add snmp

2005-09-16 14:54:36 +00:00 · 2005-09-16 14:54:36 +00:00 · ccc5978224
parent a0824843c2
commit ccc5978224
11 changed files with 386 additions and 21 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -6,6 +6,7 @@
 	ktalk
 	portmap
 	samba
+	snmp
 	zebra

 * Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@ -142,6 +142,8 @@ corecmd_shell_domtrans(rpm_t,rpm_script_t)

 domain_exec_all_entry_files(rpm_t)
 domain_read_all_domains_state(rpm_t)
+domain_getattr_all_domains(rpm_t)
+domain_dontaudit_ptrace_all_domains(rpm_t)
 domain_use_wide_inherit_fd(rpm_t)

 files_exec_etc_files(rpm_t)
@ -276,6 +278,8 @@ corecmd_exec_bin(rpm_script_t)
 corecmd_exec_sbin(rpm_script_t)

 domain_read_all_domains_state(rpm_script_t)
+domain_getattr_all_domains(rpm_script_t)
+domain_dontaudit_ptrace_all_domains(rpm_script_t)
 domain_use_wide_inherit_fd(rpm_script_t)
 domain_exec_all_entry_files(rpm_script_t)
 domain_signal_all_domains(rpm_script_t)
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@ -74,6 +74,25 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
 	dontaudit $1 fixed_disk_device_t:blk_file getattr;
 ')

+########################################
+## <summary>
+##	Do not audit attempts made by the caller to read
+##	fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
+#
+interface(`storage_dontaudit_read_fixed_disk',`
+	gen_require(`
+		type removable_device_t;
+		class blk_file { getattr ioctl read };
+		
+	')
+
+	dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to directly read from a fixed disk.
@ -424,6 +443,25 @@ interface(`storage_dontaudit_getattr_removable_device',`
 	dontaudit $1 removable_device_t:blk_file getattr;
 ')

