rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

todo cleanup

Browse Source
This commit is contained in:
Chris PeBenito 2005-09-20 20:48:17 +00:00
parent 93070cbaed
commit 3774e4eb28
20 changed files with 137 additions and 151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
refpolicy/policy/modules/admin/consoletype.te
View File

@ -67,6 +67,7 @@ optional_policy(`authlogin.te', `
optional_policy(`cron.te',` optional_policy(`cron.te',`
cron_read_pipe(consoletype_t) cron_read_pipe(consoletype_t)
cron_use_system_job_fd(consoletype_t)
') ')
optional_policy(`firstboot.te',` optional_policy(`firstboot.te',`
@ -95,8 +96,6 @@ optional_policy(`userdomain.te',`
ifdef(`TODO',` ifdef(`TODO',`
allow consoletype_t nfs_t:file write; allow consoletype_t nfs_t:file write;
allow consoletype_t system_crond_t:fd use;
optional_policy(`xdm.te', ` optional_policy(`xdm.te', `
allow consoletype_t xdm_tmp_t:file rw_file_perms; allow consoletype_t xdm_tmp_t:file rw_file_perms;
') ')

4
refpolicy/policy/modules/admin/firstboot.te
View File

@ -120,8 +120,10 @@ optional_policy(`samba.te',`
') ')
optional_policy(`usermanage.te',` optional_policy(`usermanage.te',`
usermanage_domtrans_useradd(firstboot_t) usermanage_domtrans_chfn(firstboot_t)
usermanage_domtrans_groupadd(firstboot_t) usermanage_domtrans_groupadd(firstboot_t)
usermanage_domtrans_passwd(firstboot_t)
usermanage_domtrans_useradd(firstboot_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`

12
refpolicy/policy/modules/admin/logrotate.te
View File

@ -85,6 +85,8 @@ corecmd_exec_ls(logrotate_t)
domain_signal_all_domains(logrotate_t) domain_signal_all_domains(logrotate_t)
domain_use_wide_inherit_fd(logrotate_t) domain_use_wide_inherit_fd(logrotate_t)
domain_getattr_all_entry_files(logrotate_t) domain_getattr_all_entry_files(logrotate_t)
# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logrotate_t)
files_read_usr_files(logrotate_t) files_read_usr_files(logrotate_t)
files_read_etc_files(logrotate_t) files_read_etc_files(logrotate_t)
@ -163,21 +165,11 @@ optional_policy(`squid.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
#from privmail this needs more work:
allow mta_user_agent logrotate_t:fd use;
allow mta_user_agent logrotate_t:process sigchld;
allow mta_user_agent logrotate_t:fifo_file { read write };
ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;') ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
# it should not require this # it should not require this
allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search }; allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
# Read /proc/PID directories for all domains.
allow logrotate_t domain:notdevfile_class_set r_file_perms;
allow logrotate_t domain:dir r_dir_perms;
# for /var/backups on Debian # for /var/backups on Debian
ifdef(`backup.te', ` ifdef(`backup.te', `
rw_dir_create_file(logrotate_t, backup_store_t) rw_dir_create_file(logrotate_t, backup_store_t)

2
refpolicy/policy/modules/admin/netutils.te
View File

@ -1,5 +1,5 @@
policy_module(devices,1.0) policy_module(netutils,1.0)
######################################## ########################################
# #

