From 6ed3f15e827cbd4b2bfef723a44f5be3c4aed6cc Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Wed, 22 Sep 2010 16:42:32 -0400 Subject: [PATCH] Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc Allow shutdown to write utmp and search /var/log Allow mozilla_plugin to send nsplugin signals Split out samba_run_unconfined_net from unconfined_domain stuff. TO allow unconfined.pp module to be removed Allow nrpe to send signal and sigkill to the plugins Fix up xguest to allow it to read hwdata and gconf_etc_t Allow initrc_t to manage faillog --- policy/mcs | 5 ++++- policy/modules/admin/shutdown.te | 4 ++-- policy/modules/apps/mozilla.te | 1 + policy/modules/apps/nsplugin.if | 19 ++++++++++++++++++ policy/modules/apps/sandbox.if | 3 +++ policy/modules/kernel/mcs.if | 27 ++++++++++++++++++++++++++ policy/modules/kernel/mcs.te | 2 ++ policy/modules/roles/unconfineduser.te | 5 ++++- policy/modules/services/nagios.if | 1 + policy/modules/services/samba.te | 7 +++---- policy/modules/services/virt.if | 1 + policy/modules/services/xserver.if | 6 ++++++ policy/modules/system/authlogin.if | 19 ++++++++++++++++++ policy/modules/system/init.te | 1 + 14 files changed, 93 insertions(+), 8 deletions(-) diff --git a/policy/mcs b/policy/mcs index fbd2c407..9fef0f8f 100644 --- a/policy/mcs +++ b/policy/mcs @@ -98,9 +98,12 @@ mlsconstrain process { transition dyntransition } mlsconstrain process { ptrace } (( h1 dom h2) or ( t1 == mcsptraceall )); -mlsconstrain process { signal sigkill sigstop } +mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); +mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); + # # MCS policy for SELinux-enabled databases # diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te index 707fb3de..eb63a797 100644 --- a/policy/modules/admin/shutdown.te +++ b/policy/modules/admin/shutdown.te 
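Review bot: The new `mlsconstrain process { signal }` rule in the policy/mcs hunk inverts the MCS default for generic signals: where cross-category `signal` previously required `h1 dom h2` or a sender in `mcskillall`, it is now permitted for every domain except those carrying `mcsuntrustedproc`, so any process type an author forgets to tag (only the sandbox and virt templates are tagged in this patch) can deliver SIGTERM, SIGHUP and the rest of the `signal` class across category boundaries, subject only to type enforcement. Since `signal` alone is enough to terminate a target, MCS isolation against cross-category denial of service becomes opt-in per type instead of the fail-closed rule it replaces; if that is intended, say so above the constraint, e.g. `# generic signals cross MCS categories unless the sender is mcsuntrustedproc (mcs_untrusted_proc()); sigkill/sigstop stay with mcskillall`. Note also that the commit subject calls the attribute `mcsconstrainproc` while the constraint and mcs.te introduce `mcsuntrustedproc`.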
@@ -43,10 +43,10 @@ term_use_all_terms(shutdown_t) auth_use_nsswitch(shutdown_t) auth_write_login_records(shutdown_t) -init_dontaudit_write_utmp(shutdown_t) -init_read_utmp(shutdown_t) +init_rw_utmp(shutdown_t) init_telinit(shutdown_t) +logging_search_logs(shutdown_t) logging_send_audit_msgs(shutdown_t) miscfiles_read_localization(shutdown_t) diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 7c260fa4..0a9a9212 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -366,6 +366,7 @@ optional_policy(` nsplugin_rw_exec(mozilla_plugin_t) nsplugin_manage_home_dirs(mozilla_plugin_t) nsplugin_manage_home_files(mozilla_plugin_t) + nsplugin_signal(mozilla_plugin_t) ') optional_policy(` diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if index c779d448..94397463 100644 --- a/policy/modules/apps/nsplugin.if +++ b/policy/modules/apps/nsplugin.if @@ -168,6 +168,7 @@ interface(`nsplugin_domtrans',` allow $1 nsplugin_t:unix_stream_socket connectto; allow nsplugin_t $1:process signal; ') + ####################################### ## ## The per role template for the nsplugin module. @@ -390,3 +391,21 @@ interface(`nsplugin_exec_domtrans',` allow $2 nsplugin_exec_t:file entrypoint; domtrans_pattern($1, nsplugin_exec_t, $2) ') + +######################################## +## +## Send generic signals to user nsplugin processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_signal',` + gen_require(` + type nsplugin_t; + ') + + allow $1 nsplugin_t:process signal; +') diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if index 5dd356fc..587c440b 100644 --- a/policy/modules/apps/sandbox.if +++ b/policy/modules/apps/sandbox.if @@ -90,6 +90,7 @@ template(`sandbox_domain_template',` application_type($1_t) mls_rangetrans_target($1_t) + mcs_untrusted_proc($1_t) type $1_file_t, sandbox_file_type; files_type($1_file_t) 
@@ -123,6 +124,7 @@ template(`sandbox_x_domain_template',` type $1_t, sandbox_x_domain; application_type($1_t) + mcs_untrusted_proc($1_t) type $1_file_t, sandbox_file_type; files_type($1_file_t) @@ -145,6 +147,7 @@ template(`sandbox_x_domain_template',` type $1_client_t, sandbox_x_domain; application_type($1_client_t) + mcs_untrusted_proc($1_t) type $1_client_tmpfs_t, sandbox_tmpfs_type; files_tmpfs_file($1_client_tmpfs_t) diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index f52faaf3..3d623858 100644 --- a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -102,3 +102,30 @@ interface(`mcs_process_set_categories',` typeattribute $1 mcssetcats; ') + +######################################## +## +## Make specified process type MCS untrusted. +## +## +##
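Review bot: In the third sandbox.if hunk (`@@ -145,6 +147,7 @@`) the added line tags `$1_t` again instead of the domain being declared there, so `$1_client_t` never receives the `mcsuntrustedproc` attribute and, under the relaxed `signal` constraint in policy/mcs, a sandbox X client process can send generic signals to processes in other MCS category sets; the line should read `mcs_untrusted_proc($1_client_t)`. The first two hunks tag `$1_t` where `$1_t` is the type being declared, so this looks like a copy-paste slip rather than intent. The enclosing `sandbox_x_domain_template` starts and ends outside the hunk.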

+## Make specified process type MCS untrusted. This +## prevents this process from sending signals to other processes +## with different mcs labels +## object. +##

+##
+## +## +## The type of the process. +## +## +# +interface(`mcs_untrusted_proc',` + gen_require(` + attribute mcsuntrustedproc; + ') + + typeattribute $1 mcsuntrustedproc; +') + diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index 0e5b6611..dbf577f3 100644 --- a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -10,3 +10,5 @@ attribute mcsptraceall; attribute mcssetcats; attribute mcswriteall; attribute mcsreadall; +attribute mcsuntrustedproc; + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te index 799db362..a09ca522 100644 --- a/policy/modules/roles/unconfineduser.te +++ b/policy/modules/roles/unconfineduser.te @@ -371,8 +371,11 @@ optional_policy(` ') optional_policy(` + optional_policy(` + samba_run_unconfined_net(unconfined_t, unconfined_r) + ') + samba_role_notrans(unconfined_r) - samba_run_unconfined_net(unconfined_t, unconfined_r) # samba_run_winbind_helper(unconfined_t, unconfined_r) samba_run_smbcontrol(unconfined_t, unconfined_r) ') diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if index e3c82729..33d9d440 100644 --- a/policy/modules/services/nagios.if +++ b/policy/modules/services/nagios.if @@ -26,6 +26,7 @@ template(`nagios_plugin_template',` allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + allow nrpe_t nagios_$1_plugin_t:process { signal sigkill }; # needed by command.cfg domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 2a5981d2..85203daf 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te 
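Review bot: The description block of the new `mcs_untrusted_proc` interface ends with a stray `+## object.` line that is not part of the sentence (`... with different mcs labels` is followed by `object.`), and the text describes the effect without saying that this attribute is the opt-out for the new `signal` constraint in policy/mcs, which is what a policy author needs to know when deciding whether to tag a template. Suggest replacing the three description lines with `## Mark the process type MCS untrusted: it may only send generic signals to processes whose MCS label it dominates (mcsuntrustedproc is the opt-out in the policy/mcs signal constraint; sigkill and sigstop remain governed by mcskillall).`. The interface body itself matches its siblings (`gen_require` of the attribute plus `typeattribute`).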
@@ -555,11 +555,10 @@ allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) -allow smbcontrol_t nmbd_var_run_t:file { read lock }; - -allow smbcontrol_t smbd_t:process signal; - +allow smbcontrol_t smbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) allow smbcontrol_t winbind_t:process { signal signull }; files_search_var_lib(smbcontrol_t) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index e584e21c..0198dc2a 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -21,6 +21,7 @@ template(`virt_domain_template',` domain_type($1_t) domain_user_exemption_target($1_t) mls_rangetrans_target($1_t) + mcs_untrusted_proc($1_t) role system_r types $1_t; type $1_devpts_t; diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index f34a53f2..265c5df6 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -102,6 +102,7 @@ interface(`xserver_restricted_role',` miscfiles_read_fonts($2) miscfiles_setattr_fonts_cache_dirs($2) + miscfiles_read_hwdata($2) xserver_common_x_domain_template(user, $2) xserver_xsession_entry_type($2) @@ -127,6 +128,10 @@ interface(`xserver_restricted_role',` tunable_policy(`user_direct_dri',` dev_rw_dri($2) ') + + optional_policy(` + gnome_read_gconf_config($2) + ') ') ######################################## @@ -1038,6 +1043,7 @@ interface(`xserver_read_xdm_etc_files',` files_search_etc($1) read_files_pattern($1, xdm_etc_t, xdm_etc_t) + read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t) ') ######################################## diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 58192113..c411b5ed 100644 --- a/policy/modules/system/authlogin.if 
+++ b/policy/modules/system/authlogin.if @@ -783,6 +783,25 @@ interface(`auth_rw_faillog',` allow $1 faillog_t:file rw_file_perms; ') +######################################## +## +## Manage the login failure log. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_manage_faillog',` + gen_require(` + type faillog_t; + ') + + logging_search_logs($1) + allow $1 faillog_t:file manage_file_perms; +') + ####################################### ## ## Read the last logins log. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 1b6733fa..d7abdd14 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -505,6 +505,7 @@ auth_read_pam_pid(initrc_t) auth_delete_pam_pid(initrc_t) auth_delete_pam_console_data(initrc_t) auth_use_nsswitch(initrc_t) +auth_manage_faillog(initrc_t) libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t)
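Review bot: `auth_manage_faillog` grants `manage_file_perms` on `faillog_t`, which in refpolicy includes create, unlink and rename, yet its summary says only `Manage the login failure log.`; because faillog_t is the file that records login failures (the sibling `auth_rw_faillog` already covers read/write), a caller can delete or replace the record and, if that file backs pam_tally/faillog lockouts, clear them. The doc should make the scope explicit, e.g. `## Create, read, write, rename and delete the login failure log (faillog_t). Deleting the file discards recorded failures; prefer auth_rw_faillog unless the caller must create it.`. That `manage_file_perms` includes create/unlink is taken from refpolicy's permission-set definition, which is not part of this patch.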
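Review bot: `auth_manage_faillog(initrc_t)` in the init.te hunk gives every init script running as initrc_t create, delete and rename rights on faillog_t, where `auth_rw_faillog` would already cover reading and writing; the patch does not say which script needs more than that. If the reason is an init script creating /var/log/faillog at boot, that is the minimal grant, but a comment naming the consumer would let the rule be narrowed later, e.g. `# init scripts create /var/log/faillog at boot; auth_rw_faillog does not cover create`, assuming creation is indeed the need. The surrounding initrc_t rule block continues outside the hunk.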