From 27eab81f2f73121c52731006941d466791fa9c14 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 8 Feb 2010 13:38:48 -0500 Subject: [PATCH] Misc fixes for 1031ee6. --- policy/modules/kernel/files.if | 36 ++++----- policy/modules/services/apache.if | 1 - policy/modules/services/apache.te | 2 +- policy/modules/services/bind.if | 41 +++++----- policy/modules/services/cobbler.fc | 10 +-- policy/modules/services/cobbler.if | 114 ++++++++++++++-------------- policy/modules/services/cobbler.te | 9 +-- policy/modules/services/dnsmasq.fc | 2 +- policy/modules/services/dnsmasq.if | 76 +++++++++---------- policy/modules/services/dnsmasq.te | 3 +- policy/modules/services/rsync.if | 4 +- policy/modules/services/rsync.te | 2 +- policy/modules/services/tftp.if | 58 +++++--------- policy/modules/system/miscfiles.fc | 4 +- policy/modules/system/sysnetwork.fc | 2 +- 15 files changed, 171 insertions(+), 193 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index f853bf52..1cdf376d 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1502,24 +1502,6 @@ interface(`files_dontaudit_getattr_boot_dirs',` dontaudit $1 boot_t:dir getattr; ') -######################################## -## -## List the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_boot',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir list_dir_perms; -') - ######################################## ## ## Search the /boot directory. @@ -1556,6 +1538,24 @@ interface(`files_dontaudit_search_boot',` dontaudit $1 boot_t:dir search_dir_perms; ') +######################################## +## +## List the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_list_boot',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir list_dir_perms; +') + ######################################## ## ## Create directories in /boot 
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if index c1139e4c..2dc0a81d 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -773,7 +773,6 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) files_search_var($1) ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 3deb7cbd..014ee445 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -451,7 +451,7 @@ optional_policy(` ') optional_policy(` - cobbler_search_var_lib(httpd_t) + cobbler_search_lib(httpd_t) ') optional_policy(` diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if index aef64b7a..31032a6e 100644 --- a/policy/modules/services/bind.if +++ b/policy/modules/services/bind.if @@ -6,11 +6,10 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # -# interface(`bind_initrc_domtrans',` gen_require(` type named_initrc_exec_t; @@ -209,25 +208,6 @@ interface(`bind_manage_config_dirs',` manage_dirs_pattern($1, named_conf_t, named_conf_t) ') -######################################## -## -## Manage BIND zone files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_manage_zone',` - gen_require(` - type named_zone_t; - ') - - files_search_var($1) - manage_files_pattern($1, named_zone_t, named_zone_t) -') - ######################################## ## ## Search the BIND cache directory. 
@@ -309,6 +289,25 @@ interface(`bind_read_zone',` read_files_pattern($1, named_zone_t, named_zone_t) ') +######################################## +## +## Manage BIND zone files. +## +## +## +## Domain allowed access. +## +## +# +interface(`bind_manage_zone',` + gen_require(` + type named_zone_t; + ') + + files_search_var($1) + manage_files_pattern($1, named_zone_t, named_zone_t) +') + ######################################## ## ## Send and receive datagrams to and from named. (Deprecated) diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc index 0a811f6e..1cf6c4e4 100644 --- a/policy/modules/services/cobbler.fc +++ b/policy/modules/services/cobbler.fc @@ -1,7 +1,7 @@ -/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) -/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) +/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) +/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) -/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) +/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) +/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if index 433099f5..1f2c4923 100644 --- a/policy/modules/services/cobbler.if +++ b/policy/modules/services/cobbler.if @@ -10,6 +10,42 @@ ##

## +######################################## +## +## Execute a domain transition to run cobblerd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cobblerd_domtrans',` + gen_require(` + type cobblerd_t, cobblerd_exec_t; + ') + + domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) +') + +######################################## +## +## Execute cobblerd server in the cobblerd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`cobblerd_initrc_domtrans',` + gen_require(` + type cobblerd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) +') + ######################################## ## ## Read Cobbler content in /etc @@ -48,6 +84,25 @@ interface(`cobbler_dontaudit_rw_log',` dontaudit $1 cobbler_var_log_t:file rw_file_perms; ') +######################################## +## +## Search cobbler dirs in /var/lib +## +## +## +## Domain allowed access. +## +## +# +interface(`cobbler_search_lib',` + gen_require(` + type cobbler_var_lib_t; + ') + + search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + files_search_var_lib($1) +') + ######################################## ## ## Read cobbler files in /var/lib @@ -58,7 +113,7 @@ interface(`cobbler_dontaudit_rw_log',` ## ## # -interface(`cobbler_read_var_lib_files',` +interface(`cobbler_read_lib_files',` gen_require(` type cobbler_var_lib_t; ') @@ -77,7 +132,7 @@ interface(`cobbler_read_var_lib_files',` ## ## # -interface(`cobbler_manage_var_lib_files',` +interface(`cobbler_manage_lib_files',` gen_require(` type cobbler_var_lib_t; ') 
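Review bot: The parameter description in the relocated `cobblerd_initrc_domtrans` block (first cobbler.if hunk) still reads `The type of the process performing this action.`. This same commit replaces that exact wording in `bind_initrc_domtrans` with `Domain allowed access.`, and the neighbouring `cobblerd_domtrans` uses `Domain allowed to transition.`. Since the interface lets the caller run the cobblerd init script through a domain transition, I would use `Domain allowed to transition.` here so the generated interface documentation states what the caller is granted. The markup around the description is not visible in this view, so only the sentence itself is proposed.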
@@ -86,61 +141,6 @@ interface(`cobbler_manage_var_lib_files',` files_search_var_lib($1) ') -######################################## -## -## Search cobbler dirs in /var/lib -## -## -## -## Domain allowed access. -## -## -# -interface(`cobbler_search_var_lib',` - gen_require(` - type cobbler_var_lib_t; - ') - - search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Execute a domain transition to run cobblerd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cobblerd_domtrans',` - gen_require(` - type cobblerd_t, cobblerd_exec_t; - ') - - domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) -') - -######################################## -## -## Execute cobblerd server in the cobblerd domain. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`cobblerd_initrc_domtrans',` - gen_require(` - type cobblerd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) -') - ######################################## ## ## All of the rules required to administrate diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te index 7e5c614f..a267c2f4 100644 --- a/policy/modules/services/cobbler.te +++ b/policy/modules/services/cobbler.te @@ -52,6 +52,8 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) +kernel_read_system_state(cobblerd_t) + corecmd_exec_bin(cobblerd_t) corecmd_exec_shell(cobblerd_t) @@ -67,13 +69,9 @@ corenet_tcp_sendrecv_generic_port(cobblerd_t) dev_read_urand(cobblerd_t) files_read_usr_files(cobblerd_t) - files_list_boot(cobblerd_t) - files_list_tmp(cobblerd_t) -kernel_read_system_state(cobblerd_t) - miscfiles_read_localization(cobblerd_t) miscfiles_read_public_files(cobblerd_t) 
@@ -119,6 +117,5 @@ optional_policy(` ') optional_policy(` - tftp_manage_tftpdir_dirs(cobblerd_t) - tftp_manage_tftpdir_files(cobblerd_t) + tftp_manage_rw_content(cobblerd_t) ') diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc index 89e2e662..21089cad 100644 --- a/policy/modules/services/dnsmasq.fc +++ b/policy/modules/services/dnsmasq.fc @@ -1,4 +1,4 @@ -/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) +/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if index 09e1efd7..5681e658 100644 --- a/policy/modules/services/dnsmasq.if +++ b/policy/modules/services/dnsmasq.if @@ -96,6 +96,44 @@ interface(`dnsmasq_kill',` allow $1 dnsmasq_t:process sigkill; ') +######################################## +## +## Read dnsmasq config files. +## +## +## +## Domain allowed. +## +## +# +interface(`dnsmasq_read_config',` + gen_require(` + type dnsmasq_etc_t; + ') + + allow $1 dnsmasq_etc_t:file read_file_perms; + files_search_etc($1) +') + +######################################## +## +## Write to dnsmasq config files. +## +## +## +## Domain allowed. +## +## +# +interface(`dnsmasq_write_config',` + gen_require(` + type dnsmasq_etc_t; + ') + + allow $1 dnsmasq_etc_t:file write_file_perms; + files_search_etc($1) +') + ######################################## ## ## Delete dnsmasq pid files 
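Review bot: `dnsmasq_read_config` and `dnsmasq_write_config` in the `@@ -96,6 +96,44 @@` hunk of dnsmasq.if now grant only `dnsmasq_etc_t:file` permissions plus `files_search_etc($1)`, so callers no longer get the directory search on `dnsmasq_etc_t` that the old `read_files_pattern`/`write_files_pattern` calls included. That is the tighter grant, and it fits the dnsmasq.fc entry in this patch, which labels only the regular file `/etc/dnsmasq\.conf`. Callers would be denied if a directory is ever labelled `dnsmasq_etc_t`. A comment above each allow rule, such as `# dnsmasq_etc_t is only applied to /etc/dnsmasq.conf; no directory access needed`, would record that assumption. The parameter description `Domain allowed.` in both blocks also looks truncated; `Domain allowed access.` matches the other interfaces touched by this commit.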
@@ -134,44 +172,6 @@ interface(`dnsmasq_read_pid_files',` read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -######################################## -## -## Read dnsmasq config files. -## -## -## -## Domain allowed. -## -## -# -interface(`dnsmasq_read_config',` - gen_require(` - type dnsmasq_etc_t; - ') - - read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) -') - -######################################## -## -## Write to dnsmasq config files. -## -## -## -## Domain allowed. -## -## -# -interface(`dnsmasq_write_config',` - gen_require(` - type dnsmasq_etc_t; - ') - - write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) -') - ######################################## ## ## All of the rules required to administrate diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index 2f9b213e..2865f045 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -37,7 +37,7 @@ allow dnsmasq_t self:udp_socket create_socket_perms; allow dnsmasq_t self:packet_socket create_socket_perms; allow dnsmasq_t self:rawip_socket create_socket_perms; -read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) +allow dnsmasq_t dnsmasq_etc_t:file read_file_perms; # dhcp leases manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) @@ -71,6 +71,7 @@ dev_read_urand(dnsmasq_t) domain_use_interactive_fds(dnsmasq_t) +files_read_etc_files(dnsmasq_t) files_read_etc_runtime_files(dnsmasq_t) fs_getattr_all_fs(dnsmasq_t) diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if index 7dc8495b..6a2d3452 100644 --- a/policy/modules/services/rsync.if +++ b/policy/modules/services/rsync.if @@ -119,7 +119,7 @@ interface(`rsync_read_config',` type rsync_etc_t; ') - read_files_pattern($1, rsync_etc_t, rsync_etc_t) + allow $1 rsync_etc_t:file read_file_perms; files_search_etc($1) ') 
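Review bot: The added `files_read_etc_files(dnsmasq_t)` in the `@@ -71,6 +71,7 @@` hunk of dnsmasq.te gives the daemon read access to generically labelled /etc content. That is wider than anything the replaced `read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` line provided, since it covered only `dnsmasq_etc_t`. If the intent is just to reach `/etc/dnsmasq.conf` after the switch to `allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;`, then `files_search_etc(dnsmasq_t)` would be the least-privilege choice. If dnsmasq really does read other generic /etc files, which I cannot tell from the hunk, a short comment on the line such as `# reads <file(s)> labelled etc_t` would let a later policy audit confirm the grant is still needed.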
@@ -138,6 +138,6 @@ interface(`rsync_write_config',` type rsync_etc_t; ') - write_files_pattern($1, rsync_etc_t, rsync_etc_t) + allow $1 rsync_etc_t:file read_file_perms; files_search_etc($1) ') diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te index fabe97b7..19bbfcb9 100644 --- a/policy/modules/services/rsync.te +++ b/policy/modules/services/rsync.te @@ -60,7 +60,7 @@ allow rsync_t self:udp_socket connected_socket_perms; allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; #end for identd -read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) +allow rsync_t rsync_etc_t:file read_file_perms; allow rsync_t rsync_data_t:dir list_dir_perms; read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if index 230c5a65..38bb3127 100644 --- a/policy/modules/services/tftp.if +++ b/policy/modules/services/tftp.if @@ -1,43 +1,5 @@ ## Trivial file transfer protocol daemon -######################################## -## -## Manage tftp /var/lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`tftp_manage_tftpdir_dirs',` - gen_require(` - type tftpdir_rw_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -') - -######################################## -## -## Manage tftp /var/lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`tftp_manage_tftpdir_files',` - gen_require(` - type tftpdir_rw_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -') - ######################################## ## ## Read tftp content 
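Review bot: `rsync_write_config` now grants read rather than write access. The new line `allow $1 rsync_etc_t:file read_file_perms;` in the `@@ -138,6 +138,6 @@` hunk of rsync.if is identical to the rule given to `rsync_read_config` in the preceding rsync.if hunk. Callers of the write interface therefore lose the ability to modify the rsync configuration and instead receive read access that the interface name does not advertise, which misleads anyone auditing the policy by interface name. This looks like a copy-paste slip, as the dnsmasq counterpart in this commit uses `write_file_perms`; the line should be `allow $1 rsync_etc_t:file write_file_perms;`. The interface header lies above the hunk, so its summary text could not be checked.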
@@ -56,6 +18,26 @@ interface(`tftp_read_content',` read_files_pattern($1, tftpdir_t, tftpdir_t) ') +######################################## +## +## Manage tftp /var/lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`tftp_manage_rw_content',` + gen_require(` + type tftpdir_rw_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) +') + ######################################## ## ## All of the rules required to administrate diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index 3051ca73..569c7d05 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -74,8 +74,8 @@ ifdef(`distro_redhat',` /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) -/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) +/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) +/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index 0e77e217..b261e3d2 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc 
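Review bot: The summary of the new `tftp_manage_rw_content` in the `@@ -56,6 +18,26 @@` hunk of tftp.if still reads `Manage tftp /var/lib files.`, but the body calls both `manage_dirs_pattern` and `manage_files_pattern` on `tftpdir_rw_t`. A caller therefore also receives create and delete rights on directories of that type. I would change the summary to `Manage tftp files and directories in /var/lib.` so that someone granting this interface sees its full scope. Any caller that previously needed only one of `tftp_manage_tftpdir_dirs` or `tftp_manage_tftpdir_files` now gets both grants; the one caller visible in this patch (cobbler.te) used both, so nothing widens there.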
@@ -12,7 +12,7 @@ /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) -/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)