- Add virt_content_ro_t and labeling for isos directory
This commit is contained in:
Daniel J Walsh
parent
2fbeb784fa
commit
618e35262f
@ -3287,8 +3287,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.3/policy/modules/apps/podsleuth.te
|
||||
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/apps/podsleuth.te 2009-01-19 13:10:02.000000000 -0500
|
||||
@@ -11,21 +11,58 @@
|
||||
+++ serefpolicy-3.6.3/policy/modules/apps/podsleuth.te 2009-01-30 08:03:36.000000000 -0500
|
||||
@@ -11,21 +11,59 @@
|
||||
application_domain(podsleuth_t, podsleuth_exec_t)
|
||||
role system_r types podsleuth_t;
|
||||
|
||||
@ -3326,7 +3326,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+fs_getattr_dos_fs(podsleuth_t)
|
||||
+fs_read_dos_files(podsleuth_t)
|
||||
+fs_search_dos(podsleuth_t)
|
||||
+
|
||||
+fs_getattr_tmpfs(podsleuth_t)
|
||||
+fs_list_tmpfs(podsleuth_t)
|
||||
+fs_mount_nfs(podsleuth_t)
|
||||
+fs_unmount_nfs(podsleuth_t)
|
||||
+fs_getattr_nfs(podsleuth_t)
|
||||
@ -3685,7 +3686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.3/policy/modules/apps/qemu.te
|
||||
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/apps/qemu.te 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/apps/qemu.te 2009-01-30 09:14:38.000000000 -0500
|
||||
@@ -6,6 +6,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -3695,7 +3696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow qemu to connect fully to the network
|
||||
@@ -13,28 +15,151 @@
|
||||
@@ -13,28 +15,153 @@
|
||||
## </desc>
|
||||
gen_tunable(qemu_full_network, false)
|
||||
|
||||
@ -3799,6 +3800,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
+storage_raw_write_removable_device(qemu_t)
|
||||
+storage_raw_read_removable_device(qemu_t)
|
||||
+
|
||||
+userdom_search_user_home_content(qemu_t)
|
||||
+
|
||||
tunable_policy(`qemu_full_network',`
|
||||
allow qemu_t self:udp_socket create_socket_perms;
|
||||
@ -5158,7 +5161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## all protocols (TCP, UDP, etc)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.3/policy/modules/kernel/domain.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/kernel/domain.te 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/kernel/domain.te 2009-01-30 07:56:48.000000000 -0500
|
||||
@@ -5,6 +5,13 @@
|
||||
#
|
||||
# Declarations
|
||||
@ -5220,7 +5223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
|
||||
# act on all domains keys
|
||||
@@ -153,3 +170,39 @@
|
||||
@@ -153,3 +170,34 @@
|
||||
|
||||
# receive from all domains over labeled networking
|
||||
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||||
@ -5234,15 +5237,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ cron_dontaudit_write_system_job_tmp_files(domain)
|
||||
+ cron_rw_pipes(domain)
|
||||
+ifdef(`hide_broken_symptoms',`
|
||||
+ cron_dontaudit_rw_tcp_sockets(domain)
|
||||
+ allow domain domain:key { link search };
|
||||
+')
|
||||
+')
|
||||
+
|
||||
+ifdef(`hide_broken_symptoms',`
|
||||
+ dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpm_rw_pipes(domain)
|
||||
+ rpm_dontaudit_use_script_fds(domain)
|
||||
@ -17626,7 +17624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.3/policy/modules/services/postfix.if
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/postfix.if 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/postfix.if 2009-01-30 08:30:01.000000000 -0500
|
||||
@@ -46,6 +46,7 @@
|
||||
|
||||
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
|
||||
@ -17647,7 +17645,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
@@ -378,7 +378,7 @@
|
||||
@@ -232,6 +232,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Allow read/write postfix local pipes
|
||||
+## TCP sockets.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`postfix_rw_local_pipes',`
|
||||
+ gen_require(`
|
||||
+ type postfix_local_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 postfix_local_t:fifo rw_fifo_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Allow domain to read postfix local process state
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -378,7 +397,7 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -17656,7 +17680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
gen_require(`
|
||||
type postfix_private_t;
|
||||
')
|
||||
@@ -389,6 +389,25 @@
|
||||
@@ -389,6 +408,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -17682,7 +17706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Execute the master postfix program in the
