From 67962667ec88358b4d25e1ab4362ee687c60aa47 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 31 Jan 2006 21:43:09 +0000 Subject: [PATCH] add mrtg, bug 1394 --- refpolicy/Changelog | 1 + refpolicy/policy/modules/admin/mrtg.fc | 18 ++ refpolicy/policy/modules/admin/mrtg.if | 17 ++ refpolicy/policy/modules/admin/mrtg.te | 172 ++++++++++++++++++ refpolicy/policy/modules/kernel/files.if | 8 +- refpolicy/policy/modules/services/cron.te | 4 + refpolicy/policy/modules/services/radius.te | 2 +- refpolicy/policy/modules/services/snmp.if | 36 +++- .../policy/modules/system/selinuxutil.te | 3 +- 9 files changed, 256 insertions(+), 5 deletions(-) create mode 100644 refpolicy/policy/modules/admin/mrtg.fc create mode 100644 refpolicy/policy/modules/admin/mrtg.if create mode 100644 refpolicy/policy/modules/admin/mrtg.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 99c7778e..9867c911 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -25,6 +25,7 @@ - Added modules: certwatch mono (Dan Walsh) + mrtg portage userhelper usernetctl diff --git a/refpolicy/policy/modules/admin/mrtg.fc b/refpolicy/policy/modules/admin/mrtg.fc new file mode 100644 index 00000000..c59caa5c --- /dev/null +++ b/refpolicy/policy/modules/admin/mrtg.fc @@ -0,0 +1,18 @@ +# +# /etc +# +/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0) + +# +# /usr +# +/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0) +/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0) + +# +# /var +# +/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0) +/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) +/var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0) + diff --git a/refpolicy/policy/modules/admin/mrtg.if b/refpolicy/policy/modules/admin/mrtg.if new file mode 100644 index 00000000..8602f09d --- /dev/null +++ b/refpolicy/policy/modules/admin/mrtg.if @@ -0,0 +1,17 @@ +## Network traffic graphing + +######################################## +## +## Create and append mrtg logs. +## +## +## Domain allowed access. +## +# +interface(`mrtg_append_create_logs',` + gen_require(` + type mrtg_log_t; + ') + allow $1 mrtg_log_t:dir rw_dir_perms; + allow $1 mrtg_log_t:file { create append getattr }; +') diff --git a/refpolicy/policy/modules/admin/mrtg.te b/refpolicy/policy/modules/admin/mrtg.te new file mode 100644 index 00000000..eaf93009 --- /dev/null +++ b/refpolicy/policy/modules/admin/mrtg.te @@ -0,0 +1,172 @@ + +policy_module(mrtg,1.0.0) + +######################################## +# +# Declarations +# + +type mrtg_t; +type mrtg_exec_t; +init_system_domain(mrtg_t,mrtg_exec_t) + +type mrtg_etc_t; +files_config_file(mrtg_etc_t) + +type mrtg_lock_t; +files_lock_file(mrtg_lock_t) + +type mrtg_log_t; +logging_log_file(mrtg_log_t) + +type mrtg_var_lib_t; +files_type(mrtg_var_lib_t) + +######################################## +# +# Local policy +# + +allow mrtg_t self:capability { setgid setuid }; +dontaudit mrtg_t self:capability sys_tty_config; +allow mrtg_t self:process signal_perms; +allow mrtg_t self:fifo_file { getattr read write ioctl }; +allow mrtg_t self:unix_stream_socket create_socket_perms; +allow mrtg_t self:tcp_socket create_socket_perms; +allow mrtg_t self:udp_socket create_socket_perms; + +allow mrtg_t mrtg_etc_t:file r_file_perms; +allow mrtg_t mrtg_etc_t:dir r_dir_perms; +allow mrtg_t mrtg_etc_t:lnk_file { getattr read }; +files_search_etc(mrtg_t) + +allow mrtg_t mrtg_lock_t:dir rw_dir_perms; +allow mrtg_t mrtg_lock_t:file create_file_perms; +allow mrtg_t mrtg_lock_t:lnk_file create_lnk_perms; + +allow mrtg_t mrtg_log_t:file create_file_perms; +allow mrtg_t mrtg_log_t:dir rw_dir_perms; +logging_filetrans_log(mrtg_t,mrtg_log_t,{ file dir }) + +allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms; +allow mrtg_t mrtg_var_lib_t:file create_file_perms; +allow mrtg_t mrtg_var_lib_t:lnk_file create_lnk_perms; + +# read config files +dontaudit mrtg_t mrtg_etc_t:dir write; +dontaudit mrtg_t mrtg_etc_t:file { write ioctl }; +files_read_etc_files(mrtg_t) + +kernel_read_system_state(mrtg_t) +kernel_read_network_state(mrtg_t) +kernel_read_kernel_sysctls(mrtg_t) + +corecmd_exec_bin(mrtg_t) +corecmd_exec_sbin(mrtg_t) +corecmd_exec_shell(mrtg_t) + +corenet_non_ipsec_sendrecv(mrtg_t) +corenet_tcp_sendrecv_generic_if(mrtg_t) +corenet_udp_sendrecv_generic_if(mrtg_t) +corenet_raw_sendrecv_generic_if(mrtg_t) +corenet_tcp_sendrecv_all_nodes(mrtg_t) +corenet_udp_sendrecv_all_nodes(mrtg_t) +corenet_raw_sendrecv_all_nodes(mrtg_t) +corenet_tcp_sendrecv_all_ports(mrtg_t) +corenet_udp_sendrecv_all_ports(mrtg_t) +corenet_tcp_bind_all_nodes(mrtg_t) +corenet_udp_bind_all_nodes(mrtg_t) +corenet_tcp_connect_all_ports(mrtg_t) + +dev_read_sysfs(mrtg_t) +dev_read_urand(mrtg_t) + +domain_use_wide_inherit_fd(mrtg_t) + +files_read_usr_files(mrtg_t) +files_search_var(mrtg_t) +files_search_locks(mrtg_t) +files_search_var_lib(mrtg_t) +files_search_spool(mrtg_t) +files_getattr_tmp_dirs(mrtg_t) +# for