22
refpolicy/policy/modules/admin/rpm.te
View File

@ -6,11 +6,12 @@ policy_module(rpm,1.0)
# Declarations # Declarations
# #
type rpm_t; #, priv_system_role; type rpm_t;
type rpm_exec_t; type rpm_exec_t;
init_system_domain(rpm_t,rpm_exec_t) init_system_domain(rpm_t,rpm_exec_t)
domain_obj_id_change_exempt(rpm_t) domain_obj_id_change_exempt(rpm_t)
domain_role_change_exempt(rpm_t) domain_role_change_exempt(rpm_t)
domain_system_change_exempt(rpm_t)
domain_wide_inherit_fd(rpm_t) domain_wide_inherit_fd(rpm_t)
role system_r types rpm_t; role system_r types rpm_t;
@ -30,9 +31,10 @@ type rpm_var_lib_t;
files_type(rpm_var_lib_t) files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t; typealias rpm_var_lib_t alias var_lib_rpm_t;
type rpm_script_t; #, admin, privmem, priv_system_role; type rpm_script_t;
type rpm_script_exec_t; type rpm_script_exec_t;
domain_obj_id_change_exempt(rpm_script_t) domain_obj_id_change_exempt(rpm_script_t)
domain_system_change_exempt(rpm_script_t)
corecmd_shell_entry_type(rpm_script_t) corecmd_shell_entry_type(rpm_script_t)
domain_type(rpm_script_t) domain_type(rpm_script_t)
domain_entry_file(rpm_t,rpm_script_exec_t) domain_entry_file(rpm_t,rpm_script_exec_t)
@ -92,7 +94,7 @@ fs_create_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }
# Access /var/lib/rpm files # Access /var/lib/rpm files
allow rpm_t rpm_var_lib_t:file create_file_perms; allow rpm_t rpm_var_lib_t:file create_file_perms;
allow rpm_t rpm_var_lib_t:dir rw_dir_perms; allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
#files_create_private_libraries(rpm_t,rpm_var_lib_t,dir) files_create_var_lib(rpm_t,rpm_var_lib_t,dir)
kernel_read_system_state(rpm_t) kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctl(rpm_t) kernel_read_kernel_sysctl(rpm_t)
@ -114,7 +116,7 @@ dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t) dev_read_urand(rpm_t)
#devices_manage_all_device_types(rpm_t) #devices_manage_all_device_types(rpm_t)
#fs_manage_nfs_dir(rpm_t) fs_manage_nfs_dirs(rpm_t)
fs_manage_nfs_files(rpm_t) fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t) fs_manage_nfs_symlinks(rpm_t)
fs_getattr_all_fs(rpm_t) fs_getattr_all_fs(rpm_t)
@ -183,10 +185,6 @@ ifdef(`TODO',`
# cjp: this seems way out of place # cjp: this seems way out of place
role sysadm_r types initrc_t; role sysadm_r types initrc_t;
type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
dontaudit rpm_t domain:process ptrace;
# read/write/create any files in the system # read/write/create any files in the system
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
allow rpm_t ttyfile:chr_file unlink; allow rpm_t ttyfile:chr_file unlink;
@ -312,10 +310,6 @@ seutil_domtrans_restorecon(rpm_script_t)
userdom_use_all_user_fd(rpm_script_t) userdom_use_all_user_fd(rpm_script_t)
if (allow_execmem) {
allow rpm_script_t self:process execmem;
}
# this should be tunable_policy, but # this should be tunable_policy, but
# typeattribute does not work in conditionals # typeattribute does not work in conditionals
ifdef(`unlimitedRPM',` ifdef(`unlimitedRPM',`
@ -323,6 +317,10 @@ ifdef(`unlimitedRPM',`
unconfined_domain_template(rpm_script_t) unconfined_domain_template(rpm_script_t)
') ')
tunable_policy(`allow_execmem',`
allow rpm_script_t self:process execmem;
')
optional_policy(`bootloader.te',` optional_policy(`bootloader.te',`
bootloader_domtrans(rpm_script_t) bootloader_domtrans(rpm_script_t)
') ')

