From 207c4d1e6e9e3e21e3435d3ab383a79bf2240719 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 7 Jan 2010 09:00:48 -0500
Subject: [PATCH] Snmp patch from Dan Walsh.

---
 policy/modules/services/snmp.if | 21 ++++++++++++++++++++-
 policy/modules/services/snmp.te |  6 ++++--
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index 42f5ca60..275f9fb5 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -1,5 +1,24 @@
 ## Simple network management protocol services
 
+########################################
+##
+## Connect to snmpd using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`snmp_stream_connect',`
+	gen_require(`
+		type snmpd_t, snmpd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+')
+
 ########################################
 ##
 ## Use snmp over a TCP connection. (Deprecated)
@@ -87,7 +106,7 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
 ########################################
 ##
-## All of the rules required to administrate
+## All of the rules required to administrate
 ## an snmp environment
 ##
 ##
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index f82cbc9e..7a805f0f 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
-policy_module(snmp, 1.10.0)
+policy_module(snmp, 1.10.1)
 
 ########################################
 #
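Review bot: `stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)` in the new `snmp_stream_connect` interface passes the general snmpd_var_lib_t type as the socket-file type as well as the directory type, so every caller is granted write on any sock_file carrying that label plus connectto on snmpd_t's unix stream sockets, rather than access to one named socket. If snmpd's other state under /var/lib shares snmpd_var_lib_t, a dedicated socket type declared in snmp.te and labeled in snmp.fc would keep the grant to the socket itself; that is a least-privilege follow-up rather than a blocker. The doc block above the interface also reads as plain `##` lines here — worth confirming the committed file still carries the `<summary>`/`<param>` markup the refpolicy doc tooling keys on, as it may simply have been lost in this copy.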
@@ -27,7 +27,7 @@ files_type(snmpd_var_lib_t)
 #
 allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
-allow snmpd_t self:process { getsched setsched };
+allow snmpd_t self:process { signal_perms getsched setsched };
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
@@ -72,6 +72,8 @@ corenet_tcp_bind_snmp_port(snmpd_t)
 corenet_udp_bind_snmp_port(snmpd_t)
 corenet_sendrecv_snmp_server_packets(snmpd_t)
 corenet_tcp_connect_agentx_port(snmpd_t)
+corenet_tcp_bind_agentx_port(snmpd_t)
+corenet_udp_bind_agentx_port(snmpd_t)
 
 dev_list_sysfs(snmpd_t)
 dev_read_sysfs(snmpd_t)
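Review bot: `signal_perms` on the `self:process` line expands to the full signal set (signal, signull, sigkill, sigstop, sigchld); if the denial behind this change was a single permission, `allow snmpd_t self:process { signal getsched setsched };` keeps the grant to what snmpd actually uses. Self-targeted signals are low risk, so this is a least-privilege nit rather than a defect, but the commit message gives no AVC so it cannot be checked from here. A one-line comment above the rule naming the access that motivated it would let the next reader confirm the wider set is needed.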
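Review bot: The two new agentx binds have no matching `corenet_sendrecv_agentx_server_packets(snmpd_t)`, whereas the snmp-port bind a few lines above is paired with `corenet_sendrecv_snmp_server_packets(snmpd_t)`; on a system that labels packets (SECMARK) the master-agent listener would get name_bind but be denied the traffic itself. Adding that line directly after the two binds keeps this hunk consistent with the existing snmp-port rules. Separately, if snmpd only offers the AgentX master transport over TCP, the `corenet_udp_bind_agentx_port(snmpd_t)` line could be dropped — hedged, since whether a UDP listener is configured is not visible in this patch.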