trunk: 3 patches from dan.
parent
42d567c3f4
commit
d6605bc48b
@ -153,6 +153,12 @@ seutil_read_config(fsadm_t)
|
||||
userdom_use_user_terminals(fsadm_t)
|
||||
userdom_use_unpriv_users_fds(fsadm_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
unconfined_domain(fsadm_t)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default(fsadm_t)
|
||||
files_read_default_files(fsadm_t)
|
||||
|
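Review bot: The new `ifdef(`distro_redhat',` block in this hunk makes fsadm_t an unconfined domain on Red Hat builds with no comment saying what the confined policy failed on, so a later maintainer cannot tell when the exception can be dropped. `unconfined_domain(fsadm_t)` overrides every rule in the file for that distro, so the reason belongs right next to it, e.g. `# distro_redhat: fsadm tools run unconfined; [reason: TODO]` above the `optional_policy(`. If the need is situational rather than permanent, a `tunable_policy` like the `read_default_t` block in the same hunk would let administrators keep fsadm_t confined by default. Which lines are additions is inferred from the hunk counts, as the rendering dropped the +/- markers.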
@ -16,6 +16,8 @@
|
||||
/usr/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
/usr/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
|
||||
/usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
|
||||
/usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
|
||||
/usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
/usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
@ -26,6 +28,7 @@
|
||||
/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
|
||||
/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
|
||||
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
|
||||
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
|
||||
|
||||
|
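Review bot: The new `/usr/libexec/ipsec/` entries in the first hunk cover _plutoload, _plutorun, eroute, klipsdebug and pluto, but no `/usr/libexec/ipsec/spi` line is visible even though the parallel `/usr/lib(64)?/ipsec/` block labels spi as ipsec_exec_t; if a libexec layout ships spi as well, it would keep the directory's default label and run without a domain transition. This is worth confirming against the package's file list before merging. A short comment naming the distribution or package that uses the libexec layout, e.g. `# libexec layout: [package: TODO]`, would also make the two parallel blocks easier to keep in sync.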
@ -55,11 +55,12 @@ role system_r types setkey_t;
|
||||
|
||||
allow ipsec_t self:capability { net_admin dac_override dac_read_search };
|
||||
dontaudit ipsec_t self:capability sys_tty_config;
|
||||
allow ipsec_t self:process signal;
|
||||
allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow ipsec_t self:process { signal setsched };
|
||||
allow ipsec_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ipsec_t self:key_socket { create write read setopt };
|
||||
allow ipsec_t self:fifo_file read_file_perms;
|
||||
allow ipsec_t self:udp_socket create_socket_perms;
|
||||
allow ipsec_t self:key_socket create_socket_perms;
|
||||
allow ipsec_t self:fifo_file read_fifo_file_perms;
|
||||
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
|
||||
|
||||
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
|
||||
read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
|
||||
@ -102,8 +103,11 @@ corenet_tcp_sendrecv_all_nodes(ipsec_t)
|
||||
corenet_raw_sendrecv_all_nodes(ipsec_t)
|
||||
corenet_tcp_sendrecv_all_ports(ipsec_t)
|
||||
corenet_tcp_bind_all_nodes(ipsec_t)
|
||||
corenet_udp_bind_all_nodes(ipsec_t)
|
||||
corenet_tcp_bind_reserved_port(ipsec_t)
|
||||
corenet_tcp_bind_isakmp_port(ipsec_t)
|
||||
corenet_udp_bind_isakmp_port(ipsec_t)
|
||||
corenet_udp_bind_ipsecnat_port(ipsec_t)
|
||||
corenet_sendrecv_generic_server_packets(ipsec_t)
|
||||
corenet_sendrecv_isakmp_server_packets(ipsec_t)
|
||||
|
||||
@ -127,19 +131,15 @@ files_read_etc_files(ipsec_t)
|
||||
init_use_fds(ipsec_t)
|
||||
init_use_script_ptys(ipsec_t)
|
||||
|
||||
auth_use_nsswitch(ipsec_t)
|
||||
|
||||
logging_send_syslog_msg(ipsec_t)
|
||||
|
||||
miscfiles_read_localization(ipsec_t)
|
||||
|
||||
sysnet_read_config(ipsec_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
|
||||
userdom_dontaudit_search_user_home_dirs(ipsec_t)
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(ipsec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(ipsec_t)
|
||||
')
|
||||
@ -156,9 +156,9 @@ optional_policy(`
|
||||
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
|
||||
allow ipsec_mgmt_t self:process { signal setrlimit };
|
||||
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ipsec_mgmt_t self:tcp_socket create_socket_perms;
|
||||
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
||||
allow ipsec_mgmt_t self:key_socket { create setopt };
|
||||
allow ipsec_mgmt_t self:key_socket create_socket_perms;
|
||||
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
|
||||
@ -222,6 +222,7 @@ term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
|
||||
# the ipsec wrapper wants to run /usr/bin/logger (should we put
|
||||
# it in its own domain?)
|
||||
corecmd_exec_bin(ipsec_mgmt_t)
|
||||
corecmd_exec_shell(ipsec_mgmt_t)
|
||||
|
||||
domain_use_interactive_fds(ipsec_mgmt_t)
|
||||
# denials when ps tries to search /proc. Do not audit these denials.
|
||||
@ -241,6 +242,8 @@ init_use_script_ptys(ipsec_mgmt_t)
|
||||
init_exec_script_files(ipsec_mgmt_t)
|
||||
init_use_fds(ipsec_mgmt_t)
|
||||
|
||||
logging_send_syslog_msg(ipsec_mgmt_t)
|
||||
|
||||
miscfiles_read_localization(ipsec_mgmt_t)
|
||||
|
||||
modutils_domtrans_insmod(ipsec_mgmt_t)
|
||||
@ -276,7 +279,7 @@ allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
|
||||
allow racoon_t self:netlink_selinux_socket { bind create read };
|
||||
allow racoon_t self:udp_socket create_socket_perms;
|
||||
allow racoon_t self:key_socket { create read setopt write };
|
||||
allow racoon_t self:key_socket create_socket_perms;
|
||||
|
||||
# manage pid file
|
||||
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
|
||||
@ -295,6 +298,10 @@ kernel_read_system_state(racoon_t)
|
||||
kernel_read_network_state(racoon_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(racoon_t)
|
||||
corenet_tcp_sendrecv_all_if(racoon_t)
|
||||
corenet_udp_sendrecv_all_if(racoon_t)
|
||||
corenet_tcp_sendrecv_all_nodes(racoon_t)
|
||||
corenet_udp_sendrecv_all_nodes(racoon_t)
|
||||
corenet_tcp_bind_all_nodes(racoon_t)
|
||||
corenet_udp_bind_all_nodes(racoon_t)
|
||||
corenet_udp_bind_isakmp_port(racoon_t)
|
||||
@ -312,6 +319,8 @@ selinux_compute_access_vector(racoon_t)
|
||||
|
||||
ipsec_setcontext_default_spd(racoon_t)
|
||||
|
||||
auth_use_nsswitch(racoon_t)
|
||||
|
||||
locallogin_use_fds(racoon_t)
|
||||
|
||||
logging_send_syslog_msg(racoon_t)
|
||||
@ -325,7 +334,7 @@ miscfiles_read_localization(racoon_t)
|
||||
#
|
||||
|
||||
allow setkey_t self:capability net_admin;
|
||||
allow setkey_t self:key_socket { create read setopt write };
|
||||
allow setkey_t self:key_socket create_socket_perms;
|
||||
allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
|
||||
|
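Review bot: In the `@ -55,11 +55,12` hunk the ipsec_t key_socket rule moves from the explicit `{ create write read setopt }` to `create_socket_perms`, which in refpolicy expands to considerably more than those four permissions (bind, connect, shutdown, ioctl and the attribute operations among them); if the daemon only needs the original set, the narrower list should stay. The same widening appears for ipsec_mgmt_t in `@ -156,9 +156,9` (where `{ create setopt }` gains read and write, and the tcp_socket rule moves to `create_stream_socket_perms`), for racoon_t in `@ -276,7 +279,7` and for setkey_t in `@ -325,7 +334,7`. The new `allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };` grants write access to the kernel's xfrm (SA/SP) configuration and would benefit from a one-line comment such as `# pluto installs SAs/SPs through netlink xfrm` so the grant can be traced to its purpose. Old and new sides are inferred from the hunk counts and parallel wording, since the rendering dropped the +/- markers.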
@ -1,4 +1,3 @@
|
||||
|
||||
/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
@ -6,3 +5,5 @@
|
||||
/usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
|
||||
/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)
|
||||
|
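Review bot: The added `/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)` carries the `--` qualifier, which restricts the match to regular files, so the `/var/lib/shorewall` directory itself and any subdirectories the `(/.*)?` is meant to catch keep the parent's label; dropping the qualifier labels the whole tree: `/var/lib/shorewall(/.*)? gen_context(system_u:object_r:iptables_var_run_t,s0)`. Labelling persistent state under /var/lib with a type declared as a pid file (`files_pid_file(iptables_var_run_t)` is visible in the iptables.te context below) also looks like a type mismatch; a dedicated type (say `iptables_var_lib_t`, declared with `files_type()`) may fit better if these files survive reboot, which the hunk cannot show. The single line removed in `@ -1,4 +1,3` cannot be identified from the rendering.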
@ -22,12 +22,12 @@ files_pid_file(iptables_var_run_t)
|
||||
# Iptables local policy
|
||||
#
|
||||
|
||||
allow iptables_t self:capability { net_admin net_raw };
|
||||
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
|
||||
dontaudit iptables_t self:capability sys_tty_config;
|
||||
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
||||
allow iptables_t self:rawip_socket create_socket_perms;
|
||||
|
||||
allow iptables_t iptables_var_run_t:dir rw_dir_perms;
|
||||
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
|
||||
files_pid_filetrans(iptables_t,iptables_var_run_t,file)
|
||||
|
||||
can_exec(iptables_t,iptables_exec_t)
|
||||
|
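Review bot: The capability line grows from `{ net_admin net_raw }` to `{ dac_read_search dac_override net_admin net_raw }`; dac_override also lets iptables_t bypass DAC for writes and is rarely needed alongside dac_read_search, which already covers reading and searching paths owned by other users, so unless a denial shows a write the narrower `allow iptables_t self:capability { dac_read_search net_admin net_raw };` is preferable. The new `manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)` also puts spaces after the commas while the neighbouring `files_pid_filetrans(iptables_t,iptables_var_run_t,file)` and `can_exec(iptables_t,iptables_exec_t)` do not; keep one spelling within the file. Whether the `rw_dir_perms` line is replaced or kept alongside the pattern is not recoverable from the rendering, as the +/- markers are gone.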