94
refpolicy/policy/modules/admin/usermanage.te
View File

@ -96,6 +96,9 @@ fs_search_auto_mountpoints(chfn_t)
# for SSP # for SSP
dev_read_urand(chfn_t) dev_read_urand(chfn_t)
auth_domtrans_chk_passwd(chfn_t)
auth_dontaudit_read_shadow(chfn_t)
# can exec /sbin/unix_chkpwd # can exec /sbin/unix_chkpwd
corecmd_search_bin(chfn_t) corecmd_search_bin(chfn_t)
corecmd_search_sbin(chfn_t) corecmd_search_sbin(chfn_t)
@ -117,31 +120,23 @@ miscfiles_read_localization(chfn_t)
logging_send_syslog_msg(chfn_t) logging_send_syslog_msg(chfn_t)
auth_domtrans_chk_passwd(chfn_t) # uses unix_chkpwd for checking passwords
auth_dontaudit_read_shadow(chfn_t) seutil_dontaudit_search_config(chfn_t)
userdom_use_unpriv_users_fd(chfn_t) userdom_use_unpriv_users_fd(chfn_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_all_users_home(chfn_t)
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(chfn_t) nis_use_ypbind(chfn_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`firstboot.te',`
domain_auto_trans(firstboot_t, chfn_exec_t, chfn_t)
')
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;') ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
# allow checking if a shell is executable # allow checking if a shell is executable
allow chfn_t shell_exec_t:file execute; allow chfn_t shell_exec_t:file execute;
# user generally runs this from their home directory, so do not audit a search
# on user home dir
dontaudit chfn_t { user_home_dir_type user_home_type }:dir search;
# uses unix_chkpwd for checking passwords
dontaudit chfn_t selinux_config_t:dir search;
') dnl endif TODO ') dnl endif TODO
######################################## ########################################
@ -180,16 +175,11 @@ libs_use_shared_libs(crack_t)
logging_send_syslog_msg(crack_t) logging_send_syslog_msg(crack_t)
ifdef(`TODO',` userdom_dontaudit_search_sysadm_home_dir(crack_t)
ifdef(`crond.te', `
domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
allow crack_t crond_t:fifo_file rw_file_perms;
allow crack_t crond_t:fd use;
allow crack_t crond_t:process sigchld;
')
dontaudit crack_t sysadm_home_dir_t:dir { getattr search }; optional_policy(`cron.te',`
') dnl endif TODO cron_system_entry(crack_t,crack_exec_t)
')
######################################## ########################################
# #
@ -250,6 +240,8 @@ auth_rw_lastlog(groupadd_t)
seutil_read_config(groupadd_t) seutil_read_config(groupadd_t)
userdom_use_unpriv_users_fd(groupadd_t) userdom_use_unpriv_users_fd(groupadd_t)
# for when /root is the cwd
userdom_dontaudit_search_sysadm_home_dir(groupadd_t)
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(groupadd_t) nis_use_ypbind(groupadd_t)
@ -265,15 +257,11 @@ optional_policy(`rpm.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
# Update /etc/shadow and /etc/passwd # Update /etc/shadow and /etc/passwd
allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto }; allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
# Access terminals. # Access terminals.
ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;') ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
# for when /root is the cwd
dontaudit groupadd_t sysadm_home_dir_t:dir search;
') dnl end TODO ') dnl end TODO
######################################## ########################################
@ -314,6 +302,8 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t) selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t) selinux_compute_user_contexts(passwd_t)
auth_manage_shadow(passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate # /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp. # correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_script_pid(passwd_t) init_dontaudit_rw_script_pid(passwd_t)
@ -323,6 +313,7 @@ domain_use_wide_inherit_fd(passwd_t)
files_read_etc_runtime_files(passwd_t) files_read_etc_runtime_files(passwd_t)
files_manage_etc_files(passwd_t) files_manage_etc_files(passwd_t)
files_search_var(passwd_t) files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
libs_use_ld_so(passwd_t) libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t) libs_use_shared_libs(passwd_t)
@ -331,20 +322,18 @@ logging_send_syslog_msg(passwd_t)
miscfiles_read_localization(passwd_t) miscfiles_read_localization(passwd_t)
auth_manage_shadow(passwd_t) seutil_dontaudit_search_config(passwd_t)
userdom_use_unpriv_users_fd(passwd_t) userdom_use_unpriv_users_fd(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_all_users_home(passwd_t)
