trunk: 6 patches from dan.

This commit is contained in:
Chris PeBenito 2009-06-11 15:00:48 +00:00
parent 731008ad85
commit a65fd90a50
14 changed files with 221 additions and 16 deletions


@ -1,5 +1,5 @@
policy_module(netutils, 1.8.3) policy_module(netutils, 1.8.4)
######################################## ########################################
# #
@ -50,7 +50,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t) kernel_search_proc(netutils_t)
kernel_read_sysctl(netutils_t) kernel_read_all_sysctls(netutils_t)
corenet_all_recvfrom_unlabeled(netutils_t) corenet_all_recvfrom_unlabeled(netutils_t)
corenet_all_recvfrom_netlabel(netutils_t) corenet_all_recvfrom_netlabel(netutils_t)
@ -140,6 +140,10 @@ userdom_use_user_terminals(ping_t)
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t) init_dontaudit_use_fds(ping_t)
optional_policy(`
nagios_dontaudit_rw_pipes(ping_t)
')
') ')
tunable_policy(`user_ping',` tunable_policy(`user_ping',`
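Review bot: The switch from kernel_read_sysctl to kernel_read_all_sysctls in the second hunk widens netutils_t from the generic sysctl_t files to every sysctl_type, and nothing in the commit records which sysctl the tools actually need. If the driver is the new sysctl_crypto_t label this commit introduces for /proc/sys/crypto, the narrower `kernel_read_crypto_sysctls(netutils_t)` added in the same series would keep the module at least privilege; otherwise a one-line comment above the call naming the sysctl consumer would let the next reviewer verify the grant. The netutils_t rule block that the second hunk belongs to starts and ends outside the hunk.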


@ -7,6 +7,7 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
@ -32,6 +33,8 @@ ifdef(`distro_redhat',`
# #
# /etc # /etc
# #
/etc/acpi/actions(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0)
/etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0)
/etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0)
@ -67,6 +70,8 @@ ifdef(`distro_redhat',`
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) /etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
@ -140,6 +145,7 @@ ifdef(`distro_gentoo',`
/usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -209,7 +215,14 @@ ifdef(`distro_gentoo',`
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
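Review bot: The new shorewall entries in the last hunk are not in sorted order: `/usr/share/shorewall-lite(/.*)?` follows `/usr/share/shorewall-shell(/.*)?`, while the rest of this file keeps entries alphabetical, which is what makes duplicate or overlapping patterns easy to spot in a file-contexts file. Moving the shorewall-lite line ahead of shorewall-perl fixes it; shorewall6-lite is already in the right place. The other additions (fish, /etc/acpi/actions, /etc/racoon/scripts, PackageKit) follow the existing ordering.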


@ -1,5 +1,5 @@
policy_module(corecommands, 1.11.1) policy_module(corecommands, 1.11.2)
######################################## ########################################
# #


@ -1610,6 +1610,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
allow $1 reserved_port_type:tcp_socket name_connect; allow $1 reserved_port_type:tcp_socket name_connect;
') ')
########################################
## <summary>
## Connect TCP sockets to all ports > 1024.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_tcp_connect_all_unreserved_ports',`
gen_require(`
attribute port_type, reserved_port_type;
')
allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to connect TCP sockets ## Do not audit attempts to connect TCP sockets
@ -1685,6 +1703,24 @@ interface(`corenet_rw_tun_tap_dev',`
allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
') ')
########################################
## <summary>
## Getattr the point-to-point device.
## </summary>
## <param name="domain">
## <summary>
## The domain allowed access.
## </summary>
## </param>
#
interface(`corenet_getattr_ppp_dev',`
gen_require(`
type ppp_device_t;
')
allow $1 ppp_device_t:chr_file getattr;
')
######################################## ########################################
## <summary> ## <summary>
## Read and write the point-to-point device. ## Read and write the point-to-point device.
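Review bot: The summary of corenet_tcp_connect_all_unreserved_ports in the first hunk says "all ports > 1024", but the rule grants name_connect on every type in `port_type` except `reserved_port_type`, which by the attribute definitions in corenetwork takes in each specifically named high port type as well as unreserved_port_t; the summary should say so, since a caller reading the name "unreserved" may expect the narrower grant. Suggested wording: `## Connect TCP sockets to all port types not marked reserved (named high ports as well as unreserved_port_t).` The parameter description `The type of the process performing this action.` also differs from the `Domain allowed access.` wording used by the neighbouring interfaces and by corenet_getattr_ppp_dev in the second hunk.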


@ -1,5 +1,5 @@
policy_module(corenetwork, 1.11.7) policy_module(corenetwork, 1.11.8)
######################################## ########################################
# #


@ -525,7 +525,7 @@ interface(`domain_search_all_domains_state',`
') ')
kernel_search_proc($1) kernel_search_proc($1)
allow $1 domain:dir search; allow $1 domain:dir search_dir_perms;
') ')
######################################## ########################################
@ -629,6 +629,7 @@ interface(`domain_read_confined_domains_state',`
dontaudit $1 unconfined_domain_type:dir search_dir_perms; dontaudit $1 unconfined_domain_type:dir search_dir_perms;
dontaudit $1 unconfined_domain_type:file read_file_perms; dontaudit $1 unconfined_domain_type:file read_file_perms;
dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms;
') ')
######################################## ########################################


@ -1,5 +1,5 @@
policy_module(domain, 1.6.0) policy_module(domain, 1.6.1)
######################################## ########################################
# #
@ -145,7 +145,7 @@ allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid # For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms; allow unconfined_domain_type domain:dir list_dir_perms;
allow unconfined_domain_type domain:file read_file_perms; allow unconfined_domain_type domain:file rw_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys # act on all domains keys
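Review bot: Changing read_file_perms to rw_file_perms on `domain:file` for unconfined_domain_type in the second hunk lets every unconfined domain write the /proc/<pid> files of every confined domain, and the `# For /proc/pid` comment above it gives no reason for the write side; the commit message does not either. The entry that needs writing belongs in the comment, e.g. `# For /proc/pid; write access needed for <entry placeholder>`, and if a single entry is the reason, a grant limited to that case would be preferable to rw on all of them. The unconfined_domain_type rule block continues past the end of the hunk.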


@ -5,6 +5,7 @@
/.* gen_context(system_u:object_r:default_t,s0) /.* gen_context(system_u:object_r:default_t,s0)
/ -d gen_context(system_u:object_r:root_t,s0) / -d gen_context(system_u:object_r:root_t,s0)
/\.journal <<none>> /\.journal <<none>>
/afs -d gen_context(system_u:object_r:mnt_t,s0)
/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)


@ -928,6 +928,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
# this is only relabelfrom since there should be no
# device nodes with file types.
relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
@ -1094,6 +1096,24 @@ interface(`files_relabelto_all_file_type_fs',`
allow $1 file_type:filesystem relabelto; allow $1 file_type:filesystem relabelto;
') ')
########################################
## <summary>
## Relabel a filesystem to the type of a file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_relabel_all_file_type_fs',`
gen_require(`
attribute file_type;
')
allow $1 file_type:filesystem { relabelfrom relabelto };
')
######################################## ########################################
## <summary> ## <summary>
## Mount all filesystems with the type of a file. ## Mount all filesystems with the type of a file.
@ -2305,6 +2325,25 @@ interface(`files_rw_isid_type_dirs',`
allow $1 file_t:dir rw_dir_perms; allow $1 file_t:dir rw_dir_perms;
') ')
########################################
## <summary>
## Delete directories on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
type file_t;
')
delete_dirs_pattern($1, file_t, file_t)
')
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete directories ## Create, read, write, and delete directories
@ -2362,6 +2401,25 @@ interface(`files_read_isid_type_files',`
allow $1 file_t:file read_file_perms; allow $1 file_t:file read_file_perms;
') ')
########################################
## <summary>
## Delete files on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_isid_type_files',`
gen_require(`
type file_t;
')
delete_files_pattern($1, file_t, file_t)
')
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete files ## Create, read, write, and delete files
@ -2820,6 +2878,7 @@ interface(`files_search_kernel_modules',`
') ')
allow $1 modules_object_t:dir search_dir_perms; allow $1 modules_object_t:dir search_dir_perms;
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
') ')
######################################## ########################################
@ -3546,7 +3605,7 @@ interface(`files_delete_usr_dirs',`
type usr_t; type usr_t;
') ')
allow $1 usr_t:file delete_dir_perms; delete_dirs_pattern($1, usr_t, usr_t)
') ')
######################################## ########################################
@ -4411,6 +4470,28 @@ interface(`files_read_all_locks',`
read_lnk_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile)
') ')
########################################
## <summary>
## manage all lock files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_manage_all_locks',`
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
allow $1 { var_t var_lock_t }:dir search_dir_perms;
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
')
######################################## ########################################
## <summary> ## <summary>
## Create an object in the locks directory, with a private ## Create an object in the locks directory, with a private
@ -4532,7 +4613,8 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t; type var_t, var_run_t;
') ')
read_files_pattern($1, { var_t var_run_t }, var_run_t) list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
') ')
######################################## ########################################
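Review bot: The summary of files_relabel_all_file_type_fs in the second hunk, `Relabel a filesystem to the type of a file.`, is copied from files_relabelto_all_file_type_fs just above it, but the new rule grants `{ relabelfrom relabelto }`, so it should read `Relabel a filesystem from and to the type of a file.`; the distinction matters because relabelfrom is what lets a caller take a filesystem out of its current label. In the same file, the summary of files_manage_all_locks (`manage all lock files.`) should be capitalized like its neighbours, and files_read_generic_pids in the last hunk now grants list_dir_perms on var_run_t where the old rule gave only search_dir_perms, which neither the interface name nor its summary (outside the hunk) reflects.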


@ -1,5 +1,5 @@
policy_module(files, 1.11.0) policy_module(files, 1.11.1)
######################################## ########################################
# #
@ -199,7 +199,7 @@ fs_associate_ramfs(file_type)
# Rules for all tmp file types # Rules for all tmp file types
# #
allow tmpfile tmp_t:filesystem associate; allow file_type tmp_t:filesystem associate;
fs_associate_tmpfs(tmpfile) fs_associate_tmpfs(tmpfile)
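Review bot: Changing the associate rule in the second hunk from tmpfile to file_type lets any file type, not only the tmp types, be placed on a filesystem labeled tmp_t, and the heading `# Rules for all tmp file types` directly above it no longer describes the rule. The commit does not say which non-tmp type needs to live on a tmp_t filesystem; a comment naming that case, e.g. `# <reason placeholder>: non-tmp types must associate with tmp_t filesystems`, would keep the rationale with the rule, and if only one type needs it, granting that type alone keeps tmp filesystems restricted to tmpfile.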


@ -157,7 +157,7 @@ interface(`kernel_signal',`
type kernel_t; type kernel_t;
') ')
allow kernel_t $1:process signal; allow $1 kernel_t:process signal;
') ')
######################################## ########################################
@ -817,7 +817,7 @@ interface(`kernel_dontaudit_read_system_state',`
type proc_t; type proc_t;
') ')
dontaudit $1 proc_t:file { getattr read }; dontaudit $1 proc_t:file read_file_perms;
') ')
######################################## ########################################
@ -1181,6 +1181,25 @@ interface(`kernel_write_xen_state',`
write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
') ')
########################################
## <summary>
## Allow attempts to list all proc directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_list_all_proc',`
gen_require(`
attribute proc_type;
')
allow $1 proc_type:dir list_dir_perms;
allow $1 proc_type:file getattr;
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to list all proc directories. ## Do not audit attempts to list all proc directories.
@ -1197,6 +1216,7 @@ interface(`kernel_dontaudit_list_all_proc',`
') ')
dontaudit $1 proc_type:dir list_dir_perms; dontaudit $1 proc_type:dir list_dir_perms;
dontaudit $1 proc_type:file getattr;
') ')
######################################## ########################################
@ -1232,10 +1252,11 @@ interface(`kernel_dontaudit_search_sysctl',`
# #
interface(`kernel_read_sysctl',` interface(`kernel_read_sysctl',`
gen_require(` gen_require(`
type sysctl_t; type sysctl_t, proc_t;
') ')
list_dirs_pattern($1, proc_t, sysctl_t) list_dirs_pattern($1, proc_t, sysctl_t)
read_files_pattern($1, sysctl_t, sysctl_t)
') ')
######################################## ########################################
@ -1566,6 +1587,25 @@ interface(`kernel_dontaudit_search_kernel_sysctl',`
dontaudit $1 sysctl_kernel_t:dir search; dontaudit $1 sysctl_kernel_t:dir search;
') ')
########################################
## <summary>
## Read generic crypto sysctls.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_read_crypto_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_crypto_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read generic kernel sysctls. ## Read generic kernel sysctls.
@ -1767,6 +1807,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
') ')
dontaudit $1 sysctl_type:dir list_dir_perms; dontaudit $1 sysctl_type:dir list_dir_perms;
dontaudit $1 sysctl_type:file getattr;
') ')
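Review bot: The parameter description of kernel_list_all_proc in the third hunk reads `Domain to not audit.`, copied from the kernel_dontaudit_list_all_proc interface that follows it; since this interface grants access it should read `Domain allowed access.`, as kernel_read_crypto_sysctls in the sixth hunk does. The first hunk reverses kernel_signal from `allow kernel_t $1:process signal;` to `allow $1 kernel_t:process signal;`; the interface summary is outside the hunk, so please confirm it describes the caller signalling the kernel, and note that any module which relied on the old direction loses that permission with this change.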
######################################## ########################################


@ -1,5 +1,5 @@
policy_module(kernel, 1.10.3) policy_module(kernel, 1.10.4)
######################################## ########################################
# #
@ -100,6 +100,7 @@ type proc_net_t, proc_type;
genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
type proc_xen_t, proc_type; type proc_xen_t, proc_type;
files_mountpoint(proc_xen_t)
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
# #
@ -120,6 +121,10 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
type sysctl_rpc_t, sysctl_type; type sysctl_rpc_t, sysctl_type;
genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
# /proc/sys/crypto directory and files
type sysctl_crypto_t, sysctl_type;
genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
# /proc/sys/fs directory and files # /proc/sys/fs directory and files
type sysctl_fs_t, sysctl_type; type sysctl_fs_t, sysctl_type;
files_mountpoint(sysctl_fs_t) files_mountpoint(sysctl_fs_t)
@ -198,6 +203,8 @@ allow kernel_t self:fifo_file rw_fifo_file_perms;
allow kernel_t self:sock_file read_sock_file_perms; allow kernel_t self:sock_file read_sock_file_perms;
allow kernel_t self:fd use; allow kernel_t self:fd use;
allow kernel_t debugfs_t:dir search_dir_perms;
allow kernel_t proc_t:dir list_dir_perms; allow kernel_t proc_t:dir list_dir_perms;
allow kernel_t proc_t:file read_file_perms; allow kernel_t proc_t:file read_file_perms;
allow kernel_t proc_t:lnk_file read_lnk_file_perms; allow kernel_t proc_t:lnk_file read_lnk_file_perms;
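Review bot: Introducing sysctl_crypto_t in the second hunk relabels /proc/sys/crypto from the generic sysctl_t to a new type, so any domain that reads it through kernel_read_sysctl will be denied after this commit unless it is given kernel_read_crypto_sysctls or kernel_read_all_sysctls; the netutils change elsewhere in this commit looks like one such fallout, and a note in the commit or a comment here would help other maintainers find the rest. The `allow kernel_t debugfs_t:dir search_dir_perms;` line in the last hunk is added without a comment among the /proc rules; a one-liner such as `# <reason placeholder>: kernel_t searches debugfs` would explain why the kernel domain needs it.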


@ -1,5 +1,25 @@
## <summary>Net Saint / NAGIOS - network monitoring server</summary> ## <summary>Net Saint / NAGIOS - network monitoring server</summary>
########################################
## <summary>
## Do not audit attempts to read or write nagios
## unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
## <rolecap/>
#
interface(`nagios_dontaudit_rw_pipes',`
gen_require(`
type nagios_t;
')
dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Allow the specified domain to read ## Allow the specified domain to read
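Review bot: The new nagios_dontaudit_rw_pipes interface carries a `## <rolecap/>` tag, which elsewhere in this policy marks interfaces meant to be offered as role capabilities; a dontaudit on a daemon's unnamed pipes, whose only caller in this commit is ping_t under hide_broken_symptoms, does not look like one, so the tag is probably a copy-and-paste leftover and should be dropped. The rest of the header follows the file's convention.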


@ -1,5 +1,5 @@
policy_module(nagios, 1.7.1) policy_module(nagios, 1.7.2)
######################################## ########################################
# #