read }; allow hald_t bin_t:file getattr; +# For backwards compatibility with older kernels +allow hald_t self:netlink_socket create_socket_perms; + +allow hald_t self:netlink_kobject_uevent_socket create_socket_perms; allow hald_t self:netlink_route_socket r_netlink_socket_perms; allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod }; can_network_server(hald_t) diff --git a/strict/domains/program/init.te b/strict/domains/program/init.te index 3fb67ded..185e0baa 100644 --- a/strict/domains/program/init.te +++ b/strict/domains/program/init.te @@ -14,11 +14,11 @@ # by init during initialization. This pipe is used # to communicate with init. # -type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain; +type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite; role system_r types init_t; uses_shlib(init_t); type init_exec_t, file_type, sysadmfile, exec_type; -type initctl_t, file_type, sysadmfile, dev_fs; +type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject; # for init to determine whether SE Linux is active so it can know whether to # activate it @@ -82,6 +82,7 @@ allow init_t self:process { fork sigchld }; # Modify utmp. allow init_t var_run_t:file rw_file_perms; allow init_t initrc_var_run_t:file { setattr rw_file_perms }; +can_unix_connect(init_t, initrc_t) # For /var/run/shutdown.pid. var_run_domain(init) @@ -133,6 +134,7 @@ allow init_t lib_t:file { getattr read }; allow init_t devtty_t:chr_file { read write }; allow init_t ramfs_t:dir search; +allow init_t ramfs_t:sock_file write; r_dir_file(init_t, sysfs_t) r_dir_file(init_t, selinux_config_t) diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te index 86e09cc4..f6e248ee 100644 --- a/strict/domains/program/initrc.te 
+++ b/strict/domains/program/initrc.te @@ -12,11 +12,12 @@ # initrc_exec_t is the type of the init program. # # do not use privmail for sendmail as it creates a type transition conflict -type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain; +type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite; role system_r types initrc_t; uses_shlib(initrc_t); can_network(initrc_t) +allow initrc_t port_type:tcp_socket name_connect; can_ypbind(initrc_t) type initrc_exec_t, file_type, sysadmfile, exec_type; @@ -130,7 +131,7 @@ allow initrc_t ld_so_cache_t:file rw_file_perms; # Update /var/log/wtmp and /var/log/dmesg. allow initrc_t wtmp_t:file { setattr rw_file_perms }; allow initrc_t var_log_t:dir rw_dir_perms; -allow initrc_t var_log_t:file { setattr rw_file_perms }; +allow initrc_t var_log_t:file create_file_perms; allow initrc_t lastlog_t:file { setattr rw_file_perms }; allow initrc_t logfile:file { read append }; @@ -194,10 +195,8 @@ file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file) allow initrc_t tmpfs_t:chr_file rw_file_perms; allow initrc_t tmpfs_t:dir r_dir_perms; -ifdef(`distro_redhat', ` # Allow initrc domain to set the enforcing flag. can_setenforce(initrc_t) -') # # readahead asks for these 
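Review bot: In the rewritten `type initrc_t, fs_domain, ifdef(`unlimitedRC', ...` declaration, `fs_domain` has moved out of the `unlimitedRC` conditional and is now granted unconditionally, which widens the default strict initrc_t policy; the hunk carries no comment saying which init script needs it. The attribute's exact grant is not in this diff, so this is hedged, but a line such as `# fs_domain: required unconditionally for <script> (was unlimitedRC-only)` with the real reason would make the widening deliberate. The added `allow initrc_t port_type:tcp_socket name_connect;` is the strict-tree twin of the refpolicy `corenet_tcp_connect_all_ports(initrc_t)` grant and has the same documentation gap.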
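Review bot: Removing the `ifdef(`distro_redhat'` guard around `can_setenforce(initrc_t)` lets init scripts on every distribution switch the kernel between permissive and enforcing, which was previously limited to Red Hat; the surviving comment `# Allow initrc domain to set the enforcing flag.` does not say why this became distribution-independent. Since a domain that can clear the enforcing flag can disable the whole policy, the change should either be justified in a comment (e.g. `# all supported distros toggle enforcing from rc scripts at boot`, if that is the reason) or kept behind an ifdef or tunable so deployments that do not need it are not widened.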
@@ -208,6 +207,11 @@ allow initrc_t var_lib_nfs_t:file { getattr read }; # for /halt /.autofsck and other flag files file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file) +file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file) +allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr; +allow initrc_t self:capability sys_admin; +allow initrc_t device_t:dir create; + ')dnl end distro_redhat allow initrc_t system_map_t:{ file lnk_file } r_file_perms; @@ -287,10 +291,6 @@ allow initrc_t device_t:lnk_file unlink; r_dir_file(initrc_t,selinux_config_t) -ifdef(`distro_redhat', ` -#allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr; -') - ifdef(`unlimitedRC', ` unconfined_domain(initrc_t) ') diff --git a/strict/domains/program/klogd.te b/strict/domains/program/klogd.te index b7efff18..42a136e5 100644 --- a/strict/domains/program/klogd.te +++ b/strict/domains/program/klogd.te @@ -8,7 +8,7 @@ # # Rules for the klogd_t domain. # -daemon_domain(klogd, `, privmem') +daemon_domain(klogd, `, privmem, privkmsg, mlsfileread') tmp_domain(klogd) allow klogd_t proc_t:dir r_dir_perms; diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te index f2cf0611..7ed07225 100644 --- a/strict/domains/program/lvm.te +++ b/strict/domains/program/lvm.te @@ -18,7 +18,6 @@ type lvm_vg_t, file_type, sysadmfile; type lvm_metadata_t, file_type, sysadmfile; type lvm_control_t, device_type, dev_fs; etcdir_domain(lvm) -allow lvm_t var_t:dir search; lock_domain(lvm) allow lvm_t lvm_lock_t:dir rw_dir_perms; @@ -35,7 +34,7 @@ allow lvm_t self:fifo_file rw_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; r_dir_file(lvm_t, proc_t) -allow lvm_t self:file r_file_perms; +allow lvm_t self:file rw_file_perms; # Read system variables in /proc/sys read_sysctl(lvm_t) 
@@ -65,7 +64,7 @@ tmp_domain(lvm) allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl }; # DAC overrides and mknod for modifying /dev entries (vgmknodes) -allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod }; +allow lvm_t self:capability { chown dac_override ipc_lock sys_admin sys_nice sys_resource mknod }; # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file) diff --git a/strict/domains/program/mdadm.te b/strict/domains/program/mdadm.te index 91de77c5..47f82e2d 100644 --- a/strict/domains/program/mdadm.te +++ b/strict/domains/program/mdadm.te @@ -3,7 +3,7 @@ # Author: Colin Walters # -daemon_base_domain(mdadm, `, fs_domain') +daemon_base_domain(mdadm, `, fs_domain, privmail') role sysadm_r types mdadm_t; allow initrc_t mdadm_var_run_t:file create_file_perms; diff --git a/strict/domains/program/netutils.te b/strict/domains/program/netutils.te index c314eeea..9b13fd49 100644 --- a/strict/domains/program/netutils.te +++ b/strict/domains/program/netutils.te @@ -16,11 +16,14 @@ role sysadm_r types netutils_t; uses_shlib(netutils_t) can_network(netutils_t) +allow netutils_t port_type:tcp_socket name_connect; can_ypbind(netutils_t) tmp_domain(netutils) domain_auto_trans(initrc_t, netutils_exec_t, netutils_t) +ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t) +') # Inherit and use descriptors from init. allow netutils_t { userdomain init_t }:fd use; diff --git a/strict/domains/program/nscd.te b/strict/domains/program/nscd.te index 74db2285..40ffbbce 100644 --- a/strict/domains/program/nscd.te +++ b/strict/domains/program/nscd.te @@ -23,6 +23,7 @@ daemon_domain(nscd, `, userspace_objmgr') allow nscd_t etc_t:file r_file_perms; allow nscd_t etc_t:lnk_file read; can_network_client(nscd_t) +allow nscd_t port_type:tcp_socket name_connect; can_ypbind(nscd_t) file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file) 
diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te index 1598c233..2b7480ce 100644 --- a/strict/domains/program/ntpd.te +++ b/strict/domains/program/ntpd.te @@ -10,7 +10,6 @@ # daemon_domain(ntpd, `, nscd_client_domain') type ntp_drift_t, file_type, sysadmfile; -type ntp_port_t, port_type, reserved_port_type; type ntpdate_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t) @@ -25,7 +24,7 @@ allow ntpd_t ntp_drift_t:dir rw_dir_perms; allow ntpd_t ntp_drift_t:file create_file_perms; # for SSP -allow ntpd_t urandom_device_t:chr_file read; +allow ntpd_t urandom_device_t:chr_file { getattr read }; allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot }; dontaudit ntpd_t self:capability { net_admin }; @@ -41,6 +40,7 @@ allow ntpd_t etc_t:file { read getattr }; # Use the network. can_network(ntpd_t) +allow ntpd_t ntp_port_t:tcp_socket name_connect; can_ypbind(ntpd_t) allow ntpd_t ntp_port_t:udp_socket name_bind; allow ntpd_t self:unix_dgram_socket create_socket_perms; @@ -83,4 +83,5 @@ ifdef(`winbind.te', ` allow ntpd_t winbind_var_run_t:dir r_dir_perms; allow ntpd_t winbind_var_run_t:sock_file rw_file_perms; ') - +# For clock devices like wwvb1 +allow ntpd_t device_t:lnk_file read; diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te index 72704425..cbb84aff 100644 --- a/strict/domains/program/pamconsole.te +++ b/strict/domains/program/pamconsole.te 
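Review bot: `type ntp_port_t, port_type, reserved_port_type;` is deleted from ntpd.te while the file still uses ntp_port_t in the context line `allow ntpd_t ntp_port_t:udp_socket name_bind;` and in the new `allow ntpd_t ntp_port_t:tcp_socket name_connect;`, so the declaration must now come from a file outside this diff; the commit does not show it, and the build should be confirmed with the port declarations centralised wherever they went. The same applies to `type portmap_port_t, port_type, reserved_port_type;` removed from portmap.te below. The new `allow ntpd_t device_t:lnk_file read;` under `# For clock devices like wwvb1` is the kind of scoped, commented grant the rest of this commit would benefit from.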
@@ -3,17 +3,23 @@ # # pam_console_apply -daemon_base_domain(pam_console, `, nscd_client_domain') +daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread') type pam_var_console_t, file_type, sysadmfile; allow pam_console_t etc_t:file { getattr read ioctl }; allow pam_console_t self:unix_stream_socket create_stream_socket_perms; +# Read /etc/mtab +allow pam_console_t etc_runtime_t:file { read getattr }; + +# Read /proc/meminfo +allow pam_console_t proc_t:file { read getattr }; + allow pam_console_t self:capability { chown fowner fsetid }; # Allow access to /dev/console through the fd: -allow pam_console_t console_device_t:chr_file { read write }; +allow pam_console_t console_device_t:chr_file { read write setattr }; allow pam_console_t { kernel_t init_t }:fd use; # for /var/run/console.lock checking @@ -36,7 +42,6 @@ ifdef(`hotplug.te', ` dontaudit pam_console_t hotplug_etc_t:dir search; allow pam_console_t hotplug_t:fd use; ') -allow pam_console_t proc_t:file read; ifdef(`xdm.te', ` allow pam_console_t xdm_var_run_t:file { getattr read }; ') diff --git a/strict/domains/program/passwd.te b/strict/domains/program/passwd.te index efae37c6..e9843208 100644 --- a/strict/domains/program/passwd.te +++ b/strict/domains/program/passwd.te @@ -145,6 +145,7 @@ dontaudit sysadm_passwd_t devpts_t:dir search; # make sure that getcon succeeds allow passwd_t userdomain:dir search; -allow passwd_t userdomain:file read; +allow passwd_t userdomain:file { getattr read }; allow passwd_t userdomain:process getattr; +allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; diff --git a/strict/domains/program/portmap.te b/strict/domains/program/portmap.te index 134b2001..adc364d3 100644 --- a/strict/domains/program/portmap.te +++ b/strict/domains/program/portmap.te 
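Review bot: `allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` is added without a comment; nlmsg_relay is the permission for submitting user-space audit records, so this is presumably there so passwd can audit password changes, but the rule should say so, e.g. `# passwd emits audit records for password changes`, if that is confirmed. It is also placed directly under the pre-existing `# make sure that getcon succeeds` block, which now reads as if it explained the audit socket; a blank line and its own comment avoids that. sysadm_passwd_t, referenced in the same file, is not given the equivalent rule here, so it is worth checking whether the administrator path needs it too.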
@@ -14,12 +14,11 @@ daemon_domain(portmap, `, nscd_client_domain') can_network(portmap_t) +allow portmap_t port_type:tcp_socket name_connect; can_ypbind(portmap_t) allow portmap_t self:unix_dgram_socket create_socket_perms; allow portmap_t self:unix_stream_socket create_stream_socket_perms; -type portmap_port_t, port_type, reserved_port_type; - tmp_domain(portmap) allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind; @@ -60,11 +59,13 @@ domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t) dontaudit portmap_helper_t self:capability { net_admin }; allow portmap_helper_t self:capability { net_bind_service }; allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms; +file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file) allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms; can_network(portmap_helper_t) +allow portmap_helper_t port_type:tcp_socket name_connect; can_ypbind(portmap_helper_t) dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms; allow portmap_helper_t etc_t:file { getattr read }; -dontaudit portmap_helper_t userdomain:fd use; +dontaudit portmap_helper_t { userdomain privfd }:fd use; allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind; dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind; diff --git a/strict/domains/program/postfix.te b/strict/domains/program/postfix.te index 7d62e01a..26ac65ba 100644 --- a/strict/domains/program/postfix.te +++ b/strict/domains/program/postfix.te @@ -9,7 +9,6 @@ type postfix_var_run_t, file_type, sysadmfile, pidfile; type postfix_etc_t, file_type, sysadmfile; -typealias postfix_etc_t alias etc_postfix_t; type postfix_exec_t, file_type, sysadmfile, exec_type; type postfix_public_t, file_type, sysadmfile; type postfix_private_t, file_type, sysadmfile; 
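Review bot: Deleting `typealias postfix_etc_t alias etc_postfix_t;` drops a type name that existing on-disk labels, local file-context additions or other policy files may still use; objects labelled etc_postfix_t under an earlier policy would lose a valid type until relabelled, and any remaining reference to the alias elsewhere would fail to build. Nothing in this diff shows the remaining references being checked, so either confirm the alias is unused and note that in the commit message, or keep it one more release with a `# deprecated alias, remove after <release>` comment.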
@@ -120,6 +119,7 @@ allow postfix_master_t postfix_private_t:dir rw_dir_perms; allow postfix_master_t postfix_private_t:sock_file create_file_perms; allow postfix_master_t postfix_private_t:fifo_file create_file_perms; can_network(postfix_master_t) +allow postfix_master_t port_type:tcp_socket name_connect; can_ypbind(postfix_master_t) allow postfix_master_t smtp_port_t:tcp_socket name_bind; allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms; @@ -155,6 +155,7 @@ domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow postfix_$1_t self:capability { setuid setgid dac_override }; can_network_client(postfix_$1_t) +allow postfix_$1_t port_type:tcp_socket name_connect; can_ypbind(postfix_$1_t) ') @@ -179,6 +180,7 @@ allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto; # for OpenSSL certificates r_dir_file(postfix_smtpd_t,usr_t) allow postfix_smtpd_t etc_aliases_t:file r_file_perms; +allow postfix_smtpd_t self:file { getattr read }; # for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; @@ -345,5 +347,6 @@ allow postfix_map_t self:capability setgid; allow postfix_map_t self:unix_dgram_socket create_socket_perms; dontaudit postfix_map_t var_t:dir search; can_network_server(postfix_map_t) +allow postfix_map_t port_type:tcp_socket name_connect; allow postfix_local_t mail_spool_t:dir { remove_name }; allow postfix_local_t mail_spool_t:file { unlink }; diff --git a/strict/domains/program/privoxy.te b/strict/domains/program/privoxy.te index 57625921..9e94026e 100644 --- a/strict/domains/program/privoxy.te +++ b/strict/domains/program/privoxy.te @@ -8,7 +8,7 @@ # # Rules for the privoxy_t domain. # -daemon_domain(privoxy) +daemon_domain(privoxy, `, web_client_domain') logdir_domain(privoxy) 
@@ -17,7 +17,8 @@ allow privoxy_t self:capability net_bind_service;
 # Use the network.
 can_network(privoxy_t)
-allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
+can_ypbind(privoxy_t)
+allow privoxy_t http_cache_port_t:tcp_socket name_bind;
 allow privoxy_t etc_t:file { getattr read };
 allow privoxy_t self:capability { setgid setuid };
 allow privoxy_t self:unix_stream_socket create_socket_perms ;
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
index fb014d74..058dcd11 100644
--- a/strict/domains/program/restorecon.te
+++ b/strict/domains/program/restorecon.te
@@ -12,7 +12,7 @@
 #
 # needs auth_write attribute because it has relabelfrom/relabelto
 # access to shadow_t
-type restorecon_t, domain, privlog, privowner, auth_write, change_context;
+type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
 type restorecon_exec_t, file_type, sysadmfile, exec_type;
 role system_r types restorecon_t;
@@ -48,10 +48,9 @@ allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom rel
 allow restorecon_t ptyfile:chr_file getattr;
 allow restorecon_t fs_t:filesystem getattr;
-allow restorecon_t fs_type:dir r_dir_perms;
-allow restorecon_t etc_runtime_t:file read;
-allow restorecon_t etc_t:file read;
+allow restorecon_t etc_runtime_t:file { getattr read };
+allow restorecon_t etc_t:file { getattr read };
 allow restorecon_t proc_t:file { getattr read };
 dontaudit restorecon_t proc_t:lnk_file { getattr read };
@@ -60,4 +59,3 @@ allow restorecon_t kernel_t:fd use;
 allow restorecon_t kernel_t:fifo_file { read write };
 allow restorecon_t kernel_t:unix_dgram_socket { read write };
 r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
-
diff --git a/strict/domains/program/rlogind.te b/strict/domains/program/rlogind.te
index 0c896cfe..d6fa1c55 100644
--- a/strict/domains/program/rlogind.te
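Review bot: `allow privoxy_t http_cache_port_t:tcp_socket name_bind;` binds privoxy to the port type squid already owns (3128/8080/3130, plus 8118 added for privoxy in net_contexts in this commit), so squid_t, which binds `http_cache_port_t` in squid.te, may now bind 8118 and privoxy_t may bind squid's ports. If the two proxies are meant to stay separable, a dedicated privoxy port type with its own portcon for 8118 keeps that; otherwise a comment here such as `# 8118 is labelled http_cache_port_t, shared with squid (see net_contexts)` records the decision. The replaced generic `port_t` bind was broader, so this is still a tightening.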
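Review bot: The four MLS override attributes appended to `type restorecon_t, …` have no comment explaining why restorecon needs each of them, unlike the existing note above that explains `auth_write`; the same undocumented additions appear on `$1_t` in ssh.te (plus mlsprocsetsl) and on udev_t in udev.te (plus mlsprocwrite). Each attribute presumably exempts the domain from one family of constraints in strict/mls, which is exactly the kind of exception a later reader needs justified. Suggest a line such as `# mlsfile{read,write,upgrade,downgrade}: relabeling must reach files at every sensitivity level` here, with the corresponding reason in the other two files.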
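Review bot: `allow restorecon_t fs_type:dir r_dir_perms;` is removed in the -48 hunk with no replacement for fs_type, so restorecon loses directory read/search on every fs_type-labelled filesystem root (sysfs_t, devpts_t and the pseudo filesystems declared as fs_type in file.te later in this diff) unless a macro outside the diff now grants it; a recursive relabel descending into one of those mount points would be denied. If a helper elsewhere covers it, a comment naming it in place of the removed line would stop the rule being re-added.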
+++ b/strict/domains/program/rlogind.te
@@ -35,3 +35,4 @@ allow rlogind_t self:file { getattr read };
 allow rlogind_t default_t:dir search;
 typealias rlogind_port_t alias rlogin_port_t;
 read_sysctl(rlogind_t);
+allow rlogind_t krb5_keytab_t:file { getattr read };
diff --git a/strict/domains/program/rshd.te b/strict/domains/program/rshd.te
index 33006bd5..39976c59 100644
--- a/strict/domains/program/rshd.te
+++ b/strict/domains/program/rshd.te
@@ -23,10 +23,7 @@ allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chow
 # Use the network.
 can_network_server(rshd_t)
-allow rshd_t reserved_port_t:tcp_socket name_bind;
-dontaudit rshd_t reserved_port_type:tcp_socket name_bind;
-
-can_ypbind(rshd_t)
+allow rshd_t rsh_port_t:tcp_socket name_bind;
 allow rshd_t etc_t:file { getattr read };
 read_locale(rshd_t)
diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te
index 1090463e..6bac7b78 100644
--- a/strict/domains/program/rsync.te
+++ b/strict/domains/program/rsync.te
@@ -14,6 +14,4 @@ inetd_child_domain(rsync)
 type rsync_data_t, file_type, sysadmfile;
 r_dir_file(rsync_t, rsync_data_t)
-ifdef(`ftpd.te', `
 r_dir_file(rsync_t, ftpd_anon_t)
-')
diff --git a/strict/domains/program/slapd.te b/strict/domains/program/slapd.te
index 8cca78ee..dd9e416f 100644
--- a/strict/domains/program/slapd.te
+++ b/strict/domains/program/slapd.te
@@ -58,3 +58,4 @@ read_sysctl(slapd_t)
 allow slapd_t usr_t:file { read getattr };
 allow slapd_t urandom_device_t:chr_file { getattr read };
 allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+r_dir_file(slapd_t, cert_t)
diff --git a/strict/domains/program/squid.te b/strict/domains/program/squid.te
index 06d411dd..bf7d01d1 100644
--- a/strict/domains/program/squid.te
+++ b/strict/domains/program/squid.te
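Review bot: `can_ypbind(rshd_t)` is dropped together with the reserved-port bind in the rshd.te hunk, but nothing in the hunk replaces it, so if rshd resolves users or hosts through NIS those lookups will now be denied; if the intent is that nscd covers it, a comment saying so would stop the next reader re-adding the macro. The move from `reserved_port_t` to `rsh_port_t` (514/tcp in net_contexts) is the right narrowing. The rshd_t rule block continues outside the hunk.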
@@ -12,7 +12,7 @@ ifdef(`apache.te',`
 can_tcp_connect(squid_t, httpd_t)
 ')
-
+bool squid_connect_any false;
 daemon_domain(squid, `, web_client_domain, nscd_client_domain')
 type squid_conf_t, file_type, sysadmfile;
 general_domain_access(squid_t)
@@ -53,12 +53,15 @@ ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
 # Use the network
 can_network(squid_t)
+if (squid_connect_any) {
+allow squid_t port_type:tcp_socket name_connect;
+}
 can_ypbind(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
 # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t http_cache_port_t:tcp_socket name_bind;
-allow squid_t http_cache_port_t:udp_socket name_bind;
+allow squid_t http_cache_port_t:{ tcp_socket udp_socket } name_bind;
+allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
 # to allow running programs from /usr/lib/squid (IE unlinkd)
 # also allow exec()ing itself
@@ -74,3 +77,8 @@ allow squid_t urandom_device_t:chr_file { getattr read };
 #squid requires the following when run in diskd mode, the recommended setting
 allow squid_t tmpfs_t:file { read write };
+r_dir_file(squid_t, cert_t)
+ifdef(`winbind.te', `
+domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
+allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
+')
diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te
index a1eb5ec7..ee4dcf16 100644
--- a/strict/domains/program/ssh.te
+++ b/strict/domains/program/ssh.te
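Review bot: `bool squid_connect_any false;` is introduced without a comment, and a boolean is what an administrator toggles by name, so the declaration should say what it opens: `# squid_connect_any: let squid connect to any TCP port, not only the ftp/gopher/http/http_cache ports allowed unconditionally below (default off)`. The conditional block in the -53 hunk is also flush-left; indenting the `allow` inside `if (squid_connect_any) { … }` makes the conditional scope visible at a glance. Gating the broad name_connect this way is the pattern the other daemons in this commit should follow.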
@@ -23,7 +23,7 @@ define(`sshd_program_domain', `
 # privowner is for changing the identity on the terminal device
 # privfd is for passing the terminal file handle to the user process
 # auth_chkpwd is for running unix_chkpwd and unix_verify.
-type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain;
+type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
 can_exec($1_t, sshd_exec_t)
 r_dir_file($1_t, self)
 role system_r types $1_t;
@@ -67,6 +67,8 @@ allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
 allow $1_t urandom_device_t:chr_file { getattr read };
 can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
+can_kerberos($1_t)
 allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
@@ -145,10 +147,8 @@ sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
 sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
 }
-ifdef(`use_x_ports', `
 # for X forwarding
 allow sshd_t xserver_port_t:tcp_socket name_bind;
-')
 r_dir_file(sshd_t, selinux_config_t)
 sshd_program_domain(sshd_extern)
diff --git a/strict/domains/program/syslogd.te b/strict/domains/program/syslogd.te
index 76d518ed..33d1e207 100644
--- a/strict/domains/program/syslogd.te
+++ b/strict/domains/program/syslogd.te
@@ -14,9 +14,9 @@
 # by syslogd.
 #
 ifdef(`klogd.te', `
-daemon_domain(syslogd)
+daemon_domain(syslogd, `, privkmsg')
 ', `
-daemon_domain(syslogd, `, privmem')
+daemon_domain(syslogd, `, privmem, privkmsg')
 ')
 # can_network is for the UDP socket
@@ -25,7 +25,7 @@ can_ypbind(syslogd_t)
 r_dir_file(syslogd_t, sysfs_t)
-type devlog_t, file_type, sysadmfile, dev_fs;
+type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
 # if something can log to syslog they should be able to log to the console
 allow privlog console_device_t:chr_file { ioctl read write getattr };
@@ -36,7 +36,7 @@ tmp_domain(syslogd)
 allow syslogd_t etc_t:file r_file_perms;
 # Use capabilities.
-allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
+allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
 # Modify/create log files.
 create_append_log_file(syslogd_t, var_log_t)
@@ -94,7 +94,6 @@ allow syslogd_t { device_t file_t }:sock_file unlink;
 allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
 # Allow name_bind for remote logging
-type syslogd_port_t, port_type, reserved_port_type;
 allow syslogd_t syslogd_port_t:udp_socket name_bind;
 #
 # /initrd is not umounted before minilog starts
@@ -103,5 +102,4 @@ dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir search;
 dontaudit syslogd_t unlabeled_t:file read;
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:capability net_admin;
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te
index eae23a29..fb70a359 100644
--- a/strict/domains/program/udev.te
+++ b/strict/domains/program/udev.te
@@ -9,7 +9,7 @@
 #
 # udev_exec_t is the type of the udev executable.
 #
-daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner')
+daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
 general_domain_access(udev_t)
@@ -33,6 +33,7 @@ allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
 allow udev_t self:fifo_file rw_file_perms;
+allow udev_t self:netlink_kobject_uevent_socket { create bind read };
 allow udev_t device_t:sock_file create_file_perms;
 allow udev_t device_t:lnk_file create_lnk_perms;
 allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
@@ -70,6 +71,7 @@ can_setfscreate(udev_t)
 allow udev_t kernel_t:fd use;
 allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
+allow udev_t kernel_t:process signal;
 allow udev_t initrc_var_run_t:file r_file_perms;
 dontaudit udev_t initrc_var_run_t:file write;
diff --git a/strict/domains/program/xfs.te b/strict/domains/program/xfs.te
index 0c9e93f7..04302cde 100644
--- a/strict/domains/program/xfs.te
+++ b/strict/domains/program/xfs.te
@@ -37,9 +37,8 @@ allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
 allow xfs_t self:unix_stream_socket create_stream_socket_perms;
 allow xfs_t self:unix_dgram_socket create_socket_perms;
-# Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
-allow xfs_t fonts_t:dir search;
-allow xfs_t fonts_t:file { getattr read };
+# Read fonts
+read_fonts(xfs_t)
 # Unlink the xfs socket.
 allow initrc_t xfs_tmp_t:dir rw_dir_perms;
diff --git a/strict/file_contexts/program/amavis.fc b/strict/file_contexts/program/amavis.fc
index 12a20643..366da332 100644
--- a/strict/file_contexts/program/amavis.fc
+++ b/strict/file_contexts/program/amavis.fc
@@ -4,3 +4,5 @@
 /var/log/amavisd\.log -- system_u:object_r:amavisd_log_t
 /var/lib/amavis(/.*)? system_u:object_r:amavisd_lib_t
 /var/run/amavis(/.*)? system_u:object_r:amavisd_var_run_t
+/var/amavis(/.*)? system_u:object_r:amavisd_lib_t
+/var/virusmails(/.*)? system_u:object_r:amavisd_quarantine_t
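Review bot: `allow udev_t kernel_t:process signal;` in the -70 hunk grants udev the general `signal` vector toward every process running as kernel_t rather than the one signal it presumably needs; if the denial being fixed was udev notifying its parent on exit, `sigchld` is the narrower permission, and if a specific signal is required a comment naming it would justify the broad grant. udev_t is already heavily privileged by the daemon_domain line earlier in this diff, so keeping each added vector minimal matters. The udev_t rule block continues outside the hunk.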
diff --git a/strict/file_contexts/program/apache.fc b/strict/file_contexts/program/apache.fc
index 4fe5dac2..444c3f03 100644
--- a/strict/file_contexts/program/apache.fc
+++ b/strict/file_contexts/program/apache.fc
@@ -1,6 +1,7 @@
 # apache
 HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
 /var/www(/.*)? system_u:object_r:httpd_sys_content_t
+/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t
 /var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
 /usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
 /var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
@@ -15,7 +16,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
 /usr/lib(64)?/apache(/.*)? system_u:object_r:httpd_modules_t
 /usr/lib(64)?/apache2/modules(/.*)? system_u:object_r:httpd_modules_t
 /usr/lib(64)?/httpd(/.*)? system_u:object_r:httpd_modules_t
-/usr/sbin/httpd -- system_u:object_r:httpd_exec_t
+/usr/sbin/httpd(\.worker)? -- system_u:object_r:httpd_exec_t
 /usr/sbin/apache(2)? -- system_u:object_r:httpd_exec_t
 /usr/sbin/suexec -- system_u:object_r:httpd_suexec_exec_t
 /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t
@@ -36,7 +37,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
 /var/run/gcache_port -s system_u:object_r:httpd_var_run_t
 ifdef(`distro_suse', `
 # suse puts shell scripts there :-(
-/usr/share/apache2/[^/]* -- system_u:object_r:bin_t
+/usr/share/apache2/[^/]* -- system_u:object_r:bin_t
+/usr/sbin/httpd2-.* -- system_u:object_r:httpd_exec_t
 ')
 /var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t
 /var/spool/squirrelmail(/.*)? system_u:object_r:squirrelmail_spool_t
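Review bot: `/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t` overlaps the `/srv/([^/]*/)?ftp(/.*)? system_u:object_r:ftpd_anon_t` entry added to ftpd.fc in this commit: a path such as /srv/ftp/www/… or /srv/www/ftp/… matches both patterns, and which label wins then depends on the order in which the .fc files are concatenated rather than on anything stated in either file. Dropping the optional middle component (`/srv/www(/.*)?` and `/srv/ftp(/.*)?`) removes the ambiguity; if the extra level is needed, a comment on each line naming the other entry would at least make the precedence visible.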
@@ -44,3 +46,9 @@ ifdef(`distro_suse', `
 /usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t
 /var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t
 /etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t
+/var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t
+ifdef(`targeted_policy', `', `
+/var/spool/cron/apache -- system_u:object_r:user_cron_spool_t
+')
+/usr/sbin/apachectl -- system_u:object_r:initrc_exec_t
+
diff --git a/strict/file_contexts/program/apmd.fc b/strict/file_contexts/program/apmd.fc
index da3c93a4..9e6ce0d3 100644
--- a/strict/file_contexts/program/apmd.fc
+++ b/strict/file_contexts/program/apmd.fc
@@ -1,9 +1,12 @@
 # apmd
 /usr/sbin/apmd -- system_u:object_r:apmd_exec_t
 /usr/sbin/acpid -- system_u:object_r:apmd_exec_t
+/usr/sbin/powersaved -- system_u:object_r:apmd_exec_t
 /usr/bin/apm -- system_u:object_r:apm_exec_t
 /var/run/apmd\.pid -- system_u:object_r:apmd_var_run_t
 /var/run/\.?acpid\.socket -s system_u:object_r:apmd_var_run_t
+/var/run/powersaved\.pid -- system_u:object_r:apmd_var_run_t
+/var/run/powersave_socket -s system_u:object_r:apmd_var_run_t
 /var/log/acpid -- system_u:object_r:apmd_log_t
 ifdef(`distro_suse', `
 /var/lib/acpi(/.*)? system_u:object_r:apmd_var_lib_t
diff --git a/strict/file_contexts/program/crack.fc b/strict/file_contexts/program/crack.fc
index fac9bd6b..7d991366 100644
--- a/strict/file_contexts/program/crack.fc
+++ b/strict/file_contexts/program/crack.fc
@@ -1,4 +1,6 @@
 # crack - for password checking
+/usr/sbin/cracklib-[a-z]* -- system_u:object_r:crack_exec_t
 /usr/sb

in/crack_[a-z]* -- system_u:object_r:crack_exec_t
 /var/cache/cracklib(/.*)? system_u:object_r:crack_db_t
 /usr/lib(64)?/cracklib_dict.* -- system_u:object_r:crack_db_t
+/usr/share/cracklib(/.*)? system_u:object_r:crack_db_t
diff --git a/strict/file_contexts/program/dhcpc.fc b/strict/file_contexts/program/dhcpc.fc
index 4085e1d6..13908395 100644
--- a/strict/file_contexts/program/dhcpc.fc
+++ b/strict/file_contexts/program/dhcpc.fc
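Review bot: `/usr/sbin/apachectl -- system_u:object_r:initrc_exec_t` turns a shell script shipped by the web-server package into an entry point to initrc_t, so every domain allowed to execute initrc_exec_t, and any later edit to that script, inherits initrc_t's privileges. If apachectl only needs to exec httpd, labelling it so the caller transitions into httpd_t directly would keep the script out of initrc_t; if it genuinely must run as initrc_t, a comment such as `# apachectl acts as the init script for httpd` would record the reason. The hunk also leaves a trailing blank line at end of file.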
@@ -6,6 +6,7 @@
 /sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t
 /sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t
 /var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t
+/var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t
 /var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t
 /var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t
 # pump
diff --git a/strict/file_contexts/program/fsadm.fc b/strict/file_contexts/program/fsadm.fc
index f755f4a6..5d42601b 100644
--- a/strict/file_contexts/program/fsadm.fc
+++ b/strict/file_contexts/program/fsadm.fc
@@ -1,6 +1,7 @@
 # fs admin utilities
 /sbin/fsck.* -- system_u:object_r:fsadm_exec_t
 /sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
+/sbin/mkfs\.cramfs -- system_u:object_r:sbin_t
 /sbin/e2fsck -- system_u:object_r:fsadm_exec_t
 /sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
 /sbin/dosfsck -- system_u:object_r:fsadm_exec_t
@@ -19,9 +20,11 @@
 /sbin/parted -- system_u:object_r:fsadm_exec_t
 /sbin/tune2fs -- system_u:object_r:fsadm_exec_t
 /sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
+/sbin/dump -- system_u:object_r:fsadm_exec_t
 /sbin/swapon.* -- system_u:object_r:fsadm_exec_t
 /sbin/hdparm -- system_u:object_r:fsadm_exec_t
 /sbin/raidstart -- system_u:object_r:fsadm_exec_t
+/sbin/raidautorun -- system_u:object_r:fsadm_exec_t
 /sbin/mkraid -- system_u:object_r:fsadm_exec_t
 /sbin/blockdev -- system_u:object_r:fsadm_exec_t
 /sbin/losetup.* -- system_u:object_r:fsadm_exec_t
diff --git a/strict/file_contexts/program/ftpd.fc b/strict/file_contexts/program/ftpd.fc
index 02601976..6865fc5b 100644
--- a/strict/file_contexts/program/ftpd.fc
+++ b/strict/file_contexts/program/ftpd.fc
@@ -13,3 +13,4 @@
 /var/log/xferreport.* -- system_u:object_r:xferlog_t
 /etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t
 /var/ftp(/.*)? system_u:object_r:ftpd_anon_t
+/srv/([^/]*/)?ftp(/.*)? system_u:object_r:ftpd_anon_t
diff --git a/strict/file_contexts/program/getty.fc b/strict/file_contexts/program/getty.fc
index f9082219..0da4b32a 100644
--- a/strict/file_contexts/program/getty.fc
+++ b/strict/file_contexts/program/getty.fc
@@ -1,3 +1,5 @@
 # getty
 /sbin/.*getty -- system_u:object_r:getty_exec_t
 /etc/mgetty(/.*)? system_u:object_r:getty_etc_t
+/var/run/mgetty\.pid.* -- system_u:object_r:getty_var_run_t
+/var/log/mgetty\.log.* -- system_u:object_r:getty_log_t
diff --git a/strict/file_contexts/program/gpg.fc b/strict/file_contexts/program/gpg.fc
index 1cc9508e..650df0cf 100644
--- a/strict/file_contexts/program/gpg.fc
+++ b/strict/file_contexts/program/gpg.fc
@@ -1,5 +1,7 @@
 # gpg
 HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t
-/usr/bin/gpg -- system_u:object_r:gpg_exec_t
+/usr/bin/gpg(2)? -- system_u:object_r:gpg_exec_t
 /usr/bin/kgpg -- system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t
+/usr/lib/gnupg/.* -- system_u:object_r:gpg_exec_t
+/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t
+
diff --git a/strict/file_contexts/program/iceauth.fc b/strict/file_contexts/program/iceauth.fc
new file mode 100644
index 00000000..31bf1f3d
--- /dev/null
+++ b/strict/file_contexts/program/iceauth.fc
@@ -0,0 +1,3 @@
+# iceauth
+/usr/X11R6/bin/iceauth -- system_u:object_r:iceauth_exec_t
+HOME_DIR/\.ICEauthority.* -- system_u:object_r:ROLE_iceauth_home_t
diff --git a/strict/file_contexts/program/initrc.fc b/strict/file_contexts/program/initrc.fc
index b23d55e2..45ea6cfc 100644
--- a/strict/file_contexts/program/initrc.fc
+++ b/strict/file_contexts/program/initrc.fc
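Review bot: In the gpg.fc hunk `/usr/lib/gnupg/.* -- system_u:object_r:gpg_exec_t` is placed directly above `/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t`, and the helper label only survives because, for entries sharing a stem, the last matching file_contexts line takes precedence; a re-sort of the file would silently relabel the gpgkeys helpers as gpg_exec_t. The same ordering dependency is introduced in fsadm.fc, where `/sbin/mkfs\.cramfs -- system_u:object_r:sbin_t` must stay below `/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t`. A one-line comment at each, `# keep below the generic entry above: the last matching spec wins`, makes the ordering explicit.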
@@ -19,6 +19,9 @@ ifdef(`distro_suse', `
 /var/run/sysconfig(/.*)? system_u:object_r:initrc_var_run_t
 /var/run/keymap -- system_u:object_r:initrc_var_run_t
 /var/run/numlock-on -- system_u:object_r:initrc_var_run_t
+/var/run/setleds-on -- system_u:object_r:initrc_var_run_t
+/var/run/bootsplashctl -p system_u:object_r:initrc_var_run_t
+/etc/init\.d/\.depend.* -- system_u:object_r:etc_runtime_t
 ')
 ifdef(`distro_gentoo', `
@@ -35,5 +38,11 @@ ifdef(`distro_gentoo', `
 /etc/nohotplug -- system_u:object_r:etc_runtime_t
 ifdef(`distro_redhat', `
 /halt -- system_u:object_r:etc_runtime_t
+/fastboot -- system_u:object_r:etc_runtime_t
+/fsckoptions -- system_u:object_r:etc_runtime_t
+/forcefsck -- system_u:object_r:etc_runtime_t
+/poweroff -- system_u:object_r:etc_runtime_t
 /\.autofsck -- system_u:object_r:etc_runtime_t
+/\.autorelabel -- system_u:object_r:etc_runtime_t
 ')
+
diff --git a/strict/mls b/strict/mls
index 5f509063..ef20c214 100644
--- a/strict/mls
+++ b/strict/mls
@@ -730,3 +730,4 @@ mlsconstrain xextension use
 # these access vectors have no MLS restrictions
 # association { sendto recvfrom }
+
diff --git a/strict/net_contexts b/strict/net_contexts
index 49f6862d..fd10f9b4 100644
--- a/strict/net_contexts
+++ b/strict/net_contexts
@@ -17,7 +17,6 @@
 # protocol number context
 # protocol low-high context
 #
-ifdef(`inetd.te', `
 portcon tcp 7 system_u:object_r:inetd_child_port_t
 portcon udp 7 system_u:object_r:inetd_child_port_t
 portcon tcp 9 system_u:object_r:inetd_child_port_t
@@ -37,42 +36,47 @@ portcon udp 891 system_u:object_r:inetd_child_port_t portcon tcp 892 system_u:object_r:inetd_child_port_t portcon udp 892 system_u:object_r:inetd_child_port_t portcon tcp 2105 system_u:object_r:inetd_child_port_t -') -ifdef(`ftpd.te', ` portcon tcp 20 system_u:object_r:ftp_data_port_t portcon tcp 21 system_u:object_r:ftp_port_t -') -ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t') -ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t') -ifdef(`mta.te', ` +portcon tcp 22 system_u:object_r:ssh_port_t +portcon tcp 23 system_u:object_r:telnetd_port_t + portcon tcp 25 system_u:object_r:smtp_port_t portcon tcp 465 system_u:object_r:smtp_port_t portcon tcp 587 system_u:object_r:smtp_port_t -') -ifdef(`use_dns', ` + +portcon udp 500 system_u:object_r:isakmp_port_t portcon udp 53 system_u:object_r:dns_port_t portcon tcp 53 system_u:object_r:dns_port_t -') -ifdef(`use_dhcpd', `portcon udp 67 system_u:object_r:dhcpd_port_t') -ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t') -ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t') -ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t') -ifdef(`apache.te', ` + +portcon udp 67 system_u:object_r:dhcpd_port_t +portcon udp 68 system_u:object_r:dhcpc_port_t +portcon udp 70 system_u:object_r:gopher_port_t +portcon tcp 70 system_u:object_r:gopher_port_t + +portcon udp 69 system_u:object_r:tftp_port_t +portcon tcp 79 system_u:object_r:fingerd_port_t + portcon tcp 80 system_u:object_r:http_port_t portcon tcp 443 system_u:object_r:http_port_t -') -ifdef(`use_pop', ` +portcon tcp 488 system_u:object_r:http_port_t +portcon tcp 8008 system_u:object_r:http_port_t + portcon tcp 106 system_u:object_r:pop_port_t portcon tcp 109 system_u:object_r:pop_port_t portcon tcp 110 system_u:object_r:pop_port_t -') -ifdef(`portmap.te', ` +portcon tcp 143 system_u:object_r:pop_port_t +portcon tcp 220 system_u:object_r:pop_port_t +portcon tcp 993 
system_u:object_r:pop_port_t +portcon tcp 995 system_u:object_r:pop_port_t +portcon tcp 1109 system_u:object_r:pop_port_t + portcon udp 111 system_u:object_r:portmap_port_t portcon tcp 111 system_u:object_r:portmap_port_t -') -ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t') -ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t') -ifdef(`samba.te', ` + +portcon tcp 119 system_u:object_r:innd_port_t +portcon udp 123 system_u:object_r:ntp_port_t + portcon tcp 137 system_u:object_r:smbd_port_t portcon udp 137 system_u:object_r:nmbd_port_t portcon tcp 138 system_u:object_r:smbd_port_t 
@@ -80,39 +84,26 @@ portcon udp 138 system_u:object_r:nmbd_port_t portcon tcp 139 system_u:object_r:smbd_port_t portcon udp 139 system_u:object_r:nmbd_port_t portcon tcp 445 system_u:object_r:smbd_port_t -') -ifdef(`use_pop', ` -portcon tcp 143 system_u:object_r:pop_port_t -portcon tcp 220 system_u:object_r:pop_port_t -') -ifdef(`snmpd.te', ` + portcon udp 161 system_u:object_r:snmp_port_t portcon udp 162 system_u:object_r:snmp_port_t portcon tcp 199 system_u:object_r:snmp_port_t -') -ifdef(`comsat.te', ` portcon udp 512 system_u:object_r:comsat_port_t -') -ifdef(`slapd.te', ` + portcon tcp 389 system_u:object_r:ldap_port_t portcon udp 389 system_u:object_r:ldap_port_t portcon tcp 636 system_u:object_r:ldap_port_t portcon udp 636 system_u:object_r:ldap_port_t -') -ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t') -ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t') -ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t') -ifdef(`syslogd.te', ` + +portcon tcp 513 system_u:object_r:rlogind_port_t +portcon tcp 514 system_u:object_r:rsh_port_t + +portcon tcp 515 system_u:object_r:printer_port_t portcon udp 514 system_u:object_r:syslogd_port_t -') -ifdef(`ktalkd.te', ` portcon udp 517 system_u:object_r:ktalkd_port_t portcon udp 518 system_u:object_r:ktalkd_port_t -') -ifdef(`cups.te', ` portcon tcp 631 system_u:object_r:ipp_port_t portcon udp 631 system_u:object_r:ipp_port_t -') portcon tcp 88 system_u:object_r:kerberos_port_t portcon udp 88 system_u:object_r:kerberos_port_t portcon tcp 464 system_u:object_r:kerberos_admin_port_t 
@@ -122,66 +113,57 @@ portcon tcp 750 system_u:object_r:kerberos_port_t portcon udp 750 system_u:object_r:kerberos_port_t portcon tcp 4444 system_u:object_r:kerberos_master_port_t portcon udp 4444 system_u:object_r:kerberos_master_port_t -ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t') -ifdef(`rsync.te', ` +portcon tcp 783 system_u:object_r:spamd_port_t +portcon tcp 540 system_u:object_r:uucpd_port_t +portcon tcp 2401 system_u:object_r:cvs_port_t +portcon udp 2401 system_u:object_r:cvs_port_t portcon tcp 873 system_u:object_r:rsync_port_t portcon udp 873 system_u:object_r:rsync_port_t -') -ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t') -ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t') -ifdef(`use_pop', ` -portcon tcp 993 system_u:object_r:pop_port_t -portcon tcp 995 system_u:object_r:pop_port_t -portcon tcp 1109 system_u:object_r:pop_port_t -') -ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t') -ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t') -ifdef(`radius.te', ` +portcon tcp 901 system_u:object_r:swat_port_t +portcon tcp 953 system_u:object_r:rndc_port_t +portcon tcp 1213 system_u:object_r:giftd_port_t +portcon tcp 1241 system_u:object_r:nessus_port_t +portcon tcp 1234 system_u:object_r:monopd_port_t portcon udp 1645 system_u:object_r:radius_port_t portcon udp 1646 system_u:object_r:radacct_port_t portcon udp 1812 system_u:object_r:radius_port_t portcon udp 1813 system_u:object_r:radacct_port_t -') -ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t') -ifdef(`gatekeeper.te', ` portcon udp 1718 system_u:object_r:gatekeeper_port_t portcon udp 1719 system_u:object_r:gatekeeper_port_t portcon tcp 1721 system_u:object_r:gatekeeper_port_t portcon tcp 7000 system_u:object_r:gatekeeper_port_t -') -ifdef(`asterisk.te', ` +portcon tcp 2040 system_u:object_r:afs_fs_port_t +portcon udp 7000 system_u:object_r:afs_fs_port_t +portcon udp 7002 
system_u:object_r:afs_pt_port_t +portcon udp 7003 system_u:object_r:afs_vl_port_t +portcon udp 7004 system_u:object_r:afs_ka_port_t +portcon udp 7005 system_u:object_r:afs_fs_port_t +portcon udp 7007 system_u:object_r:afs_bos_port_t portcon tcp 1720 system_u:object_r:asterisk_port_t portcon udp 2427 system_u:object_r:asterisk_port_t portcon udp 2727 system_u:object_r:asterisk_port_t portcon udp 4569 system_u:object_r:asterisk_port_t portcon udp 5060 system_u:object_r:asterisk_port_t -') portcon tcp 2000 system_u:object_r:mail_port_t -ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t') -ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t') -ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t') -ifdef(`distcc.te', `portcon tcp 3632 system_u:object_r:distccd_port_t') -ifdef(`use_pxe', `portcon udp 4011 system_u:object_r:pxe_port_t') -ifdef(`openvpn.te', `portcon udp 5000 system_u:object_r:openvpn_port_t') -ifdef(`imazesrv.te',` +portcon tcp 2601 system_u:object_r:zebra_port_t +portcon tcp 2628 system_u:object_r:dict_port_t +portcon tcp 3306 system_u:object_r:mysqld_port_t +portcon tcp 3632 system_u:object_r:distccd_port_t +portcon udp 4011 system_u:object_r:pxe_port_t +portcon udp 5000 system_u:object_r:openvpn_port_t portcon tcp 5323 system_u:object_r:imaze_port_t portcon udp 5323 system_u:object_r:imaze_port_t -') -ifdef(`howl.te', ` portcon tcp 5335 system_u:object_r:howl_port_t portcon udp 5353 system_u:object_r:howl_port_t -') -ifdef(`jabberd.te', ` portcon tcp 5222 system_u:object_r:jabber_client_port_t portcon tcp 5223 system_u:object_r:jabber_client_port_t portcon tcp 5269 system_u:object_r:jabber_interserver_port_t -') -ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t') -ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t') -ifdef(`xdm.te', ` +portcon tcp 5432 system_u:object_r:postgresql_port_t +portcon tcp 5666 system_u:object_r:inetd_child_port_t +portcon tcp 
5703 system_u:object_r:ptal_port_t +portcon tcp 50000 system_u:object_r:hplip_port_t +portcon tcp 50002 system_u:object_r:hplip_port_t portcon tcp 5900 system_u:object_r:vnc_port_t -') -ifdef(`use_x_ports', ` portcon tcp 6000 system_u:object_r:xserver_port_t portcon tcp 6001 system_u:object_r:xserver_port_t portcon tcp 6002 system_u:object_r:xserver_port_t 
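Review bot: `portcon udp 7007 system_u:object_r:afs_bos_port_t` in this hunk takes over the port that the ciped entry (`portcon udp 7007 system_u:object_r:cipe_port_t`, removed in the following hunk) used to label, and it is the only 7007 entry left, so a ciped domain that binds cipe_port_t would now be denied unless its rules are changed outside this diff. If CIPE support is being dropped that should be stated in the commit message; if not, one of the two services needs a different port label, since a port number can carry only one type.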
@@ -202,29 +184,34 @@ portcon tcp 6016 system_u:object_r:xserver_port_t portcon tcp 6017 system_u:object_r:xserver_port_t portcon tcp 6018 system_u:object_r:xserver_port_t portcon tcp 6019 system_u:object_r:xserver_port_t -') -ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t') -ifdef(`ciped.te', `portcon udp 7007 system_u:object_r:cipe_port_t') -ifdef(`sound-server.te', ` +portcon tcp 6667 system_u:object_r:ircd_port_t portcon tcp 8000 system_u:object_r:soundd_port_t # 9433 is for YIFF portcon tcp 9433 system_u:object_r:soundd_port_t -') -ifdef(`use_http_cache', ` portcon tcp 3128 system_u:object_r:http_cache_port_t portcon tcp 8080 system_u:object_r:http_cache_port_t portcon udp 3130 system_u:object_r:http_cache_port_t -') -ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t') -ifdef(`amanda.te', ` +# 8118 is for privoxy +portcon tcp 8118 system_u:object_r:http_cache_port_t + +portcon udp 4041 system_u:object_r:clockspeed_port_t +portcon tcp 8081 system_u:object_r:transproxy_port_t portcon udp 10080 system_u:object_r:amanda_port_t portcon tcp 10080 system_u:object_r:amanda_port_t portcon udp 10081 system_u:object_r:amanda_port_t portcon tcp 10081 system_u:object_r:amanda_port_t portcon tcp 10082 system_u:object_r:amanda_port_t portcon tcp 10083 system_u:object_r:amanda_port_t -') -ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t') +portcon tcp 60000 system_u:object_r:postgrey_port_t + +portcon tcp 10024 system_u:object_r:amavisd_recv_port_t +portcon tcp 10025 system_u:object_r:amavisd_send_port_t +portcon tcp 3310 system_u:object_r:clamd_port_t +portcon udp 6276 system_u:object_r:dcc_port_t +portcon udp 6277 system_u:object_r:dcc_port_t +portcon udp 24441 system_u:object_r:pyzor_port_t +portcon tcp 2703 system_u:object_r:razor_port_t +portcon tcp 8021 system_u:object_r:zope_port_t # Defaults for reserved ports. 
Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise
diff --git a/strict/types/device.te b/strict/types/device.te
index 35836e24..ffa6c11a 100644
--- a/strict/types/device.te
+++ b/strict/types/device.te
@@ -10,7 +10,7 @@
 #
 # device_t is the type of /dev.
 #
-type device_t, file_type, dev_fs;
+type device_t, file_type, mount_point, dev_fs;
 #
 # null_device_t is the type of /dev/null.
@@ -154,3 +154,10 @@ type cpu_device_t, device_type, dev_fs;
 # for other device nodes such as the NVidia binary-only driver
 type xserver_misc_device_t, device_type, dev_fs;
+
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t, device_type, dev_fs;
+
+
+
+
diff --git a/strict/types/devpts.te b/strict/types/devpts.te
index b50cd557..56b8ddef 100644
--- a/strict/types/devpts.te
+++ b/strict/types/devpts.te
@@ -10,12 +10,12 @@
 #
 # ptmx_t is the type for /dev/ptmx.
 #
-type ptmx_t, sysadmfile, device_type, dev_fs;
+type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
 #
 # devpts_t is the type of the devpts file system and
 # the type of the root directory of the file system.
 #
-type devpts_t, fs_type;
+type devpts_t, mount_point, fs_type;
diff --git a/strict/types/file.te b/strict/types/file.te
index 0df034af..d6bc8a98 100644
--- a/strict/types/file.te
+++ b/strict/types/file.te
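Review bot: The new `crypt_device_t` in the device.te -154 hunk is followed by four added blank lines at end of file and its comment misspells "accelerator"; trim the trailing blank lines and use `# for the IBM zSeries z90crypt hardware SSL accelerator`. The type has no matching file context in this diff, so a note on which device node it is meant to label (or the .fc change that assigns it) would help the next reader connect the type to a path.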
@@ -23,37 +23,37 @@ type fs_t, fs_type;
 type eventpollfs_t, fs_type;
 type futexfs_t, fs_type;
 type bdev_t, fs_type;
-type usbfs_t, fs_type;
+type usbfs_t, mount_point, fs_type;
 type nfsd_fs_t, fs_type;
 type rpc_pipefs_t, fs_type;
-type binfmt_misc_fs_t, fs_type;
+type binfmt_misc_fs_t, mount_point, fs_type;
 #
 # file_t is the default type of a file that has not yet been
 # assigned an extended attribute (EA) value (when using a filesystem
 # that supports EAs).
 #
-type file_t, file_type, sysadmfile;
+type file_t, file_type, mount_point, sysadmfile;
 # default_t is the default type for files that do not
 # match any specification in the file_contexts configuration
 # other than the generic /.* specification.
-type default_t, file_type, sysadmfile;
+type default_t, file_type, mount_point, sysadmfile;
 #
 # root_t is the type for the root directory.
 #
-type root_t, file_type, sysadmfile;
+type root_t, file_type, mount_point, polyparent, sysadmfile;
 #
 # mnt_t is the type for mount points such as /mnt/cdrom
-type mnt_t, file_type, sysadmfile;
+type mnt_t, file_type, mount_point, sysadmfile;
 #
 # home_root_t is the type for the directory where user home directories
 # are created
 #
-type home_root_t, file_type, sysadmfile;
+type home_root_t, file_type, mount_point, polyparent, sysadmfile;
 #
 # lost_found_t is the type for the lost+found directories.
@@ -64,7 +64,7 @@ type lost_found_t, file_type, sysadmfile;
 # boot_t is the type for files in /boot,
 # including the kernel.
 #
-type boot_t, file_type, sysadmfile;
+type boot_t, file_type, mount_point, sysadmfile;
 # system_map_t is for the system.map files in /boot
 type system_map_t, file_type, sysadmfile;
@@ -77,7 +77,7 @@ type boot_runtime_t, file_type, sysadmfile;
 #
 # tmp_t is the type of /tmp and /var/tmp.
 #
-type tmp_t, file_type, sysadmfile, tmpfile;
+type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile;
 #
 # etc_t is the type of the system etc directories.
@@ -137,7 +137,11 @@ type shlib_t, file_type, sysadmfile; # texrel_shlib_t is the type of shared objects in the system lib # directories, which require text relocation. # +ifdef(`targeted_policy', ` +typealias lib_t alias texrel_shlib_t; +', ` type texrel_shlib_t, file_type, sysadmfile; +') # ld_so_t is the type of the system dynamic loaders. # @@ -171,26 +175,27 @@ type sbin_t, file_type, sysadmfile; # # usr_t is the type for /usr. # -type usr_t, file_type, sysadmfile; +type usr_t, file_type, mount_point, sysadmfile; # # src_t is the type of files in the system src directories. # -type src_t, file_type, sysadmfile; +type src_t, file_type, mount_point, sysadmfile; # # var_t is the type for /var. # -type var_t, file_type, sysadmfile; +type var_t, file_type, mount_point, sysadmfile; # # Types for subdirectories of /var. # type var_run_t, file_type, sysadmfile; type var_log_t, file_type, sysadmfile, logfile; +typealias var_log_t alias crond_log_t; type faillog_t, file_type, sysadmfile, logfile; type var_lock_t, file_type, sysadmfile, lockfile; -type var_lib_t, file_type, sysadmfile; +type var_lib_t, mount_point, file_type, sysadmfile; # for /var/{spool,lib}/texmf index files type tetex_data_t, file_type, sysadmfile, tmpfile; type var_spool_t, file_type, sysadmfile, tmpfile; @@ -203,18 +208,13 @@ type var_log_ksyms_t, file_type, sysadmfile, logfile; type lastlog_t, file_type, sysadmfile, logfile; # Type for /var/lib/nfs. -type var_lib_nfs_t, file_type, sysadmfile, usercanread; +type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread; # # wtmp_t is the type of /var/log/wtmp. # type wtmp_t, file_type, sysadmfile, logfile; -# -# catman_t is the type for /var/catman. -# -type catman_t, file_type, sysadmfile, tmpfile; - # # cron_spool_t is the type for /var/spool/cron. # 
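Review bot: Under `targeted_policy` the new `typealias lib_t alias texrel_shlib_t;` makes the comment just above the hunk ("shared objects ... which require text relocation") false for that configuration: any `execmod` permission written against `texrel_shlib_t` now applies to every library labelled `lib_t`. That is a deliberate loss of separation in targeted and should be stated where the alias is declared, e.g. `# targeted: no textrel distinction is kept, so execmod granted on texrel_shlib_t covers all of lib_t`. The comment block this modifies starts above the hunk.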
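Review bot: `typealias var_log_t alias crond_log_t;` folds the cron log type into the generic log type, so any domain that could write `crond_log_t` files can now write everything labelled `var_log_t`; if that widening is intended it should be recorded, e.g. `# crond_log_t merged into var_log_t: cron logs are no longer separately protected`. Also `type var_lib_t, mount_point, file_type, sysadmfile;` orders the attributes differently from every other declaration in this hunk; change it to `type var_lib_t, file_type, mount_point, sysadmfile;`.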
@@ -239,6 +239,7 @@ type mqueue_spool_t, file_type, sysadmfile; # man_t is the type for the man directories. # type man_t, file_type, sysadmfile; +typealias man_t alias catman_t; # # readable_t is a general type for @@ -271,23 +272,23 @@ type locale_t, file_type, sysadmfile; # the default file system type. # allow { file_type device_type ttyfile } fs_t:filesystem associate; -ifdef(`distro_redhat', ` -allow { dev_fs ttyfile } tmpfs_t:filesystem associate; -') # Allow the pty to be associated with the file system. allow devpts_t self:filesystem associate; type tmpfs_t, file_type, sysadmfile, fs_type; allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate; +ifdef(`distro_redhat', ` +allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate; +') type autofs_t, fs_type, noexattrfile, sysadmfile; allow autofs_t self:filesystem associate; -type usbdevfs_t, fs_type, noexattrfile, sysadmfile; +type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile; allow usbdevfs_t self:filesystem associate; -type sysfs_t, fs_type, sysadmfile; +type sysfs_t, mount_point, fs_type, sysadmfile; allow sysfs_t self:filesystem associate; type iso9660_t, fs_type, noexattrfile, sysadmfile; @@ -302,6 +303,12 @@ allow ramfs_t self:filesystem associate; type dosfs_t, fs_type, noexattrfile, sysadmfile; allow dosfs_t self:filesystem associate; +type hugetlbfs_t, mount_point, fs_type, sysadmfile; +allow hugetlbfs_t self:filesystem associate; + +type mqueue_t, mount_point, fs_type, sysadmfile; +allow mqueue_t self:filesystem associate; + # udev_runtime_t is the type of the udev table file type udev_runtime_t, file_type, sysadmfile; 
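Review bot: `typealias man_t alias catman_t;` replaces the `catman_t` type removed in the previous hunk, and that type was a `tmpfile` (a writable cache) while `man_t` labels the man page tree itself, so any rule that let a domain create or write `catman_t` files now lets it write the installed man pages. If that is acceptable, say so at the alias: `# catman_t merged into man_t; formatted-page caches are writable wherever man_t is`. Any tmpfile-based cleanup rules that referred to catman_t are outside this hunk and should be re-checked.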
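Review bot: The `distro_redhat` associate rule is widened from `tmpfs_t` to `{ tmpfs_t tmp_t }`, so device-node and tty types may now reside on a filesystem labelled `tmp_t`, and the hunk gives no reason; presumably a tmpfs mounted on /dev or /tmp ends up labelled tmp_t, but that should be written down: `# Red Hat: a tmpfs carrying tmp_t may hold device and tty nodes, so allow them to associate` (confirm which mount this is for). The moved rule also now sits after the `tmpfs_t` declaration it references, which resolves the forward reference the old placement had. `sysfs_t, mount_point, fs_type` and `usbdevfs_t, fs_type, mount_point` order the attributes differently; use one order.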
@@ -310,7 +317,12 @@ type krb5_conf_t, file_type, sysadmfile;
 type cifs_t, fs_type, noexattrfile, sysadmfile;
 allow cifs_t self:filesystem associate;
-typealias cifs_t alias sambafs_t;
+
+type debugfs_t, fs_type, sysadmfile;
+allow debugfs_t self:filesystem associate;
+
+type inotifyfs_t, fs_type, sysadmfile;
+allow inotifyfs_t self:filesystem associate;
 # removable_t is the default type of all removable media
 type removable_t, file_type, sysadmfile, usercanread;
@@ -318,4 +330,11 @@ allow removable_t self:filesystem associate;
 allow file_type removable_t:filesystem associate;
 allow file_type noexattrfile:filesystem associate;
+# Type for anonymous FTP data, used by ftp and rsync
+type ftpd_anon_t, file_type, sysadmfile, customizable;
+
+allow customizable self:filesystem associate;
+
+# type for /tmp/.ICE-unix
+type ice_tmp_t, file_type, sysadmfile, tmpfile;
diff --git a/strict/types/network.te b/strict/types/network.te
index 39666ee5..bf5ca671 100644
--- a/strict/types/network.te
+++ b/strict/types/network.te
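Review bot: Removing `typealias cifs_t alias sambafs_t;` breaks any rule or file_contexts line that still names `sambafs_t`, and unlike the other type changes in this series it is an outright removal rather than a merge into an alias; unless the remaining users were checked in this same change, keep the alias for one more release or note its removal. Separately, `debugfs_t` exposes kernel internals, and a comment such as `# debugfs_t: kernel debugfs, sysadm-only (deliberately not usercanread)` would make the absence of `usercanread` read as intentional rather than forgotten.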
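Review bot: `ftpd_anon_t` carries `customizable`, which, if it has its usual meaning, tells relabelling tools to leave files of that type alone, so a directory mislabelled ftpd_anon_t survives a full relabel; the comment should state this: `# customizable: anonymous FTP/rsync content is labelled by the admin and is not touched by restorecon`. `allow customizable self:filesystem associate;` grants a filesystem permission to an attribute of file types, which only makes sense if a filesystem can itself be labelled with a customizable type (e.g. a `context=` mount); if that is the intent, say so in a comment, otherwise the rule is dead.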
@@ -8,50 +8,27 @@
 # Modified by Russell Coker
 # Move port types to their respective domains, add ifdefs, other cleanups.
-# generally we do not want to define port types in this file, but some things
-# are insanely difficult to do elsewhere, xserver_port_t is a good example
-# getting the type defined is the easy part for X, conditional code for many
-# other domains (including one that starts with a) is the hard part.
-ifdef(`xdm.te', `define(`use_x_ports')')
-ifdef(`startx.te', `define(`use_x_ports')')
-ifdef(`xauth.te', `define(`use_x_ports')')
-ifdef(`xserver.te', `define(`use_x_ports')')
-ifdef(`use_x_ports', `
 type xserver_port_t, port_type;
-')
 #
 # Defines used by the te files need to be defined outside of net_constraints
 #
-ifdef(`named.te', `define(`use_dns')')
-ifdef(`nsd.te', `define(`use_dns')')
-ifdef(`tinydns.te', `define(`use_dns')')
-ifdef(`dnsmasq.te', `define(`use_dns')')
-ifdef(`use_dns', `
-type dns_port_t, port_type;
-')
+type rsh_port_t, port_type, reserved_port_type;
+type dns_port_t, port_type, reserved_port_type;
+type smtp_port_t, port_type, reserved_port_type;
+type dhcpd_port_t, port_type, reserved_port_type;
+type smbd_port_t, port_type, reserved_port_type;
+type nmbd_port_t, port_type, reserved_port_type;
+type http_cache_port_t, port_type, reserved_port_type;
+type http_port_t, port_type, reserved_port_type;
+type ipp_port_t, port_type, reserved_port_type;
+type gopher_port_t, port_type, reserved_port_type;
+type isakmp_port_t, port_type, reserved_port_type;
-ifdef(`dhcpd.te', `define(`use_dhcpd')')
-ifdef(`dnsmasq.te', `define(`use_dhcpd')')
-ifdef(`use_dhcpd', `
-type dhcpd_port_t, port_type;
-')
-
-ifdef(`cyrus.te', `define(`use_pop')')
-ifdef(`courier.te', `define(`use_pop')')
-ifdef(`perdition.te', `define(`use_pop')')
-ifdef(`dovecot.te', `define(`use_pop')')
-ifdef(`uwimapd.te', `define(`use_pop')')
-ifdef(`use_pop', `
+allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
 type pop_port_t, port_type, reserved_port_type;
-')
-ifdef(`apache.te', `define(`use_http_cache')')
-ifdef(`squid.te', `define(`use_http_cache')')
-ifdef(`use_http_cache', `
-type http_cache_port_t, port_type;
-')
-ifdef(`dhcpd.te', `define(`use_pxe')')
-ifdef(`pxe.te', `define(`use_pxe')')
+type ftp_port_t, port_type, reserved_port_type;
+type ftp_data_port_t, port_type, reserved_port_type;
 ############################################
 #
@@ -70,6 +47,16 @@ type kerberos_port_t, port_type, reserved_port_type;
 type kerberos_admin_port_t, port_type, reserved_port_type;
 type kerberos_master_port_t, port_type;
+#
+# Ports used to communicate with portmap server
+#
+type portmap_port_t, port_type, reserved_port_type;
+
+#
+# Ports used to communicate with ldap server
+#
+type ldap_port_t, port_type, reserved_port_type;
+
 #
 # port_t is the default type of INET port numbers.
 # The *_port_t types are used for specific port
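Review bot: `allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;` is an access rule inserted between type declarations in a file that otherwise only declares types (its few `allow` rules, for kernel_t, sit at the end), and it relies on the `web_client_domain` attribute being declared elsewhere, which is not visible here. Move it to the rule section of the file or, failing that, comment it: `# any web client domain may connect to HTTP and HTTP-proxy ports`. Since the `ifdef` guards are gone, `dns_port_t`, `dhcpd_port_t` and friends are now declared unconditionally, so the removed "generally we do not want to define port types in this file" rationale no longer holds and the header comment at the top of this hunk should be updated to say port types now live here.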
@@ -120,3 +107,79 @@ allow kernel_t node_type:node { rawip_send rawip_recv };
 # Kernel-generated traffic, e.g. TCP resets.
 allow kernel_t netif_type:netif { tcp_send tcp_recv };
 allow kernel_t node_type:node { tcp_send tcp_recv };
+type radius_port_t, port_type;
+type radacct_port_t, port_type;
+type rndc_port_t, port_type, reserved_port_type;
+type tftp_port_t, port_type, reserved_port_type;
+type printer_port_t, port_type, reserved_port_type;
+type mysqld_port_t, port_type;
+type postgresql_port_t, port_type;
+type ptal_port_t, port_type, reserved_port_type;
+type howl_port_t, port_type;
+type dict_port_t, port_type;
+type syslogd_port_t, port_type, reserved_port_type;
+type spamd_port_t, port_type, reserved_port_type;
+type ssh_port_t, port_type, reserved_port_type;
+type pxe_port_t, port_type;
+type amanda_port_t, port_type;
+type fingerd_port_t, port_type, reserved_port_type;
+type dhcpc_port_t, port_type, reserved_port_type;
+type ntp_port_t, port_type, reserved_port_type;
+type stunnel_port_t, port_type;
+type zebra_port_t, port_type;
+type i18n_input_port_t, port_type;
+type vnc_port_t, port_type;
+type openvpn_port_t, port_type;
+type clamd_port_t, port_type, reserved_port_type;
+type transproxy_port_t, port_type;
+type clockspeed_port_t, port_type;
+type pyzor_port_t, port_type, reserved_port_type;
+type postgrey_port_t, port_type;
+type asterisk_port_t, port_type;
+type utcpserver_port_t, port_type;
+type nessus_port_t, port_type;
+type razor_port_t, port_type;
+type distccd_port_t, port_type;
+type socks_port_t, port_type;
+type gatekeeper_port_t, port_type;
+type dcc_port_t, port_type;
+type lrrd_port_t, port_type;
+type jabber_client_port_t, port_type;
+type jabber_interserver_port_t, port_type;
+type ircd_port_t, port_type;
+type giftd_port_t, port_type;
+type soundd_port_t, port_type;
+type imaze_port_t, port_type;
+type monopd_port_t, port_type;
+# Differentiate between the port where amavisd receives mail, and the
+port where it returns cleaned mail back to the MTA.
+type amavisd_recv_port_t, port_type;
+type amavisd_send_port_t, port_type;
+type innd_port_t, port_type, reserved_port_type;
+type snmp_port_t, port_type, reserved_port_type;
+type biff_port_t, port_type, reserved_port_type;
+type hplip_port_t, port_type;
+
+#inetd_child_ports
+
+type rlogind_port_t, port_type, reserved_port_type;
+type telnetd_port_t, port_type, reserved_port_type;
+type comsat_port_t, port_type, reserved_port_type;
+type cvs_port_t, port_type;
+type dbskkd_port_t, port_type, reserved_port_type;
+type inetd_child_port_t, port_type, reserved_port_type;
+type ktalkd_port_t, port_type, reserved_port_type;
+type rsync_port_t, port_type, reserved_port_type;
+type uucpd_port_t, port_type, reserved_port_type;
+type swat_port_t, port_type, reserved_port_type;
+type zope_port_t, port_type;
+type auth_port_t, port_type, reserved_port_type;
+
+# afs ports
+
+type afs_fs_port_t, port_type;
+type afs_pt_port_t, port_type;
+type afs_vl_port_t, port_type;
+type afs_ka_port_t, port_type;
+type afs_bos_port_t, port_type;
+
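Review bot: Several new port types are tagged `reserved_port_type` although the services conventionally listen above 1023 — `clamd_port_t` (clamd defaults to 3310), `pyzor_port_t` (24441), `ptal_port_t` (5703) and `dbskkd_port_t` (1178) — while `cvs_port_t` (2401) and the database ports are correctly left unreserved; since that attribute presumably decides which domains may `name_bind` the port, verify each one against its portcon entry in net_contexts and drop the attribute where the port is not privileged. The second line of the amavisd comment reads `+port where it returns cleaned mail back to the MTA.` with no leading `#` in this rendering; if the file really reads that way it will not parse, so confirm it is `# port where ...`. Grouping the long list (reserved vs. unreserved, or alphabetical) as the inetd and afs sections below already do would make such mismatches easier to spot.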