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(passwd_t) nis_use_ypbind(passwd_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`firstboot.te',`
domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t)
')
# Update /etc/shadow and /etc/passwd # Update /etc/shadow and /etc/passwd
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto }; allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
@ -354,18 +343,10 @@ ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
# allow checking if a shell is executable # allow checking if a shell is executable
allow passwd_t shell_exec_t:file execute; allow passwd_t shell_exec_t:file execute;
# user generally runs this from their home directory, so do not audit a search
# on user home dir
dontaudit passwd_t { user_home_dir_type user_home_type }:dir search;
# make sure that getcon succeeds # make sure that getcon succeeds
allow passwd_t userdomain:dir search; allow passwd_t userdomain:dir search;
allow passwd_t userdomain:file read; allow passwd_t userdomain:file read;
allow passwd_t userdomain:process getattr; allow passwd_t userdomain:process getattr;
dontaudit passwd_t selinux_config_t:dir search;
dontaudit passwd_t var_run_t:dir search;
') dnl endif TODO ') dnl endif TODO
######################################## ########################################
@ -424,6 +405,8 @@ domain_use_wide_inherit_fd(sysadm_passwd_t)
files_manage_etc_files(sysadm_passwd_t) files_manage_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
files_dontaudit_search_pids(sysadm_passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate # /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp. # correctly without it. Do not audit write denials to utmp.
@ -436,7 +419,12 @@ miscfiles_read_localization(sysadm_passwd_t)
logging_send_syslog_msg(sysadm_passwd_t) logging_send_syslog_msg(sysadm_passwd_t)
seutil_dontaudit_search_config(sysadm_passwd_t)
userdom_use_unpriv_users_fd(sysadm_passwd_t) userdom_use_unpriv_users_fd(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_all_users_home(sysadm_passwd_t)
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(sysadm_passwd_t) nis_use_ypbind(sysadm_passwd_t)
@ -452,20 +440,9 @@ ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
# allow checking if a shell is executable # allow checking if a shell is executable
allow sysadm_passwd_t shell_exec_t:file execute; allow sysadm_passwd_t shell_exec_t:file execute;
# user generally runs this from their home directory, so do not audit a search
# on user home dir
dontaudit sysadm_passwd_t { user_home_dir_type user_home_type }:dir search;
# Update /etc/shadow and /etc/passwd # Update /etc/shadow and /etc/passwd
allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto }; allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
# for vipw - vi looks in the root home directory for config
dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
# for nscd lookups
dontaudit sysadm_passwd_t var_run_t:dir search;
dontaudit sysadm_passwd_t selinux_config_t:dir search;
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
role system_r types sysadm_passwd_t; role system_r types sysadm_passwd_t;
allow sysadm_passwd_t devpts_t:chr_file rw_file_perms; allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
@ -534,6 +511,12 @@ seutil_read_config(useradd_t)
seutil_read_file_contexts(useradd_t) seutil_read_file_contexts(useradd_t)
userdom_use_unpriv_users_fd(useradd_t) userdom_use_unpriv_users_fd(useradd_t)
# for when /root is the cwd
userdom_dontaudit_search_sysadm_home_dir(useradd_t)
# Add/remove user home directories
userdom_create_user_home_dir(useradd_t)
userdom_manage_user_home_dir(useradd_t)
userdom_create_user_home(useradd_t,notdevfile_class_set)
mta_manage_spool(useradd_t) mta_manage_spool(useradd_t)
@ -551,21 +534,12 @@ optional_policy(`rpm.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
# Update /etc/shadow and /etc/passwd # Update /etc/shadow and /etc/passwd
allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto }; allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
# Access terminals. # Access terminals.
ifdef(`gnome-pty-helper.te', `allow useradd_t gphdomain:fd use;') ifdef(`gnome-pty-helper.te', `allow useradd_t gphdomain:fd use;')
# for when /root is the cwd
dontaudit useradd_t sysadm_home_dir_t:dir search;
# Add/remove user home directories
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
# /var/mail is a link to /var/spool/mail # /var/mail is a link to /var/spool/mail
allow useradd_t mail_spool_t:lnk_file read; allow useradd_t mail_spool_t:lnk_file read;
') dnl end TODO ') dnl end TODO