|
||||
## postfix_master domain.
|
||||
## </summary>
|
||||
@@ -418,10 +437,10 @@
|
||||
@@ -418,10 +456,10 @@
|
||||
#
|
||||
interface(`postfix_search_spool',`
|
||||
gen_require(`
|
||||
@ -17695,7 +17719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_search_spool($1)
|
||||
')
|
||||
|
||||
@@ -437,11 +456,30 @@
|
||||
@@ -437,11 +475,30 @@
|
||||
#
|
||||
interface(`postfix_list_spool',`
|
||||
gen_require(`
|
||||
@ -17728,7 +17752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -456,16 +494,16 @@
|
||||
@@ -456,16 +513,16 @@
|
||||
#
|
||||
interface(`postfix_read_spool_files',`
|
||||
gen_require(`
|
||||
@ -17748,7 +17772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -475,11 +513,11 @@
|
||||
@@ -475,11 +532,11 @@
|
||||
#
|
||||
interface(`postfix_manage_spool_files',`
|
||||
gen_require(`
|
||||
@ -17762,7 +17786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -500,3 +538,23 @@
|
||||
@@ -500,3 +557,23 @@
|
||||
|
||||
typeattribute $1 postfix_user_domtrans;
|
||||
')
|
||||
@ -21420,7 +21444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.3/policy/modules/services/spamassassin.te
|
||||
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/spamassassin.te 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/spamassassin.te 2009-01-30 08:30:30.000000000 -0500
|
||||
@@ -20,6 +20,35 @@
|
||||
## </desc>
|
||||
gen_tunable(spamd_enable_home_dirs, true)
|
||||
@ -21532,7 +21556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
miscfiles_read_localization(spamc_t)
|
||||
|
||||
# cjp: this should probably be removed:
|
||||
@@ -265,31 +323,34 @@
|
||||
@@ -265,31 +323,35 @@
|
||||
|
||||
sysnet_read_config(spamc_t)
|
||||
|
||||
@ -21568,6 +21592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
- nscd_socket_use(spamc_t)
|
||||
+ postfix_domtrans_postdrop(spamc_t)
|
||||
+ postfix_search_spool(spamc_t)
|
||||
+ postfix_rw_local_pipes(spamc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21579,7 +21604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -301,7 +362,7 @@
|
||||
@@ -301,7 +363,7 @@
|
||||
# setuids to the user running spamc. Comment this if you are not
|
||||
# using this ability.
|
||||
|
||||
@ -21588,7 +21613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit spamd_t self:capability sys_tty_config;
|
||||
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow spamd_t self:fd use;
|
||||
@@ -317,10 +378,13 @@
|
||||
@@ -317,10 +379,13 @@
|
||||
allow spamd_t self:unix_stream_socket connectto;
|
||||
allow spamd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow spamd_t self:udp_socket create_socket_perms;
|
||||
@ -21603,7 +21628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
||||
@@ -329,10 +393,11 @@
|
||||
@@ -329,10 +394,11 @@
|
||||
|
||||
# var/lib files for spamd
|
||||
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
|
||||
@ -21616,7 +21641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
|
||||
|
||||
kernel_read_all_sysctls(spamd_t)
|
||||
@@ -382,22 +447,27 @@
|
||||
@@ -382,22 +448,27 @@
|
||||
|
||||
init_dontaudit_rw_utmp(spamd_t)
|
||||
|
||||
@ -21648,7 +21673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_manage_cifs_files(spamd_t)
|
||||
')
|
||||
|
||||
@@ -415,6 +485,7 @@
|
||||
@@ -415,6 +486,7 @@
|
||||
|
||||
optional_policy(`
|
||||
dcc_domtrans_client(spamd_t)
|
||||
@ -21656,7 +21681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dcc_stream_connect_dccifd(spamd_t)
|
||||
')
|
||||
|
||||
@@ -424,10 +495,6 @@
|
||||
@@ -424,10 +496,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21667,7 +21692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
postfix_read_config(spamd_t)
|
||||
')
|
||||
|
||||
@@ -442,6 +509,10 @@
|
||||
@@ -442,6 +510,10 @@
|
||||
|
||||
optional_policy(`
|
||||
razor_domtrans(spamd_t)
|
||||
@ -22363,10 +22388,80 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.3/policy/modules/services/virt.fc
