trunk: add bitlbee from devin carraway and add tcpd_wrapped_domain().
This commit is contained in:
parent
14add30d03
commit
8242f5a68d
|
@ -1,3 +1,4 @@
|
|||
- Add tcpd_wrapped_domain() for services that use tcp wrappers.
|
||||
- Update MLS constraints from LSPP evaluated policy.
|
||||
- Allow initrc_t file descriptors to be inherited regardless of MLS level.
|
||||
Accordingly drop MLS permissions from daemons that inherit from any level.
|
||||
|
@ -16,6 +17,7 @@
|
|||
- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
|
||||
- Added modules:
|
||||
application
|
||||
bitlbee (Devin Carraway)
|
||||
brctl (Dan Walsh)
|
||||
|
||||
* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(corenetwork,1.2.10)
|
||||
policy_module(corenetwork,1.2.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -67,6 +67,7 @@ network_port(afs_vl, udp,7003,s0)
|
|||
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
|
||||
network_port(amavisd_recv, tcp,10024,s0)
|
||||
network_port(amavisd_send, tcp,10025,s0)
|
||||
network_port(aol, tcp,5190,s0, udp,5190,s0)
|
||||
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
|
||||
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
||||
network_port(auth, tcp,113,s0)
|
||||
|
@ -112,6 +113,8 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
|
|||
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
||||
network_port(lmtp, tcp,24,s0, udp,24,s0)
|
||||
network_port(mail, tcp,2000,s0)
|
||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
network_port(monopd, tcp,1234,s0)
|
||||
network_port(mysqld, tcp,3306,s0)
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
|
||||
/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
|
||||
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
|
|
@ -0,0 +1,22 @@
|
|||
## <summary>Bitlbee service</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read bitlbee configuration files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed accesss.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bitlbee_read_config',`
|
||||
gen_require(`
|
||||
type bitlbee_conf_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 bitlbee_conf_t:dir { getattr read search };
|
||||
allow $1 bitlbee_conf_t:file { read getattr };
|
||||
')
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
|
||||
policy_module(bitlbee, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type bitlbee_t;
|
||||
type bitlbee_exec_t;
|
||||
init_daemon_domain(bitlbee_t, bitlbee_exec_t)
|
||||
inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
|
||||
|
||||
type bitlbee_conf_t;
|
||||
files_config_file(bitlbee_conf_t)
|
||||
|
||||
type bitlbee_var_t;
|
||||
files_type(bitlbee_var_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
#
|
||||
|
||||
allow bitlbee_t self:udp_socket create_socket_perms;
|
||||
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
|
||||
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
bitlbee_read_config(bitlbee_t)
|
||||
|
||||
# user account information is read and edited at runtime; give the usual
|
||||
# r/w access to bitlbee_var_t
|
||||
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
|
||||
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(bitlbee_t)
|
||||
corenet_udp_sendrecv_generic_if(bitlbee_t)
|
||||
corenet_udp_sendrecv_generic_node(bitlbee_t)
|
||||
corenet_udp_sendrecv_lo_node(bitlbee_t)
|
||||
corenet_tcp_sendrecv_generic_if(bitlbee_t)
|
||||
corenet_tcp_sendrecv_generic_node(bitlbee_t)
|
||||
corenet_tcp_sendrecv_lo_node(bitlbee_t)
|
||||
# Allow bitlbee to connect to jabber servers
|
||||
corenet_tcp_connect_jabber_client_port(bitlbee_t)
|
||||
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
|
||||
# to AIM servers:
|
||||
corenet_tcp_connect_aol_port(bitlbee_t)
|
||||
corenet_tcp_sendrecv_aol_port(bitlbee_t)
|
||||
# and to MMCC (Yahoo IM) servers:
|
||||
corenet_tcp_connect_mmcc_port(bitlbee_t)
|
||||
corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
|
||||
# and to MSNP (MSN Messenger) servers:
|
||||
corenet_tcp_connect_msnp_port(bitlbee_t)
|
||||
corenet_tcp_sendrecv_msnp_port(bitlbee_t)
|
||||
|
||||
files_read_etc_files(bitlbee_t)
|
||||
files_search_pids(bitlbee_t)
|
||||
# grant read-only access to the user help files
|
||||
files_read_usr_files(bitlbee_t)
|
||||
|
||||
libs_legacy_use_shared_libs(bitlbee_t)
|
||||
libs_use_ld_so(bitlbee_t)
|
||||
|
||||
sysnet_dns_name_resolve(bitlbee_t)
|
||||
|
||||
optional_policy(`
|
||||
# normally started from inetd using tcpwrappers, so use those entry points
|
||||
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
|
||||
')
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(finger,1.4.0)
|
||||
policy_module(finger,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -37,7 +37,7 @@ allow fingerd_t self:unix_stream_socket create_socket_perms;
|
|||
manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
|
||||
files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
|
||||
|
||||
allow fingerd_t fingerd_etc_t:dir r_dir_perms;
|
||||
allow fingerd_t fingerd_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
|
||||
read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
|
||||
|
||||
|
@ -124,6 +124,10 @@ optional_policy(`
|
|||
seutil_sigchld_newrole(fingerd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tcpd_wrapped_domain(fingerd_t, fingerd_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(fingerd_t)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(nagios,1.3.0)
|
||||
policy_module(nagios,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -225,6 +225,10 @@ optional_policy(`
|
|||
seutil_sigchld_newrole(nrpe_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(nrpe_t)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(rlogin,1.4.0)
|
||||
policy_module(rlogin,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -96,6 +96,10 @@ optional_policy(`
|
|||
kerberos_read_keytab(rlogind_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Allow krb5 rlogind to use fork and open /dev/tty for use
|
||||
allow rlogind_t userpty_type:chr_file setattr;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(rshd,1.3.1)
|
||||
policy_module(rshd,1.3.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -88,8 +88,6 @@ optional_policy(`
|
|||
nscd_socket_use(rshd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`
|
||||
allow rshd_t rlogind_tmp_t:file rw_file_perms;
|
||||
')
|
||||
tcpd_wrapped_domain(rshd_t,rshd_exec_t)
|
||||
')
|
||||
|
|
|
@ -17,3 +17,29 @@ interface(`tcpd_domtrans',`
|
|||
|
||||
domtrans_pattern($1, tcpd_exec_t, tcpd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a domain for services that
|
||||
## utilize tcp wrappers.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
## <summary>
|
||||
## Type of the program to be used as an entry point to this domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`tcpd_wrapped_domain',`
|
||||
gen_require(`
|
||||
type tcpd_t;
|
||||
role system_r;
|
||||
')
|
||||
|
||||
domtrans_pattern(tcpd_t, $2, $1)
|
||||
role system_r types $1;
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(tcpd,1.2.0)
|
||||
policy_module(tcpd,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -49,26 +49,6 @@ sysnet_read_config(tcpd_t)
|
|||
|
||||
inetd_domtrans_child(tcpd_t)
|
||||
|
||||
optional_policy(`
|
||||
finger_domtrans(tcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(tcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nagios_domtrans_nrpe(tcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rlogin_domtrans(tcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rshd_domtrans(tcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
uwimap_domtrans(tcpd_t)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(uwimap,1.3.0)
|
||||
policy_module(uwimap,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -92,6 +92,10 @@ optional_policy(`
|
|||
seutil_sigchld_newrole(imapd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tcpd_wrapped_domain(imapd_t, imapd_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(imapd_t)
|
||||
')
|
||||
|
|
Loading…
Reference in New Issue