From e87221cefedf75918e40651ede50bb6a5d23a21b Mon Sep 17 00:00:00 2001 
From: Chris PeBenito Date: Wed, 8 Oct 2008 15:50:03 +0000 Subject: [PATCH] trunk: 21 patches from dan. --- policy/modules/services/apcupsd.fc | 2 + policy/modules/services/apcupsd.if | 45 ++++++++++++++++++++ policy/modules/services/apcupsd.te | 11 ++++- policy/modules/services/bitlbee.fc | 5 ++- policy/modules/services/bitlbee.if | 37 ++++++++++++++++ policy/modules/services/bitlbee.te | 19 ++++++++- policy/modules/services/canna.fc | 1 + policy/modules/services/canna.if | 41 ++++++++++++++++++ policy/modules/services/canna.te | 5 ++- policy/modules/services/ddclient.fc | 1 + policy/modules/services/ddclient.if | 48 +++++++++++++++++++++ policy/modules/services/ddclient.te | 7 +++- policy/modules/services/dictd.fc | 3 ++ policy/modules/services/dictd.if | 41 ++++++++++++++++++ policy/modules/services/dictd.te | 11 ++++- policy/modules/services/fail2ban.fc | 3 +- policy/modules/services/fail2ban.if | 38 +++++++++++++++++ policy/modules/services/fail2ban.te | 5 ++- policy/modules/services/inn.fc | 1 + policy/modules/services/inn.if | 51 ++++++++++++++++++++++- policy/modules/services/inn.te | 7 +++- policy/modules/services/jabber.fc | 2 + policy/modules/services/jabber.if | 41 ++++++++++++++++++ policy/modules/services/jabber.te | 5 ++- policy/modules/services/ntp.if | 44 +++++++++++++++++++ policy/modules/services/ntp.te | 2 +- policy/modules/services/postfixpolicyd.fc | 1 + policy/modules/services/postfixpolicyd.if | 39 +++++++++++++++++ policy/modules/services/postfixpolicyd.te | 5 ++- policy/modules/services/radius.fc | 1 + policy/modules/services/radius.if | 21 +++++++--- policy/modules/services/radius.te | 24 +++++++---- policy/modules/services/radvd.fc | 2 +- policy/modules/services/radvd.if | 18 ++++++-- policy/modules/services/radvd.te | 6 ++- policy/modules/services/rwho.fc | 2 + policy/modules/services/rwho.if | 19 +++++++-- policy/modules/services/rwho.te | 5 ++- policy/modules/services/soundserver.fc | 3 ++ policy/modules/services/soundserver.if | 42 
+++++++++++++++++++ policy/modules/services/soundserver.te | 23 +++++++--- policy/modules/services/squid.fc | 2 +- policy/modules/services/squid.if | 45 ++++++++++++++++++++ policy/modules/services/squid.te | 4 +- policy/modules/services/tftp.if | 6 +-- policy/modules/services/tftp.te | 17 ++------ policy/modules/services/tor.fc | 1 + policy/modules/services/tor.if | 23 +++++++--- policy/modules/services/tor.te | 10 +++-- policy/modules/services/uucp.if | 16 +++---- policy/modules/services/uucp.te | 4 +- policy/modules/services/zabbix.fc | 2 + policy/modules/services/zabbix.if | 19 +++++++-- policy/modules/services/zabbix.te | 5 ++- policy/modules/services/zebra.fc | 6 +++ policy/modules/services/zebra.if | 31 +++++++++----- policy/modules/services/zebra.te | 8 +++- policy/support/file_patterns.spt | 14 +++++++ 58 files changed, 797 insertions(+), 103 deletions(-) diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc index a71bd47b..36c832ea 100644 --- a/policy/modules/services/apcupsd.fc +++ b/policy/modules/services/apcupsd.fc @@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) + ifdef(`distro_debian',` /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) ') diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if index 9a8d2a00..c5cce45a 100644 --- a/policy/modules/services/apcupsd.if +++ b/policy/modules/services/apcupsd.if 
@@ -97,3 +97,48 @@ interface(`apcupsd_cgi_script_domtrans',` domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) ') + +######################################## +## +## All of the rules required to administrate +## an apcupsd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the apcupsd domain. +## +## +## +# +interface(`apcupsd_admin',` + gen_require(` + type apcupsd_t, apcupsd_tmp_t; + type apcupsd_log_t, apcupsd_lock_t; + type apcupsd_var_run_t, apcupsd_initrc_exec_t; + ') + + allow $1 apcupsd_t:process { ptrace signal_perms }; + ps_process_pattern($1, apcupsd_t) + + init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 apcupsd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var($1) + admin_pattern($1, apcupsd_lock_t) + + logging_list_logs($1) + admin_pattern($1, apcupsd_log_t) + + files_list_tmp($1) + admin_pattern($1, apcupsd_tmp_t) + + files_list_pids($1) + admin_pattern($1, apcupsd_var_run_t) +') diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te index 9c01fa84..6d444ae4 100644 --- a/policy/modules/services/apcupsd.te +++ b/policy/modules/services/apcupsd.te @@ -1,5 +1,5 @@ -policy_module(apcupsd, 1.3.1) +policy_module(apcupsd, 1.3.2) ######################################## # @@ -13,6 +13,9 @@ init_daemon_domain(apcupsd_t, apcupsd_exec_t) type apcupsd_lock_t; files_lock_file(apcupsd_lock_t) +type apcupsd_initrc_exec_t; +init_script_file(apcupsd_initrc_exec_t) + type apcupsd_log_t; logging_log_file(apcupsd_log_t) 
@@ -86,12 +89,18 @@ logging_send_syslog_msg(apcupsd_t) miscfiles_read_localization(apcupsd_t) +sysnet_dns_name_resolve(apcupsd_t) + +userdom_use_unpriv_users_ttys(apcupsd_t) +userdom_use_unpriv_users_ptys(apcupsd_t) + optional_policy(` hostname_exec(apcupsd_t) ') optional_policy(` mta_send_mail(apcupsd_t) + mta_system_content(apcupsd_tmp_t) ') ######################################## diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc index b9c9c536..0197980d 100644 --- a/policy/modules/services/bitlbee.fc +++ b/policy/modules/services/bitlbee.fc @@ -1,3 +1,6 @@ -/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) +/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0) /etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0) + +/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) + /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if index d2cc8ae1..9e12e951 100644 --- a/policy/modules/services/bitlbee.if +++ b/policy/modules/services/bitlbee.if 
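Review bot: The two new lines `userdom_use_unpriv_users_ttys(apcupsd_t)` / `userdom_use_unpriv_users_ptys(apcupsd_t)` hand a network-facing daemon write access to every unprivileged user's terminal, and nothing in the hunk says why. Presumably this is for the wall-style power-event warnings apcupsd's event scripts emit, but a reader of the .te file cannot tell that from the rules alone, so I would add a one-line justification above them such as `# apcupsd's event scripts write power-event warnings (wall) to logged-in users' terminals`. If the terminal access is only needed by the scripts it spawns rather than the daemon itself, narrowing it to that path would be worth a follow-up.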
@@ -20,3 +20,40 @@ interface(`bitlbee_read_config',` allow $1 bitlbee_conf_t:file { read getattr }; ') +######################################## +## +## All of the rules required to administrate +## an bitlbee environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the bitlbee domain. +## +## +## +# +interface(`bitlbee_admin',` + gen_require(` + type bitlbee_t, bitlbee_conf_t, bitlbee_var_t; + type bitlbee_initrc_exec_t; + ') + + allow $1 bitlbee_t:process { ptrace signal_perms }; + ps_process_pattern($1, bitlbee_t) + + init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bitlbee_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, bitlbee_conf_t) + + files_list_var($1) + admin_pattern($1, bitlbee_var_t) +') diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te index 8a4006e9..748608fe 100644 --- a/policy/modules/services/bitlbee.te +++ b/policy/modules/services/bitlbee.te @@ -1,5 +1,5 @@ -policy_module(bitlbee, 1.0.0) +policy_module(bitlbee, 1.0.1) ######################################## # @@ -14,6 +14,12 @@ inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t) type bitlbee_conf_t; files_config_file(bitlbee_conf_t) +type bitlbee_initrc_exec_t; +init_script_file(bitlbee_initrc_exec_t) + +type bitlbee_tmp_t; +files_tmp_file(bitlbee_tmp_t) + type bitlbee_var_t; files_type(bitlbee_var_t) 
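Review bot: In `bitlbee_admin`, `admin_pattern($1, bitlbee_var_t)` is paired with `files_list_var($1)`, but the bitlbee.fc hunk just above this one labels bitlbee_var_t at `/var/lib/bitlbee(/.*)?`, so the admin domain is only granted list/search on /var and cannot traverse /var/lib to reach the directory unless some other rule supplies that. The other admin interfaces in this series (canna, ddclient, dictd, inn, jabber) use `files_list_var_lib($1)` for their /var/lib types, so this should be `files_list_var_lib($1)` for consistency. The same check applies to `files_list_var($1)` in apcupsd_admin, whose lock-file type lives under /var/lock, though that path is not shown in this diff.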
@@ -26,9 +32,15 @@ files_type(bitlbee_var_t) allow bitlbee_t self:udp_socket create_socket_perms; allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; +allow bitlbee_t self:fifo_file rw_fifo_file_perms; +allow bitlbee_t self:process signal; bitlbee_read_config(bitlbee_t) +# tmp files +manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) +files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file) + # user account information is read and edited at runtime; give the usual # r/w access to bitlbee_var_t manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) @@ -54,6 +66,9 @@ corenet_tcp_sendrecv_mmcc_port(bitlbee_t) corenet_tcp_connect_msnp_port(bitlbee_t) corenet_tcp_sendrecv_msnp_port(bitlbee_t) +dev_read_rand(bitlbee_t) +dev_read_urand(bitlbee_t) + files_read_etc_files(bitlbee_t) files_search_pids(bitlbee_t) # grant read-only access to the user help files @@ -62,6 +77,8 @@ files_read_usr_files(bitlbee_t) libs_legacy_use_shared_libs(bitlbee_t) libs_use_ld_so(bitlbee_t) +miscfiles_read_localization(bitlbee_t) + sysnet_dns_name_resolve(bitlbee_t) optional_policy(` diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc index 14c323c1..5432d0e5 100644 --- a/policy/modules/services/canna.fc +++ b/policy/modules/services/canna.fc @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0) # # /usr diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if index 2517e990..af2e6a08 100644 --- a/policy/modules/services/canna.if +++ b/policy/modules/services/canna.if 
@@ -18,3 +18,44 @@ interface(`canna_stream_connect',` files_search_pids($1) stream_connect_pattern($1, canna_var_run_t, canna_var_run_t,canna_t) ') + +######################################## +## +## All of the rules required to administrate +## an canna environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the canna domain. +## +## +## +# +interface(`canna_admin',` + gen_require(` + type canna_t, canna_log_t, canna_var_lib_t; + type canna_var_run_t, canna_initrc_exec_t; + ') + + allow $1 canna_t:process { ptrace signal_perms }; + ps_process_pattern($1, canna_t) + + init_labeled_script_domtrans($1, canna_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 canna_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, canna_log_t) + + files_list_var_lib($1) + admin_pattern($1, canna_var_lib_t) + + files_list_pids($1) + admin_pattern($1, canna_var_run_t) +') diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te index 030d7850..5bd8f668 100644 --- a/policy/modules/services/canna.te +++ b/policy/modules/services/canna.te @@ -1,5 +1,5 @@ -policy_module(canna, 1.7.0) +policy_module(canna, 1.7.1) ######################################## # @@ -10,6 +10,9 @@ type canna_t; type canna_exec_t; init_daemon_domain(canna_t, canna_exec_t) +type canna_initrc_exec_t; +init_script_file(canna_initrc_exec_t) + type canna_log_t; logging_log_file(canna_log_t) diff --git a/policy/modules/services/ddclient.fc b/policy/modules/services/ddclient.fc index 606d2d29..083c1351 100644 --- a/policy/modules/services/ddclient.fc +++ b/policy/modules/services/ddclient.fc 
@@ -1,5 +1,6 @@ /etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) /etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) +/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0) /usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0) /usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0) diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if index 06d54c7e..c1e04cea 100644 --- a/policy/modules/services/ddclient.if +++ b/policy/modules/services/ddclient.if @@ -18,3 +18,51 @@ interface(`ddclient_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, ddclient_exec_t, ddclient_t) ') + +######################################## +## +## All of the rules required to administrate +## an ddclient environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the ddclient domain. +## +## +## +# +interface(`ddclient_admin',` + gen_require(` + type ddclient_t, ddclient_etc_t, ddclient_log_t; + type ddclient_var_t, ddclient_var_lib_t; + type ddclient_var_run_t, ddclient_initrc_exec_t; + ') + + allow $1 ddclient_t:process { ptrace signal_perms }; + ps_process_pattern($1, ddclient_t) + + init_labeled_script_domtrans($1, ddclient_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ddclient_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, ddclient_etc_t) + + logging_list_logs($1) + admin_pattern($1, ddclient_log_t) + + files_list_var($1) + admin_pattern($1, ddclient_var_t) + + files_list_var_lib($1) + admin_pattern($1, ddclient_var_lib_t) + + files_list_pids($1) + admin_pattern($1, ddclient_var_run_t) +') diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te index fc733995..14b19dab 100644 --- a/policy/modules/services/ddclient.te +++ b/policy/modules/services/ddclient.te 
@@ -1,5 +1,5 @@ -policy_module(ddclient, 1.5.0) +policy_module(ddclient, 1.5.1) ######################################## # @@ -11,7 +11,10 @@ type ddclient_exec_t; init_daemon_domain(ddclient_t, ddclient_exec_t) type ddclient_etc_t; -files_type(ddclient_etc_t) +files_config_file(ddclient_etc_t) + +type ddclient_initrc_exec_t; +init_script_file(ddclient_initrc_exec_t) type ddclient_log_t; logging_log_file(ddclient_log_t) diff --git a/policy/modules/services/dictd.fc b/policy/modules/services/dictd.fc index 1907af76..54f88c87 100644 --- a/policy/modules/services/dictd.fc +++ b/policy/modules/services/dictd.fc @@ -1,6 +1,9 @@ +/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0) /etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0) /usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) /var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0) + +/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0) diff --git a/policy/modules/services/dictd.if b/policy/modules/services/dictd.if index 43f1ea33..a0d23ce1 100644 --- a/policy/modules/services/dictd.if +++ b/policy/modules/services/dictd.if 
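Review bot: Switching `ddclient_etc_t` from `files_type` to `files_config_file` is a silent widening: the ddclient.fc hunk above labels `/etc/ddclient.conf` with this type, and that file normally carries the dynamic-DNS account login and password. As far as I recall refpolicy, `files_config_file` attaches the `configfile` attribute, which every domain granted `files_read_config_files` (or a broader etc-reading interface) can then read, whereas a plain `files_type` was reachable only through explicit ddclient_* rules or read-all-files interfaces. If the intent is just to let config-management tools relabel it, I would keep `files_type(ddclient_etc_t)` and document the decision, or at least add a comment next to the new line noting that the secret-bearing config is being exposed to the configfile readers.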
@@ -14,3 +14,44 @@ interface(`dictd_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## All of the rules required to administrate +## an dictd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the dictd domain. +## +## +## +# +interface(`dictd_admin',` + gen_require(` + type dictd_t, dictd_etc_t, dictd_var_lib_t; + type dictd_var_run_t, dictd_initrc_exec_t; + ') + + allow $1 dictd_t:process { ptrace signal_perms }; + ps_process_pattern($1, dictd_t) + + init_labeled_script_domtrans($1, dictd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dictd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, dictd_etc_t) + + files_list_var_lib($1) + admin_pattern($1, dictd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, dictd_var_run_t) +') diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te index b9e3ca20..f413643c 100644 --- a/policy/modules/services/dictd.te +++ b/policy/modules/services/dictd.te @@ -1,5 +1,5 @@ -policy_module(dictd, 1.5.0) +policy_module(dictd, 1.5.1) ######################################## # @@ -13,9 +13,15 @@ init_daemon_domain(dictd_t, dictd_exec_t) type dictd_etc_t; files_config_file(dictd_etc_t) +type dictd_initrc_exec_t; +init_script_file(dictd_initrc_exec_t) + type dictd_var_lib_t alias var_lib_dictd_t; files_type(dictd_var_lib_t) +type dictd_var_run_t; +files_pid_file(dictd_var_run_t) + ######################################## # # Local policy @@ -34,6 +40,9 @@ files_search_etc(dictd_t) allow dictd_t dictd_var_lib_t:dir list_dir_perms; allow dictd_t dictd_var_lib_t:file read_file_perms; +manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t) +files_pid_filetrans(dictd_t, dictd_var_run_t, file) + kernel_read_system_state(dictd_t) kernel_read_kernel_sysctls(dictd_t) 
diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc index 96a46231..c886ef55 100644 --- a/policy/modules/services/fail2ban.fc +++ b/policy/modules/services/fail2ban.fc @@ -3,5 +3,4 @@ /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) -/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0) -/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0) +/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if index d78cb8ff..fced3105 100644 --- a/policy/modules/services/fail2ban.if +++ b/policy/modules/services/fail2ban.if @@ -78,3 +78,41 @@ interface(`fail2ban_read_pid_files',` files_search_pids($1) allow $1 fail2ban_var_run_t:file read_file_perms; ') + +######################################## +## +## All of the rules required to administrate +## an fail2ban environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the fail2ban domain. +## +## +## +# +interface(`fail2ban_admin',` + gen_require(` + type fail2ban_t, fail2ban_log_t; + type fail2ban_var_run_t, fail2ban_initrc_exec_t; + ') + + allow $1 fail2ban_t:process { ptrace signal_perms }; + ps_process_pattern($1, fail2ban_t) + + init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fail2ban_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, fail2ban_log_t) + + files_list_pids($1) + admin_pattern($1, fail2ban_var_run_t) +') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te index b1be911e..918f5b51 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te 
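Review bot: The replacement pattern `/var/run/fail2ban.*` leaves the dot unescaped, so it is a regex wildcard and also matches any unrelated `/var/run/fail2banXYZ` path, and it drops the object-class selectors (`--`, `-s`) that the two removed lines carried. Since the fail2ban.te hunk in this same commit adds directory management under /var/run, the intent seems to be a `/var/run/fail2ban/` directory plus the legacy pid and socket files, which is better expressed as `/var/run/fail2ban(/.*)?` and `/var/run/fail2ban\.(pid|sock)`, keeping the escaped dot. This is hunk-local; nothing else in the .fc is visible here.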
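Review bot: `fail2ban_admin` calls `init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)`, a type that is neither in the interface's `gen_require` block nor, as far as I can tell, declared anywhere in refpolicy; it reads like a copy-paste slip from an rpcbind interface, while the `role_transition` two lines later correctly names `fail2ban_initrc_exec_t`. As written the module either fails to build or, if some similarly named type resolves, transitions admins into the wrong init-script domain and not into fail2ban's. The line should read `init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)`. Note that `fail2ban_initrc_exec_t` itself is not declared in the fail2ban.te hunks of this commit, so I am assuming it already exists outside the diff.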
@@ -1,5 +1,5 @@ -policy_module(fail2ban, 1.1.1) +policy_module(fail2ban, 1.1.2) ######################################## # @@ -37,9 +37,10 @@ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) # pid file +manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) -files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file }) +files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) kernel_read_system_state(fail2ban_t) diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc index 85dc7b38..ee9dbf6f 100644 --- a/policy/modules/services/inn.fc +++ b/policy/modules/services/inn.fc @@ -4,6 +4,7 @@ # /etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0) /etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0) +/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0) # # /usr diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if index 55ff9e4c..c390f23e 100644 --- a/policy/modules/services/inn.if +++ b/policy/modules/services/inn.if @@ -54,8 +54,7 @@ interface(`inn_manage_log',` ') logging_rw_generic_log_dirs($1) - allow $1 innd_log_t:dir search; - allow $1 innd_log_t:file manage_file_perms; + manage_files_pattern($1, innd_log_t, innd_log_t) ') ######################################## 
@@ -176,3 +175,51 @@ interface(`inn_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, innd_exec_t, innd_t) ') + +######################################## +## +## All of the rules required to administrate +## an inn environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the inn domain. +## +## +## +# +interface(`inn_admin',` + gen_require(` + type innd_t, innd_etc_t, innd_log_t; + type news_spool_t, innd_var_lib_t; + type innd_var_run_t, innd_initrc_exec_t; + ') + + allow $1 innd_t:process { ptrace signal_perms }; + ps_process_pattern($1, innd_t) + + init_labeled_script_domtrans($1, innd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 innd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, innd_etc_t) + + logging_list_logs($1) + admin_pattern($1, innd_log_t) + + files_list_var_lib($1) + admin_pattern($1, innd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, innd_var_run_t) + + files_list_spool($1) + admin_pattern($1, news_spool_t) +') diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te index 8cdce84e..31e66c5a 100644 --- a/policy/modules/services/inn.te +++ b/policy/modules/services/inn.te @@ -1,5 +1,5 @@ -policy_module(inn, 1.6.0) +policy_module(inn, 1.6.1) ######################################## # @@ -12,6 +12,9 @@ init_daemon_domain(innd_t, innd_exec_t) type innd_etc_t; files_config_file(innd_etc_t) +type innd_initrc_exec_t; +init_script_file(innd_initrc_exec_t) + type innd_log_t; logging_log_file(innd_log_t) @@ -22,7 +25,7 @@ type innd_var_run_t; files_pid_file(innd_var_run_t) type news_spool_t; -files_type(news_spool_t) +files_mountpoint(news_spool_t) ######################################## # diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc index 06ea7468..4c9acec1 100644 --- a/policy/modules/services/jabber.fc +++ b/policy/modules/services/jabber.fc 
@@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) + /usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if index 4d1a9319..98784995 100644 --- a/policy/modules/services/jabber.if +++ b/policy/modules/services/jabber.if @@ -13,3 +13,44 @@ interface(`jabber_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## All of the rules required to administrate +## an jabber environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the jabber domain. +## +## +## +# +interface(`jabber_admin',` + gen_require(` + type jabberd_t, jabberd_log_t, jabberd_var_lib_t; + type jabberd_var_run_t, jabberd_initrc_exec_t; + ') + + allow $1 jabberd_t:process { ptrace signal_perms }; + ps_process_pattern($1, jabberd_t) + + init_labeled_script_domtrans($1, jabberd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 jabberd_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, jabberd_log_t) + + files_list_var_lib($1) + admin_pattern($1, jabberd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, jabberd_var_run_t) +') diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te index e152dbc1..3e4e036f 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -1,5 +1,5 @@ -policy_module(jabber, 1.5.0) +policy_module(jabber, 1.5.1) ######################################## # @@ -10,6 +10,9 @@ type jabberd_t; type jabberd_exec_t; init_daemon_domain(jabberd_t, jabberd_exec_t) +type jabberd_initrc_exec_t; +init_script_file(jabberd_initrc_exec_t) + type jabberd_log_t; logging_log_file(jabberd_log_t) 
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if index 06bf2ea9..87dbda38 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if @@ -53,3 +53,47 @@ interface(`ntp_domtrans_ntpdate',` corecmd_search_bin($1) domtrans_pattern($1, ntpdate_exec_t, ntpd_t) ') + +######################################## +## +## All of the rules required to administrate +## an ntp environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the ntp domain. +## +## +## +# +interface(`ntp_admin',` + gen_require(` + type ntpd_t, ntpd_tmp_t, ntpd_log_t; + type ntpd_key_t, ntpd_var_lib_t, ntpd_var_run_t; + type ntpd_initrc_exec_t; + ') + + allow $1 ntpd_t:process { ptrace signal_perms getattr }; + ps_process_pattern($1, ntpd_t) + + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ntpd_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, ntpd_key_t) + + logging_list_logs($1) + admin_pattern($1, ntpd_log_t) + + files_list_tmp($1) + admin_pattern($1, ntpd_tmp_t) + + files_list_pids($1) + admin_pattern($1, ntpd_var_run_t) +') diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index c5acc6fb..bfd2b7e2 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -1,5 +1,5 @@ -policy_module(ntp, 1.6.2) +policy_module(ntp, 1.6.3) ######################################## # diff --git a/policy/modules/services/postfixpolicyd.fc b/policy/modules/services/postfixpolicyd.fc index 945acea5..4361cb67 100644 --- a/policy/modules/services/postfixpolicyd.fc +++ b/policy/modules/services/postfixpolicyd.fc @@ -1,4 +1,5 @@ /etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0) +/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0) /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) 
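Review bot: `ntp_admin` requires `ntpd_var_lib_t` in its `gen_require` but never grants any access to it, so the drift file under /var/lib/ntp, one of the things an NTP admin most often touches, stays unreachable; similarly `admin_pattern($1, ntpd_key_t)` has no `files_list_etc($1)` to reach the keys directory, unlike the etc-labelled types in the other admin interfaces of this series. I would add `files_list_etc($1)` before the ntpd_key_t line and `files_list_var_lib($1)` followed by `admin_pattern($1, ntpd_var_lib_t)`. Worth a comment as well that ntpd_key_t holds the NTP symmetric authentication keys, so the manage access here is deliberate admin-only material. The `getattr` in `{ ptrace signal_perms getattr }` is already covered by `ps_process_pattern` and can be dropped for consistency with the other new interfaces.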
diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if index bafa81c0..feae93b0 100644 --- a/policy/modules/services/postfixpolicyd.if +++ b/policy/modules/services/postfixpolicyd.if @@ -1 +1,40 @@ ## Postfix policy server + +######################################## +## +## All of the rules required to administrate +## an postfixpolicyd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the postfixpolicyd domain. +## +## +## +# +interface(`postfixpolicyd_admin',` + gen_require(` + type postfix_policyd_t, postfix_policyd_conf_t; + type postfix_policyd_var_run_t; + type postfix_policyd_initrc_exec_t; + ') + + allow $1 postfix_policyd_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_policyd_t) + + init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 postfix_policyd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, postfix_policyd_conf_t) + + files_list_pids($1) + admin_pattern($1, postfix_policyd_var_run_t) +') diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te index b9d86653..95f2ae2a 100644 --- a/policy/modules/services/postfixpolicyd.te +++ b/policy/modules/services/postfixpolicyd.te @@ -1,5 +1,5 @@ -policy_module(postfixpolicyd, 1.0.0) +policy_module(postfixpolicyd, 1.0.1) ######################################## # @@ -13,6 +13,9 @@ init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t) type postfix_policyd_conf_t; files_config_file(postfix_policyd_conf_t) +type postfix_policyd_initrc_exec_t; +init_script_file(postfix_policyd_initrc_exec_t) + type postfix_policyd_var_run_t; files_pid_file(postfix_policyd_var_run_t) diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc index 6f48bb05..cf707fb5 100644 --- a/policy/modules/services/radius.fc 
+++ b/policy/modules/services/radius.fc @@ -1,6 +1,7 @@ /etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) /etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) +/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0) /etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0) /etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0) diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if index b8a1477c..9a78598e 100644 --- a/policy/modules/services/radius.if +++ b/policy/modules/services/radius.if @@ -24,28 +24,39 @@ interface(`radius_use',` ## Domain allowed access. ## ## +## +## +## Role allowed access. +## +## ## # interface(`radius_admin',` gen_require(` type radiusd_t, radiusd_etc_t, radiusd_log_t; type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; + type radiusd_initrc_exec_t; ') allow $1 radiusd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, radiusd_t) + init_labeled_script_domtrans($1, radiusd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 radiusd_initrc_exec_t system_r; + allow $2 system_r; + files_list_etc($1) - manage_files_pattern($1, radiusd_etc_t, radiusd_etc_t) + admin_pattern($1, radiusd_etc_t) logging_list_logs($1) - manage_files_pattern($1, radiusd_log_t, radiusd_log_t) + admin_pattern($1, radiusd_log_t) - manage_files_pattern($1, radiusd_etc_rw_t, radiusd_etc_rw_t) + admin_pattern($1, radiusd_etc_rw_t) files_list_var_lib($1) - manage_files_pattern($1, radiusd_var_lib_t, radiusd_var_lib_t) + admin_pattern($1, radiusd_var_lib_t) files_list_pids($1) - manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t) + admin_pattern($1, radiusd_var_run_t) ') diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index c280a526..61f8edf4 100644 --- a/policy/modules/services/radius.te 
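Review bot: `radius_admin` changes from one to two mandatory arguments, and any existing caller still written as `radius_admin(domain)` will expand `$2` to nothing, yielding `role_transition radiusd_initrc_exec_t system_r;` and a build failure; this diff touches only policy/modules/services and policy/support, so callers elsewhere (role modules, for instance) are not updated here. The same signature break is made to `radvd_admin` and `rwho_admin` further down. Either update the callers in the same commit or note the incompatible interface change in the description so downstream policies know to pass a role.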
+++ b/policy/modules/services/radius.te @@ -1,5 +1,5 @@ -policy_module(radius, 1.8.0) +policy_module(radius, 1.8.1) ######################################## # @@ -16,6 +16,9 @@ files_config_file(radiusd_etc_t) type radiusd_etc_rw_t; files_type(radiusd_etc_rw_t) +type radiusd_initrc_exec_t; +init_script_file(radiusd_initrc_exec_t) + type radiusd_log_t; logging_log_file(radiusd_log_t) @@ -34,12 +37,11 @@ files_pid_file(radiusd_var_run_t) # gzip also needs chown access to preserve GID for radwtmp files allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { setsched signal }; +allow radiusd_t self:process { getsched setsched sigkill signal }; allow radiusd_t self:fifo_file rw_fifo_file_perms; allow radiusd_t self:unix_stream_socket create_stream_socket_perms; allow radiusd_t self:tcp_socket create_stream_socket_perms; allow radiusd_t self:udp_socket create_socket_perms; -allow radiusd_t self:netlink_route_socket r_netlink_socket_perms; allow radiusd_t radiusd_etc_t:dir list_dir_perms; read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t) @@ -74,8 +76,12 @@ corenet_udp_sendrecv_all_ports(radiusd_t) corenet_udp_bind_all_nodes(radiusd_t) corenet_udp_bind_radacct_port(radiusd_t) corenet_udp_bind_radius_port(radiusd_t) +corenet_tcp_connect_mysqld_port(radiusd_t) +corenet_tcp_connect_snmp_port(radiusd_t) corenet_sendrecv_radius_server_packets(radiusd_t) corenet_sendrecv_radacct_server_packets(radiusd_t) +corenet_sendrecv_mysqld_client_packets(radiusd_t) +corenet_sendrecv_snmp_client_packets(radiusd_t) # for RADIUS proxy port corenet_udp_bind_generic_port(radiusd_t) corenet_dontaudit_udp_bind_all_ports(radiusd_t) 
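Review bot: The removal of `allow radiusd_t self:netlink_route_socket r_netlink_socket_perms;` in the `-34,12` hunk only stays safe because a later hunk in this file adds `auth_use_nsswitch(radiusd_t)`, which (through sysnet_dns_name_resolve, if I recall correctly) grants the same netlink access; the two hunks depend on each other and a partial revert would break name resolution for radiusd. A short comment on the `auth_use_nsswitch` line such as `# also supplies the netlink_route_socket access radiusd needs for resolver lookups` would make that coupling visible. The added `sigkill` in the self:process set looks intentional for the child-killing radiusd does and needs no change.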
@@ -86,9 +92,6 @@ dev_read_sysfs(radiusd_t) fs_getattr_all_fs(radiusd_t) fs_search_auto_mountpoints(radiusd_t) -auth_read_shadow(radiusd_t) -auth_domtrans_chk_passwd(radiusd_t) - corecmd_exec_bin(radiusd_t) corecmd_exec_shell(radiusd_t) @@ -98,6 +101,10 @@ files_read_usr_files(radiusd_t) files_read_etc_files(radiusd_t) files_read_etc_runtime_files(radiusd_t) +auth_use_nsswitch(radiusd_t) +auth_read_shadow(radiusd_t) +auth_domtrans_chk_passwd(radiusd_t) + libs_use_ld_so(radiusd_t) libs_use_shared_libs(radiusd_t) libs_exec_lib_files(radiusd_t) @@ -107,8 +114,6 @@ logging_send_syslog_msg(radiusd_t) miscfiles_read_localization(radiusd_t) miscfiles_read_certs(radiusd_t) -sysnet_read_config(radiusd_t) - userdom_dontaudit_use_unpriv_user_fds(radiusd_t) sysadm_dontaudit_search_home_dirs(radiusd_t) @@ -123,7 +128,8 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(radiusd_t) + mysql_read_config(radiusd_t) + mysql_stream_connect(radiusd_t) ') optional_policy(` diff --git a/policy/modules/services/radvd.fc b/policy/modules/services/radvd.fc index c699ccdc..cc98d83b 100644 --- a/policy/modules/services/radvd.fc +++ b/policy/modules/services/radvd.fc @@ -1,5 +1,5 @@ - /etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0) +/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0) /usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0) diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if index 596e3f43..be05bff5 100644 --- a/policy/modules/services/radvd.if +++ b/policy/modules/services/radvd.if 
@@ -10,20 +10,30 @@ ## Domain allowed access. ## ## +## +## +## Role allowed access. +## +## ## # interface(`radvd_admin',` gen_require(` type radvd_t, radvd_etc_t; - type radvd_var_run_t; + type radvd_var_run_t, radvd_initrc_exec_t; ') - allow $1 radvd_t:process { ptrace signal_perms getattr }; + allow $1 radvd_t:process { ptrace signal_perms }; ps_process_pattern($1, radvd_t) + init_labeled_script_domtrans($1, radvd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 radvd_initrc_exec_t system_r; + allow $2 system_r; + files_list_etc($1) - manage_files_pattern($1, radvd_etc_t, radvd_etc_t) + admin_pattern($1, radvd_etc_t) files_list_pids($1) - manage_files_pattern($1, radvd_var_run_t, radvd_var_run_t) + admin_pattern($1, radvd_var_run_t) ') diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te index 2a32e53e..6c8904b9 100644 --- a/policy/modules/services/radvd.te +++ b/policy/modules/services/radvd.te @@ -1,5 +1,5 @@ -policy_module(radvd, 1.8.0) +policy_module(radvd, 1.8.1) ######################################## # @@ -9,6 +9,9 @@ type radvd_t; type radvd_exec_t; init_daemon_domain(radvd_t, radvd_exec_t) +type radvd_initrc_exec_t; +init_script_file(radvd_initrc_exec_t) + type radvd_var_run_t; files_pid_file(radvd_var_run_t) @@ -27,6 +30,7 @@ allow radvd_t self:unix_stream_socket create_socket_perms; allow radvd_t self:rawip_socket create_socket_perms; allow radvd_t self:tcp_socket create_stream_socket_perms; allow radvd_t self:udp_socket create_socket_perms; +allow radvd_t self:fifo_file rw_file_perms; allow radvd_t radvd_etc_t:file read_file_perms; diff --git a/policy/modules/services/rwho.fc b/policy/modules/services/rwho.fc index 7aa6ae0b..bc048cef 100644 --- a/policy/modules/services/rwho.fc +++ b/policy/modules/services/rwho.fc 
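Review bot: `allow radvd_t self:fifo_file rw_file_perms;` in the radvd.te `@@ -27,6 +30,7 @@` hunk applies the file permission set to the fifo_file class, whereas the radius.te hunk in this same commit writes the equivalent rule with the class-specific set, `allow radiusd_t self:fifo_file rw_fifo_file_perms;`. Use `allow radvd_t self:fifo_file rw_fifo_file_perms;` here so the permission macro matches the object class and the two modules stay consistent; whether the two sets currently expand to the same permissions is not visible from this page, so the point is consistency rather than a widened grant.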
@@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0) + /usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0) /var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0) diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if index 523086e1..7da7060c 100644 --- a/policy/modules/services/rwho.if +++ b/policy/modules/services/rwho.if @@ -126,19 +126,30 @@ interface(`rwho_manage_spool_files',` ## Domain allowed access. ## ## +## +## +## The role allowed access. +## +## ## # interface(`rwho_admin',` gen_require(` type rwho_t, rwho_log_t, rwho_spool_t; + type rwho_initrc_exec_t; ') - allow $1 rwho_t:process { ptrace signal_perms getattr }; + allow $1 rwho_t:process { ptrace signal_perms }; ps_process_pattern($1, rwho_t) - + + init_labeled_script_domtrans($1, rwho_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rwho_initrc_exec_t system_r; + allow $2 system_r; + logging_list_logs($1) - manage_files_pattern($1, rwho_log_t, rwho_log_t) + admin_pattern($1, rwho_log_t) files_list_spool($1) - manage_files_pattern($1, rwho_spool_t, rwho_spool_t) + admin_pattern($1, rwho_spool_t) ') diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te index 21c9fd2e..a5de93e4 100644 --- a/policy/modules/services/rwho.te +++ b/policy/modules/services/rwho.te @@ -1,5 +1,5 @@ -policy_module(rwho, 1.4.0) +policy_module(rwho, 1.4.1) ######################################## # @@ -10,6 +10,9 @@ type rwho_t; type rwho_exec_t; init_daemon_domain(rwho_t, rwho_exec_t) +type rwho_initrc_exec_t; +init_script_file(rwho_initrc_exec_t) + type rwho_log_t; files_type(rwho_log_t) diff --git a/policy/modules/services/soundserver.fc b/policy/modules/services/soundserver.fc index b930d5f5..d89b2cb6 100644 --- a/policy/modules/services/soundserver.fc +++ b/policy/modules/services/soundserver.fc 
@@ -1,4 +1,5 @@ /etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) +/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0) /etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) /usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0) @@ -6,5 +7,7 @@ /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0) +/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0) /var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) + /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if index 4d862d9b..93fe7bf8 100644 --- a/policy/modules/services/soundserver.if +++ b/policy/modules/services/soundserver.if @@ -13,3 +13,45 @@ interface(`soundserver_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## All of the rules required to administrate +## an soundd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the soundd domain. +## +## +## +# +interface(`soundserver_admin',` + gen_require(` + type soundd_t, soundd_etc_t; + type soundd_tmp_t, soundd_var_run_t; + type soundd_initrc_exec_t; + ') + + allow $1 soundd_t:process { ptrace signal_perms }; + ps_process_pattern($1, soundd_t) + + init_labeled_script_domtrans($1, soundd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 soundd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, soundd_etc_t) + + files_list_tmp($1) + admin_pattern($1, soundd_tmp_t) + + files_list_pids($1) + admin_pattern($1, soundd_var_run_t) +') diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te index 7c41c358..c13f000b 100644 --- a/policy/modules/services/soundserver.te +++ b/policy/modules/services/soundserver.te 
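Review bot: The new `soundserver_admin` interface in the soundserver.if hunk grants `admin_pattern` over `soundd_etc_t`, `soundd_tmp_t` and `soundd_var_run_t` but not over `soundd_state_t`, even though the soundserver.fc hunk on the same line labels `/var/state/yiff(/.*)?` with that type and the daemon itself manages files of that type. An administrator role that cannot manage or relabel the daemon's state directory will hit denials on cleanup or restorecon. Add `soundd_state_t` to the `gen_require` block and, presumably under `files_list_var($1)` since the path is below /var, `admin_pattern($1, soundd_state_t)`; whether `soundd_tmpfs_t` also belongs in the admin set cannot be decided from this hunk.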
@@ -1,5 +1,5 @@ -policy_module(soundserver, 1.5.0) +policy_module(soundserver, 1.5.1) ######################################## # @@ -11,7 +11,10 @@ type soundd_exec_t; init_daemon_domain(soundd_t, soundd_exec_t) type soundd_etc_t alias etc_soundd_t; -files_type(soundd_etc_t) +files_config_file(soundd_etc_t) + +type soundd_initrc_exec_t; +init_script_file(soundd_initrc_exec_t) type soundd_state_t; files_type(soundd_state_t) @@ -31,16 +34,18 @@ files_pid_file(soundd_var_run_t) # Declarations # +allow soundd_t self:capability dac_override; dontaudit soundd_t self:capability sys_tty_config; allow soundd_t self:process { setpgid signal_perms }; allow soundd_t self:tcp_socket create_stream_socket_perms; allow soundd_t self:udp_socket create_socket_perms; +allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms }; + # for yiff allow soundd_t self:shm create_shm_perms; -allow soundd_t soundd_etc_t:dir list_dir_perms; -allow soundd_t soundd_etc_t:file read_file_perms; -allow soundd_t soundd_etc_t:lnk_file { getattr read }; +read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) +read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t) manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t) @@ -55,8 +60,10 @@ manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) -files_pid_filetrans(soundd_t, soundd_var_run_t, file) +manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) +files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir }) kernel_read_kernel_sysctls(soundd_t) kernel_list_proc(soundd_t) 
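Review bot: `allow soundd_t self:capability dac_override;` in the soundserver.te `@@ -31,16 +34,18 @@` hunk lets the sound daemon bypass DAC permission checks on every object its type rules already reach, and the rule carries no comment saying which access motivated it. radius.te in this commit documents its capability needs (`# gzip also needs chown access to preserve GID for radwtmp files`); a one-line comment above this rule naming the file or device whose denial prompted it would let the next maintainer re-check whether it is still required. If the underlying access is read-only (for example opening a root-owned config or device node), `dac_read_search` is the narrower capability and should be preferred over `dac_override`.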
@@ -99,6 +106,10 @@ userdom_dontaudit_use_unpriv_user_fds(soundd_t) sysadm_dontaudit_search_home_dirs(soundd_t) +optional_policy(` + alsa_domtrans(soundd_t) +') + optional_policy(` seutil_sigchld_newrole(soundd_t) ') diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc index 48f46c5a..80e894b5 100644 --- a/policy/modules/services/squid.fc +++ b/policy/modules/services/squid.fc @@ -1,4 +1,4 @@ -/etc/rc.d/init.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) /etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if index 64651a1d..5b012ce5 100644 --- a/policy/modules/services/squid.if +++ b/policy/modules/services/squid.if @@ -168,3 +168,48 @@ interface(`squid_manage_logs',` interface(`squid_use',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## All of the rules required to administrate +## an squid environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the squid domain. +## +## +## +# +interface(`squid_admin',` + gen_require(` + type squid_t, squid_cache_t, squid_conf_t; + type squid_log_t, squid_var_run_t; + type squid_initrc_exec_t; + ') + + allow $1 squid_t:process { ptrace signal_perms }; + ps_process_pattern($1, squid_t) + + init_labeled_script_domtrans($1, squid_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 squid_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var($1) + admin_pattern($1, squid_cache_t) + + files_list_etc($1) + admin_pattern($1, squid_conf_t) + + logging_list_logs($1) + admin_pattern($1, squid_log_t) + + files_list_pids($1) + admin_pattern($1, squid_var_run_t) +') 
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index e4e33902..f72c6b17 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -1,5 +1,5 @@ -policy_module(squid, 1.6.1) +policy_module(squid, 1.6.2) ######################################## # @@ -156,6 +156,8 @@ sysadm_dontaudit_search_home_dirs(squid_t) tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t) + corenet_tcp_bind_all_ports(squid_t) + corenet_sendrecv_all_packets(squid_t) ') optional_policy(` diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if index ea34c2a8..150f5c02 100644 --- a/policy/modules/services/tftp.if +++ b/policy/modules/services/tftp.if @@ -20,10 +20,10 @@ interface(`tftp_admin',` allow $1 tftpd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, tftpd_t) - manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + admin_pattern($1, tftpdir_rw_t) - manage_files_pattern($1, tftpdir_t, tftpdir_t) + admin_pattern($1, tftpdir_t) files_list_pids($1) - manage_files_pattern($1, tftpd_var_run_t, tftpd_var_run_t) + admin_pattern($1, tftpd_var_run_t) ') diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te index 00c20525..a47d9363 100644 --- a/policy/modules/services/tftp.te +++ b/policy/modules/services/tftp.te @@ -1,5 +1,5 @@ -policy_module(tftp, 1.8.0) +policy_module(tftp, 1.8.1) ######################################## # @@ -37,7 +37,6 @@ allow tftpd_t self:tcp_socket create_stream_socket_perms; allow tftpd_t self:udp_socket create_socket_perms; allow tftpd_t self:unix_dgram_socket create_socket_perms; allow tftpd_t self:unix_stream_socket create_stream_socket_perms; -allow tftpd_t self:netlink_route_socket r_netlink_socket_perms; dontaudit tftpd_t self:capability sys_tty_config; allow tftpd_t tftpdir_t:dir { getattr read search }; 
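Review bot: Adding `corenet_tcp_bind_all_ports(squid_t)` and `corenet_sendrecv_all_packets(squid_t)` under `tunable_policy(`squid_connect_any', ...)` in the squid.te hunk turns a boolean whose name promises "connect to any port" into one that also allows binding to any TCP port and sending/receiving any packet type, which an administrator enabling it for outbound proxying would not expect. Binding is a distinct privilege from connecting: a compromised squid could listen on ports other services are expected to own. Keep the bind rule under its own tunable, or at minimum update the `gen_tunable` description for `squid_connect_any` (outside this hunk) so the documented meaning matches the rules; the trailing `optional_policy(` block continues outside the hunk.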
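Review bot: `tftp_admin` in the tftp.if hunk keeps `getattr` in `allow $1 tftpd_t:process { ptrace signal_perms getattr };` while the radvd, rwho, zabbix and zebra admin interfaces in this same commit drop it because `ps_process_pattern`, called on the next line, already covers it; `allow $1 tftpd_t:process { ptrace signal_perms };` would match them. The interface also gains no role parameter or init-script transition, which is reasonable if tftpd is only started through the `inetd_udp_service_domain` rule visible in tftp.te rather than an init script, but that should be the deliberate reason rather than an omission.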
@@ -80,6 +79,8 @@ files_read_var_files(tftpd_t) files_read_var_symlinks(tftpd_t) files_search_var(tftpd_t) +auth_use_nsswitch(tftpd_t) + libs_use_ld_so(tftpd_t) libs_use_shared_libs(tftpd_t) @@ -88,11 +89,7 @@ logging_send_syslog_msg(tftpd_t) miscfiles_read_localization(tftpd_t) miscfiles_read_public_files(tftpd_t) -sysnet_read_config(tftpd_t) -sysnet_use_ldap(tftpd_t) - userdom_dontaudit_use_unpriv_user_fds(tftpd_t) - sysadm_dontaudit_use_ttys(tftpd_t) sysadm_dontaudit_search_home_dirs(tftpd_t) @@ -104,14 +101,6 @@ optional_policy(` inetd_udp_service_domain(tftpd_t, tftpd_exec_t) ') -optional_policy(` - nis_use_ypbind(tftpd_t) -') - -optional_policy(` - nscd_socket_use(tftpd_t) -') - optional_policy(` seutil_sigchld_newrole(tftpd_t) ') diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc index 8190cc61..4e786ae6 100644 --- a/policy/modules/services/tor.fc +++ b/policy/modules/services/tor.fc @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0) /etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0) /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if index 95b88c6f..904f13e1 100644 --- a/policy/modules/services/tor.if +++ b/policy/modules/services/tor.if 
@@ -28,26 +28,37 @@ interface(`tor_domtrans',` ## Domain allowed access. ## ## +## +## +## The role to be allowed to manage the tor domain. +## +## ## # interface(`tor_admin',` gen_require(` type tor_t, tor_var_log_t, tor_etc_t; type tor_var_lib_t, tor_var_run_t; + type tor_initrc_exec_t; ') allow $1 tor_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, tor_t) - - logging_list_logs($1) - manage_files_pattern($1, tor_var_log_t, tor_var_log_t) + + init_labeled_script_domtrans($1, tor_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 tor_initrc_exec_t system_r; + allow $2 system_r; files_list_etc($1) - manage_files_pattern($1, tor_etc_t, tor_etc_t) + admin_pattern($1, tor_etc_t) files_list_var_lib($1) - manage_files_pattern($1, tor_var_lib_t, tor_var_lib_t) + admin_pattern($1, tor_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, tor_var_log_t) files_list_pids($1) - manage_files_pattern($1, tor_var_run_t, tor_var_run_t) + admin_pattern($1, tor_var_run_t) ') diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te index 2d5ac0ed..765ebb75 100644 --- a/policy/modules/services/tor.te +++ b/policy/modules/services/tor.te @@ -1,5 +1,5 @@ -policy_module(tor, 1.4.0) +policy_module(tor, 1.4.1) ######################################## # @@ -14,6 +14,9 @@ init_daemon_domain(tor_t, tor_exec_t) type tor_etc_t; files_config_file(tor_etc_t) +type tor_initrc_exec_t; +init_script_file(tor_initrc_exec_t) + # var/lib/tor type tor_var_lib_t; files_type(tor_var_lib_t) @@ -31,6 +34,7 @@ files_pid_file(tor_var_run_t) # tor local policy # +allow tor_t self:capability { setgid setuid }; allow tor_t self:fifo_file { read write }; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; 
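Review bot: `tor_admin` in the tor.if hunk keeps `getattr` in `allow $1 tor_t:process { ptrace signal_perms getattr };` although `ps_process_pattern($1, tor_t)` on the following line already grants it, and the other admin interfaces reworked in this commit (radvd, rwho, zabbix, zebra) drop it for that reason. Change the line to `allow $1 tor_t:process { ptrace signal_perms };` so the interfaces read the same way.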
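Review bot: `allow tor_t self:capability { setgid setuid };` in the tor.te `@@ -31,6 +34,7 @@` hunk has no why-comment, and uid/gid-changing capabilities are precisely the ones a policy reviewer wants justified. This is presumably for tor switching to the unprivileged `User`/`Group` set in torrc after start-up — please confirm — and a comment such as `# tor drops to the User/Group configured in torrc after startup` above the rule would record that. If privilege dropping is the only use, the grant is appropriately minimal; if the denial came from something else, the rule may be wider than needed.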
@@ -86,13 +90,13 @@ domain_use_interactive_fds(tor_t) files_read_etc_files(tor_t) files_read_etc_runtime_files(tor_t) +auth_use_nsswitch(tor_t) + libs_use_ld_so(tor_t) libs_use_shared_libs(tor_t) miscfiles_read_localization(tor_t) -sysnet_dns_name_resolve(tor_t) - optional_policy(` seutil_sigchld_newrole(tor_t) ') diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if index 92b58fef..7a9bb272 100644 --- a/policy/modules/services/uucp.if +++ b/policy/modules/services/uucp.if @@ -83,19 +83,19 @@ interface(`uucp_admin',` allow $1 uucpd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, uucpd_t) - files_list_tmp($1) - manage_files_pattern($1, uucpd_tmp_t, uucpd_tmp_t) - logging_list_logs($1) - manage_files_pattern($1, uucpd_log_t, uucpd_log_t) + admin_pattern($1, uucpd_log_t) files_list_spool($1) - manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t) + admin_pattern($1, uucpd_spool_t) - manage_files_pattern($1, uucpd_rw_t, uucpd_rw_t) + admin_pattern($1, uucpd_ro_t) - manage_files_pattern($1, uucpd_ro_t, uucpd_ro_t) + admin_pattern($1, uucpd_rw_t) + + files_list_tmp($1) + admin_pattern($1, uucpd_tmp_t) files_list_pids($1) - manage_files_pattern($1, uucpd_var_run_t, uucpd_var_run_t) + admin_pattern($1, uucpd_var_run_t) ') diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te index 127887d5..ac53fac3 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -1,5 +1,5 @@ -policy_module(uucp, 1.7.0) +policy_module(uucp, 1.7.1) ######################################## # @@ -116,6 +116,8 @@ corecmd_exec_bin(uux_t) files_read_etc_files(uux_t) +fs_rw_anon_inodefs_files(uux_t) + libs_use_ld_so(uux_t) libs_use_shared_libs(uux_t) diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc index ec240724..3102286d 100644 --- a/policy/modules/services/zabbix.fc +++ b/policy/modules/services/zabbix.fc 
@@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) + /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if index 7a83adae..c84cfe46 100644 --- a/policy/modules/services/zabbix.if +++ b/policy/modules/services/zabbix.if @@ -87,19 +87,30 @@ interface(`zabbix_read_pid_files',` ## Domain allowed access. ## ## +## +## +## The role to be allowed to manage the zabbix domain. +## +## ## # interface(`zabbix_admin',` gen_require(` type zabbix_t, zabbix_log_t, zabbix_var_run_t; + type zabbix_initrc_exec_t; ') - allow $1 zabbix_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, zabbix_t, zabbix_t) + allow $1 zabbix_t:process { ptrace signal_perms }; + ps_process_pattern($1, zabbix_t) + + init_labeled_script_domtrans($1, zabbix_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 zabbix_initrc_exec_t system_r; + allow $2 system_r; logging_list_logs($1) - manage_files_pattern($1, zabbix_log_t, zabbix_log_t) + admin_pattern($1, zabbix_log_t) files_list_pids($1) - manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t) + admin_pattern($1, zabbix_var_run_t) ') diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te index 370d5f27..8e4926ef 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te @@ -1,5 +1,5 @@ -policy_module(zabbix, 1.1.0) +policy_module(zabbix, 1.1.1) ######################################## # @@ -10,6 +10,9 @@ type zabbix_t; type zabbix_exec_t; init_daemon_domain(zabbix_t, zabbix_exec_t) +type zabbix_initrc_exec_t; +init_script_file(zabbix_initrc_exec_t) + # log files type zabbix_log_t; logging_log_file(zabbix_log_t) diff --git a/policy/modules/services/zebra.fc b/policy/modules/services/zebra.fc index 33c70f13..70f22670 100644 
--- a/policy/modules/services/zebra.fc +++ b/policy/modules/services/zebra.fc @@ -1,3 +1,9 @@ +/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) /usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) /usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if index bd9f6bc3..0e19ff37 100644 --- a/policy/modules/services/zebra.if +++ b/policy/modules/services/zebra.if 
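Review bot: The zebra.fc hunk labels init scripts for `bgpd`, `ospf6d`, `ospfd`, `ripd`, `ripngd` and `zebra` as `zebra_initrc_exec_t`, but the only executables visible with `zebra_exec_t` are `/usr/sbin/bgpd` and `/usr/sbin/zebra`; no entries for `/usr/sbin/ospfd`, `/usr/sbin/ospf6d`, `/usr/sbin/ripd` or `/usr/sbin/ripngd` appear in this hunk. If those binaries are not labeled `zebra_exec_t` further down the file (the hunk shows only its first lines), their init scripts will start them without a transition into `zebra_t`, leaving those routing daemons in the init script's domain rather than the confined one. Either add a `/usr/sbin/<daemon> -- gen_context(system_u:object_r:zebra_exec_t,s0)` line for each, or confirm the labels already exist.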
@@ -32,26 +32,37 @@ interface(`zebra_read_config',` ## Domain allowed access. ## ## +## +## +## The role to be allowed to manage the zebra domain. +## +## ## # interface(`zebra_admin',` gen_require(` type zebra_t, zebra_tmp_t, zebra_log_t; type zebra_conf_t, zebra_var_run_t; + type zebra_initrc_exec_t; ') - allow $1 zebra_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, zebra_t, zebra_t) - - files_list_tmp($1) - manage_files_pattern($1, zebra_tmp_t, zebra_tmp_t) - - logging_list_logs($1) - manage_files_pattern($1, zebra_log_t, zebra_log_t) + allow $1 zebra_t:process { ptrace signal_perms }; + ps_process_pattern($1, zebra_t) + + init_labeled_script_domtrans($1, zebra_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 zebra_initrc_exec_t system_r; + allow $2 system_r; files_list_etc($1) - manage_files_pattern($1, zebra_conf_t, zebra_conf_t) + admin_pattern($1, zebra_conf_t) + + logging_list_logs($1) + admin_pattern($1, zebra_log_t) + + files_list_tmp($1) + admin_pattern($1, zebra_tmp_t) files_list_pids($1) - manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t) + admin_pattern($1, zebra_var_run_t) ') diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te index 5b29a095..e4bb1ffe 100644 --- a/policy/modules/services/zebra.te +++ b/policy/modules/services/zebra.te @@ -1,5 +1,5 @@ -policy_module(zebra, 1.7.0) +policy_module(zebra, 1.7.1) ######################################## # @@ -21,6 +21,9 @@ init_daemon_domain(zebra_t, zebra_exec_t) type zebra_conf_t; files_type(zebra_conf_t) +type zebra_initrc_exec_t; +init_script_file(zebra_initrc_exec_t) + type zebra_log_t; logging_log_file(zebra_log_t) 
@@ -37,7 +40,7 @@ files_pid_file(zebra_var_run_t) allow zebra_t self:capability { setgid setuid net_admin net_raw }; dontaudit zebra_t self:capability sys_tty_config; -allow zebra_t self:process { signal_perms setcap }; +allow zebra_t self:process { signal_perms getcap setcap }; allow zebra_t self:file { ioctl read write getattr lock append }; allow zebra_t self:unix_dgram_socket create_socket_perms; allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -64,6 +67,7 @@ manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file }) kernel_read_system_state(zebra_t) +kernel_read_network_state(zebra_t) kernel_read_kernel_sysctls(zebra_t) kernel_rw_net_sysctls(zebra_t) diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt index 54a9dac2..bdd500c4 100644 --- a/policy/support/file_patterns.spt +++ b/policy/support/file_patterns.spt @@ -537,3 +537,17 @@ define(`filetrans_pattern',` allow $1 $2:dir rw_dir_perms; type_transition $1 $2:$4 $3; ') + +define(`admin_pattern',` + manage_dirs_pattern($1,$2,$2) + manage_files_pattern($1,$2,$2) + manage_lnk_files_pattern($1,$2,$2) + manage_fifo_files_pattern($1,$2,$2) + manage_sock_files_pattern($1,$2,$2) + + relabel_dirs_pattern($1,$2,$2) + relabel_files_pattern($1,$2,$2) + relabel_lnk_files_pattern($1,$2,$2) + relabel_fifo_files_pattern($1,$2,$2) + relabel_sock_files_pattern($1,$2,$2) +')
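Review bot: The new `admin_pattern` define in the file_patterns.spt hunk has no header comment, yet it is now the single place that decides what every `*_admin` interface in this commit grants: full manage plus relabelfrom/relabelto on dir, file, lnk_file, fifo_file and sock_file objects of type `$2` for domain `$1`, with chr_file and blk_file not covered. Because the `relabel_*_pattern` calls let `$1` relabel objects both to and from `$2`, a caller who reads the name alone may assume a manage-only helper; a short comment above the `define`, e.g. `# admin_pattern(domain, type): manage and relabel (to/from) all dir/file/lnk/fifo/sock objects of type`, would state the actual scope. The file's existing defines are outside this hunk, so match whatever comment style they use.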