- Push fixes to allow disabling of unlabeled_t packet access

- Enable unlabelednet policy
This commit is contained in:
Miroslav Grepl 2010-12-07 17:51:16 +00:00
parent 7b62a83f6b
commit c2ad3681fa
4 changed files with 89 additions and 57 deletions


@ -2082,3 +2082,10 @@ shorewall = base
# Policy for shutdown # Policy for shutdown
# #
shutdown = module shutdown = module
# Layer: kernel
# Module: unlabelednet
#
# The unlabelednet module.
#
unlabelednet = module


@ -1762,6 +1762,14 @@ userdomain = base
# #
unconfined = module unconfined = module
# Layer: kernel
# Module: unconfined
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: services # Layer: services
# Module: ulogd # Module: ulogd
# #
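Review bot: The new module header carries the wrong module name — it reads `# Module: unconfined` while the description line says "The unlabelednet module." and the entry it introduces is `unlabelednet = module`, so it looks like the block was copied from the unconfined entry above it and the name not updated. The other modules file in this commit has the same block with `# Module: unlabelednet`, so the two should agree. Change the line to `# Module: unlabelednet`.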


@ -7681,7 +7681,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t) dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 34c9d01..4842e56 100644 index 34c9d01..6e68bd2 100644
--- a/policy/modules/kernel/corecommands.fc --- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',` @@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@ -7705,7 +7705,16 @@ index 34c9d01..4842e56 100644
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -307,6 +309,7 @@ ifdef(`distro_redhat', ` @@ -247,6 +249,8 @@ ifdef(`distro_gentoo',`
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -307,6 +311,7 @@ ifdef(`distro_redhat', `
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@ -7737,7 +7746,7 @@ index 9e5c83e..953e0e8 100644
+/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index b06df19..ae572ad 100644 index b06df19..f20833d 100644
--- a/policy/modules/kernel/corenetwork.if.in --- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in
@@ -86,6 +86,33 @@ interface(`corenet_rpc_port',` @@ -86,6 +86,33 @@ interface(`corenet_rpc_port',`
@ -7774,7 +7783,7 @@ index b06df19..ae572ad 100644
## Define type to be a network client packet type ## Define type to be a network client packet type
## </summary> ## </summary>
## <desc> ## <desc>
@@ -2149,13 +2176,18 @@ interface(`corenet_tcp_recvfrom_netlabel',` @@ -2149,9 +2176,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
## </param> ## </param>
# #
interface(`corenet_tcp_recvfrom_unlabeled',` interface(`corenet_tcp_recvfrom_unlabeled',`
@ -7789,13 +7798,8 @@ index b06df19..ae572ad 100644
# XXX - at some point the oubound/send access check will be removed # XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break # but for right now we need to keep this in place so as not to break
# older systems # older systems
- kernel_sendrecv_unlabeled_association($1)
+# kernel_sendrecv_unlabeled_association($1)
')
########################################
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 36ba519..7be305d 100644 index 36ba519..e2d8b49 100644
--- a/policy/modules/kernel/corenetwork.te.in --- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in
@@ -15,6 +15,7 @@ attribute rpc_port_type; @@ -15,6 +15,7 @@ attribute rpc_port_type;
@ -8003,17 +8007,6 @@ index 36ba519..7be305d 100644
network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0) network_port(zookeeper_leader, tcp,2888,s0)
@@ -262,6 +302,10 @@ network_interface(lo, lo, s0 - mls_systemhigh)
typealias netif_t alias { lo_netif_t netif_lo_t };
')
+optional_policy(`
+ unlabelednet_sendrecv_packets(corenet_unlabeled_type)
+')
+
########################################
#
# Unconfined access to this module
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 3b2da10..7c29e17 100644 index 3b2da10..7c29e17 100644
--- a/policy/modules/kernel/devices.fc --- a/policy/modules/kernel/devices.fc
@ -10399,7 +10392,7 @@ index 6d21b3d..255b47a 100644
# #
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index b4ad6d7..0937933 100644 index b4ad6d7..67e89f0 100644
--- a/policy/modules/kernel/kernel.if --- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if
@@ -716,6 +716,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',` @@ -716,6 +716,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',`
@ -10463,6 +10456,15 @@ index b4ad6d7..0937933 100644
## Do not audit attempts by caller to get attributes for ## Do not audit attempts by caller to get attributes for
## unlabeled character devices. ## unlabeled character devices.
## </summary> ## </summary>
@@ -2561,7 +2599,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
- allow $1 unlabeled_t:packet { send recv };
+# allow $1 unlabeled_t:packet { send recv };
')
########################################
@@ -2882,6 +2920,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` @@ -2882,6 +2920,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
######################################## ########################################
@ -10922,38 +10924,24 @@ index 0000000..f310b9d
+# No unlabelednet file contexts. +# No unlabelednet file contexts.
diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
new file mode 100644 new file mode 100644
index 0000000..ba2f0b8 index 0000000..0ce0470
--- /dev/null --- /dev/null
+++ b/policy/modules/kernel/unlabelednet.if +++ b/policy/modules/kernel/unlabelednet.if
@@ -0,0 +1,19 @@ @@ -0,0 +1 @@
+## <summary> Policy for allowing confined domains to talk use unlabeled_t packets. </summary> +## <summary> Policy for allowing confined domains to use unlabeled_t packets</summary>
+
+########################################
+## <summary>
+## Allow specified type to send recv unlabeled packets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unlabelednet_sendrecv_packets',`
+ gen_require(`
+ attribute unlabelednet_domain;
+ ')
+
+ kernel_sendrecv_unlabeled_association($1)
+')
diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
new file mode 100644 new file mode 100644
index 0000000..dee5ba8 index 0000000..571c3b9
--- /dev/null --- /dev/null
+++ b/policy/modules/kernel/unlabelednet.te +++ b/policy/modules/kernel/unlabelednet.te
@@ -0,0 +1,3 @@ @@ -0,0 +1,7 @@
+policy_module(unlabelednet, 1.0) +policy_module(unlabelednet, 1.0)
+ +
+attribute unlabelednet_domain; +gen_require(`
+ attribute corenet_unlabeled_type;
+')
+
+kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index b0d5b27..a96f2e6 100644 index b0d5b27..a96f2e6 100644
--- a/policy/modules/roles/auditadm.te --- a/policy/modules/roles/auditadm.te
@ -20245,10 +20233,10 @@ index 0000000..60c81d6
+') +')
diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
new file mode 100644 new file mode 100644
index 0000000..c88f611 index 0000000..b4d0dd0
--- /dev/null --- /dev/null
+++ b/policy/modules/services/dirsrv-admin.te +++ b/policy/modules/services/dirsrv-admin.te
@@ -0,0 +1,94 @@ @@ -0,0 +1,95 @@
+policy_module(dirsrv-admin,1.0.0) +policy_module(dirsrv-admin,1.0.0)
+ +
+######################################## +########################################
@ -20318,7 +20306,8 @@ index 0000000..c88f611
+ +
+kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) +kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+ +
+corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t) +corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
+corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
+corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) +corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) +corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) +corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
@ -26440,7 +26429,7 @@ index 8581040..cfcdf10 100644
allow $1 nagios_t:process { ptrace signal_perms }; allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index da5b33d..3ce90f7 100644 index da5b33d..8b56967 100644
--- a/policy/modules/services/nagios.te --- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te
@@ -107,13 +107,11 @@ files_read_etc_files(nagios_t) @@ -107,13 +107,11 @@ files_read_etc_files(nagios_t)
@ -26494,7 +26483,17 @@ index da5b33d..3ce90f7 100644
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
@@ -270,7 +271,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) @@ -201,7 +202,8 @@ corecmd_exec_shell(nrpe_t)
corenet_tcp_bind_generic_node(nrpe_t)
corenet_tcp_bind_inetd_child_port(nrpe_t)
-corenet_sendrecv_unlabeled_packets(nrpe_t)
+corenet_all_recvfrom_unlabeled(nrpe_t)
+corenet_all_recvfrom_netlabel(nrpe_t)
dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t)
@@ -270,7 +272,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
# #
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@ -26502,7 +26501,7 @@ index da5b33d..3ce90f7 100644
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_mail_plugin_t self:udp_socket create_socket_perms; allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
@@ -299,7 +299,7 @@ optional_policy(` @@ -299,7 +300,7 @@ optional_policy(`
optional_policy(` optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t) postfix_stream_connect_master(nagios_mail_plugin_t)
@ -26511,7 +26510,7 @@ index da5b33d..3ce90f7 100644
') ')
###################################### ######################################
@@ -310,6 +310,9 @@ optional_policy(` @@ -310,6 +311,9 @@ optional_policy(`
# needed by ioctl() # needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
@ -26521,7 +26520,7 @@ index da5b33d..3ce90f7 100644
files_read_etc_runtime_files(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t)
@@ -323,7 +326,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) @@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill }; allow nagios_services_plugin_t self:process { signal sigkill };
@ -26529,7 +26528,7 @@ index da5b33d..3ce90f7 100644
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms;
@@ -340,6 +342,8 @@ files_read_usr_files(nagios_services_plugin_t) @@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(` optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t) netutils_domtrans_ping(nagios_services_plugin_t)
@ -30160,7 +30159,7 @@ index 2316653..77ef768 100644
+ admin_pattern($1, prelude_lml_tmp_t) + admin_pattern($1, prelude_lml_tmp_t)
') ')
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index 7e84587..7a7310d 100644 index 7e84587..febda2f 100644
--- a/policy/modules/services/prelude.te --- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te +++ b/policy/modules/services/prelude.te
@@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t) @@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t)
@ -30182,6 +30181,20 @@ index 7e84587..7a7310d 100644
allow prelude_lml_t self:fifo_file rw_fifo_file_perms; allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
allow prelude_lml_t self:unix_stream_socket connectto; allow prelude_lml_t self:unix_stream_socket connectto;
@@ -236,11 +235,12 @@ kernel_read_sysctl(prelude_lml_t)
corecmd_exec_bin(prelude_lml_t)
+corenet_all_recvfrom_unlabeled(prelude_lml_t)
+corenet_all_recvfrom_netlabel(prelude_lml_t)
corenet_tcp_sendrecv_generic_if(prelude_lml_t)
corenet_tcp_sendrecv_generic_node(prelude_lml_t)
corenet_tcp_recvfrom_netlabel(prelude_lml_t)
corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
-corenet_sendrecv_unlabeled_packets(prelude_lml_t)
corenet_tcp_connect_prelude_port(prelude_lml_t)
dev_read_rand(prelude_lml_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 6f1b2c3..3f1a3fe 100644 index 6f1b2c3..3f1a3fe 100644
--- a/policy/modules/services/privoxy.te --- a/policy/modules/services/privoxy.te
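Review bot: The new unlabelednet.te grants its access via `kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)`, but the same revision of the patch adds a kernel.if hunk that comments out `allow $1 unlabeled_t:packet { send recv };` inside that very interface, leaving it with only the `unlabeled_t:association { sendto recvfrom }` rule. Unless the interface still reaches packet permissions through a path not shown here, loading the module would no longer grant any unlabeled_t:packet access, which contradicts the .if summary "Policy for allowing confined domains to use unlabeled_t packets" and the changelog intent of making that access switchable by module. Consider granting the permission explicitly in unlabelednet.te instead: add `type unlabeled_t;` to the gen_require block and replace the interface call with `allow corenet_unlabeled_type unlabeled_t:packet { send recv };`. The opening lines of kernel_sendrecv_unlabeled_association are outside the kernel.if hunk, so whether anything else in that interface body grants packet access is not verifiable from this page.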


@ -21,7 +21,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.9.10 Version: 3.9.10
Release: 8%{?dist} Release: 9%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -471,6 +471,10 @@ exit 0
%endif %endif
%changelog %changelog
* Tue Dec 7 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-9
- Push fixes to allow disabling of unlabeled_t packet access
- Enable unlabelednet policy
* Tue Dec 7 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-8 * Tue Dec 7 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-8
- Fixes for lvm to work with systemd - Fixes for lvm to work with systemd