5
refpolicy/policy/modules/admin/vpn.te
View File

@ -96,6 +96,7 @@ sysnet_create_config(vpnc_t)
sysnet_manage_config(vpnc_t) sysnet_manage_config(vpnc_t)
userdom_use_all_user_fd(vpnc_t) userdom_use_all_user_fd(vpnc_t)
userdom_dontaudit_search_all_users_home(vpnc_t)
optional_policy(`mount.te',` optional_policy(`mount.te',`
mount_send_nfs_client_request(vpnc_t) mount_send_nfs_client_request(vpnc_t)
@ -108,7 +109,3 @@ optional_policy(`nis.te',`
optional_policy(`nscd.te',` optional_policy(`nscd.te',`
nscd_use_socket(vpnc_t) nscd_use_socket(vpnc_t)
') ')
ifdef(`TODO',`
dontaudit vpnc_t user_home_dir_type:dir search;
')

32
refpolicy/policy/modules/services/cron.if
View File

@ -98,6 +98,8 @@ template(`cron_per_userdomain_template',`
fs_getattr_all_fs($1_crond_t) fs_getattr_all_fs($1_crond_t)
domain_exec_all_entry_files($1_crond_t) domain_exec_all_entry_files($1_crond_t)
# quiet other ps operations
domain_dontaudit_read_all_domains_state($1_crond_t)
files_read_usr_files($1_crond_t) files_read_usr_files($1_crond_t)
files_exec_etc_files($1_crond_t) files_exec_etc_files($1_crond_t)
@ -113,6 +115,8 @@ template(`cron_per_userdomain_template',`
libs_exec_ld_so($1_crond_t) libs_exec_ld_so($1_crond_t)
files_read_etc_runtime_files($1_crond_t) files_read_etc_runtime_files($1_crond_t)
files_read_var_files($1_crond_t)
files_search_spool($1_crond_t)
logging_search_logs($1_crond_t) logging_search_logs($1_crond_t)
@ -126,6 +130,13 @@ template(`cron_per_userdomain_template',`
userdom_manage_user_tmp_sockets($1,$1_crond_t) userdom_manage_user_tmp_sockets($1,$1_crond_t)
# Run scripts in user home directory and access shared libs. # Run scripts in user home directory and access shared libs.
userdom_exec_user_home_files($1,$1_crond_t) userdom_exec_user_home_files($1,$1_crond_t)
# Access user files and dirs.
# userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
userdom_manage_user_home_subdir_files($1,$1_crond_t)
userdom_manage_user_home_subdir_symlinks($1,$1_crond_t)
userdom_manage_user_home_subdir_pipes($1,$1_crond_t)
userdom_manage_user_home_subdir_sockets($1,$1_crond_t)
# userdom_create_user_home($1,$1_crond_t,notdevfile_class_set)
tunable_policy(`fcron_crond', ` tunable_policy(`fcron_crond', `
allow crond_t $1_cron_spool_t:file create_file_perms; allow crond_t $1_cron_spool_t:file create_file_perms;
@ -136,9 +147,6 @@ template(`cron_per_userdomain_template',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
# Access user files and dirs.
file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
allow $1_crond_t tmp_t:dir rw_dir_perms; allow $1_crond_t tmp_t:dir rw_dir_perms;
type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t; type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
@ -150,13 +158,6 @@ template(`cron_per_userdomain_template',`
dontaudit $1_mail_t crond_t:fifo_file write; dontaudit $1_mail_t crond_t:fifo_file write;
allow mta_user_agent $1_crond_t:fd use; allow mta_user_agent $1_crond_t:fd use;
') ')
allow $1_crond_t var_spool_t:dir search;
allow $1_crond_t var_t:dir r_dir_perms;
allow $1_crond_t var_t:file r_file_perms;
# quiet other ps operations
dontaudit $1_crond_t domain:dir { getattr search };
') dnl endif TODO ') dnl endif TODO
############################## ##############################
@ -171,6 +172,12 @@ template(`cron_per_userdomain_template',`
allow $1_crontab_t $2:fifo_file rw_file_perms; allow $1_crontab_t $2:fifo_file rw_file_perms;
allow $1_crontab_t $2:process sigchld; allow $1_crontab_t $2:process sigchld;
# crontab shows up in user ps
allow $2 $1_crontab_t:dir { search getattr read };
allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
allow $2 $1_crontab_t:process getattr;
dontaudit $2 $1_crontab_t:process ptrace;
# for ^Z # for ^Z
allow $2 $1_crontab_t:process signal; allow $2 $1_crontab_t:process signal;
@ -229,15 +236,10 @@ template(`cron_per_userdomain_template',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
can_ps($1_t, $1_crontab_t)
dontaudit $1_crontab_t proc_t:dir search;
allow $1_crond_t tmp_t:dir rw_dir_perms; allow $1_crond_t tmp_t:dir rw_dir_perms;
type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t; type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
# Read user crontabs # Read user crontabs
allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;
dontaudit $1_crontab_t $1_home_dir_t:dir write; dontaudit $1_crontab_t $1_home_dir_t:dir write;
# Inherit and use descriptors from gnome-pty-helper. # Inherit and use descriptors from gnome-pty-helper.

