trunk: add bitlbee from devin carraway and add tcpd_wrapped_domain().

2007-09-17 14:33:40 +00:00 · 2007-09-17 14:33:40 +00:00 · 8242f5a68d
parent 14add30d03
commit 8242f5a68d
12 changed files with 194 additions and 74 deletions
--- a/2
+++ b/2
@ -1,3 +1,4 @@
 - Add tcpd_wrapped_domain() for services that use tcp wrappers.
 - Update MLS constraints from LSPP evaluated policy.
 - Allow initrc_t file descriptors to be inherited regardless of MLS level.
  Accordingly drop MLS permissions from daemons that inherit from any level.
@ -16,6 +17,7 @@
 - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
 - Added modules:
 	application
 	bitlbee (Devin Carraway)
 	brctl (Dan Walsh)
 * Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.10)
+policy_module(corenetwork,1.2.11)
 ########################################
 #
@ -67,6 +67,7 @@ network_port(afs_vl, udp,7003,s0)
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
 network_port(aol, tcp,5190,s0, udp,5190,s0)
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
@ -112,6 +113,8 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 network_port(mail, tcp,2000,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(mysqld, tcp,3306,s0)
 network_port(nessus, tcp,1241,s0)
--- a/policy/modules/services/bitlbee.fc
+++ b/policy/modules/services/bitlbee.fc
@ -0,0 +1,3 @@
 /usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
 /etc/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_conf_t,s0)
 /var/lib/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_var_t,s0)
--- a/policy/modules/services/bitlbee.if
+++ b/policy/modules/services/bitlbee.if
@ -0,0 +1,22 @@
 ## <summary>Bitlbee service</summary>
 ########################################
 ## <summary>
 ##     Read bitlbee configuration files
 ## </summary>
 ## <param name="domain">
 ##     <summary>
 ##         Domain allowed accesss.
 ##     </summary>
 ## </param>
 #
 interface(`bitlbee_read_config',`
 	gen_require(`
 		type bitlbee_conf_t;
 	')
 	files_search_etc($1)
 	allow $1 bitlbee_conf_t:dir { getattr read search };
 	allow $1 bitlbee_conf_t:file { read getattr };
 ')
--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
@ -0,0 +1,70 @@
 policy_module(bitlbee, 1.0.0)
 ########################################
 #
 # Declarations
 #
 type bitlbee_t;
 type bitlbee_exec_t;
 init_daemon_domain(bitlbee_t, bitlbee_exec_t)
 inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
 type bitlbee_conf_t;
 files_config_file(bitlbee_conf_t)
 type bitlbee_var_t;
 files_type(bitlbee_var_t)
 ########################################
 #
 # Local policy
 #
 #
 allow bitlbee_t self:udp_socket create_socket_perms;
 allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
 allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
 bitlbee_read_config(bitlbee_t)
 # user account information is read and edited at runtime; give the usual
 # r/w access to bitlbee_var_t
 manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
 files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_udp_sendrecv_generic_if(bitlbee_t)
 corenet_udp_sendrecv_generic_node(bitlbee_t)
 corenet_udp_sendrecv_lo_node(bitlbee_t)
 corenet_tcp_sendrecv_generic_if(bitlbee_t)
 corenet_tcp_sendrecv_generic_node(bitlbee_t)
 corenet_tcp_sendrecv_lo_node(bitlbee_t)
 # Allow bitlbee to connect to jabber servers
 corenet_tcp_connect_jabber_client_port(bitlbee_t)
 corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
 # to AIM servers:
 corenet_tcp_connect_aol_port(bitlbee_t)
 corenet_tcp_sendrecv_aol_port(bitlbee_t)
 # and to MMCC (Yahoo IM) servers:
 corenet_tcp_connect_mmcc_port(bitlbee_t)
 corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
 # and to MSNP (MSN Messenger) servers:
 corenet_tcp_connect_msnp_port(bitlbee_t)
 corenet_tcp_sendrecv_msnp_port(bitlbee_t)
 files_read_etc_files(bitlbee_t)
 files_search_pids(bitlbee_t)
 # grant read-only access to the user help files
 files_read_usr_files(bitlbee_t)
 libs_legacy_use_shared_libs(bitlbee_t)
 libs_use_ld_so(bitlbee_t)
 sysnet_dns_name_resolve(bitlbee_t)
 optional_policy(`
 	# normally started from inetd using tcpwrappers, so use those entry points
 	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
 ')
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@ -1,5 +1,5 @@
-policy_module(finger,1.4.0)
+policy_module(finger,1.4.1)
 ########################################
 #
@ -8,8 +8,8 @@ policy_module(finger,1.4.0)
 type fingerd_t;
 type fingerd_exec_t;
-init_daemon_domain(fingerd_t,fingerd_exec_t)
+init_daemon_domain(fingerd_t, fingerd_exec_t)
-inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
+inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
 type fingerd_etc_t;
 files_config_file(fingerd_etc_t)
@ -34,15 +34,15 @@ allow fingerd_t self:udp_socket create_socket_perms;
 allow fingerd_t self:unix_dgram_socket create_socket_perms;
 allow fingerd_t self:unix_stream_socket create_socket_perms;
-manage_files_pattern(fingerd_t,fingerd_var_run_t,fingerd_var_run_t)
+manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
-files_pid_filetrans(fingerd_t,fingerd_var_run_t,file)
+files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
-allow fingerd_t fingerd_etc_t:dir r_dir_perms;
+allow fingerd_t fingerd_etc_t:dir list_dir_perms;
-read_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t)
+read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
-read_lnk_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t)
+read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
 allow fingerd_t fingerd_log_t:file manage_file_perms;
-logging_log_filetrans(fingerd_t,fingerd_log_t,file)
+logging_log_filetrans(fingerd_t, fingerd_log_t, file)
 kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)
@ -105,7 +105,7 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`
-	cron_system_entry(fingerd_t,fingerd_exec_t)
+	cron_system_entry(fingerd_t, fingerd_exec_t)
 ')
 optional_policy(`
@ -124,6 +124,10 @@ optional_policy(`
 	seutil_sigchld_newrole(fingerd_t)
 ')
 optional_policy(`
 	tcpd_wrapped_domain(fingerd_t, fingerd_exec_t)
 ')
 optional_policy(`
 	udev_read_db(fingerd_t)
 ')
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@ -1,5 +1,5 @@
-policy_module(nagios,1.3.0)
+policy_module(nagios,1.3.1)
 ########################################
 #
@ -8,11 +8,11 @@ policy_module(nagios,1.3.0)
 type nagios_t;
 type nagios_exec_t;
-init_daemon_domain(nagios_t,nagios_exec_t)
+init_daemon_domain(nagios_t, nagios_exec_t)
 type nagios_cgi_t;
 type nagios_cgi_exec_t;
-init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)
+init_system_domain(nagios_cgi_t, nagios_cgi_exec_t)
 type nagios_etc_t;
 files_config_file(nagios_etc_t)
@ -28,7 +28,7 @@ files_pid_file(nagios_var_run_t)
 type nrpe_t;
 type nrpe_exec_t;
-init_daemon_domain(nrpe_t,nrpe_exec_t)
+init_daemon_domain(nrpe_t, nrpe_exec_t)
 type nrpe_etc_t;
 files_config_file(nrpe_etc_t)
@ -45,20 +45,20 @@ allow nagios_t self:fifo_file rw_file_perms;
 allow nagios_t self:tcp_socket create_stream_socket_perms;
 allow nagios_t self:udp_socket create_socket_perms;
-read_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
+read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
-read_lnk_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
+read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
 allow nagios_t nagios_etc_t:dir list_dir_perms;
-manage_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
+manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-manage_fifo_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
+manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })
+logging_log_filetrans(nagios_t, nagios_log_t, { file dir })
-manage_dirs_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
+manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
-manage_files_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
+manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
 files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
-manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t)
+manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
-files_pid_filetrans(nagios_t,nagios_var_run_t,file)
+files_pid_filetrans(nagios_t, nagios_var_run_t, file)
 kernel_read_system_state(nagios_t)
 kernel_read_kernel_sysctls(nagios_t)
@ -142,16 +142,16 @@ optional_policy(`
 allow nagios_cgi_t self:process signal_perms;
 allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-read_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
+read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
+read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
 allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
+read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
+read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
 allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
+read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
+read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
 kernel_read_system_state(nagios_cgi_t)
@ -218,13 +218,17 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`
-	inetd_tcp_service_domain(nrpe_t,nrpe_exec_t)
+	inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
 ')
 optional_policy(`
        seutil_sigchld_newrole(nrpe_t)
 ')
 optional_policy(`
 	tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
 ')
 optional_policy(`
        udev_read_db(nrpe_t)
 ')
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@ -1,5 +1,5 @@
-policy_module(rlogin,1.4.0)
+policy_module(rlogin,1.4.1)
 ########################################
 #
@ -8,7 +8,7 @@ policy_module(rlogin,1.4.0)
 type rlogind_t;
 type rlogind_exec_t;
-inetd_service_domain(rlogind_t,rlogind_exec_t)
+inetd_service_domain(rlogind_t, rlogind_exec_t)
 role system_r types rlogind_t;
 type rlogind_devpts_t; #, userpty_type;
@ -39,12 +39,12 @@ term_create_pty(rlogind_t,rlogind_devpts_t)
 # for /usr/lib/telnetlogin
 can_exec(rlogind_t, rlogind_exec_t)
-manage_dirs_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t)
+manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
-manage_files_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t)
+manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
 files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
-manage_files_pattern(rlogind_t,rlogind_var_run_t,rlogind_var_run_t)
+manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
-files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)
+files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
 kernel_read_kernel_sysctls(rlogind_t)
 kernel_read_system_state(rlogind_t)
@ -96,6 +96,10 @@ optional_policy(`
 	kerberos_read_keytab(rlogind_t)
 ')
 optional_policy(`
 	tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
 ')
 ifdef(`TODO',`
 # Allow krb5 rlogind to use fork and open /dev/tty for use
 allow rlogind_t userpty_type:chr_file setattr;
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@ -1,5 +1,5 @@
-policy_module(rshd,1.3.1)
+policy_module(rshd,1.3.2)
 ########################################
 #
@ -7,7 +7,7 @@ policy_module(rshd,1.3.1)
 #
 type rshd_t;
 type rshd_exec_t;
-inetd_tcp_service_domain(rshd_t,rshd_exec_t)
+inetd_tcp_service_domain(rshd_t, rshd_exec_t)
 domain_subj_id_change_exemption(rshd_t)
 domain_role_change_exemption(rshd_t)
 role system_r types rshd_t;
@ -88,8 +88,6 @@ optional_policy(`
 	nscd_socket_use(rshd_t)
 ')
 ifdef(`TODO',`
 optional_policy(`
-	allow rshd_t rlogind_tmp_t:file rw_file_perms;
+	tcpd_wrapped_domain(rshd_t,rshd_exec_t)
 ')
 ')
--- a/policy/modules/services/tcpd.if
+++ b/policy/modules/services/tcpd.if
@ -15,5 +15,31 @@ interface(`tcpd_domtrans',`
 		type tcpd_t, tcpd_exec_t;
 	')
-	domtrans_pattern($1,tcpd_exec_t,tcpd_t)
+	domtrans_pattern($1, tcpd_exec_t, tcpd_t)
 ')
 ########################################
 ## <summary>
 ##	Create a domain for services that
 ##	utilize tcp wrappers.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Type to be used as a domain.
 ##	</summary>
 ## </param>
 ## <param name="entry_point">
 ##	<summary>
 ##	Type of the program to be used as an entry point to this domain.
 ##	</summary>
 ## </param>
 #
 interface(`tcpd_wrapped_domain',`
 	gen_require(`
 		type tcpd_t;
 		role system_r;
 	')
 	domtrans_pattern(tcpd_t, $2, $1)
 	role system_r types $1;
 ')
--- a/policy/modules/services/tcpd.te
+++ b/policy/modules/services/tcpd.te
@ -1,5 +1,5 @@
-policy_module(tcpd,1.2.0)
+policy_module(tcpd,1.2.1)
 ########################################
 #
@ -7,7 +7,7 @@ policy_module(tcpd,1.2.0)
 #
 type tcpd_t;
 type tcpd_exec_t;
-inetd_tcp_service_domain(tcpd_t,tcpd_exec_t)
+inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
 role system_r types tcpd_t;
 type tcpd_tmp_t;
@ -19,8 +19,8 @@ files_tmp_file(tcpd_tmp_t)
 #
 allow tcpd_t self:tcp_socket create_stream_socket_perms;
-manage_dirs_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
+manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
-manage_files_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
+manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
 files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
 corenet_all_recvfrom_unlabeled(tcpd_t)
@ -49,26 +49,6 @@ sysnet_read_config(tcpd_t)
 inetd_domtrans_child(tcpd_t)
 optional_policy(`
 	finger_domtrans(tcpd_t)
 ')
 optional_policy(`
 	nis_use_ypbind(tcpd_t)
 ')
 optional_policy(`
 	nagios_domtrans_nrpe(tcpd_t)
 ')
 optional_policy(`
 	rlogin_domtrans(tcpd_t)
 ')
 optional_policy(`
 	rshd_domtrans(tcpd_t)
 ')
 optional_policy(`
 	uwimap_domtrans(tcpd_t)
 ')
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@ -1,5 +1,5 @@
-policy_module(uwimap,1.3.0)
+policy_module(uwimap,1.3.1)
 ########################################
 #
@ -8,8 +8,8 @@ policy_module(uwimap,1.3.0)
 type imapd_t;
 type imapd_exec_t;
-init_daemon_domain(imapd_t,imapd_exec_t)
+init_daemon_domain(imapd_t, imapd_exec_t)
-inetd_tcp_service_domain(imapd_t,imapd_exec_t)
+inetd_tcp_service_domain(imapd_t, imapd_exec_t)
 type imapd_tmp_t;
 files_tmp_file(imapd_tmp_t)
@ -28,12 +28,12 @@ allow imapd_t self:process signal_perms;
 allow imapd_t self:fifo_file rw_fifo_file_perms;
 allow imapd_t self:tcp_socket create_stream_socket_perms;
-manage_dirs_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
+manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
-manage_files_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
+manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
 files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
-manage_files_pattern(imapd_t,imapd_var_run_t,imapd_var_run_t)
+manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t)
-files_pid_filetrans(imapd_t,imapd_var_run_t,file)
+files_pid_filetrans(imapd_t, imapd_var_run_t, file)
 kernel_read_kernel_sysctls(imapd_t)
 kernel_list_proc(imapd_t)
@ -92,6 +92,10 @@ optional_policy(`
 	seutil_sigchld_newrole(imapd_t)
 ')
 optional_policy(`
 	tcpd_wrapped_domain(imapd_t, imapd_exec_t)
 ')
 optional_policy(`
 	udev_read_db(imapd_t)
 ')