- Merge pull request #48 from lkundrak/contrib-openfortivpn

- unbound wants to use ephemeral ports as a default configuration. Also allow the use of UDP sockets.
Miroslav Grepl 2015-11-10 10:24:32 +01:00
parent 5c3fd596c9
commit db55b65949
3 changed files with 271 additions and 26 deletions



@ -9551,7 +9551,7 @@ index 531a8f2..0b86f2f 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
index 1241123..5336071 100644
index 1241123..dcaf16b 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@ -9607,11 +9607,12 @@ index 1241123..5336071 100644
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
@@ -141,9 +143,12 @@ corenet_sendrecv_all_client_packets(named_t)
@@ -141,9 +143,13 @@ corenet_sendrecv_all_client_packets(named_t)
corenet_tcp_connect_all_ports(named_t)
corenet_tcp_sendrecv_all_ports(named_t)
+corenet_tcp_bind_all_ephemeral_ports(named_t)
+corenet_udp_bind_all_ephemeral_ports(named_t)
+
dev_read_sysfs(named_t)
dev_read_rand(named_t)
@ -9620,7 +9621,7 @@ index 1241123..5336071 100644
domain_use_interactive_fds(named_t)
@@ -175,6 +180,19 @@ tunable_policy(`named_write_master_zones',`
@@ -175,6 +181,19 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
@ -9640,7 +9641,7 @@ index 1241123..5336071 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
@@ -187,7 +205,13 @@ optional_policy(`
@@ -187,7 +206,13 @@ optional_policy(`
')
optional_policy(`
@ -9654,7 +9655,7 @@ index 1241123..5336071 100644
kerberos_use(named_t)
')
@@ -215,7 +239,8 @@ optional_policy(`
@@ -215,7 +240,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@ -9664,7 +9665,7 @@ index 1241123..5336071 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
@@ -229,10 +254,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
@@ -229,10 +255,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@ -9676,7 +9677,7 @@ index 1241123..5336071 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
@@ -242,6 +266,9 @@ corenet_tcp_bind_generic_node(ndc_t)
@@ -242,6 +267,9 @@ corenet_tcp_bind_generic_node(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
@ -9686,7 +9687,7 @@ index 1241123..5336071 100644
domain_use_interactive_fds(ndc_t)
files_search_pids(ndc_t)
@@ -257,7 +284,7 @@ init_use_script_ptys(ndc_t)
@@ -257,7 +285,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@ -44261,7 +44262,7 @@ index dff21a7..b6981c8 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
index 483c87b..62ca3e4 100644
index 483c87b..0a54c6d 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@ -44273,7 +44274,12 @@ index 483c87b..62ca3e4 100644
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
@@ -27,6 +27,7 @@ allow lircd_t self:capability { chown kill sys_admin };
@@ -23,10 +23,11 @@ files_pid_file(lircd_var_run_t)
# Local policy
#
-allow lircd_t self:capability { chown kill sys_admin };
+allow lircd_t self:capability { setuid setgid dac_override chown kill sys_admin };
allow lircd_t self:process signal;
allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:tcp_socket { accept listen };
@ -44281,17 +44287,27 @@ index 483c87b..62ca3e4 100644
read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
@@ -64,9 +65,9 @@ files_manage_generic_locks(lircd_t)
@@ -39,6 +40,7 @@ dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
kernel_request_load_module(lircd_t)
+
corenet_all_recvfrom_unlabeled(lircd_t)
corenet_all_recvfrom_netlabel(lircd_t)
corenet_tcp_sendrecv_generic_if(lircd_t)
@@ -64,9 +66,11 @@ files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
term_use_ptmx(lircd_t)
+term_use_usb_ttys(lircd_t)
+term_use_unallocated_ttys(lircd_t)
logging_send_syslog_msg(lircd_t)
-logging_send_syslog_msg(lircd_t)
+auth_read_passwd(lircd_t)
-miscfiles_read_localization(lircd_t)
-
+logging_send_syslog_msg(lircd_t)
sysnet_dns_name_resolve(lircd_t)
diff --git a/livecd.if b/livecd.if
index e354181..fc614ba 100644
@ -57389,7 +57405,7 @@ index 86dc29d..7380935 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
index 55f2009..d63018d 100644
index 55f2009..2646460 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@ -57607,10 +57623,10 @@ index 55f2009..d63018d 100644
-# certificates in user home directories (cert_home_t in ~/\.pki)
-userdom_read_user_home_content_files(NetworkManager_t)
+systemd_machined_read_pid_files(NetworkManager_t)
+
+term_use_unallocated_ttys(NetworkManager_t)
-userdom_write_user_tmp_sockets(NetworkManager_t)
+term_use_unallocated_ttys(NetworkManager_t)
+
+userdom_stream_connect(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
@ -57809,7 +57825,21 @@ index 55f2009..d63018d 100644
')
optional_policy(`
@@ -357,6 +447,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
@@ -338,6 +428,13 @@ optional_policy(`
vpn_relabelfrom_tun_socket(NetworkManager_t)
')
+optional_policy(`
+ openfortivpn_domtrans(NetworkManager_t)
+ openfortivpn_sigkill(NetworkManager_t)
+ openfortivpn_signal(NetworkManager_t)
+ openfortivpn_signull(NetworkManager_t)
+')
+
########################################
#
# wpa_cli local policy
@@ -357,6 +454,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@ -62271,6 +62301,210 @@ index 3b6920e..3e9b17f 100644
userdom_dontaudit_use_unpriv_user_fds(openct_t)
userdom_dontaudit_search_user_home_dirs(openct_t)
diff --git a/openfortivpn.fc b/openfortivpn.fc
new file mode 100644
index 0000000..2e4dd3f
--- /dev/null
+++ b/openfortivpn.fc
@@ -0,0 +1,4 @@
+/usr/bin/openfortivpn -- gen_context(system_u:object_r:openfortivpn_exec_t,s0)
+/usr/libexec/nm-fortisslvpn-service -- gen_context(system_u:object_r:openfortivpn_exec_t,s0)
+
+/var/lib/NetworkManager-fortisslvpn(/.*)? gen_context(system_u:object_r:openfortivpn_var_lib_t,s0)
diff --git a/openfortivpn.if b/openfortivpn.if
new file mode 100644
index 0000000..7581b52
--- /dev/null
+++ b/openfortivpn.if
@@ -0,0 +1,113 @@
+## <summary>Fortinet compatible SSL VPN daemons.</summary>
+
+########################################
+## <summary>
+## Transition to openfortivpn.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_domtrans',`
+ gen_require(`
+ type openfortivpn_t, openfortivpn_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openfortivpn_exec_t, openfortivpn_t)
+')
+
+########################################
+## <summary>
+## Allow send a signal to openfortivpn.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_signal',`
+ gen_require(`
+ type openfortivpn_t;
+ ')
+
+ allow $1 openfortivpn_t:process signal;
+')
+
+########################################
+## <summary>
+## Allow send signull to openfortivpn.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_signull',`
+ gen_require(`
+ type openfortivpn_t;
+ ')
+
+ allow $1 openfortivpn_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow send sigkill to openfortivpn.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_sigkill',`
+ gen_require(`
+ type openfortivpn_t;
+ ')
+
+ allow $1 openfortivpn_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## openfortivpn over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_dbus_chat',`
+ gen_require(`
+ type openfortivpn_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 openfortivpn_t:dbus send_msg;
+ allow openfortivpn_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read from and write to the openfortivpn devpts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openfortivpn_use_ptys',`
+ gen_require(`
+ type openfortivpn_devpts_t;
+ ')
+
+ allow $1 openfortivpn_devpts_t:chr_file rw_term_perms;
+')
diff --git a/openfortivpn.te b/openfortivpn.te
new file mode 100644
index 0000000..0d22f83
--- /dev/null
+++ b/openfortivpn.te
@@ -0,0 +1,69 @@
+policy_module(openfortivpn, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openfortivpn_t;
+domain_type(openfortivpn_t);
+role system_r types openfortivpn_t;
+
+type openfortivpn_exec_t;
+domain_entry_file(openfortivpn_t, openfortivpn_exec_t)
+
+type openfortivpn_var_lib_t;
+files_type(openfortivpn_var_lib_t)
+
+type openfortivpn_devpts_t;
+term_pty(openfortivpn_devpts_t)
+
+########################################
+#
+# Local policy
+#
+
+# User certificates are typically not world-readable and are owned by the user
+allow openfortivpn_t self:capability dac_override;
+
+# Talking to pppd via the PTY
+allow openfortivpn_t openfortivpn_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
+manage_dirs_pattern(openfortivpn_t, openfortivpn_var_lib_t, openfortivpn_var_lib_t)
+manage_files_pattern(openfortivpn_t, openfortivpn_var_lib_t, openfortivpn_var_lib_t)
+
+can_exec(openfortivpn_t, openfortivpn_exec_t)
+
+# No standard port for SSLVPN
+corenet_all_recvfrom_unlabeled(openfortivpn_t)
+corenet_tcp_connect_all_ports(openfortivpn_t)
+corenet_tcp_sendrecv_all_ports(openfortivpn_t)
+corenet_tcp_sendrecv_generic_if(openfortivpn_t)
+corenet_tcp_sendrecv_generic_node(openfortivpn_t)
+
+fs_dontaudit_getattr_xattr_fs(openfortivpn_t)
+
+# PTY to pppd
+term_create_pty(openfortivpn_t, openfortivpn_devpts_t)
+
+auth_dontaudit_read_passwd(openfortivpn_t)
+auth_use_nsswitch(openfortivpn_t)
+
+logging_send_syslog_msg(openfortivpn_t)
+
+userdom_read_home_certs(openfortivpn_t)
+
+optional_policy(`
+ dbus_system_bus_client(openfortivpn_t)
+ dbus_connect_system_bus(openfortivpn_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(openfortivpn_t)
+ ')
+')
+
+optional_policy(`
+ ppp_domtrans(openfortivpn_t)
+ ppp_signal(openfortivpn_t)
+ ppp_kill(openfortivpn_t)
+')
diff --git a/openhpi.te b/openhpi.te
index 8de6191..1a01e99 100644
--- a/openhpi.te
@ -73802,7 +74036,7 @@ index cd8b8b9..2cfa88a 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
index d616ca3..6b73bbd 100644
index d616ca3..8ccefd5 100644
--- a/ppp.te
+++ b/ppp.te
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
@ -73991,14 +74225,14 @@ index d616ca3..6b73bbd 100644
-fs_getattr_all_fs(pppd_t)
-fs_search_auto_mountpoints(pppd_t)
+# for scripts
-
-term_use_unallocated_ttys(pppd_t)
-term_setattr_unallocated_ttys(pppd_t)
-term_ioctl_generic_ptys(pppd_t)
-term_create_pty(pppd_t, pppd_devpts_t)
-term_use_generic_ptys(pppd_t)
-
+# for scripts
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
init_read_utmp(pppd_t)
-init_signal_script(pppd_t)
@ -74046,8 +74280,15 @@ index d616ca3..6b73bbd 100644
')
')
@@ -218,16 +240,19 @@ optional_policy(`
@@ -216,18 +238,26 @@ optional_policy(`
udev_read_db(pppd_t)
')
+optional_policy(`
+ openfortivpn_dbus_chat(pppd_t)
+ openfortivpn_use_ptys(pppd_t)
+')
+
########################################
#
-# PPTP local policy
@ -74069,7 +74310,7 @@ index d616ca3..6b73bbd 100644
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
@@ -236,45 +261,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
@@ -236,45 +266,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@ -74126,7 +74367,7 @@ index d616ca3..6b73bbd 100644
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
@@ -282,12 +305,12 @@ term_ioctl_generic_ptys(pptp_t)
@@ -282,12 +310,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
@ -74141,7 +74382,7 @@ index d616ca3..6b73bbd 100644
sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
@@ -299,6 +322,10 @@ optional_policy(`
@@ -299,6 +327,10 @@ optional_policy(`
')
optional_policy(`
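Review bot: The lircd_t capability rule in the lircd.te hunk grows from `{ chown kill sys_admin }` to `{ setuid setgid dac_override chown kill sys_admin }` with no comment on why; `dac_override` lets the domain bypass DAC permission checks on every file it is otherwise allowed to reach, and in refpolicy it is usually a symptom of a file or socket owned by the wrong user rather than a real requirement. If setuid/setgid are for dropping privileges after start-up, that is worth recording, e.g. `# lircd switches to an unprivileged user after start; dac_override for <denial being fixed - confirm>` above the allow line, or drop dac_override if the denial can be resolved by fixing ownership instead. The rendering has lost the outer diff's leading markers for the rest of that file section, so which of the term_use_* and auth_read_passwd lines are new versus context could not be confirmed.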


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 157%{?dist}
Release: 158%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -661,6 +661,10 @@ exit 0
%endif
%changelog
* Tue Nov 10 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-158
- Merge pull request #48 from lkundrak/contrib-openfortivpn
- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.
* Mon Nov 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-157
- The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system.
- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.