20
refpolicy/policy/modules/services/cron.te
View File

@ -13,7 +13,7 @@ files_type(anacron_exec_t)
type cron_spool_t; type cron_spool_t;
files_type(cron_spool_t) files_type(cron_spool_t)
type crond_t; #, privmail type crond_t;
type crond_exec_t; type crond_exec_t;
init_daemon_domain(crond_t,crond_exec_t) init_daemon_domain(crond_t,crond_exec_t)
domain_wide_inherit_fd(crond_t) domain_wide_inherit_fd(crond_t)
@ -31,7 +31,7 @@ files_type(crontab_exec_t)
type system_cron_spool_t, cron_spool_type; type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t) files_type(system_cron_spool_t)
type system_crond_t; #, privmail type system_crond_t;
init_daemon_domain(system_crond_t,anacron_exec_t) init_daemon_domain(system_crond_t,anacron_exec_t)
corecmd_shell_entry_type(system_crond_t) corecmd_shell_entry_type(system_crond_t)
role system_r types system_crond_t; role system_r types system_crond_t;
@ -100,6 +100,9 @@ domain_use_wide_inherit_fd(crond_t)
files_read_etc_files(crond_t) files_read_etc_files(crond_t)
files_read_generic_spools(crond_t) files_read_generic_spools(crond_t)
# Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
init_use_fd(crond_t) init_use_fd(crond_t)
init_use_script_pty(crond_t) init_use_script_pty(crond_t)
@ -117,6 +120,8 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fd(crond_t) userdom_use_unpriv_users_fd(crond_t)
mta_send_mail(crond_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out. # via redirection of standard out.
@ -169,10 +174,6 @@ optional_policy(`rhgb.te', `
rhgb_domain(crond_t) rhgb_domain(crond_t)
') ')
# Read from /var/spool/cron.
allow crond_t var_lib_t:dir search;
allow crond_t default_t:dir search;
# crond tries to search /root. Not sure why. # crond tries to search /root. Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms; allow crond_t sysadm_home_dir_t:dir r_dir_perms;
@ -257,6 +258,8 @@ corecmd_exec_bin(system_crond_t)
corecmd_exec_sbin(system_crond_t) corecmd_exec_sbin(system_crond_t)
domain_exec_all_entry_files(system_crond_t) domain_exec_all_entry_files(system_crond_t)
# quiet other ps operations
domain_dontaudit_read_all_domains_state(system_crond_t)
files_exec_etc_files(system_crond_t) files_exec_etc_files(system_crond_t)
files_read_etc_files(system_crond_t) files_read_etc_files(system_crond_t)
@ -296,6 +299,8 @@ miscfiles_manage_man_pages(system_crond_t)
seutil_read_config(system_crond_t) seutil_read_config(system_crond_t)
mta_send_mail(system_crond_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out. # via redirection of standard out.
@ -342,9 +347,6 @@ optional_policy(`squid.te',`
ifdef(`TODO',` ifdef(`TODO',`
dontaudit userdomain system_crond_t:fd use; dontaudit userdomain system_crond_t:fd use;
# quiet other ps operations
dontaudit system_crond_t domain:dir { getattr search };
# Do not audit attempts to search unlabeled directories (e.g. slocate). # Do not audit attempts to search unlabeled directories (e.g. slocate).
dontaudit system_crond_t unlabeled_t:dir r_dir_perms; dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
dontaudit system_crond_t unlabeled_t:file r_file_perms; dontaudit system_crond_t unlabeled_t:file r_file_perms;

11
refpolicy/policy/modules/services/inetd.te
View File

@ -6,7 +6,7 @@ policy_module(inetd,1.0)
# Declarations # Declarations
# #
type inetd_t; # ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem') type inetd_t;
type inetd_exec_t; type inetd_exec_t;
init_daemon_domain(inetd_t,inetd_exec_t) init_daemon_domain(inetd_t,inetd_exec_t)
@ -127,6 +127,11 @@ optional_policy(`mount.te',`
mount_send_nfs_client_request(inetd_t) mount_send_nfs_client_request(inetd_t)
') ')
# Communicate with the portmapper.
optional_policy(`portmap.te',`
portmap_udp_sendto(inetd_t)
')
optional_policy(`selinuxutil.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(inetd_t) seutil_sigchld_newrole(inetd_t)
') ')
@ -146,13 +151,9 @@ ifdef(`unlimitedInetd', `
') ')
ifdef(`TODO',` ifdef(`TODO',`
optional_policy(`rhgb.te',` optional_policy(`rhgb.te',`
rhgb_domain(inetd_t) rhgb_domain(inetd_t)
') ')
# Communicate with the portmapper.
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
') dnl TODO ') dnl TODO
######################################## ########################################

