From 30705b6bc0c478736778568929f0eafa37865921 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 24 Oct 2005 19:50:21 +0000 Subject: [PATCH] fixes --- refpolicy/policy/modules/admin/su.if | 8 ++--- refpolicy/policy/modules/kernel/devices.if | 1 + refpolicy/policy/modules/kernel/selinux.if | 18 ++++++++++++ refpolicy/policy/modules/kernel/terminal.if | 2 ++ refpolicy/policy/modules/services/mta.if | 5 ++-- refpolicy/policy/modules/services/postfix.if | 12 ++++++++ refpolicy/policy/modules/services/postfix.te | 23 ++++++++++++--- refpolicy/policy/modules/services/samba.if | 19 ++++++++++++ refpolicy/policy/modules/system/authlogin.if | 29 +++++++++---------- refpolicy/policy/modules/system/domain.if | 2 +- .../policy/modules/system/selinuxutil.if | 6 ++-- 11 files changed, 95 insertions(+), 30 deletions(-) diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index 7215d891..6fb744be 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -53,7 +53,7 @@ template(`su_restricted_domain_template', ` auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) - domain_wide_inherit_fd($1_su_t) + domain_use_wide_inherit_fd($1_su_t) files_read_etc_files($1_su_t) @@ -177,11 +177,11 @@ template(`su_per_userdomain_template',` term_use_all_user_ttys($1_su_t) term_use_all_user_ptys($1_su_t) - auth_domtrans_user_chk_passwd($1_su_t,$1) + auth_domtrans_user_chk_passwd($1,$1_su_t) auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) - domain_wide_inherit_fd($1_su_t) + domain_use_wide_inherit_fd($1_su_t) files_read_etc_files($1_su_t) files_search_var_lib($1_su_t) @@ -218,7 +218,7 @@ template(`su_per_userdomain_template',` fs_search_cifs($1_su_t) ') - optional_policy(`crond.te',` + optional_policy(`cron.te',` cron_read_pipe($1_su_t) ') diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index c988ce0c..d442432a 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -45,6 +45,7 @@ interface(`dev_node',` fs_associate($1) fs_associate_tmpfs($1) + files_associate_tmp($1) ') ######################################## diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if index 2d39c8ad..9ebdad0a 100644 --- a/refpolicy/policy/modules/kernel/selinux.if +++ b/refpolicy/policy/modules/kernel/selinux.if @@ -68,6 +68,24 @@ interface(`selinux_dontaudit_search_fs',` dontaudit $1 security_t:dir search; ') +######################################## +## +## Do not audit attempts to read +## generic selinuxfs entries +## +## +## Domain to not audit. +## +# +interface(`selinux_dontaudit_read_fs',` + gen_require(` + type security_t; + ') + + dontaudit $1 security_t:dir search; + dontaudit $1 security_t:file { getattr read }; +') + ######################################## ## ## Allows the caller to get the mode of policy enforcement diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 19e8de74..ddac65ba 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -80,6 +80,8 @@ interface(`term_tty',` typeattribute $2 ttynode, serial_device; type_change $1 tty_device_t:chr_file $2; + files_associate_tmp($1) + # Debian login is from shadow utils and does not allow resetting the perms. # have to fix this! ifdef(`distro_debian',` diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 08dcb934..479e58d0 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -349,8 +349,9 @@ interface(`mta_read_config',` ') files_search_etc($1) - allow spamd_t etc_mail_t:dir list_dir_perms; - allow spamd_t etc_mail_t:file r_file_perms; + allow $1 etc_mail_t:dir list_dir_perms; + allow $1 etc_mail_t:file r_file_perms; + allow $1 etc_mail_t:lnk_file { getattr read }; ') ######################################## diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if index bf94aeca..66fa2be9 100644 --- a/refpolicy/policy/modules/services/postfix.if +++ b/refpolicy/policy/modules/services/postfix.if @@ -88,6 +88,10 @@ template(`postfix_domain_template',` files_dontaudit_read_root_file(postfix_$1_t) ') + optional_policy(`nscd.te',` + nscd_use_socket(postfix_$1_t) + ') + optional_policy(`udev.te',` udev_read_db(postfix_$1_t) ') @@ -102,6 +106,10 @@ template(`postfix_server_domain_template',` allow postfix_$1_t self:udp_socket create_socket_perms; domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) + allow postfix_master_t postfix_$1_t:fd use; + allow postfix_$1_t postfix_master_t:fd use; + allow postfix_$1_t postfix_master_t:fifo_file rw_file_perms; + allow postfix_$1_t postfix_master_t:process sigchld; corenet_tcp_sendrecv_all_if(postfix_$1_t) corenet_udp_sendrecv_all_if(postfix_$1_t) @@ -128,6 +136,10 @@ template(`postfix_user_domain_template',` allow postfix_$1_t self:capability dac_override; domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t) + allow user_mail_domain postfix_$1_t:fd use; + allow postfix_$1_t user_mail_domain:fd use; + allow postfix_$1_t user_mail_domain:fifo_file rw_file_perms; + allow postfix_$1_t user_mail_domain:process sigchld; # this is replaced by run interfaces role sysadm_r types postfix_$1_t; diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te index bbacedea..a25e13f9 100644 --- a/refpolicy/policy/modules/services/postfix.te +++ b/refpolicy/policy/modules/services/postfix.te @@ -109,6 +109,9 @@ allow postfix_master_t postfix_public_t:dir rw_dir_perms; allow postfix_master_t postfix_spool_t:dir create_dir_perms; allow postfix_master_t postfix_spool_t:file create_file_perms; +allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; +allow postfix_master_t postfix_spool_bounce_t:file getattr; + allow postfix_master_t postfix_spool_flush_t:dir create_dir_perms; allow postfix_master_t postfix_spool_flush_t:file create_file_perms; allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms; @@ -357,6 +360,8 @@ files_dontaudit_search_var(postfix_map_t) libs_use_ld_so(postfix_map_t) libs_use_shared_libs(postfix_map_t) +logging_send_syslog_msg(postfix_map_t) + miscfiles_read_localization(postfix_map_t) seutil_read_config(postfix_map_t) @@ -464,10 +469,16 @@ allow postfix_postqueue_t postfix_public_t:dir search; allow postfix_postqueue_t postfix_public_t:fifo_file { getattr write }; domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) +allow postfix_master_t postfix_postqueue_t:fd use; +allow postfix_postqueue_t postfix_master_t:fd use; +allow postfix_postqueue_t postfix_master_t:fifo_file rw_file_perms; +allow postfix_postqueue_t postfix_master_t:process sigchld; -# to write the mailq output, it really should not need read access! -term_use_all_user_ptys(postfix_showq_t) -term_use_all_user_ttys(postfix_showq_t) +domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) +allow postfix_postqueue_t postfix_showq_t:fd use; +allow postfix_showq_t postfix_postqueue_t:fd use; +allow postfix_showq_t postfix_postqueue_t:fifo_file rw_file_perms; +allow postfix_showq_t postfix_postqueue_t:process sigchld; init_sigchld_script(postfix_postqueue_t) init_use_script_fd(postfix_postqueue_t) @@ -508,9 +519,12 @@ allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read }; allow postfix_showq_t self:capability { setuid setgid }; allow postfix_showq_t self:tcp_socket create_socket_perms; -domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # the following auto_trans is usually in postfix server domain domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) +allow postfix_master_t postfix_showq_t:fd use; +allow postfix_showq_t postfix_master_t:fd use; +allow postfix_showq_t postfix_master_t:fifo_file rw_file_perms; +allow postfix_showq_t postfix_master_t:process sigchld; allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; @@ -520,6 +534,7 @@ allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search }; allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr }; allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read }; +# to write the mailq output, it really should not need read access! term_use_all_user_ptys(postfix_showq_t) term_use_all_user_ttys(postfix_showq_t) diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if index 36665bea..8346be60 100644 --- a/refpolicy/policy/modules/services/samba.if +++ b/refpolicy/policy/modules/services/samba.if @@ -304,3 +304,22 @@ interface(`samba_read_winbind_pid',` files_search_pids($1) allow $1 winbind_var_run_t:file r_file_perms; ') + +######################################## +## +## Connect to winbind. +## +## +## Domain allowed access. +## +# +interface(`samba_connect_winbind',` + gen_require(` + type winbind_t, winbind_var_run_t; + ') + + files_search_pids($1) + allow $1 winbind_var_run_t:dir search_dir_perms; + allow $1 winbind_var_run_t:file { getattr read write }; + allow $1 winbind_t:unix_stream_socket connectto; +') diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 6af65815..ea0bf28a 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -103,12 +103,12 @@ template(`authlogin_per_userdomain_template',` nscd_use_socket($1_chkpwd_t) ') - optional_policy(`selinuxutil.te',` - seutil_use_newrole_fd($1_chkpwd_t) + optional_policy(`samba.te',` + samba_connect_winbind($1_chkpwd_t) ') - ifdef(`TODO',` - can_winbind($1) + optional_policy(`selinuxutil.te',` + seutil_use_newrole_fd($1_chkpwd_t) ') ') @@ -141,13 +141,13 @@ template(`auth_domtrans_user_chk_passwd',` type chkpwd_exec_t; ') - corecmd_search_bin($1) - domain_auto_trans($1,chkpwd_exec_t,$2_chkpwd_t) + corecmd_search_bin($2) + domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t) - allow $1 $2_chkpwd_t:fd use; - allow $2_chkpwd_t $1:fd use; - allow $2_chkpwd_t $1:fifo_file rw_file_perms; - allow $2_chkpwd_t $1:process sigchld; + allow $2 $1_chkpwd_t:fd use; + allow $1_chkpwd_t $2:fd use; + allow $1_chkpwd_t $2:fifo_file rw_file_perms; + allow $1_chkpwd_t $2:process sigchld; ') ') @@ -241,9 +241,8 @@ interface(`auth_domtrans_chk_passwd',` nis_use_ypbind($1) ') - ifdef(`TODO',` - can_winbind($1) - dontaudit $1 shadow_t:file { getattr read }; + optional_policy(`samba.te',` + samba_connect_winbind($1) ') ') @@ -919,8 +918,8 @@ interface(`auth_use_nsswitch',` nis_use_ypbind($1) ') - ifdef(`TODO',` - can_winbind($1) + optional_policy(`samba.te',` + samba_connect_winbind($1) ') ') diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 80742d93..495874c9 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -93,7 +93,7 @@ interface(`domain_type',` ') optional_policy(`selinux.te',` - selinux_dontaudit_search_fs($1) + selinux_dontaudit_read_fs($1) ') optional_policy(`selinuxutil.te',` diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 7f7b26e8..925a055d 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -499,13 +499,12 @@ interface(`seutil_dontaudit_read_config',` interface(`seutil_read_config',` gen_require(` type selinux_config_t; - class dir r_dir_perms; - class file r_file_perms; ') files_search_etc($1) allow $1 selinux_config_t:dir r_dir_perms; allow $1 selinux_config_t:file r_file_perms; + allow $1 selinux_config_t:lnk_file { getattr read }; ') ######################################## @@ -534,14 +533,13 @@ interface(`seutil_search_default_contexts',` interface(`seutil_read_default_contexts',` gen_require(` type selinux_config_t, default_context_t; - class dir r_dir_perms; - class file r_file_perms; ') files_search_etc($1) allow $1 selinux_config_t:dir search; allow $1 default_context_t:dir r_dir_perms; allow $1 default_context_t:file r_file_perms; + allow $1 default_context_t:lnk_file { getattr read }; ') ########################################