uptime +files_read_etc_runtime_files(mrtg_t) + +fs_search_auto_mountpoints(mrtg_t) +fs_getattr_xattr_fs(mrtg_t) + +term_dontaudit_use_console(mrtg_t) + +init_use_fd(mrtg_t) +init_use_script_pty(mrtg_t) +# for uptime +init_read_utmp(mrtg_t) +init_dontaudit_write_utmp(mrtg_t) + +libs_read_lib(mrtg_t) +libs_use_ld_so(mrtg_t) +libs_use_shared_libs(mrtg_t) + +logging_send_syslog_msg(mrtg_t) + +miscfiles_read_localization(mrtg_t) + +selinux_dontaudit_getattr_dir(mrtg_t) + +# Use the network. +sysnet_read_config(mrtg_t) + +userdom_dontaudit_use_unpriv_user_fd(mrtg_t) +userdom_use_sysadm_terms(mrtg_t) + +ifdef(`distro_redhat',` + allow mrtg_t mrtg_etc_t:dir rw_dir_perms; + allow mrtg_t mrtg_lock_t:file create_file_perms; + type_transition mrtg_t mrtg_etc_t:file mrtg_lock_t; +') + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty(mrtg_t) + term_dontaudit_use_generic_pty(mrtg_t) + files_dontaudit_read_root_files(mrtg_t) +') + +optional_policy(`apache',` + apache_manage_sys_content(mrtg_t) +') + +optional_policy(`cron',` + cron_system_entry(mrtg_t,mrtg_exec_t) +') + +optional_policy(`hostname',` + hostname_exec(mrtg_t) +') + +optional_policy(`nis',` + nis_use_ypbind(mrtg_t) +') + +optional_policy(`selinuxutil',` + seutil_sigchld_newrole(mrtg_t) +') + +optional_policy(`quota',` + quota_dontaudit_getattr_db(mrtg_t) +') + +optional_policy(`snmp',` + snmp_udp_chat(mrtg_t) + snmp_read_snmp_var_lib(mrtg_t) +') + +optional_policy(`udev',` + udev_read_db(mrtg_t) +') + +ifdef(`TODO',` + # should not need this! + dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr }; + dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; + dontaudit mrtg_t root_t:lnk_file getattr; +') diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index e17e312d..9301cb2b 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if @@ -2628,8 +2628,12 @@ interface(`files_manage_mounttab',` ') ######################################## -# -# files_search_locks(domain) +## +## Search the locks directory (/var/lock). +## +## +## Domain allowed access. +## # interface(`files_search_locks',` gen_require(` diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 5377ac21..de8e413d 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -385,6 +385,10 @@ ifdef(`targeted_policy',` inn_read_config(system_crond_t) ') + optional_policy(`mrtg',` + mrtg_append_create_logs(system_crond_t) + ') + optional_policy(`mysql',` mysql_read_config(system_crond_t) ') diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te index 54399532..9e172384 100644 --- a/refpolicy/policy/modules/services/radius.te +++ b/refpolicy/policy/modules/services/radius.te @@ -126,7 +126,7 @@ optional_policy(`selinuxutil',` ') optional_policy(`snmp',` - snmp_use(radiusd_t) + snmp_tcp_connect(radiusd_t) ') optional_policy(`udev',` diff --git a/refpolicy/policy/modules/services/snmp.if b/refpolicy/policy/modules/services/snmp.if index 0da887bc..93cf004e 100644 --- a/refpolicy/policy/modules/services/snmp.if +++ b/refpolicy/policy/modules/services/snmp.if @@ -8,7 +8,7 @@ ## Domain allowed access. ## # -interface(`snmp_use',` +interface(`snmp_tcp_connect',` gen_require(` type snmpd_t; ') @@ -17,3 +17,37 @@ interface(`snmp_use',` allow snmpd_t $1:tcp_socket { acceptfrom recvfrom }; kernel_tcp_recvfrom($1) ') + +######################################## +## +## Send and receive UDP traffic to SNMP +## +## +## Domain allowed access. +## +# +interface(`snmp_udp_chat',` + gen_require(` + type snmpd_t; + ') + + allow $1 snmpd_t:udp_socket { sendto recvfrom }; + allow snmpd_t $1:udp_socket { sendto recvfrom }; +') + +######################################## +## +## Read snmpd libraries. +## +## +## Domain allowed access. +## +# +interface(`snmp_read_snmp_var_lib',` + gen_require(` + type snmpd_var_lib_t; + ') + allow $1 snmpd_var_lib_t:dir r_dir_perms; + allow $1 snmpd_var_lib_t:file r_file_perms; + allow $1 snmpd_var_lib_t:lnk_file { getattr read }; +') diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 55ff9a69..63e4ed2d 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.1.2) +policy_module(selinuxutil,1.1.3) gen_require(` bool secure_mode; @@ -423,6 +423,7 @@ ifdef(`targeted_policy',`',` term_dontaudit_list_ptys(run_init_t) + auth_domtrans_chk_passwd(run_init_t) auth_dontaudit_read_shadow(run_init_t) corecmd_exec_bin(run_init_t)