8
refpolicy/policy/modules/services/kerberos.te
View File

@ -145,9 +145,6 @@ ifdef(`TODO',`
optional_policy(`rhgb.te',` optional_policy(`rhgb.te',`
rhgb_domain(kadmind_t) rhgb_domain(kadmind_t)
') ')
# cjp: not sure, but I think this has no effect
can_tcp_connect(kerberos_admin_port_t, kadmind_t)
') dnl end TODO ') dnl end TODO
######################################## ########################################
@ -250,9 +247,4 @@ optional_policy(`rhgb.te',`
# Allow user programs to talk to KDC # Allow user programs to talk to KDC
allow krb5kdc_t userdomain:udp_socket recvfrom; allow krb5kdc_t userdomain:udp_socket recvfrom;
allow userdomain krb5kdc_t:udp_socket recvfrom; allow userdomain krb5kdc_t:udp_socket recvfrom;
# cjp: not sure, but I think these have no effect
can_udp_send(kerberos_port_t, krb5kdc_t)
can_udp_send(krb5kdc_t, kerberos_port_t)
can_tcp_connect(kerberos_port_t, krb5kdc_t)
') dnl end TODO ') dnl end TODO

18
refpolicy/policy/modules/services/ldap.if
View File

@ -35,3 +35,21 @@ interface(`ldap_read_config',`
files_search_etc($1) files_search_etc($1)
allow $1 slapd_etc_t:file { getattr read }; allow $1 slapd_etc_t:file { getattr read };
') ')
########################################
## <summary>
## Use LDAP over TCP connection.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`ldap_use',`
gen_require(`
type slapd_t;
')
allow $1 slapd_t:tcp_socket { connectto recvfrom };
allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1)
')

4
refpolicy/policy/modules/services/ldap.te
View File

@ -59,6 +59,7 @@ files_create_pid(slapd_t,slapd_var_run_t)
kernel_read_system_state(slapd_t) kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctl(slapd_t) kernel_read_kernel_sysctl(slapd_t)
kernel_tcp_recvfrom(slapd_t)
corenet_tcp_sendrecv_all_if(slapd_t) corenet_tcp_sendrecv_all_if(slapd_t)
corenet_udp_sendrecv_all_if(slapd_t) corenet_udp_sendrecv_all_if(slapd_t)
@ -124,7 +125,4 @@ r_dir_file(slapd_t, cert_t)
optional_policy(`rhgb.te',` optional_policy(`rhgb.te',`
rhgb_domain(slapd_t) rhgb_domain(slapd_t)
') ')
# allow any domain to connect to the LDAP server
# cjp: how does this relate to the old can_ldap() macro?
can_tcp_connect(domain, slapd_t)
') dnl end TODO ') dnl end TODO

2
refpolicy/policy/modules/services/nscd.te
View File

@ -2,7 +2,7 @@
policy_module(nscd,1.0) policy_module(nscd,1.0)
gen_require(` gen_require(`
class nscd { admin getstat }; class nscd all_nscd_perms;
') ')
######################################## ########################################

3
refpolicy/policy/modules/services/rshd.te
View File

@ -86,7 +86,4 @@ ifdef(`TODO',`
optional_policy(`rlogind.te', ` optional_policy(`rlogind.te', `
allow rshd_t rlogind_tmp_t:file rw_file_perms; allow rshd_t rlogind_tmp_t:file rw_file_perms;
') ')
allow rshd_t selinux_config_t:lnk_file { getattr read };
allow rshd_t default_context_t:lnk_file { getattr read };
') ')

2
refpolicy/policy/modules/services/samba.te
View File

@ -21,6 +21,7 @@ files_type(samba_log_t)
type samba_net_t; type samba_net_t;
domain_type(samba_net_t) domain_type(samba_net_t)
role system_r types samba_net_t;
type samba_net_exec_t; type samba_net_exec_t;
domain_entry_file(samba_net_t,samba_net_exec_t) domain_entry_file(samba_net_t,samba_net_exec_t)
@ -126,7 +127,6 @@ optional_policy(`nscd.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
role system_r types samba_net_t;
in_user_role(samba_net_t) in_user_role(samba_net_t)
') ')