+########################################
+## <summary>
+##	Do not audit attempts made by the caller to read
+##	removable devices device nodes.
+## </summary>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
+#
+interface(`storage_dontaudit_read_removable_device',`
+	gen_require(`
+		type removable_device_t;
+		class blk_file { getattr ioctl read };
+		
+	')
+
+	dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to set the attributes of removable
--- a/refpolicy/policy/modules/services/snmp.fc
+++ b/refpolicy/policy/modules/services/snmp.fc
@ -0,0 +1,26 @@
+
+#
+# /etc
+#
+
+/etc/snmp/snmp(trap)?d\.conf -- context_template(system_u:object_r:snmpd_etc_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/snmp(trap)?d	--	context_template(system_u:object_r:snmpd_exec_t,s0)
+
+/usr/share/snmp/mibs/\.index -- context_template(system_u:object_r:snmpd_var_lib_t,s0)
+
+#
+# /var
+#
+/var/lib/net-snmp(/.*)?		context_template(system_u:object_r:snmpd_var_lib_t,s0)
+/var/lib/snmp(/.*)?		context_template(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/log/snmpd\.log	--	context_template(system_u:object_r:snmpd_log_t,s0)
+
+/var/net-snmp(/.*)		context_template(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/run/snmpd		-d	context_template(system_u:object_r:snmpd_var_run_t,s0)
+/var/run/snmpd\.pid	--	context_template(system_u:object_r:snmpd_var_run_t,s0)
--- a/refpolicy/policy/modules/services/snmp.if
+++ b/refpolicy/policy/modules/services/snmp.if
@ -0,0 +1 @@
+## <summary>Simple network management protocol services</summary>
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@ -0,0 +1,165 @@
+
+policy_module(snmp,1.0)
+
+########################################
+#
+# Declarations
+#
+type snmpd_t;
+type snmpd_exec_t;
+init_daemon_domain(snmpd_t,snmpd_exec_t)
+
+type snmpd_etc_t; #, usercanread;
+files_type(snmpd_etc_t)
+
+type snmpd_log_t;
+logging_log_file(snmpd_log_t)
+
+type snmpd_var_run_t;
+files_pid_file(snmpd_var_run_t)
+
+type snmpd_var_lib_t;
+files_type(snmpd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
+allow snmpd_t self:file { getattr read };
+allow snmpd_t self:fifo_file rw_file_perms;
+allow snmpd_t self:tcp_socket create_stream_socket_perms;
+allow snmpd_t self:unix_dgram_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket create_socket_perms;
+
+allow snmpd_t snmpd_etc_t:file { getattr read };
+
+allow snmpd_t snmpd_log_t:file create_file_perms;
+logging_create_log(snmpd_t,snmpd_log_t)
+
+allow snmpd_t snmpd_var_lib_t:file create_file_perms;
+allow snmpd_t snmpd_var_lib_t:dir create_dir_perms;
+files_create_usr(snmpd_t,snmpd_var_lib_t)
+files_create_var(snmpd_t,snmpd_var_lib_t,{ file dir })
+files_create_var_lib(snmpd_t,snmpd_var_lib_t)
+
+allow snmpd_t snmpd_var_run_t:file create_file_perms;
+allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
+files_create_pid(snmpd_t,snmpd_var_run_t)
+
+kernel_read_kernel_sysctl(snmpd_t)
+kernel_read_net_sysctl(snmpd_t)
+kernel_read_proc_symlinks(snmpd_t)
+kernel_read_system_state(snmpd_t)
+kernel_read_network_state(snmpd_t)
+
+corenet_tcp_sendrecv_all_if(snmpd_t)
+corenet_raw_sendrecv_all_if(snmpd_t)
+corenet_tcp_sendrecv_all_nodes(snmpd_t)
+corenet_raw_sendrecv_all_nodes(snmpd_t)
+corenet_tcp_sendrecv_all_ports(snmpd_t)
+corenet_tcp_bind_all_nodes(snmpd_t)
+corenet_tcp_bind_snmp_port(snmpd_t)
+corenet_udp_bind_snmp_port(snmpd_t)
+
+dev_list_sysfs(snmpd_t)
+dev_read_sysfs(snmpd_t)
+dev_read_urand(snmpd_t)
+dev_read_rand(snmpd_t)
+
+fs_getattr_all_fs(snmpd_t)
+fs_search_auto_mountpoints(snmpd_t)
+
+storage_dontaudit_read_fixed_disk(snmpd_t)
+storage_dontaudit_read_removable_device(snmpd_t)
+
+term_dontaudit_use_console(snmpd_t)
+
+corecmd_exec_bin(snmpd_t)
+corecmd_exec_sbin(snmpd_t)
+corecmd_exec_shell(snmpd_t)
+
+domain_use_wide_inherit_fd(snmpd_t)
+domain_read_all_domains_state(snmpd_t)
+
+files_read_etc_files(snmpd_t)
+files_read_usr_files(snmpd_t)
+files_read_etc_runtime_files(snmpd_t)
+files_search_home(snmpd_t)
+
+init_read_script_pid(snmpd_t)
+init_use_fd(snmpd_t)
+init_use_script_pty(snmpd_t)
+init_dontaudit_write_script_pid(snmpd_t)
+
+libs_use_ld_so(snmpd_t)
+libs_use_shared_libs(snmpd_t)
+
+logging_send_syslog_msg(snmpd_t)
+
+miscfiles_read_localization(snmpd_t)
+
+seutil_dontaudit_search_config(snmpd_t)
+
+sysnet_read_config(snmpd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(snmpd_t)
+userdom_dontaudit_search_sysadm_home_dir(snmpd_t)
+
+ifdef(`distro_redhat', `
+	optional_policy(`rpm.te', `
+		rpm_read_db(snmpd_t)
+	')
+')
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(snmpd_t)
+	term_dontaudit_use_generic_pty(snmpd_t)
+	files_dontaudit_read_root_file(snmpd_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(snmpd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(snmpd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(snmpd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(snmpd_t)
+')
+
+
+ifdef(`TODO',`
+can_udp_send(sysadm_t, snmpd_t)
+can_udp_send(snmpd_t, sysadm_t)
+
+ifdef(`distro_redhat', `
+	optional_policy(`rpm.te', `
+		dontaudit snmpd_t rpm_var_lib_t:dir write;
+		dontaudit snmpd_t rpm_var_lib_t:file write;
+	')
+')
+
+dontaudit snmpd_t rpc_pipefs_t:dir getattr;
+allow snmpd_t rpc_pipefs_t:dir getattr;
+
+optional_policy(`amanda.te', `
+	dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
+')
+
+optional_policy(`cupsd.te', `
+	allow snmpd_t cupsd_rw_etc_t:file { getattr read };
+')
+
+allow snmpd_t var_lib_nfs_t:dir search;
+
+optional_policy(`rhgb.te',`
+	rhgb_domain(snmpd_t)
+')
+') dnl end TODO
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -455,25 +455,34 @@ interface(`domain_read_all_domains_state',`
 		class dir r_dir_perms;
 		class lnk_file r_file_perms;
 		class file r_file_perms;
-		class process { getattr ptrace };
 	')

 	kernel_search_proc($1)
 	allow $1 domain:dir r_dir_perms;
 	allow $1 domain:lnk_file r_file_perms;
 	allow $1 domain:file r_file_perms;
-	allow $1 domain:process getattr;
-
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $1 domain:process ptrace;
 ')

