more fixing

This commit is contained in:
Chris PeBenito 2005-10-26 21:03:19 +00:00
parent f13da83f99
commit 4614e83fbb
18 changed files with 140 additions and 27 deletions

View File

@ -135,6 +135,10 @@ gen_tunable(ssh_sysadm_login,false)
## dir and read files (such as ~/.bashrc)
gen_tunable(staff_read_sysadm_file,false)
## Configure stunnel to be a standalone daemon or
## inetd service.
gen_tunable(stunnel_is_daemon,false)
## Support NFS home directories
gen_tunable(use_nfs_home_dirs,false)

View File

@ -45,7 +45,7 @@ type amanda_script_exec_t;
files_type(amanda_script_exec_t)
# temp:
typeattribute amanda_user_exec_t entry_type;
typeattribute amanda_script_exec_t entry_type;
# type for the shell configuration files
type amanda_shellconfig_t;

View File

@ -304,6 +304,9 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
term_use_all_user_ttys(passwd_t)
term_use_all_user_ptys(passwd_t)
auth_manage_shadow(passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate

View File

@ -166,6 +166,7 @@ allow kernel_t self:unix_stream_socket create_stream_socket_perms;
allow kernel_t self:unix_dgram_socket sendto;
allow kernel_t self:unix_stream_socket connectto;
allow kernel_t self:fifo_file rw_file_perms;
allow kernel_t self:sock_file r_file_perms;
allow kernel_t self:fd use;
# old general_proc_read_access():

View File

@ -178,6 +178,13 @@ template(`apache_content_template',`
libs_read_lib(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
# added back to make sediff nicer
dev_rw_null_dev(httpd_$1_script_t)
term_use_controlling_term(httpd_$1_script_t)
allow httpd_$1_script_t self:dir r_dir_perms;
allow httpd_$1_script_t self:file r_file_perms;
allow httpd_$1_script_t self:lnk_file read;
')
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`

View File

@ -289,6 +289,10 @@ ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(httpd_t)
term_dontaudit_use_generic_pty(httpd_t)
files_dontaudit_read_root_file(httpd_t)
tunable_policy(`httpd_enable_homedirs',`
userdom_search_generic_user_home_dir(httpd_t)
')
')
tunable_policy(`allow_httpd_anon_write',`
@ -335,6 +339,9 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
allow httpd_t httpdcontent:dir create_dir_perms;
allow httpd_t httpdcontent:file create_file_perms;
allow httpd_t httpdcontent:lnk_file create_lnk_perms;
# make sediff easier
allow httpd_sys_script_t httpdcontent:file { rx_file_perms entrypoint };
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@ -407,17 +414,6 @@ optional_policy(`rhgb.te',`
can_tcp_connect(web_client_domain, httpd_t)
ifdef(`targeted_policy',`
if (httpd_enable_homedirs) {
allow httpd_t user_home_dir_t:dir { getattr search };
}
if (httpd_enable_homedirs) {
allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
}
if (httpd_enable_homedirs) {
allow httpd_suexec_t user_home_dir_t:dir { getattr search };
}
')
') dnl end TODO
########################################
@ -495,12 +491,17 @@ allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
# cjp: need transitionbool
domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
allow httpd_t httpd_suexec_t:fd use;
allow httpd_suexec_t httpd_t:fd use;
allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
allow httpd_suexec_t httpd_t:process sigchld;
ifdef(`targeted_policy',`
gen_tunable(httpd_suexec_disable_trans,false)
tunable_policy(`httpd_suexec_disable_trans',`',`
domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
allow httpd_t httpd_suexec_t:fd use;
allow httpd_suexec_t httpd_t:fd use;
allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
allow httpd_suexec_t httpd_t:process sigchld;
')
')
allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
@ -534,6 +535,12 @@ logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
ifdef(`targeted_policy',`
tunable_policy(`httpd_enable_homedirs',`
userdom_search_generic_user_home_dir(httpd_suexec_t)
')
')
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
@ -555,6 +562,13 @@ tunable_policy(`httpd_can_network_connect',`
tunable_policy(`httpd_enable_cgi',`
domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
allow httpd_suexec_t httpd_unconfined_script_t:fd use;
allow httpd_unconfined_script_t httpd_suexec_t:fd use;
allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
# make sediff happy
allow httpd_unconfined_script_t httpd_unconfined_script_exec_t:file { ioctl read getattr lock execute entrypoint };
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
@ -619,6 +633,12 @@ ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file { getattr append };
')
ifdef(`targeted_policy',`
tunable_policy(`httpd_enable_homedirs',`
userdom_search_generic_user_home_dir(httpd_sys_script_t)
')
')
optional_policy(`mysql.te',`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_socket(httpd_sys_script_t)

View File

@ -598,8 +598,8 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(cupsd_config_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(cupsd_config_t)
optional_policy(`hal.te',`
hal_domtrans(cupsd_config_t)
')
optional_policy(`hostname.te',`
@ -610,6 +610,10 @@ optional_policy(`logrotate.te',`
logrotate_use_fd(cupsd_config_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(cupsd_config_t)
')
optional_policy(`nscd.te',`
nscd_use_socket(cupsd_config_t)
')

View File

@ -1 +1,22 @@
## <summary>Hardware abstraction layer</summary>
########################################
## <summary>
## Execute hal in the hal domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`hal_domtrans',`
gen_require(`
type hald_t, hald_exec_t;
')
domain_auto_trans($1,hald_exec_t,hald_t)
allow $1 hald_t:fd use;
allow hald_t $1:fd use;
allow hald_t $1:fifo_file rw_file_perms;
allow hald_t $1:process sigchld;
')