10
refpolicy/policy/modules/system/authlogin.if
View File

@ -32,13 +32,6 @@ template(`authlogin_per_userdomain_template',`
gen_require(` gen_require(`
attribute can_read_shadow_passwords; attribute can_read_shadow_passwords;
type chkpwd_exec_t, system_chkpwd_t, shadow_t; type chkpwd_exec_t, system_chkpwd_t, shadow_t;
class file rx_file_perms;
class process { getattr transition sigchld };
class capability setuid;
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
class fd use;
class fifo_file rw_file_perms;
') ')
type $1_chkpwd_t, can_read_shadow_passwords; type $1_chkpwd_t, can_read_shadow_passwords;
@ -63,6 +56,8 @@ template(`authlogin_per_userdomain_template',`
allow $1_chkpwd_t $2:fifo_file rw_file_perms; allow $1_chkpwd_t $2:fifo_file rw_file_perms;
allow $1_chkpwd_t $2:process sigchld; allow $1_chkpwd_t $2:process sigchld;
dontaudit $2 shadow_t:file { getattr read };
# is_selinux_enabled # is_selinux_enabled
kernel_read_system_state($1_chkpwd_t) kernel_read_system_state($1_chkpwd_t)
@ -114,7 +109,6 @@ template(`authlogin_per_userdomain_template',`
ifdef(`TODO',` ifdef(`TODO',`
can_winbind($1) can_winbind($1)
r_dir_file($1, cert_t) r_dir_file($1, cert_t)
dontaudit $1 shadow_t:file { getattr read };
') ')
') ')

23
refpolicy/policy/modules/system/domain.if
View File

@ -71,6 +71,11 @@ interface(`domain_type',`
unconfined_sigchld($1) unconfined_sigchld($1)
') ')
# allow any domain to connect to the LDAP server
optional_policy(`ldap.te',`
ldap_use($1)
')
# this seems highly questionable: # this seems highly questionable:
optional_policy(`rpm.te',` optional_policy(`rpm.te',`
rpm_use_fd($1) rpm_use_fd($1)
@ -129,6 +134,24 @@ interface(`domain_dyntrans_type',`
typeattribute $1 set_curr_context; typeattribute $1 set_curr_context;
') ')
########################################
## <summary>
## Makes caller and execption to the constraint
## preventing changing to the system user
## identity and system role.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`domain_system_change_exempt',`
gen_require(`
attribute can_system_change;
')
typeattribute $1 can_system_change;
')
######################################## ########################################
## <summary> ## <summary>
## Makes caller an exception to the constraint preventing ## Makes caller an exception to the constraint preventing

9
refpolicy/policy/modules/system/hotplug.te
View File

@ -78,6 +78,8 @@ corecmd_exec_shell(hotplug_t)
corecmd_exec_sbin(hotplug_t) corecmd_exec_sbin(hotplug_t)
domain_use_wide_inherit_fd(hotplug_t) domain_use_wide_inherit_fd(hotplug_t)
# for ps
domain_dontaudit_read_all_domains_state(hotplug_t)
files_read_etc_files(hotplug_t) files_read_etc_files(hotplug_t)
files_manage_etc_runtime_files(hotplug_t) files_manage_etc_runtime_files(hotplug_t)
@ -187,16 +189,9 @@ optional_policy(`rhgb.te',`
rhgb_domain(hotplug_t) rhgb_domain(hotplug_t)
') ')
# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read; dontaudit hotplug_t { init_t kernel_t }:file read;
optional_policy(`hald.te', ` optional_policy(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto; allow hotplug_t hald_t:unix_dgram_socket sendto;
') ')
# this block goes to hald:
optional_policy(`hotplug.te',`
hotplug_read_config(hald_t)
')
') dnl end TODO ') dnl end TODO

4
refpolicy/policy/modules/system/raid.te
View File

@ -6,7 +6,7 @@ policy_module(raid,1.0)
# Declarations # Declarations
# #
type mdadm_t; # privmail type mdadm_t;
type mdadm_exec_t; type mdadm_exec_t;
init_daemon_domain(mdadm_t,mdadm_exec_t) init_daemon_domain(mdadm_t,mdadm_exec_t)
role system_r types mdadm_t; role system_r types mdadm_t;
@ -67,6 +67,8 @@ miscfiles_read_localization(mdadm_t)
userdom_dontaudit_use_unpriv_user_fd(mdadm_t) userdom_dontaudit_use_unpriv_user_fd(mdadm_t)
userdom_dontaudit_use_sysadm_tty(mdadm_t) userdom_dontaudit_use_sysadm_tty(mdadm_t)
mta_send_mail(mdadm_t)
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(mdadm_t) term_dontaudit_use_unallocated_tty(mdadm_t)
term_dontaudit_use_generic_pty(mdadm_t) term_dontaudit_use_generic_pty(mdadm_t)