 ########################################
 ## <summary>
-##	Read the process state (/proc/pid) of all domains.
+##	Get the attributes of all domains of all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_getattr_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process getattr;
+	')
+
+	allow $1 domain:process getattr;
+')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of all confined domains.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
@ -485,7 +494,6 @@ interface(`domain_read_confined_domains_state',`
 		class dir r_dir_perms;
 		class lnk_file r_file_perms;
 		class file r_file_perms;
-		class process { getattr ptrace };
 	')

 	kernel_search_proc($1)
@ -495,11 +503,76 @@ interface(`domain_read_confined_domains_state',`
 	allow $1 { domain -unconfined_domain }:process getattr;

 	dontaudit $1 unconfined_domain:dir search;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all confined domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_getattr_confined_domains',`
+	gen_require(`
+		attribute domain, unconfined_domain;
+		class process getattr;
+	')
+
+	allow $1 { domain -unconfined_domain }:process getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to ptrace all domains.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to ptrace all domains.
+##	</p>
+##	<p>
+##	Generally this needs to be suppressed because procps tries to access
+##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
+##	(2.4 and 2.6).
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_dontaudit_ptrace_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process ptrace;
+	')
+
+	dontaudit $1 domain:process ptrace;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to ptrace confined domains.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to ptrace confined domains.
+##	</p>
+##	<p>
+##	Generally this needs to be suppressed because procps tries to access
+##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
+##	(2.4 and 2.6).
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_dontaudit_ptrace_confined_domains',`
+	gen_require(`
+		attribute domain, unconfined_domain;
+		class process ptrace;
+	')

-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
 	dontaudit $1 { domain -unconfined_domain }:process ptrace;
 ')

@ -518,19 +591,12 @@ interface(`domain_dontaudit_read_all_domains_state',`
 		class dir r_dir_perms;
 		class lnk_file r_file_perms;
 		class file r_file_perms;
-		class process { getattr ptrace };
 	')

 	dontaudit $1 domain:dir r_dir_perms;
 	dontaudit $1 domain:lnk_file r_file_perms;
 	dontaudit $1 domain:file r_file_perms;
 	dontaudit $1 domain:process getattr;
-
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $1 domain:process ptrace;
 ')

 ########################################
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -1714,6 +1714,35 @@ interface(`files_read_usr_symlinks',`
 	allow $1 usr_t:lnk_file r_file_perms;
 ')

+########################################
+## <summary>
+##	Create objects in the /usr directory
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="file_type">
+##	The type of the object to be created
+## </param>
+## <param name="object_class" optional="true">
+##	The object class.  If not specified, file is used.
+## </param>
+#
+interface(`files_create_usr',`
+	gen_require(`
+		type usr_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 usr_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 usr_t:file $2;
+	',`
+		type_transition $1 usr_t:$3 $2;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Execute programs in /usr/src in the caller domain.
@ -1874,6 +1903,35 @@ interface(`files_manage_var_symlinks',`
 	allow $1 var_t:lnk_file create_lnk_perms;
 ')

+########################################
+## <summary>
+##	Create objects in the /var directory
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="file_type">
+##	The type of the object to be created
+## </param>
+## <param name="object_class" optional="true">
+##	The object class.  If not specified, file is used.
+## </param>
+#
+interface(`files_create_var',`
+	gen_require(`
+		type var_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 var_t:file $2;
+	',`
+		type_transition $1 var_t:$3 $2;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the /var/lib directory.
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -277,6 +277,8 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
+domain_getattr_all_domains(initrc_t)
+domain_dontaudit_ptrace_all_domains(initrc_t)
 domain_getsession_all_domains(initrc_t)
 domain_use_wide_inherit_fd(initrc_t)
 domain_exec_all_entry_files(initrc_t)
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@ -73,6 +73,8 @@ domain_use_wide_inherit_fd(cardmgr_t)
 domain_exec_all_entry_files(cardmgr_t)
 # Read /proc/PID directories for all domains (for fuser).
 domain_read_confined_domains_state(cardmgr_t)
+domain_getattr_confined_domains(cardmgr_t)
+domain_dontaudit_ptrace_confined_domains(cardmgr_t)
 # cjp: these look excessive:
 domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
 domain_dontaudit_getattr_all_sockets(cardmgr_t)
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -787,6 +787,8 @@ template(`admin_user_template',`

 	domain_setpriority_all_domains($1_t)
 	domain_read_all_domains_state($1_t)
+	domain_getattr_all_domains($1_t)
+	domain_dontaudit_ptrace_all_domains($1_t)
 	# signal all domains:
 	domain_kill_all_domains($1_t)
 	domain_signal_all_domains($1_t)
				`@ -0,0 +1 @@`
				`## <summary>Simple network management protocol services</summary>`