trunk: 3 patches from dan.

This commit is contained in:
Chris PeBenito 2007-09-11 19:24:32 +00:00
parent 8a9d6f6449
commit 134a799c75
5 changed files with 169 additions and 17 deletions

View File

@ -1,5 +1,5 @@
policy_module(inetd,1.4.1)
policy_module(inetd,1.4.2)
########################################
#
@ -80,16 +80,21 @@ corenet_tcp_bind_auth_port(inetd_t)
corenet_udp_bind_comsat_port(inetd_t)
corenet_tcp_bind_dbskkd_port(inetd_t)
corenet_udp_bind_dbskkd_port(inetd_t)
corenet_tcp_bind_ftp_port(inetd_t)
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
corenet_udp_bind_rlogind_port(inetd_t)
corenet_udp_bind_rsh_port(inetd_t)
corenet_tcp_bind_rsh_port(inetd_t)
corenet_tcp_bind_rsync_port(inetd_t)
corenet_udp_bind_rsync_port(inetd_t)
#corenet_tcp_bind_stunnel_port(inetd_t)
corenet_tcp_bind_swat_port(inetd_t)
corenet_udp_bind_swat_port(inetd_t)
corenet_tcp_bind_telnetd_port(inetd_t)
corenet_udp_bind_tftp_port(inetd_t)
corenet_tcp_bind_ssh_port(inetd_t)
@ -134,6 +139,7 @@ miscfiles_read_localization(inetd_t)
# xinetd needs MLS override privileges to work
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
mls_process_set_level(inetd_t)
sysnet_read_config(inetd_t)
@ -141,6 +147,11 @@ sysnet_read_config(inetd_t)
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
ifdef(`enable_mls',`
corenet_tcp_recvfrom_netlabel(inetd_t)
corenet_udp_recvfrom_netlabel(inetd_t)
')
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(inetd_t)
term_dontaudit_use_generic_ptys(inetd_t)
@ -208,6 +219,8 @@ fs_getattr_xattr_fs(inetd_child_t)
files_read_etc_files(inetd_child_t)
auth_use_nsswitch(inetd_child_t)
libs_use_ld_so(inetd_child_t)
libs_use_shared_libs(inetd_child_t)
@ -225,10 +238,3 @@ optional_policy(`
kerberos_use(inetd_child_t)
')
optional_policy(`
nis_use_ypbind(inetd_child_t)
')
optional_policy(`
nscd_socket_use(inetd_child_t)
')

View File

@ -14,6 +14,7 @@ ifdef(`distro_redhat', `
/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
', `
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
@ -28,6 +29,7 @@ ifdef(`distro_redhat', `
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
')
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)

View File

@ -41,6 +41,8 @@ template(`postfix_domain_template',`
allow postfix_$1_t self:unix_stream_socket connectto;
allow postfix_master_t postfix_$1_t:process signal;
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
allow postfix_$1_t postfix_master_t:file read;
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t)
@ -66,6 +68,7 @@ template(`postfix_domain_template',`
fs_search_auto_mountpoints(postfix_$1_t)
fs_getattr_xattr_fs(postfix_$1_t)
fs_rw_anon_inodefs_files(postfix_$1_t)
term_dontaudit_use_console(postfix_$1_t)
@ -138,10 +141,8 @@ template(`postfix_server_domain_template',`
corenet_tcp_connect_all_ports(postfix_$1_t)
corenet_sendrecv_all_client_packets(postfix_$1_t)
sysnet_read_config(postfix_$1_t)
optional_policy(`
nis_use_ypbind(postfix_$1_t)
auth_use_nsswitch(postfix_$1_t)
')
')
@ -273,6 +274,42 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
dontaudit $1 postfix_local_t:tcp_socket { read write };
')
########################################
## <summary>
## Allow domain to read postfix local process state
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`postfix_read_local_state',`
gen_require(`
type postfix_local_t;
')
read_files_pattern($1,postfix_local_t,postfix_local_t)
')
########################################
## <summary>
## Allow domain to read postfix master process state
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`postfix_read_master_state',`
gen_require(`
type postfix_master_t;
')
read_files_pattern($1,postfix_master_t,postfix_master_t)
')
########################################
## <summary>
## Do not audit attempts to use
@ -381,6 +418,25 @@ interface(`postfix_exec_master',`
can_exec($1,postfix_master_exec_t)
')
########################################
## <summary>
## Create a named socket in a postfix private directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postfix_create_pivate_sockets',`
gen_require(`
type postfix_private_t;
')
allow $1 postfix_private_t:dir list_dir_perms;
create_sock_files_pattern($1,postfix_private_t,postfix_private_t)
')
########################################
## <summary>
## Execute the master postfix program in the
@ -438,6 +494,25 @@ interface(`postfix_list_spool',`
files_search_spool($1)
')
########################################
## <summary>
## Read postfix mail spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postfix_read_spool_files',`
gen_require(`
type postfix_spool_t;
')
files_search_spool($1)
read_files_pattern($1,postfix_spool_t, postfix_spool_t)
')
########################################
## <summary>
## Execute postfix user mail programs