View File

@ -39,6 +39,7 @@ allow hald_t hald_tmp_t:file create_file_perms;
files_create_tmp_files(hald_t, hald_tmp_t, { file dir })
allow hald_t hald_var_run_t:file create_file_perms;
allow hald_t hald_var_run_t:dir rw_dir_perms;
files_create_pid(hald_t,hald_var_run_t)
kernel_read_system_state(hald_t)

View File

@ -32,15 +32,18 @@ interface(`inetd_core_service_domain',`
role system_r types $1;
allow inetd_t $1:process sigkill;
ifdef(`targeted_policy',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
can_exec(inetd_t,$2)
# can_exec(inetd_t,$2)
# cjp: this must be wrong
gen_require(`
type initrc_t, unconfined_t;
')
can_exec({ unconfined_t initrc_t },$2)
} else {
domain_auto_trans(inetd_t,$2,$1)
allow inetd_t $1:fd use;
@ -49,6 +52,8 @@ interface(`inetd_core_service_domain',`
allow $1 inetd_t:process sigchld;
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
allow inetd_t $1:process sigkill;
# make sediff happy
allow $1 $2:file { rx_file_perms entrypoint };
}
@ -60,6 +65,8 @@ interface(`inetd_core_service_domain',`
allow $1 inetd_t:process sigchld;
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
allow inetd_t $1:process sigkill;
# make sediff happy
allow $1 $2:file { rx_file_perms entrypoint };
')

View File

@ -38,7 +38,10 @@ type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
postfix_domain_template(master)
mta_mailserver(postfix_master_t,postfix_master_exec_t)
typealias postfix_master_t alias postfix_t;
# alias is a hack to make the disable trans bool
# generation macro work
mta_mailserver(postfix_t,postfix_master_exec_t)
postfix_public_domain_template(pickup)

View File

@ -70,6 +70,10 @@ allow pppd_t self:udp_socket { connect connected_socket_perms };
allow pppd_t self:packet_socket create_socket_perms;
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
allow pppd_t pptp_t:fd use;
allow pptp_t pppd_t:fd use;
allow pptp_t pppd_t:fifo_file rw_file_perms;
allow pptp_t pppd_t:process sigchld;
allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
@ -179,10 +183,10 @@ ifdef(`targeted_policy', `
optional_policy(`postfix.te',`
gen_require(`
bool postfix_master_disable_transgre;
bool postfix_disable_trans;
')
if(!postfix_master_disable_trans) {
if(!postfix_disable_trans) {
postfix_domtrans_master(pppd_t)
}
')

View File

@ -30,6 +30,7 @@ allow privoxy_t privoxy_log_t:dir rw_dir_perms;
logging_create_log(privoxy_t,privoxy_log_t)
allow privoxy_t privoxy_var_run_t:file create_file_perms;
allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
files_create_pid(privoxy_t,privoxy_var_run_t)
kernel_read_kernel_sysctl(privoxy_t)

View File

@ -37,6 +37,7 @@ allow stunnel_t self:capability { setgid setuid sys_chroot };
allow stunnel_t self:process signal_perms;
allow stunnel_t self:fifo_file rw_file_perms;
allow stunnel_t self:tcp_socket create_stream_socket_perms;
allow stunnel_t self:udp_socket create_socket_perms;
allow stunnel_t stunnel_etc_t:dir { getattr read search };
allow stunnel_t stunnel_etc_t:file { read getattr };
@ -138,3 +139,14 @@ ifdef(`distro_gentoo', `
nscd_use_socket(stunnel_t)
')
')
tunable_policy(`stunnel_is_daemon',`
allow stunnel_t self:tcp_socket create_stream_socket_perms;
# hack since this port has no interfaces since it doesnt
# have net_contexts
gen_require(`
type stunnel_port_t;
')
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
')

View File

@ -187,7 +187,8 @@ rhgb_domain(auditd_t)
#
allow klogd_t klogd_tmp_t:file create_file_perms;
files_create_tmp_files(klogd_t,klogd_tmp_t)
allow klogd_t klogd_tmp_t:dir create_dir_perms;
files_create_tmp_files(klogd_t,klogd_tmp_t,{ file dir })
allow klogd_t klogd_var_run_t:file create_file_perms;
@ -209,6 +210,8 @@ dev_read_sysfs(klogd_t)
fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)
term_dontaudit_use_console(klogd_t)
domain_use_wide_inherit_fd(klogd_t)
files_create_pid(klogd_t,klogd_var_run_t)

View File

@ -50,6 +50,10 @@ allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms;
can_exec(insmod_t, insmod_exec_t)
# make sediff happy (no effect)
dontaudit insmod_t self:process { noatsecure rlimitinh siginh };
type_transition insmod_t insmod_exec_t:process insmod_t;
kernel_load_module(insmod_t)
kernel_read_system_state(insmod_t)
kernel_mount_debugfs(insmod_t)

View File

@ -273,6 +273,8 @@ dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_file_perms;
allow ifconfig_t self:sock_file r_file_perms;
allow ifconfig_t self:socket create_socket_perms;
allow ifconfig_t self:unix_dgram_socket create_socket_perms;
allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
allow ifconfig_t self:unix_dgram_socket sendto;

View File

@ -2126,6 +2126,22 @@ interface(`userdom_create_generic_user_home_dir',`
files_create_home_dirs($1,user_home_dir_t)
')
########################################
## <summary>
## Search generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_search_generic_user_home_dir',`
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir search_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete