From bb88161284adc8756b4a4112aaf6751121677c2a Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 30 Jun 2009 19:27:21 +0000
Subject: [PATCH] trunk: 3 patches from dan.
---
 policy/modules/services/dovecot.fc | 10 ++-
 policy/modules/services/dovecot.if | 92 +++++++++++++++++++++++++++
 policy/modules/services/dovecot.te | 90 ++++++++++++++++++++++++--
 policy/modules/services/kerneloops.if | 22 +++++++
 policy/modules/services/kerneloops.te | 13 ++--
 policy/modules/services/nscd.fc | 1 +
 policy/modules/services/nscd.if | 79 ++++++++++++++++++++++-
 policy/modules/services/nscd.te | 23 +++++--
 8 files changed, 309 insertions(+), 21 deletions(-)
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
index 70189107..b6de818a 100644
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
@@ -6,6 +6,7 @@
 /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
 /etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
 #
 # /usr
@@ -16,20 +17,23 @@
 /usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
 ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 ')
 ifdef(`distro_redhat', `
 /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 ')
 #
 # /var
 #
 /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-# this is a hard link to /var/lib/dovecot/ssl-parameters.dat
-/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
 /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
index 7771a8f2..93eeef5a 100644
--- a/policy/modules/services/dovecot.if
+++ b/policy/modules/services/dovecot.if
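Review bot: The comment explaining why `/var/run/dovecot/login/ssl-parameters.dat` carries dovecot_var_lib_t rather than the dovecot_var_run_t of its parent directory is dropped, while that non-default label is kept on the replacement line. Without it the entry reads like a labeling mistake to the next person who touches the file and is likely to be "corrected" to dovecot_var_run_t, which would break the daemon's access to the file. Keep `# this is a hard link to /var/lib/dovecot/ssl-parameters.dat` above the `+` line, or move the same explanation next to the dovecot_var_lib_t rules in dovecot.te.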
@@ -1,5 +1,42 @@
 ## Dovecot POP and IMAP mail server
+########################################
+##
+## Connect to dovecot auth unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`dovecot_stream_connect_auth',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
+')
+
+########################################
+##
+## Execute dovecot_deliver in the dovecot_deliver domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dovecot_domtrans_deliver',`
+ gen_require(`
+ type dovecot_deliver_t, dovecot_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+')
+
 ########################################
 ##
 ## Create, read, write, and delete the dovecot spool files.
@@ -36,3 +73,58 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 dontaudit $1 dovecot_var_lib_t:file unlink;
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an dovecot environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the dovecot domain.
+##
+##
+##
+#
+interface(`dovecot_admin',`
+ gen_require(`
+ type dovecot_t, dovecot_etc_t, dovecot_log_t;
+ type dovecot_spool_t, dovecot_var_lib_t;
+ type dovecot_var_run_t;
+
+ type dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_initrc_exec_t;
+ ')
+
+ allow $1 dovecot_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dovecot_t)
+
+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dovecot_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, dovecot_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+ admin_pattern($1, dovecot_cert_t)
+
+ admin_pattern($1, dovecot_passwd_t)
+')
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index fd1eaef7..ccb421d7 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
-policy_module(dovecot, 1.10.2)
+policy_module(dovecot, 1.10.3)
 ########################################
 #
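Review bot: `dovecot_admin` requires `type dovecot_log_t` and calls `admin_pattern($1, dovecot_log_t)`, but the log type this same commit declares in dovecot.te is `dovecot_var_log_t` (`type dovecot_var_log_t; logging_log_file(dovecot_var_log_t)`). Unless dovecot_log_t is declared in a part of dovecot.te outside these hunks, the policy will fail to build as soon as a role calls the interface, and even if it does exist the admin role would be given no access to the type the daemon actually logs to. Change the gen_require to `type dovecot_t, dovecot_etc_t, dovecot_var_log_t;` and the call to `admin_pattern($1, dovecot_var_log_t)`. The summary should also read `## a dovecot environment`.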
@@ -15,12 +15,24 @@ domain_type(dovecot_auth_t)
 domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
 role system_r types dovecot_auth_t;
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
 type dovecot_cert_t;
 files_type(dovecot_cert_t)
+type dovecot_deliver_t;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
 type dovecot_etc_t;
 files_config_file(dovecot_etc_t)
+type dovecot_initrc_exec_t;
+init_script_file(dovecot_initrc_exec_t)
+
 type dovecot_passwd_t;
 files_type(dovecot_passwd_t)
@@ -31,6 +43,9 @@ files_type(dovecot_spool_t)
 type dovecot_var_lib_t;
 files_type(dovecot_var_lib_t)
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
 type dovecot_var_run_t;
 files_pid_file(dovecot_var_run_t)
@@ -58,6 +73,9 @@ files_search_etc(dovecot_t)
 can_exec(dovecot_t, dovecot_exec_t)
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
+
 manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -98,7 +116,7 @@ files_search_tmp(dovecot_t)
 files_dontaudit_list_default(dovecot_t)
 # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
 files_read_etc_runtime_files(dovecot_t)
-files_getattr_all_mountpoints(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
 init_getattr_utmp(dovecot_t)
@@ -120,7 +138,7 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file
 mta_manage_spool(dovecot_t)
 optional_policy(`
- kerberos_use(dovecot_t)
+ kerberos_keytab_template(dovecot, dovecot_t)
 ')
 optional_policy(`
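Review bot: Replacing `files_getattr_all_mountpoints(dovecot_t)` with `files_search_all_mountpoints(dovecot_t)` swaps the permission instead of extending it, while the comment two lines above still says the access exists for getmntent()-based quota support. If dovecot also stat()s the mount points it discovers, dropping getattr will bring back the denials the old rule was added for; keeping both interfaces, or confirming from an audit log that getattr is no longer requested, would be the safer change. The comment should then be updated to say which of the two accesses quota support actually needs, so the next edit does not repeat this guesswork.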
@@ -140,25 +158,35 @@ optional_policy(`
 # dovecot auth local policy
 #
-allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
 allow dovecot_auth_t self:process signal_perms;
 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+
+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
 # Allow dovecot to create and read SSL parameters file
 manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
 files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect_auth(dovecot_auth_t)
 kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
 dev_read_urand(dovecot_auth_t)
 auth_domtrans_chk_passwd(dovecot_auth_t)
@@ -167,6 +195,7 @@ auth_use_nsswitch(dovecot_auth_t)
 files_read_etc_files(dovecot_auth_t)
 files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
 files_read_usr_symlinks(dovecot_auth_t)
 files_search_tmp(dovecot_auth_t)
 files_read_var_lib_files(dovecot_t)
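Review bot: The capability set for dovecot_auth_t grows from `{ setgid setuid }` to `{ chown dac_override setgid setuid }` with no comment on what needs it. dac_override lets the authentication helper bypass DAC permission checks on every object its type enforcement rules already reach, including dovecot_passwd_t, so the trigger should be recorded above the line, e.g. `# chown/dac_override: needed for <TODO: cite the AVC this fixes>`, and if it is only for the sockets or tmp files created by the new rules below, fixing the ownership or mode of those objects would be the narrower remedy. Separately, `files_read_var_symlinks(dovecot_t)` is added inside the "dovecot auth local policy" section although it targets dovecot_t; it belongs with the other dovecot_t rules earlier in the file, as do the pre-existing dovecot_t var_lib rules it sits next to.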
@@ -182,5 +211,52 @@ optional_policy(`
 ')
 optional_policy(`
- logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+ postfix_search_spool(dovecot_auth_t)
+')
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_stream_connect_auth(dovecot_deliver_t)
+
+files_search_tmp(dovecot_deliver_t)
+
+fs_getattr_all_fs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
 ')
diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if
index e46f7812..29f8c163 100644
--- a/policy/modules/services/kerneloops.if
+++ b/policy/modules/services/kerneloops.if
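Review bot: `allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;` grants only the file access; if dovecot_etc_t also labels a directory (a /etc/dovecot tree, say) the domain still needs search on it to reach the configuration, and the denial will only show up at delivery time. The auth block in this same commit uses `read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)`; the consistent form here is `read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)`, which covers the directory search as well. The five `userdom_manage_user_home_content_*` rules plus the filetrans give the delivery agent full write access to user home content unconditionally; a one-line comment saying why an LDA needs this (presumably mailbox delivery into home-directory maildirs, to be confirmed) would let a later reviewer judge whether a dedicated mail-content type would be a tighter fit.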
@@ -61,6 +61,25 @@ interface(`kerneloops_dontaudit_dbus_chat',`
 dontaudit kerneloops_t $1:dbus send_msg;
 ')
+########################################
+##
+## Allow domain to manage kerneloops tmp files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kerneloops_manage_tmp_files',`
+ gen_require(`
+ type kerneloops_tmp_t;
+ ')
+
+ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
+ files_search_tmp($1)
+')
+
 ########################################
 ##
 ## All of the rules required to administrate
@@ -81,6 +100,7 @@ interface(`kerneloops_dontaudit_dbus_chat',`
 interface(`kerneloops_admin',`
 gen_require(`
 type kerneloops_t, kerneloops_initrc_exec_t;
+ type kerneloops_tmp_t;
 ')
 allow $1 kerneloops_t:process { ptrace signal_perms };
@@ -90,4 +110,6 @@ interface(`kerneloops_admin',`
 domain_system_change_exemption($1)
 role_transition $2 kerneloops_initrc_exec_t system_r;
 allow $2 system_r;
+
+ admin_pattern($1, kerneloops_tmp_t)
 ')
diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te
index 22edce7c..36633ea2 100644
--- a/policy/modules/services/kerneloops.te
+++ b/policy/modules/services/kerneloops.te
@@ -1,5 +1,5 @@
-policy_module(kerneloops, 1.2.2)
+policy_module(kerneloops, 1.2.3)
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(kerneloops_t, kerneloops_exec_t)
 type kerneloops_initrc_exec_t;
 init_script_file(kerneloops_initrc_exec_t)
+type kerneloops_tmp_t;
+files_tmp_file(kerneloops_tmp_t)
+
 ########################################
 #
 # kerneloops local policy
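Review bot: The parameter summary of `kerneloops_manage_tmp_files` reads `## Domain to not audit.`, which is the wording for a dontaudit interface; this one grants manage access, so it should say `## Domain allowed access.` like the other interfaces added in this commit. The interface summary could also follow the verb style used in dovecot.if, e.g. `## Create, read, write, and delete kerneloops temporary files.`, so the generated interface documentation states what is actually granted.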
@@ -21,7 +24,9 @@ init_script_file(kerneloops_initrc_exec_t)
 allow kerneloops_t self:capability sys_nice;
 allow kerneloops_t self:process { setsched getsched signal };
 allow kerneloops_t self:fifo_file rw_file_perms;
-allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
+files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
 kernel_read_ring_buffer(kerneloops_t)
@@ -38,13 +43,13 @@ corenet_tcp_connect_http_port(kerneloops_t)
 files_read_etc_files(kerneloops_t)
+auth_use_nsswitch(kerneloops_t)
+
 logging_send_syslog_msg(kerneloops_t)
 logging_read_generic_logs(kerneloops_t)
 miscfiles_read_localization(kerneloops_t)
-sysnet_dns_name_resolve(kerneloops_t)
-
 optional_policy(`
 dbus_system_bus_client(kerneloops_t)
 dbus_connect_system_bus(kerneloops_t)
diff --git a/policy/modules/services/nscd.fc b/policy/modules/services/nscd.fc
index 1f8489b2..bc6e39cf 100644
--- a/policy/modules/services/nscd.fc
+++ b/policy/modules/services/nscd.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
 /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index 5cef4f75..3b5d2a18 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -18,6 +18,42 @@ interface(`nscd_signal',`
 allow $1 nscd_t:process signal;
 ')
+########################################
+##
+## Send NSCD the kill signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_kill',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process sigkill;
+')
+
+########################################
+##
+## Send signulls to NSCD.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_signull',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signull;
+')
+
 ########################################
 ##
 ## Execute NSCD in the nscd domain.
@@ -70,15 +106,14 @@ interface(`nscd_exec',`
 interface(`nscd_socket_use',`
 gen_require(`
 type nscd_t, nscd_var_run_t;
- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
 ')
 allow $1 self:unix_stream_socket create_socket_perms;
 allow $1 nscd_t:nscd { getpwd getgrp gethost };
 dontaudit $1 nscd_t:fd use;
- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
 files_search_pids($1)
 stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
 dontaudit $1 nscd_var_run_t:file { getattr read };
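Review bot: In `nscd_socket_use` the new `getserv` permission is only dontaudited (`dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };`) while `getpwd getgrp gethost` are allowed on the line above, so services lookups through nscd are silently refused for every caller of this interface and the refusal leaves no audit trail. If callers are meant to use the cache for services too, getserv belongs in the allow line, `allow $1 nscd_t:nscd { getpwd getgrp gethost getserv };`; if the asymmetry is intentional, a comment saying that getserv is deliberately denied and only silenced would keep it from being read as an oversight. The blank line removed between the dontaudit and `files_search_pids($1)` was the only separator between the self/nscd_t rules and the socket-path rules and is worth keeping.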
@@ -198,3 +233,41 @@ interface(`nscd_run',`
 nscd_domtrans($1)
 role $2 types nscd_t;
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an nscd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the nscd domain.
+##
+##
+##
+#
+interface(`nscd_admin',`
+ gen_require(`
+ type nscd_t, nscd_log_t, nscd_var_run_t;
+ type nscd_initrc_exec_t;
+ ')
+
+ allow $1 nscd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nscd_t)
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 nscd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, nscd_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nscd_var_run_t)
+')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index b5351afa..090a2e6d 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd, 1.8.2)
+policy_module(nscd, 1.8.3)
 gen_require(`
 class nscd all_nscd_perms;
@@ -20,6 +20,9 @@ type nscd_t;
 type nscd_exec_t;
 init_daemon_domain(nscd_t, nscd_exec_t)
+type nscd_initrc_exec_t;
+init_script_file(nscd_initrc_exec_t)
+
 type nscd_log_t;
 logging_log_file(nscd_log_t)
@@ -28,14 +31,13 @@ logging_log_file(nscd_log_t)
 # Local policy
 #
-allow nscd_t self:capability { kill setgid setuid audit_write };
+allow nscd_t self:capability { kill setgid setuid };
 dontaudit nscd_t self:capability sys_tty_config;
-allow nscd_t self:process { getattr setsched signal_perms };
+allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
 allow nscd_t self:fifo_file read_fifo_file_perms;
 allow nscd_t self:unix_stream_socket create_stream_socket_perms;
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow nscd_t self:tcp_socket create_socket_perms;
 allow nscd_t self:udp_socket create_socket_perms;
@@ -50,6 +52,9 @@ manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
 manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
 files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+corecmd_search_bin(nscd_t)
+can_exec(nscd_t, nscd_exec_t)
+
 kernel_read_kernel_sysctls(nscd_t)
 kernel_list_proc(nscd_t)
 kernel_read_proc_symlinks(nscd_t)
@@ -73,6 +78,7 @@ corenet_tcp_sendrecv_generic_node(nscd_t)
 corenet_udp_sendrecv_generic_node(nscd_t)
 corenet_tcp_sendrecv_all_ports(nscd_t)
 corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_generic_node(nscd_t)
 corenet_tcp_connect_all_ports(nscd_t)
 corenet_sendrecv_all_client_packets(nscd_t)
 corenet_rw_tun_tap_dev(nscd_t)
@@ -90,6 +96,7 @@ files_read_generic_tmp_symlinks(nscd_t)
 # Needed to read files created by firstboot "/etc/hesiod.conf"
 files_read_etc_runtime_files(nscd_t)
+logging_send_audit_msgs(nscd_t)
 logging_send_syslog_msg(nscd_t)
 miscfiles_read_localization(nscd_t)
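Review bot: `can_exec(nscd_t, nscd_exec_t)` together with `corecmd_search_bin(nscd_t)`, and the new `getcap setcap` process permissions in the first hunk, are added without any comment, and neither self-execution nor capability manipulation is self-explanatory for a name-service cache. A why-comment above each would let the next reviewer judge whether the access is still needed, e.g. `# nscd re-executes its own binary: TODO cite the nscd option or AVC that requires this` and `# getcap/setcap: nscd adjusts its own capability set at startup - TODO confirm`. The file already does this for the hesiod case (`# Needed to read files created by firstboot "/etc/hesiod.conf"`), so the style is established.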
@@ -104,6 +111,14 @@ userdom_dontaudit_use_user_terminals(nscd_t)
 userdom_dontaudit_use_unpriv_user_fds(nscd_t)
 userdom_dontaudit_search_user_home_dirs(nscd_t)
+optional_policy(`
+ cron_read_system_job_tmp_files(nscd_t)
+')
+
+optional_policy(`
+ kerberos_use(nscd_t)
+')
+
 optional_policy(`
 udev_read_db(nscd_t)
 ')
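Review bot: `cron_read_system_job_tmp_files(nscd_t)` is an unusual grant for a name-service cache, and nothing in the hunk says which system cron job's temporary files nscd reads or what denial it fixes; add a comment above that optional_policy block, e.g. `# TODO: name the system cron job whose tmp files nscd must read`, so the access can be re-evaluated when that job changes. In the same commit dovecot.te moves from `kerberos_use` to `kerberos_keytab_template(dovecot, dovecot_t)`, while here the older `kerberos_use(nscd_t)` form is used; if nscd needs a keytab of its own the template form would be consistent, and if it only needs the client libraries a one-line comment saying so would settle the question for both modules.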