Sysnetwork patch from Dan Walsh.
This commit is contained in:
parent
ddd786e404
commit
1fa92b8a55
@ -13,6 +13,9 @@
|
||||
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
|
||||
@ -21,7 +24,8 @@
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
|
||||
')
|
||||
|
||||
#
|
||||
@ -53,6 +57,7 @@ ifdef(`distro_redhat',`
|
||||
/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||
/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||
/var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||
|
||||
/var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
|
||||
|
||||
|
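Review bot: The directory-wide entries `/etc/sysconfig/networking(/.*)?` and `/etc/sysconfig/network-scripts(/.*)?` give every file under those trees the net_conf_t label, and the same patch lets dhcpc_t manage net_conf_t files under distro_redhat (`manage_files_pattern($1, net_conf_t, net_conf_t)` added to sysnet_manage_config, which the .te now calls as `sysnet_manage_config(dhcpc_t)`). If those directories also hold the ifup/ifdown helper scripts that init executes on Red Hat systems, as I believe they do, the DHCP client domain can then create or rewrite scripts later run by a more privileged domain; it is the `(/.*)?` form rather than a named file that widens this. Consider keeping the directory label but restricting the `--` file entries to the configuration files dhclient actually rewrites, and adding a comment above the two directory entries stating which writers the label is meant to cover. The more specific `/etc/sysconfig/network-scripts/.*resolv\.conf` entry just above becomes redundant once the directory pattern carries the same type.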
@ -43,6 +43,42 @@ interface(`sysnet_run_dhcpc',`
|
||||
|
||||
sysnet_domtrans_dhcpc($1)
|
||||
role $2 types dhcpc_t;
|
||||
|
||||
modutils_run_insmod(dhcpc_t, $2)
|
||||
|
||||
sysnet_run_ifconfig(dhcpc_t, $2)
|
||||
|
||||
optional_policy(`
|
||||
consoletype_run(dhcpc_t, $2)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hostname_run(dhcpc_t, $2)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
netutils_run(dhcpc_t, $2)
|
||||
netutils_run_ping(dhcpc_t, $2)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to use
|
||||
## the dhcp file descriptors.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The domain sending the SIGCHLD.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_dontaudit_use_dhcpc_fds',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
')
|
||||
|
||||
dontaudit $1 dhcpc_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -192,7 +228,25 @@ interface(`sysnet_read_dhcpc_state',`
|
||||
type dhcpc_state_t;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_state_t:file read_file_perms;
|
||||
read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Delete the dhcp client state files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_delete_dhcpc_state',`
|
||||
gen_require(`
|
||||
type dhcpc_state_t;
|
||||
')
|
||||
|
||||
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -252,6 +306,11 @@ interface(`sysnet_read_config',`
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 net_conf_t:file read_file_perms;
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
allow $1 net_conf_t:dir list_dir_perms;
|
||||
read_files_pattern($1, net_conf_t, net_conf_t)
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -345,6 +404,10 @@ interface(`sysnet_manage_config',`
|
||||
')
|
||||
|
||||
allow $1 net_conf_t:file manage_file_perms;
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
manage_files_pattern($1, net_conf_t, net_conf_t)
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -485,6 +548,7 @@ interface(`sysnet_read_dhcp_config',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 dhcp_etc_t:dir list_dir_perms;
|
||||
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
|
||||
')
|
||||
|
||||
@ -578,6 +642,14 @@ interface(`sysnet_dns_name_resolve',`
|
||||
corenet_sendrecv_dns_client_packets($1)
|
||||
|
||||
sysnet_read_config($1)
|
||||
|
||||
optional_policy(`
|
||||
avahi_stream_connect($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
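Review bot: The `<param name="domain">` description in the new `sysnet_dontaudit_use_dhcpc_fds` interface reads `## The domain sending the SIGCHLD.`, which looks copied from a signal interface; the rule it documents is `dontaudit $1 dhcpc_t:fd use;`, so the text should be the usual dontaudit wording, e.g. `## Domain to not audit.`. Separately, the additions to `sysnet_run_dhcpc` (`modutils_run_insmod`, `sysnet_run_ifconfig`, `netutils_run`, `netutils_run_ping`, `consoletype_run`, `hostname_run`) mean a role that can run the DHCP client also reaches module loading and the network utilities through dhcpc_t; a one-line comment naming the dhclient hook that needs each of these would let a later reader prune the list. The body of `sysnet_run_dhcpc` begins outside the hunk.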
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sysnetwork, 1.10.2)
|
||||
policy_module(sysnetwork, 1.10.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -41,21 +41,23 @@ files_type(net_conf_t)
|
||||
#
|
||||
# DHCP client local policy
|
||||
#
|
||||
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
|
||||
dontaudit dhcpc_t self:capability sys_tty_config;
|
||||
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
|
||||
dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
|
||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
|
||||
allow dhcpc_t self:process signal_perms;
|
||||
allow dhcpc_t self:fifo_file rw_file_perms;
|
||||
allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
|
||||
|
||||
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
|
||||
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
|
||||
allow dhcpc_t self:udp_socket create_socket_perms;
|
||||
allow dhcpc_t self:packet_socket create_socket_perms;
|
||||
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
|
||||
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
||||
|
||||
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
|
||||
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
|
||||
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
|
||||
|
||||
allow dhcpc_t dhcp_state_t:file read_file_perms;
|
||||
manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
|
||||
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
|
||||
|
||||
@ -65,7 +67,7 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
|
||||
|
||||
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
|
||||
# in /etc created by dhcpcd will be labelled net_conf_t.
|
||||
allow dhcpc_t net_conf_t:file manage_file_perms;
|
||||
sysnet_manage_config(dhcpc_t)
|
||||
files_etc_filetrans(dhcpc_t, net_conf_t, file)
|
||||
|
||||
# create temp files
|
||||
@ -80,7 +82,9 @@ domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t)
|
||||
|
||||
kernel_read_system_state(dhcpc_t)
|
||||
kernel_read_network_state(dhcpc_t)
|
||||
kernel_search_network_sysctl(dhcpc_t)
|
||||
kernel_read_kernel_sysctls(dhcpc_t)
|
||||
kernel_request_load_module(dhcpc_t)
|
||||
kernel_use_fds(dhcpc_t)
|
||||
|
||||
corecmd_exec_bin(dhcpc_t)
|
||||
@ -108,13 +112,15 @@ dev_read_sysfs(dhcpc_t)
|
||||
dev_read_urand(dhcpc_t)
|
||||
|
||||
domain_use_interactive_fds(dhcpc_t)
|
||||
domain_dontaudit_list_all_domains_state(dhcpc_t)
|
||||
domain_dontaudit_read_all_domains_state(dhcpc_t)
|
||||
|
||||
files_read_etc_files(dhcpc_t)
|
||||
files_read_etc_runtime_files(dhcpc_t)
|
||||
files_read_usr_files(dhcpc_t)
|
||||
files_search_home(dhcpc_t)
|
||||
files_search_var_lib(dhcpc_t)
|
||||
files_dontaudit_search_locks(dhcpc_t)
|
||||
files_getattr_generic_locks(dhcpc_t)
|
||||
|
||||
fs_getattr_all_fs(dhcpc_t)
|
||||
fs_search_auto_mountpoints(dhcpc_t)
|
||||
@ -164,6 +170,10 @@ optional_policy(`
|
||||
hostname_domtrans(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hotplug_getattr_config_dirs(dhcpc_t)
|
||||
hotplug_search_config(dhcpc_t)
|
||||
@ -183,25 +193,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(dhcpc_t)
|
||||
nis_signal_ypbind(dhcpc_t)
|
||||
nis_read_ypbind_pid(dhcpc_t)
|
||||
nis_delete_ypbind_pid(dhcpc_t)
|
||||
|
||||
# dhclient sometimes starts ypbind
|
||||
init_exec_script_files(dhcpc_t)
|
||||
nis_domtrans_ypbind(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_initrc_domtrans(dhcpc_t)
|
||||
nscd_domtrans(dhcpc_t)
|
||||
nscd_read_pid(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# dhclient sometimes starts ntpd
|
||||
init_exec_script_files(dhcpc_t)
|
||||
ntp_domtrans(dhcpc_t)
|
||||
ntp_initrc_domtrans(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -222,6 +224,10 @@ optional_policy(`
|
||||
userdom_use_all_users_fds(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
vmware_append_log(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kernel_read_xen_state(dhcpc_t)
|
||||
kernel_write_xen_state(dhcpc_t)
|
||||
@ -235,7 +241,6 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
|
||||
dontaudit ifconfig_t self:capability sys_module;
|
||||
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow ifconfig_t self:fd use;
|
||||
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -260,6 +265,7 @@ allow ifconfig_t self:tcp_socket { create ioctl };
|
||||
kernel_use_fds(ifconfig_t)
|
||||
kernel_read_system_state(ifconfig_t)
|
||||
kernel_read_network_state(ifconfig_t)
|
||||
kernel_request_load_module(ifconfig_t)
|
||||
kernel_search_network_sysctl(ifconfig_t)
|
||||
kernel_rw_net_sysctls(ifconfig_t)
|
||||
|
||||
@ -272,12 +278,18 @@ dev_read_urand(ifconfig_t)
|
||||
domain_use_interactive_fds(ifconfig_t)
|
||||
|
||||
files_read_etc_files(ifconfig_t)
|
||||
files_read_etc_runtime_files(ifconfig_t)
|
||||
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
|
||||
selinux_dontaudit_getattr_fs(ifconfig_t)
|
||||
|
||||
term_dontaudit_use_console(ifconfig_t)
|
||||
term_dontaudit_use_all_ttys(ifconfig_t)
|
||||
term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
term_dontaudit_use_ptmx(ifconfig_t)
|
||||
term_dontaudit_use_generic_ptys(ifconfig_t)
|
||||
|
||||
files_dontaudit_read_root_files(ifconfig_t)
|
||||
|
||||
@ -313,6 +325,11 @@ ifdef(`hide_broken_symptoms',`
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_dontaudit_rw_pipes(ifconfig_t)
|
||||
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ipsec_write_pid(ifconfig_t)
|
||||
')
|
||||
@ -329,6 +346,14 @@ optional_policy(`
|
||||
ppp_use_fds(ifconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_rw_pipes(ifconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
vmware_append_log(ifconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kernel_read_xen_state(ifconfig_t)
|
||||
kernel_write_xen_state(ifconfig_t)
|
||||
|
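Review bot: The widened dhcpc_t self rules carry no comment explaining what needs them: `allow dhcpc_t self:capability { ... setpcap sys_nice ... }` and `allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }` add process tracing, capability manipulation and file-creation-context control to the DHCP client, while the only explanatory comment in the hunk covers the bashrc dontaudit. Which of the two capability lines and the two netlink_route_socket lines is the new side is not recoverable from this rendering, so I am reading the longer capability set and the process line as the additions. A comment per rule naming the dhclient hook or helper that produced the denial, in the style of `# for access("/etc/bashrc", X_OK) on Red Hat`, would let these be revisited later; `ptrace` in particular deserves a note because the matching `sys_ptrace` capability is only dontaudited, which suggests a silenced denial rather than a required permission. The `kernel_request_load_module` grants for dhcpc_t and ifconfig_t would benefit from the same one-line justification.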