View File

@ -1,5 +1,5 @@
policy_module(postfix,1.6.1)
policy_module(postfix,1.6.2)
########################################
#
@ -83,6 +83,12 @@ files_type(postfix_public_t)
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
postfix_server_domain_template(virtual)
mta_mailserver_delivery(postfix_virtual_t)
type postfix_virtual_tmp_t;
files_tmp_file(postfix_virtual_tmp_t)
########################################
#
# Postfix master process local policy
@ -158,6 +164,8 @@ domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
term_dontaudit_search_ptys(postfix_master_t)
miscfiles_read_man_pages(postfix_master_t)
seutil_sigchld_newrole(postfix_master_t)
@ -169,6 +177,10 @@ sysnet_read_config(postfix_master_t)
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
optional_policy(`
auth_use_nsswitch(postfix_master_t)
')
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(postfix_master_t)
term_dontaudit_use_generic_ptys(postfix_master_t)
@ -183,10 +195,18 @@ optional_policy(`
mailman_manage_data_files(postfix_master_t)
')
optional_policy(`
mysql_stream_connect(postfix_master_t)
')
optional_policy(`
nis_use_ypbind(postfix_master_t)
')
optional_policy(`
sendmail_signal(postfix_master_t)
')
###########################################################
#
# Partially converted rules. THESE ARE ONLY TEMPORARY
@ -387,7 +407,7 @@ delete_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_mai
# Postfix pipe local policy
#
allow postfix_pipe_t self:fifo_file { read write };
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
@ -441,6 +461,11 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
optional_policy(`
ppp_use_fds(postfix_postqueue_t)
ppp_sigchld(postfix_postqueue_t)
@ -520,8 +545,6 @@ sysnet_dns_name_resolve(postfix_showq_t)
# Postfix smtp delivery local policy
#
allow postfix_smtp_t self:netlink_route_socket r_netlink_socket_perms;
# connect to master process
stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
@ -529,6 +552,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
files_dontaudit_getattr_home_dir(postfix_smtp_t)
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
@ -552,6 +577,10 @@ corecmd_exec_bin(postfix_smtpd_t)
files_read_usr_files(postfix_smtpd_t)
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
mailman_read_data_files(postfix_smtpd_t)
')
optional_policy(`
postgrey_stream_connect(postfix_smtpd_t)
')
@ -559,3 +588,31 @@ optional_policy(`
optional_policy(`
sasl_connect(postfix_smtpd_t)
')
########################################
#
# Postfix virtual local policy
#
allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
manage_dirs_pattern(postfix_virtual_t,postfix_virtual_tmp_t,postfix_virtual_tmp_t)
manage_files_pattern(postfix_virtual_t,postfix_virtual_tmp_t,postfix_virtual_tmp_t)
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
# connect to master process
stream_connect_pattern(postfix_virtual_t,postfix_public_t,postfix_public_t,postfix_master_t)
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
files_read_etc_files(postfix_virtual_t)
mta_read_aliases(postfix_virtual_t)
mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)

View File

@ -1,5 +1,5 @@
policy_module(locallogin,1.4.1)
policy_module(locallogin,1.4.2)
########################################
#
@ -25,6 +25,7 @@ domain_subj_id_change_exemption(sulogin_t)
domain_role_change_exemption(sulogin_t)
domain_interactive_fd(sulogin_t)
init_domain(sulogin_t,sulogin_exec_t)
init_system_domain(sulogin_t,sulogin_exec_t)
role system_r types sulogin_t;
########################################
@ -138,7 +139,6 @@ userdom_sigchld_all_users(local_login_t)
userdom_create_all_users_keys(local_login_t)
ifdef(`targeted_policy',`
unconfined_domain(local_login_t)
unconfined_shell_domtrans(local_login_t)
')
@ -160,6 +160,13 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(local_login_t)
')
optional_policy(`
dbus_system_bus_client_template(local_login,local_login_t)
dbus_send_system_bus(local_login_t)
consolekit_dbus_chat(local_login_t)
')
optional_policy(`
gpm_getattr_gpmctl(local_login_t)
gpm_setattr_gpmctl(local_login_t)
@ -186,6 +193,11 @@ optional_policy(`
alsa_domtrans(local_login_t)
')
optional_policy(`
xserver_read_xdm_tmp_files(local_login_t)
xserver_rw_xdm_tmp_files(local_login_t)
')
#################################
#
# Sulogin local policy