|
||||
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/virt.fc 2009-01-30 09:09:00.000000000 -0500
|
||||
@@ -8,5 +8,10 @@
|
||||
|
||||
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
|
||||
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
||||
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_image_ro_t,s0)
|
||||
+
|
||||
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
||||
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
||||
+
|
||||
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
||||
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_image_ro_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.3/policy/modules/services/virt.if
|
||||
--- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/virt.if 2009-01-30 09:13:05.000000000 -0500
|
||||
@@ -293,6 +293,41 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Allow domain to manage virt image files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`virt_read_ro_t',`
|
||||
+ gen_require(`
|
||||
+ type virt_image_ro_t;
|
||||
+ ')
|
||||
+
|
||||
+ virt_search_lib($1)
|
||||
+ allow $1 virt_image_ro_t:dir list_dir_perms;
|
||||
+ read_dirs_pattern($1, virt_image_ro_t, virt_image_ro_t)
|
||||
+ read_files_pattern($1, virt_image_ro_t, virt_image_ro_t)
|
||||
+ read_lnk_files_pattern($1, virt_image_ro_t, virt_image_ro_t)
|
||||
+ rw_blk_files_pattern($1, virt_image_ro_t, virt_image_ro_t)
|
||||
+
|
||||
+ tunable_policy(`virt_use_nfs',`
|
||||
+ fs_read_nfs_dirs($1)
|
||||
+ fs_read_nfs_files($1)
|
||||
+ fs_read_nfs_symlinks($1)
|
||||
+ ')
|
||||
+
|
||||
+ tunable_policy(`virt_use_samba',`
|
||||
+ fs_read_nfs_files($1)
|
||||
+ fs_read_cifs_files($1)
|
||||
+ fs_read_cifs_symlinks($1)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an virt environment
|
||||
## </summary>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.3/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/virt.te 2009-01-21 16:53:49.000000000 -0500
|
||||
@@ -53,7 +53,7 @@
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/virt.te 2009-01-30 09:10:13.000000000 -0500
|
||||
@@ -32,6 +32,10 @@
|
||||
type virt_image_t, virt_image_type; # customizable
|
||||
virt_image(virt_image_t)
|
||||
|
||||
+# virt Image files
|
||||
+type virt_image_ro_t;
|
||||
+virt_image(virt_image_ro_t)
|
||||
+
|
||||
type virt_log_t;
|
||||
logging_log_file(virt_log_t)
|
||||
|
||||
@@ -53,7 +57,7 @@
|
||||
# virtd local policy
|
||||
#
|
||||
|
||||
@ -22375,7 +22470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow virtd_t self:process { getsched sigkill signal execmem };
|
||||
allow virtd_t self:fifo_file rw_file_perms;
|
||||
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -96,7 +96,7 @@
|
||||
@@ -96,7 +100,7 @@
|
||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||
corenet_tcp_sendrecv_all_ports(virtd_t)
|
||||
corenet_tcp_bind_generic_node(virtd_t)
|
||||
@ -22384,7 +22479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_soundd_port(virtd_t)
|
||||
@@ -110,11 +110,13 @@
|
||||
@@ -110,11 +114,13 @@
|
||||
|
||||
files_read_usr_files(virtd_t)
|
||||
files_read_etc_files(virtd_t)
|
||||
@ -22398,7 +22493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
storage_raw_write_removable_device(virtd_t)
|
||||
storage_raw_read_removable_device(virtd_t)
|
||||
@@ -129,7 +131,10 @@
|
||||
@@ -129,7 +135,10 @@
|
||||
|
||||
logging_send_syslog_msg(virtd_t)
|
||||
|
||||
@ -22409,7 +22504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virtd_t)
|
||||
@@ -173,16 +178,17 @@
|
||||
@@ -173,16 +182,17 @@
|
||||
iptables_domtrans(virtd_t)
|
||||
')
|
||||
|
||||
@ -28084,7 +28179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-28 10:48:13.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-30 09:14:16.000000000 -0500
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user