From 967fd1ba3fc84abf45c320b6942ffd501ce84c43 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 8 Oct 2008 20:03:24 +0000 Subject: [PATCH] trunk: 8 patches from dan. --- Changelog | 1 + policy/modules/services/amavis.fc | 4 +- policy/modules/services/amavis.if | 31 +++++++---- policy/modules/services/amavis.te | 9 +++- policy/modules/services/automount.fc | 3 +- policy/modules/services/automount.if | 77 ++++++++++++++++++++++++++++ policy/modules/services/automount.te | 23 +++++---- policy/modules/services/ftp.fc | 2 + policy/modules/services/ftp.if | 71 +++++++++++++++++++++++-- policy/modules/services/ftp.te | 11 +++- policy/modules/services/ldap.fc | 1 + policy/modules/services/ldap.if | 46 +++++++++++++++++ policy/modules/services/ldap.te | 5 +- policy/modules/services/memcached.fc | 5 ++ policy/modules/services/memcached.if | 73 ++++++++++++++++++++++++++ policy/modules/services/memcached.te | 50 ++++++++++++++++++ policy/modules/services/openvpn.fc | 3 +- policy/modules/services/openvpn.if | 41 +++++++++++++++ policy/modules/services/openvpn.te | 17 ++++-- policy/modules/services/smartmon.fc | 4 +- policy/modules/services/smartmon.if | 17 ++++-- policy/modules/services/smartmon.te | 8 ++- 22 files changed, 458 insertions(+), 44 deletions(-) create mode 100644 policy/modules/services/memcached.fc create mode 100644 policy/modules/services/memcached.if create mode 100644 policy/modules/services/memcached.te diff --git a/Changelog b/Changelog index dc008a96..f545b87e 100644 --- a/Changelog +++ b/Changelog @@ -14,6 +14,7 @@ named pipe. Updated init_telinit() to match. - Added modules: cyphesis (Dan Walsh) + memcached (Dan Walsh) oident (Dominick Grift) w3c (Dan Walsh) diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc index 4533c2db..d96fdfa6 100644 --- a/policy/modules/services/amavis.fc +++ b/policy/modules/services/amavis.fc 
@@ -1,8 +1,10 @@ /etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0) -/etc/amavisd(/.*)? -- gen_context(system_u:object_r:amavis_etc_t,s0) +/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0) +/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0) /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) +/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) ifdef(`distro_debian',` /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if index 2d2b2634..3e5f6dbe 100644 --- a/policy/modules/services/amavis.if +++ b/policy/modules/services/amavis.if @@ -197,6 +197,11 @@ interface(`amavis_create_pid_files',` ## Domain allowed access. ## ## +## +## +## Role allowed access. +## +## ## # interface(`amavis_admin',` 
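Review bot: Labelling `/usr/lib(64)?/AntiVir/antivir` as `amavis_exec_t` in the amavis.fc hunk makes a third-party scanner binary an entry point into `amavis_t`, because amavis.te pairs that type with the domain through `init_daemon_domain(amavis_t, amavis_exec_t)`. If the intent is only that amavisd can run the scanner (the `can_exec(amavis_t, amavis_exec_t)` added in amavis.te suggests so), a separate executable type for the scanner would avoid widening the set of entry points; that type would be new and is not part of this patch. At minimum, record the intent with a comment above the line, for example `# AntiVir scanner, executed by amavisd without a domain transition`.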
@@ -204,28 +209,34 @@ interface(`amavis_admin',` type amavis_t, amavis_tmp_t, amavis_var_log_t; type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t; type amavis_etc_t, amavis_quarantine_t; + type amavis_initrc_exec_t; ') allow $1 amavis_t:process { ptrace signal_perms }; ps_process_pattern($1, amavis_t) - - files_list_tmp($1) - manage_files_pattern($1, amavis_tmp_t, amavis_tmp_t) - manage_files_pattern($1, amavis_quarantine_t, amavis_quarantine_t) + init_labeled_script_domtrans($1, amavis_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 amavis_initrc_exec_t system_r; + allow $2 system_r; files_list_etc($1) - manage_files_pattern($1, amavis_etc_t, amavis_etc_t) + admin_pattern($1, amavis_etc_t) - logging_list_logs($1) - manage_files_pattern($1, amavis_var_log_t, amavis_var_log_t) + admin_pattern($1, amavis_quarantine_t) files_list_spool($1) - manage_files_pattern($1, amavis_spool_t, amavis_spool_t) + admin_pattern($1, amavis_spool_t) + + files_list_tmp($1) + admin_pattern($1, amavis_tmp_t) files_list_var_lib($1) - manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) + admin_pattern($1, amavis_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, amavis_var_log_t) files_list_pids($1) - manage_files_pattern($1, amavis_var_run_t, amavis_var_run_t) + admin_pattern($1, amavis_var_run_t) ') diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te index 463fefd5..ad5b64e5 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -1,5 +1,5 @@ -policy_module(amavis, 1.7.0) +policy_module(amavis, 1.7.1) ######################################## # @@ -13,7 +13,10 @@ init_daemon_domain(amavis_t, amavis_exec_t) # configuration files type amavis_etc_t; -files_type(amavis_etc_t) +files_config_file(amavis_etc_t) + +type amavis_initrc_exec_t; +init_script_file(amavis_initrc_exec_t) # pid files type amavis_var_run_t; 
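Review bot: `amavis_admin` now expands `$2` in `role_transition $2 amavis_initrc_exec_t system_r;` and `allow $2 system_r;`, so a caller that still passes one argument expands to a rule with an empty role and will not compile. No caller is updated in the visible patch, so each call site needs checking. `smartmon_admin` in smartmon.if gets the same two-argument change. The parameter text added in the previous hunk says only "Role allowed access."; it would help to state what the role gains, e.g. `## Role allowed to run the amavis init script in system_r.`. The interface's header and summary lie outside this hunk.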
@@ -57,6 +60,8 @@ allow amavis_t amavis_etc_t:dir list_dir_perms; read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) +can_exec(amavis_t, amavis_exec_t) + # mail quarantine manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc index 4a150ebf..f16ab681 100644 --- a/policy/modules/services/automount.fc +++ b/policy/modules/services/automount.fc @@ -2,6 +2,7 @@ # /etc # /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) +/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0) # # /usr @@ -12,4 +13,4 @@ # /var # -/var/run/autofs(/.*)? gen_context(system_u:object_r:automount_var_run_t,s0) +/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if index fa34bf93..d4c517de 100644 --- a/policy/modules/services/automount.if +++ b/policy/modules/services/automount.if @@ -56,6 +56,42 @@ interface(`automount_read_state',` read_files_pattern($1, automount_t, automount_t) ') +######################################## +## +## Do not audit attempts to file descriptors for automount. +## +## +## +## Domain to not audit. +## +## +# +interface(`automount_dontaudit_use_fds',` + gen_require(` + type automount_t; + ') + + dontaudit $1 automount_t:fd use; +') + +######################################## +## +## Do not audit attempts to write automount daemon unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`automount_dontaudit_write_pipes',` + gen_require(` + type automount_t; + ') + + dontaudit $1 automount_t:fifo_file write; +') + ######################################## ## ## Do not audit attempts to get the attributes 
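Review bot: `/var/run/autofs.*` in the second automount.fc hunk is no longer anchored to a path component, so any entry under /var/run whose name merely begins with `autofs` is labelled `automount_var_run_t`, not only the daemon's own directory. The same loosening appears in openvpn.fc, where `/var/log/openvpn(/.*)?` becomes `/var/log/openvpn.*`. Since `automount_admin` and `openvpn_admin` grant `admin_pattern` on these types, over-matching labels also widen what the admin domain can manage. Keeping the `(/.*)?` form and adding one explicit entry per extra file name the daemon actually creates would be tighter; if the broad form stays, a comment naming the files it is meant to catch would make it reviewable.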
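Review bot: The summary of `automount_dontaudit_use_fds` is missing its verb; "Do not audit attempts to file descriptors for automount." should read `## Do not audit attempts to use file descriptors for automount.`. In `automount_dontaudit_write_pipes` the parameter description says "Domain allowed access." although the interface emits only a `dontaudit` rule; `## Domain to not audit.` would match the sibling interface. Because dontaudit rules hide denials from the audit log, accurate descriptions matter when someone later has to trace a silent denial.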
@@ -74,3 +110,44 @@ interface(`automount_dontaudit_getattr_tmp_dirs',` dontaudit $1 automount_tmp_t:dir getattr; ') + +######################################## +## +## All of the rules required to administrate +## an automount environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the automount domain. +## +## +## +# +interface(`automount_admin',` + gen_require(` + type automount_t, automount_lock_t, automount_tmp_t; + type automount_var_run_t, automount_initrc_exec_t; + ') + + allow $1 automount_t:process { ptrace signal_perms getattr }; + ps_process_pattern($1, automount_t) + + init_labeled_script_domtrans($1, automount_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 automount_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var($1) + admin_pattern($1, automount_lock_t) + + files_list_tmp($1) + admin_pattern($1, automount_tmp_t) + + files_list_pids($1) + admin_pattern($1, automount_var_run_t) +') diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index 8241f9f7..7dd9861f 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount, 1.9.0) +policy_module(automount, 1.9.1) ######################################## # @@ -10,6 +10,9 @@ type automount_t; type automount_exec_t; init_daemon_domain(automount_t, automount_exec_t) +type automount_initrc_exec_t; +init_script_file(automount_initrc_exec_t) + type automount_var_run_t; files_pid_file(automount_var_run_t) @@ -35,8 +38,6 @@ allow automount_t self:tcp_socket create_stream_socket_perms; allow automount_t self:udp_socket create_socket_perms; allow automount_t self:rawip_socket create_socket_perms; -allow automount_t self:netlink_route_socket r_netlink_socket_perms; - can_exec(automount_t, automount_exec_t) allow automount_t automount_lock_t:file manage_file_perms; 
@@ -52,7 +53,8 @@ files_home_filetrans(automount_t, automount_tmp_t, dir) files_root_filetrans(automount_t, automount_tmp_t, dir) manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) -files_pid_filetrans(automount_t, automount_var_run_t, file) +manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) +files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file }) kernel_read_kernel_sysctls(automount_t) kernel_read_irq_sysctls(automount_t) @@ -126,8 +128,12 @@ fs_unmount_autofs(automount_t) fs_mount_autofs(automount_t) fs_manage_autofs_symlinks(automount_t) +storage_rw_fuse(automount_t) + term_dontaudit_getattr_pty_dirs(automount_t) +auth_use_nsswitch(automount_t) + libs_use_ld_so(automount_t) libs_use_shared_libs(automount_t) @@ -140,10 +146,6 @@ miscfiles_read_certs(automount_t) # Run mount in the mount_t domain. mount_domtrans(automount_t) -sysnet_dns_name_resolve(automount_t) -sysnet_use_ldap(automount_t) -sysnet_read_config(automount_t) - userdom_dontaudit_use_unpriv_user_fds(automount_t) sysadm_dontaudit_search_home_dirs(automount_t) @@ -163,11 +165,12 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(automount_t) + rpc_search_nfs_state_data(automount_t) ') optional_policy(` - rpc_search_nfs_state_data(automount_t) + samba_read_config(automount_t) + samba_manage_var_files(automount_t) ') optional_policy(` diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc index 5ea69a0d..983f90ee 100644 --- a/policy/modules/services/ftp.fc +++ b/policy/modules/services/ftp.fc @@ -3,6 +3,8 @@ # /etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) +/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) # # /usr 
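Review bot: `samba_manage_var_files(automount_t)` in the new optional_policy block gives the automounter manage-level access (create, write and delete in the usual refpolicy sense) to Samba's var files, while the accompanying `samba_read_config(automount_t)` is read-only. Nothing in the visible lines shows which operation needs the write access. If only reads were being denied, a read-only grant would be the narrower choice. Otherwise add a comment above the block stating the reason, e.g. `# <operation that requires automount to write samba var files>`.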
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if index 5383ed17..63c9801f 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if @@ -28,11 +28,13 @@ template(`ftp_per_role_template',` type ftpd_t; ') - userdom_manage_user_home_content_files($1, ftpd_t) - userdom_manage_user_home_content_symlinks($1, ftpd_t) - userdom_manage_user_home_content_sockets($1, ftpd_t) - userdom_manage_user_home_content_pipes($1, ftpd_t) - userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file }) + tunable_policy(`ftp_home_dir',` + userdom_manage_user_home_content_files($1, ftpd_t) + userdom_manage_user_home_content_symlinks($1, ftpd_t) + userdom_manage_user_home_content_sockets($1, ftpd_t) + userdom_manage_user_home_content_pipes($1, ftpd_t) + userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file }) + ') ') ######################################## 
@@ -155,3 +157,62 @@ interface(`ftp_run_ftpdctl',` role $2 types ftpdctl_t; allow ftpdctl_t $3:chr_file rw_term_perms; ') + +######################################## +## +## All of the rules required to administrate +## an ftp environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the ftp domain. +## +## +## +## +## The type of the terminal allow the ftpdctl domain to use. +## +## +## +# +interface(`ftp_admin',` + gen_require(` + type ftpd_t, ftpdctl_t, ftpd_tmp_t; + type ftpd_etc_t, ftpd_lock_t; + type ftpd_var_run_t, xferlog_t; + type ftpd_initrc_exec_t; + ') + + allow $1 ftpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, ftpd_t) + + init_labeled_script_domtrans($1, ftpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ftpd_initrc_exec_t system_r; + allow $2 system_r; + + ps_process_pattern($1, ftpdctl_t) + ftp_run_ftpdctl($1, $2, $3) + + miscfiles_manage_public_files($1) + + files_list_tmp($1) + admin_pattern($1, ftpd_tmp_t) + + files_list_etc($1) + admin_pattern($1, ftpd_etc_t) + + files_list_var($1) + admin_pattern($1, ftpd_lock_t) + + files_list_pids($1) + admin_pattern($1, ftpd_var_run_t) + + logging_list_logs($1) + admin_pattern($1, xferlog_t) +') diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index 7d08ac36..bc0a4d40 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -1,5 +1,5 @@ -policy_module(ftp, 1.8.0) +policy_module(ftp, 1.8.1) ######################################## # @@ -53,6 +53,9 @@ init_daemon_domain(ftpd_t, ftpd_exec_t) type ftpd_etc_t; files_config_file(ftpd_etc_t) +type ftpd_initrc_exec_t; +init_script_file(ftpd_initrc_exec_t) + type ftpd_lock_t; files_lock_file(ftpd_lock_t) 
@@ -106,9 +109,10 @@ manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -files_pid_filetrans(ftpd_t, ftpd_var_run_t, file) +files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} ) # proftpd requires the client side to bind a socket so that # it can stat the socket to perform access control decisions, @@ -123,6 +127,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) +kernel_search_network_state(ftpd_t) dev_read_sysfs(ftpd_t) dev_read_urand(ftpd_t) @@ -169,7 +174,9 @@ init_rw_utmp(ftpd_t) libs_use_ld_so(ftpd_t) libs_use_shared_libs(ftpd_t) +logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) +logging_set_loginuid(ftpd_t) miscfiles_read_localization(ftpd_t) miscfiles_read_public_files(ftpd_t) diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc index 53d71e09..c62f23e3 100644 --- a/policy/modules/services/ldap.fc +++ b/policy/modules/services/ldap.fc @@ -1,5 +1,6 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) +/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if index 8d5edff9..23d1c3fe 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if 
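Review bot: The new `files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )` line has uneven spacing inside and after the set. The surrounding lines write sets as `{ dir file lnk_file sock_file fifo_file }` with no space before the closing parenthesis, so `files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })` would match the file. Separately, `logging_send_audit_msgs(ftpd_t)` and `logging_set_loginuid(ftpd_t)` in the later hunk let the daemon emit audit records and set the audit login UID. A one-line comment saying which code path needs them (presumably PAM session setup) would make the grant easier to audit.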
@@ -73,3 +73,49 @@ interface(`ldap_stream_connect',` allow $1 slapd_var_run_t:sock_file write; allow $1 slapd_t:unix_stream_socket connectto; ') + +######################################## +## +## All of the rules required to administrate +## an ldap environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the ldap domain. +## +## +## +# +interface(`ldap_admin',` + gen_require(` + type slapd_t, slapd_tmp_t, slapd_replog_t; + type slapd_lock_t, slapd_etc_t, slapd_var_run_t; + type slapd_initrc_exec_t; + ') + + allow $1 slapd_t:process { ptrace signal_perms }; + ps_process_pattern($1, slapd_t) + + init_labeled_script_domtrans($1, slapd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 slapd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, slapd_etc_t) + + admin_pattern($1, slapd_lock_t) + + admin_pattern($1, slapd_replog_t) + + files_list_tmp($1) + admin_pattern($1, slapd_tmp_t) + + files_list_pids($1) + admin_pattern($1, slapd_var_run_t) +') diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te index 862d1f86..90f13fb0 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -1,5 +1,5 @@ -policy_module(ldap, 1.7.0) +policy_module(ldap, 1.7.1) ######################################## # @@ -19,6 +19,9 @@ files_type(slapd_db_t) type slapd_etc_t; files_config_file(slapd_etc_t) +type slapd_initrc_exec_t; +init_script_file(slapd_initrc_exec_t) + type slapd_lock_t; files_lock_file(slapd_lock_t) diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc new file mode 100644 index 00000000..4d694775 --- /dev/null +++ b/policy/modules/services/memcached.fc 
@@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_initrc_exec_t,s0) + +/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) + +/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if new file mode 100644 index 00000000..8d4a94ed --- /dev/null +++ b/policy/modules/services/memcached.if @@ -0,0 +1,73 @@ +## high-performance memory object caching system + +######################################## +## +## Execute a domain transition to run memcached. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`memcached_domtrans',` + gen_require(` + type memcached_t; + type memcached_exec_t; + ') + + domtrans_pattern($1,memcached_exec_t,memcached_t) +') + +######################################## +## +## Read memcached PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`memcached_read_pid_files',` + gen_require(` + type memcached_var_run_t; + ') + + files_search_pids($1) + allow $1 memcached_var_run_t:file read_file_perms; +') + +######################################## +## +## All of the rules required to administrate +## an memcached environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the memcached domain. +## +## +## +# +interface(`memcached_admin',` + gen_require(` + type memcached_t; + type memcached_initrc_exec_t; + ') + + allow $1 memcached_t:process { ptrace signal_perms }; + ps_process_pattern($1, memcached_t) + + init_labeled_script_domtrans($1, memcached_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 memcached_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, memcached_var_run_t) +') diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te new file mode 100644 index 00000000..cf3a8f0c --- /dev/null 
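Review bot: `memcached_admin` uses `memcached_var_run_t` in `admin_pattern($1, memcached_var_run_t)`, but its `gen_require` block lists only `memcached_t` and `memcached_initrc_exec_t`, so the interface references a type it never requires. Add `type memcached_var_run_t;` to the `gen_require`, and put `files_list_pids($1)` before the pattern as the other `*_admin` interfaces in this patch do for their pid types. As a style point, `domtrans_pattern($1,memcached_exec_t,memcached_t)` in `memcached_domtrans` omits the spaces after commas used elsewhere in the patch.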
+++ b/policy/modules/services/memcached.te @@ -0,0 +1,50 @@ + +policy_module(memcached, 1.0.0) + +######################################## +# +# Declarations +# + +type memcached_t; +type memcached_exec_t; +init_daemon_domain(memcached_t, memcached_exec_t) + +type memcached_initrc_exec_t; +init_script_file(memcached_initrc_exec_t) + +type memcached_var_run_t; +files_pid_file(memcached_var_run_t) + +######################################## +# +# memcached local policy +# + +allow memcached_t self:capability { setuid setgid }; +allow memcached_t self:tcp_socket create_stream_socket_perms; +allow memcached_t self:udp_socket { create_socket_perms listen }; +allow memcached_t self:fifo_file rw_fifo_file_perms; + +corenet_all_recvfrom_unlabeled(memcached_t) +corenet_udp_sendrecv_all_if(memcached_t) +corenet_udp_sendrecv_all_nodes(memcached_t) +corenet_udp_sendrecv_all_ports(memcached_t) +corenet_udp_bind_all_nodes(memcached_t) +corenet_tcp_sendrecv_all_if(memcached_t) +corenet_tcp_sendrecv_all_nodes(memcached_t) +corenet_tcp_sendrecv_all_ports(memcached_t) +corenet_tcp_bind_all_nodes(memcached_t) + +manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) +manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) +files_pid_filetrans(memcached_t,memcached_var_run_t, { file dir }) + +files_read_etc_files(memcached_t) + +libs_use_ld_so(memcached_t) +libs_use_shared_libs(memcached_t) + +miscfiles_read_localization(memcached_t) + +sysnet_dns_name_resolve(memcached_t) diff --git a/policy/modules/services/openvpn.fc b/policy/modules/services/openvpn.fc index bbcd6c6f..405b5bc7 100644 --- a/policy/modules/services/openvpn.fc +++ b/policy/modules/services/openvpn.fc @@ -2,6 +2,7 @@ # /etc # /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) +/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) # # /usr 
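Review bot: The network section of memcached.te grants `corenet_tcp_bind_all_nodes`, `corenet_udp_bind_all_nodes` and send/receive on all ports, but no visible rule lets `memcached_t` bind a specific port type. Either the listener is denied in enforcing mode or the port permission is expected to come from somewhere this patch does not show. A dedicated port type for the cache's listening port, with only that type bindable, would make the module both functional and narrow; its interface name depends on a corenetwork declaration that is not in this patch. The cache protocol is typically deployed without authentication, so the port label is the main place where policy can limit which domains reach the service.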
@@ -11,5 +12,5 @@ # # /var # -/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0) +/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if index 54c09b82..f4488462 100644 --- a/policy/modules/services/openvpn.if +++ b/policy/modules/services/openvpn.if @@ -90,3 +90,44 @@ interface(`openvpn_read_config',` read_files_pattern($1, openvpn_etc_t, openvpn_etc_t) read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t) ') + +######################################## +## +## All of the rules required to administrate +## an openvpn environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the openvpn domain. +## +## +## +# +interface(`openvpn_admin',` + gen_require(` + type openvpn_t, openvpn_etc_t, openvpn_var_log_t; + type openvpn_var_run_t, openvpn_initrc_exec_t; + ') + + allow $1 openvpn_t:process { ptrace signal_perms }; + ps_process_pattern($1, openvpn_t) + + init_labeled_script_domtrans($1, openvpn_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 openvpn_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, openvpn_etc_t) + + logging_list_logs($1) + admin_pattern($1, openvpn_var_log_t) + + files_list_pids($1) + admin_pattern($1, openvpn_var_run_t) +') diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index 83067321..116a59b4 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -1,5 +1,5 @@ -policy_module(openvpn, 1.5.0) +policy_module(openvpn, 1.5.1) ######################################## # 
@@ -20,7 +20,10 @@ init_daemon_domain(openvpn_t, openvpn_exec_t) # configuration files type openvpn_etc_t; -files_type(openvpn_etc_t) +files_config_file(openvpn_etc_t) + +type openvpn_initrc_exec_t; +init_script_file(openvpn_initrc_exec_t) # log files type openvpn_var_log_t; @@ -35,7 +38,7 @@ files_pid_file(openvpn_var_run_t) # openvpn local policy # -allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config }; +allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; allow openvpn_t self:process { signal getsched }; allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -45,6 +48,7 @@ allow openvpn_t self:tcp_socket server_stream_socket_perms; allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; allow openvpn_t openvpn_etc_t:dir list_dir_perms; +can_exec(openvpn_t, openvpn_etc_t) read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) @@ -74,9 +78,12 @@ corenet_tcp_bind_all_nodes(openvpn_t) corenet_udp_bind_all_nodes(openvpn_t) corenet_tcp_bind_openvpn_port(openvpn_t) corenet_udp_bind_openvpn_port(openvpn_t) -corenet_sendrecv_openvpn_server_packets(openvpn_t) -corenet_rw_tun_tap_dev(openvpn_t) corenet_tcp_connect_openvpn_port(openvpn_t) +corenet_tcp_connect_http_port(openvpn_t) +corenet_rw_tun_tap_dev(openvpn_t) +corenet_sendrecv_openvpn_server_packets(openvpn_t) +corenet_sendrecv_openvpn_client_packets(openvpn_t) +corenet_sendrecv_http_client_packets(openvpn_t) dev_search_sysfs(openvpn_t) dev_read_rand(openvpn_t) diff --git a/policy/modules/services/smartmon.fc b/policy/modules/services/smartmon.fc index a8863e87..268ae3d6 100644 --- a/policy/modules/services/smartmon.fc +++ b/policy/modules/services/smartmon.fc 
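Review bot: `can_exec(openvpn_t, openvpn_etc_t)` lets the daemon execute anything labelled as its configuration, and because no domain transition is involved the executed file runs in `openvpn_t` with the capabilities listed a few lines above (`net_admin`, `dac_override`, `setuid`, and now `sys_chroot`). Any domain that can write `openvpn_etc_t`, including callers of `openvpn_admin` through `admin_pattern($1, openvpn_etc_t)`, can therefore place code that runs in that domain. A separate type for hook scripts, labelled in openvpn.fc and executed in place of the config type, would keep configuration data non-executable. If the grant stays as is, document it with a comment such as `# openvpn executes helper scripts stored in its config directory` (presumably the up/down hooks).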
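Review bot: `corenet_tcp_connect_http_port(openvpn_t)` and `corenet_sendrecv_http_client_packets(openvpn_t)` are granted unconditionally in the corenet hunk, so every OpenVPN instance gains outbound access to HTTP ports. This is presumably for tunnelling through an HTTP proxy; if so, a comment like `# connect through an HTTP proxy` above the two lines would document it. Putting both lines behind a tunable would let sites that do not use a proxy keep that egress closed.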
@@ -1,7 +1,9 @@ +/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0) + # # /usr # -/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0) +/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0) # # /var diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if index b695c2ea..85663947 100644 --- a/policy/modules/services/smartmon.if +++ b/policy/modules/services/smartmon.if @@ -28,19 +28,30 @@ interface(`smartmon_read_tmp_files',` ## Domain allowed access. ## ## +## +## +## Role allowed access. +## +## ## # interface(`smartmon_admin',` gen_require(` type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t; + type fsdaemon_initrc_exec_t; ') allow $1 fsdaemon_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, fsdaemon_t) - + + init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fsdaemon_initrc_exec_t system_r; + allow $2 system_r; + files_list_tmp($1) - manage_files_pattern($1, fsdaemon_tmp_t, fsdaemon_tmp_t) + admin_pattern($1, fsdaemon_tmp_t) files_list_pids($1) - manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t) + admin_pattern($1, fsdaemon_var_run_t) ') diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te index 6bc65731..d9c874d7 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te @@ -1,5 +1,5 @@ -policy_module(smartmon, 1.6.0) +policy_module(smartmon, 1.6.1) ######################################## # @@ -10,6 +10,9 @@ type fsdaemon_t; type fsdaemon_exec_t; init_daemon_domain(fsdaemon_t, fsdaemon_exec_t) +type fsdaemon_initrc_exec_t; +init_script_file(fsdaemon_initrc_exec_t) + type fsdaemon_var_run_t; files_pid_file(fsdaemon_var_run_t) 
@@ -28,6 +31,7 @@ allow fsdaemon_t self:fifo_file rw_fifo_file_perms; allow fsdaemon_t self:unix_dgram_socket create_socket_perms; allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; allow fsdaemon_t self:udp_socket create_socket_perms; +allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) @@ -78,7 +82,7 @@ logging_send_syslog_msg(fsdaemon_t) miscfiles_read_localization(fsdaemon_t) -sysnet_read_config(fsdaemon_t) +sysnet_dns_name_resolve(fsdaemon_t) userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)